Is the CIA triad of information security being weakened by myopic focus on only one side?
The triangle is widely regarded as being the strongest geometric shape. This rings true in cybersecurity where confidentiality, integrity, and availability combine to form the CIA triangle or 'triad' as it is also known. This combination has become the established foundation of data protection and cyber risk management.
Confidentiality, Integrity, and Availability
A myopic focus upon securing 'confidentiality' over the past 20 years has weakened the intrinsic strength of the CIA triangle. This is largely thanks to increased regulatory privacy compliance across healthcare. HIPAA, PDPA, APA, GDPR, and a heap of other regulations ensure that scarce security resources are focused upon meeting the minimum of healthcare and privacy compliance rather than responding to actual risks with severe consequences for patient safety.
This was the basis for my presentation to the HIMSS Singapore eHealth and Health 2.0 Summit last week where healthcare providers in Singapore face similar security problems to hospitals in Europe, Australia, and North America. The ASEAN region in particular has become a prime target for cyber-attacks with its dynamic position as one of the fastest growing digital economies in the world, accounting for 35.9% of all cyber attacks globally in 2017 according to CIO Magazine. The advanced persistent cyber attack against SingHealth last year should be a wake up call for governments and healthcare providers across the world that security across healthcare must be improved.
The growth of medical devices and other Healthcare IoT (HIoT) is prolific and already outnumbers traditional computing systems. Compound growth in medical devices has reached 20% per annum by some global estimates. Furthermore, most HIoT assets are connected now to hospital networks and talk directly to core HIT systems like their Electronic Health Record (EHR). Hackers know this, and have used the fact that HIoT systems are by and large unprotected against cyber-attack to launch their infiltration campaigns.
Medical devices and other HIoT systems now pose the single greatest risk to patient safety according to many in the industry because of their lack of inherent security, inability to be patched, or secured with AV and host firewalls, as even a Windows PC can be, and the fact that they are often directly connected to patients.
Consider what happens when a patient's blood type, allergies or past treatment records are altered by a hacker. Unfortunately, the risks impacting healthcare are more nefarious than just the disclosure of confidential patient information. What happens when a ransomware attack locks up all Health IT systems as it did to many hospitals in the British NHS with the WannaCry attack? The threat to the integrity of health records and other clinical data, as well as the availability of HIT systems needed to treat patients may be far more worrying.
Risk Assessment and Mitigation
Many legacy medical devices can only connect to hospital WiFi using insure WEP encryption, which means any teenager with the right tools could gain access to core systems in most unsegmented healthcare networks with little more than a SmartPhone from a hospital waiting room.
On-stage demonstrations at security conferences like DefCon, Black Hat, and KiwiCon often feature the hacking of some sort of medical device that if connected to a real patient, would undoubtedly result in that patient's death. Yet, the FDA, device manufacturers, and hospitals all downplay the risks, knowing that devices have a 15 to 20 year lifespan and few, if any, are ever updated with security patches once sold.
The fact of the matter is that we have almost no idea if, and how many patients have died as a result of a medical device being hacked. No one is currently required to forensically investigate a failed medical device. Instead, all data is wiped to comply with privacy rules and the device is shipped back to the manufacturer to be re-imaged, tested, and put back into circulation. This is a subject I have written about in the past and one perhaps best demonstrated by Doctors Christian Dameff, MD and Jeff Tully, MD from the University of California Health System, in their realistic yet alarming presentation at the RSA Conference last year.
The need to better understand and evaluate risk in this growing sector of healthcare has reached a tipping point. OCR in the United States has started to ask questions about the risk analysis of these devices, many of which are covered under the HIPAA Security Rule.
However, healthcare IT and Security teams face several daunting challenges before they can even begin to mitigate security risks and chase compliance:
1. In most hospitals, medical devices are owned and managed by Bio-Medical or Clinical Engineering, while other groups outside of IT control building management and other hospital IoT systems. Consequently, there is limited security visibility or coherence, if any at all!
2. An accurate inventory of what HIoT assets are connected to the network is almost impossible to accomplish manually. Devices change all the time and manual spreadsheets and traditional IT asset management systems have proven inaccurate.
3. Evaluating the risks of medical devices is difficult since most are connected to patients and cannot be scanned with normal security tools. Larger equipment like X-Ray machines, MRI, CT and PET scanners are in use 24/7 and cannot usually be taken out of service for regular security scans.
4. Inherent weaknesses in some HIoT protocols like DICOM allows a malicious actor to embed weaponized malware into a legitimate image file without detection, as researchers at Cylera Labs discovered recently.
5. Lack of internal network security allows a hacker to intercept and change a PACS image with false information during transmission between a CT scanner and its PACS workstation adding a tumor to an image or removing one.
Fortunately, new AI security tools from Cylera, created especially with healthcare in mind, are able to automate the entire risk management process to identify, profile, assess, and remediate HIoT assets in line with NIST SP800-30 standards. Just as healthcare delivery is moving towards innovative technologies, so security risk management tools are being used to support the adoption of new technologies and new procedures.
Cylera’s 'MedCommand' platform empowers healthcare providers to protect the safety of patients, assets, and clinical workflows from cyber-attacks. 'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.
The 'MedCommand' solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop the most comprehensive and integrated HIoT security solution for healthcare.