<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><description>Micro blogs and anecdotes for consultants and cyber geeks.  

Richard Staynings is a 25-year veteran of cybersecurity and IT consulting and has by experience learned to see the funny side of many things in daily life. Some of the better anecdotes are shared here for your entertainment.</description><title>Cyber Thoughts</title><generator>Tumblr (3.0; @cyber-thoughts)</generator><link>https://microblog.staynings.com/</link><item><title>Balancing access and usability with security is top priority for hospitals</title><description>&lt;a href="https://www.healthcareitnews.com/video/balancing-access-and-usability-security-top-priority-hospitals"&gt;Balancing access and usability with security is top priority for hospitals&lt;/a&gt;: &lt;p&gt;Sound advice from my friend and fellow security leader Chad Wilson at Children’s National Health System &lt;/p&gt;</description><link>https://microblog.staynings.com/post/179497096860</link><guid>https://microblog.staynings.com/post/179497096860</guid><pubDate>Sat, 27 Oct 2018 16:27:06 -0600</pubDate></item><item><title>Man-in-the-Middle Attacks and “HTTPS Inspection Products”</title><description>&lt;p&gt;Man-in-the-middle (MITM) attacks occur when a third party intercepts and potentially alters communications between two different parties, unbeknownst to the two parties. MITM attacks can be used to inject malicious code, intercept sensitive information like protected health information (PHI), expose sensitive information, and modify trusted information.&lt;/p&gt;&lt;p&gt;Many organizations have implemented end-to-end connection security on their internet transactions using Secure Hypertext Transport Protocol, or “HTTPS.”  Additionally, some organizations use “HTTPS interception products” to detect malware over an HTTPS connection. HTTPS interception products, also known as “HTTPS inspection,” work by intercepting the HTTPS network traffic and decrypting it, reviewing it, then re-encrypting it.  
To do so, HTTPS interception products must install trusted certificates on client devices to perform the HTTPS inspection without presenting warnings.&lt;/p&gt;&lt;p&gt;However, this process may leave organizations using HTTPS interception products vulnerable, because the organizations can no longer verify web servers’ certificates, view the protocols and ciphers that an HTTPS interception product negotiates with web servers, or, most importantly, independently validate the security of the end-to-end connection. In other words, the organizations that use these interception products are able to validate only the connection between themselves and the interception product, not between themselves and the server.  This is problematic, because many HTTPS interception products do not properly verify the certificate chain before re-encrypting and forwarding information to the organizations, which leaves the connection vulnerable to a malicious MITM attack.&lt;/p&gt;&lt;p&gt;The United States Computer Emergency Readiness Team (US-CERT) recommends that organizations verify that their HTTPS interception product properly validates certificate chains and passes any warnings or errors to the client. Organizations can find a partial list of products that may be affected at CERT Coordination Center’s &lt;a href="https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html"&gt;The Risks of SSL Inspection&lt;/a&gt;. Also, organizations may use badssl.com as a method of determining if their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.&lt;/p&gt;&lt;p&gt;Securing end-to-end communications performs an important function in protecting the privacy of HTTPS traffic and preventing some forms of MITM attacks.  
US-CERT recommends reviewing the following mitigations in &lt;a href="https://www.us-cert.gov/ncas/alerts/TA15-120A"&gt;Alert TA15-120A&lt;/a&gt; to reduce vulnerability to MITM attacks:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Update Transport Layer Security and Secure Sockets Layer (TLS/SSL). US-CERT recommends upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled unless required. The continued use of TLS 1.0 and SSL 1, 2, 3.x is leading to increased cases affected by MITM attacks and session hijacks.&lt;/li&gt;&lt;li&gt;Utilize Certificate Pinning&lt;/li&gt;&lt;li&gt;Implement DNS-based Authentication of Named Entities (DANE)&lt;/li&gt;&lt;li&gt;Use Network Notary Servers&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Further, a recent security analysis (&lt;a href="https://jhalderm.com/pub/papers/interception-ndss17.pdf"&gt;The Security Impact of HTTPS Interception&lt;/a&gt;) of HTTPS interception products found that poor implementation of many of these products may actually reduce end-to-end security and introduce new vulnerabilities.  
US-CERT recently issued an Alert, &lt;a href="https://www.us-cert.gov/ncas/alerts/TA17-075A"&gt;TA17-075A&lt;/a&gt;, warning of the vulnerabilities that organizations expose themselves to when they use HTTPS interception products.&lt;/p&gt;&lt;p&gt;Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception product, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks.&lt;/p&gt;&lt;p&gt;In addition to reviewing recommendations from US-CERT, covered entities and business associates should also review recommendations from the National Institute of Standards and Technology (NIST) for securing end-to-end communications, especially regarding the configuration, use and updating of TLS/SSL implementations. 
&lt;a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html"&gt;OCR’s Guidance&lt;/a&gt; to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals references NIST SP-800 series publications to describe the valid encryption processes to use to ensure that electronically transmitted PHI is not unsecured.&lt;/p&gt;&lt;p&gt;Source: OCR April 3, 2017&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/159164192965</link><guid>https://microblog.staynings.com/post/159164192965</guid><pubDate>Mon, 03 Apr 2017 15:14:05 -0600</pubDate><category>cybersecurity</category><category>healthcare</category><category>hipaa</category><category>ocr</category><category>us-cert</category></item><item><title>'Elliot Hacks His Hospital'</title><description>&lt;a href="http://youtu.be/g6gG-6Co_v4"&gt;'Elliot Hacks His Hospital'&lt;/a&gt;</description><link>https://microblog.staynings.com/post/142925031500</link><guid>https://microblog.staynings.com/post/142925031500</guid><pubDate>Sat, 16 Apr 2016 19:23:18 -0600</pubDate></item><item><title>Fair is Fair!</title><description>&lt;p&gt;Users: Please DoNotTrack me &lt;br/&gt;WebAdIndustry: Screw you &lt;br/&gt;&lt;/p&gt;&lt;p&gt;&lt;br/&gt;&lt;/p&gt;&lt;p&gt;WebAdIndustry: Please DoNotAdBlock me 
&lt;br/&gt;Users: Screw you&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/142307753070</link><guid>https://microblog.staynings.com/post/142307753070</guid><pubDate>Tue, 05 Apr 2016 13:35:50 -0600</pubDate><category>web privacy</category></item><item><title>cyber-thoughts:

Spotted on a colleague’s phone tonight over...</title><description>&lt;img src="https://64.media.tumblr.com/7c2b75d3f8f00d37e7d5a3357838ebbd/tumblr_o4h2z1uBjY1td43cxo1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;&lt;a class="tumblr_blog" href="http://cyber-thoughts.tumblr.com/post/141525660505"&gt;cyber-thoughts&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Spotted on a colleague’s phone tonight over dinner.  And I thought I was behind on email!!!!!&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Are we each receiving too many emails or is it just a thing of the past now that we all iMessage, Jabber, and SnapChat?&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/141529263895</link><guid>https://microblog.staynings.com/post/141529263895</guid><pubDate>Tue, 22 Mar 2016 22:44:09 -0600</pubDate><category>too much email</category></item><item><title>Spotted on a colleague’s phone tonight over dinner.  And I...</title><description>&lt;img src="https://64.media.tumblr.com/7c2b75d3f8f00d37e7d5a3357838ebbd/tumblr_o4h2z1uBjY1td43cxo1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Spotted on a colleague’s phone tonight over dinner.  And I thought I was behind on email!!!!!&lt;/p&gt;</description><link>https://microblog.staynings.com/post/141525660505</link><guid>https://microblog.staynings.com/post/141525660505</guid><pubDate>Tue, 22 Mar 2016 21:28:13 -0600</pubDate></item><item><title>OCR Launches Phase 2 of HIPAA Audit Program</title><description>&lt;p&gt;As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).&lt;/p&gt;&lt;p&gt;In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  
These audits will primarily be desk audits, although some on-site audits will be conducted.&lt;/p&gt;&lt;p&gt;The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.&lt;/p&gt;&lt;p&gt;If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.  If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.&lt;/p&gt;&lt;p&gt;The audit program is developing on pace and OCR is committed to transparency about the process.  OCR will post updated audit protocols on its website closer to conducting the 2016 audits.  The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.  Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.  
We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.&lt;/p&gt;&lt;p&gt;To learn more about OCR’s Phase 2 Audit program, please visit our website at &lt;a href="http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html"&gt;http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Follow OCR on Twitter at &lt;a href="http://twitter.com/HHSOCR"&gt;http://twitter.com/HHSOCR&lt;/a&gt;.&lt;/p&gt;&lt;/blockquote&gt;</description><link>https://microblog.staynings.com/post/141443357305</link><guid>https://microblog.staynings.com/post/141443357305</guid><pubDate>Mon, 21 Mar 2016 13:03:52 -0600</pubDate><category>cybersecurity HIPAA OCR healthcare</category></item><item><title>Addressing Gaps in Cybersecurity:  OCR Releases Crosswalk...</title><description>&lt;img src="https://64.media.tumblr.com/55eb3170d80ee09073711c2d0b9b9cbb/tumblr_o35tuywUCG1td43cxo1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;&lt;b&gt;Addressing Gaps in Cybersecurity:  OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework&lt;/b&gt;&lt;/p&gt;&lt;p&gt;The sensitive health information maintained by health care providers and health plans has become an increasingly attractive target for cyberattacks. The need for health care organizations to up their game on health data security has never been greater. 
&lt;/p&gt;&lt;p&gt;To help health care organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) to bolster their security posture, the Office for Civil Rights (OCR) today has released a &lt;a href="http://www.hhs.gov/sites/default/files/NIST%20CSF%20to%20HIPAA%20Security%20Rule%20Crosswalk%2002-22-2016%20Final.pdf"&gt;crosswalk&lt;/a&gt;, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule.  The crosswalk also includes mappings to other commonly used security frameworks.&lt;/p&gt;&lt;p&gt;In addressing security, many entities both within and outside of the healthcare sector have voluntarily relied on detailed security guidance and specific standards issued by NIST.  In February 2014, NIST released the Cybersecurity Framework to help organizations in any industry to understand, communicate and manage cybersecurity risks. &lt;/p&gt;&lt;p&gt;Entities covered by HIPAA must implement strong data security safeguards in their environments, and in particular, comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all of the electronic protected health information (ePHI) they create, receive, maintain or transmit.  We hear frequently from covered entities and business associates who say they are working hard in an increasingly challenging atmosphere to assure their PHI is adequately protected.  We also know from our HIPAA enforcement work that far too frequently entities are leaving PHI vulnerable to breach and access by unauthorized persons.  
&lt;a href="http://www.usatoday.com/story/money/personalfinance/2015/07/24/steve-weisman-health-care-data-breach/30593661/"&gt;According to a report in USA Today&lt;/a&gt;, the healthcare industry has accounted for over 40 percent of data breaches over the last three years, and 91 percent of all health organizations have reported a breach over the last two years.  &lt;/p&gt;&lt;p&gt;Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs.  Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity’s ability to secure ePHI from a broad range of threats.  The HIPAA Security Rule is designed to be flexible, scalable, and technology-neutral, which enables it to accommodate integration with more detailed frameworks such as the NIST Cybersecurity Framework.  Although the Security Rule does not require use of the NIST Cybersecurity Framework, and use of the Framework does not guarantee HIPAA compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments. &lt;/p&gt;&lt;p&gt;In addition, Congress, in both the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) as well as the Cybersecurity Information Sharing Act of 2015 (CISA), called for guidance on implementation of NIST frameworks. In response, this crosswalk provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risks.  
The crosswalk also supports the President’s Cybersecurity National Action Plan (CNAP) by encouraging HIPAA covered entities and their business associates to enhance their security programs, increase cybersecurity awareness, and implement appropriate security measures to protect ePHI.&lt;/p&gt;</description><link>https://microblog.staynings.com/post/140030346110</link><guid>https://microblog.staynings.com/post/140030346110</guid><pubDate>Fri, 26 Feb 2016 08:04:10 -0700</pubDate><category>cybersecurity healthcare</category></item><item><title>No matter how much you spend on security, you can’t...</title><description>&lt;img src="https://64.media.tumblr.com/b00dbb896d66a8a57c18665673faf122/tumblr_o35t3jIZgt1td43cxo1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;No matter how much you spend on security, you can’t change “STUPID”! Laptop left unlocked on a train out of London this morning for at least 5 minutes in an almost empty carriage while its owner went to the toilet. Anyone could have uploaded or downloaded anything. ………Or maybe his hope was that he could expedite a laptop refresh!&lt;/p&gt;</description><link>https://microblog.staynings.com/post/140029717995</link><guid>https://microblog.staynings.com/post/140029717995</guid><pubDate>Fri, 26 Feb 2016 07:47:43 -0700</pubDate><category>cybersecurity</category></item><item><title>Hollywood Ransomware</title><description>&lt;p&gt;It looks like Hollywood Presbyterian Hospital system was victim of
 “Locky” ransomware.  &lt;br/&gt;&lt;/p&gt;&lt;p&gt;Sophos has an explanation: 
&lt;a href="https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/"&gt;https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/&lt;/a&gt;&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/139841620575</link><guid>https://microblog.staynings.com/post/139841620575</guid><pubDate>Tue, 23 Feb 2016 02:14:17 -0700</pubDate></item><item><title>HHS OCR In Action</title><description>&lt;p&gt;&lt;i&gt;February 3, 2016&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800&lt;/b&gt;&lt;/p&gt;&lt;p&gt;A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that Lincare, Inc. (Lincare) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring Lincare to pay $239,800 in civil money penalties (CMPs) imposed by OCR.  This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ. &lt;/p&gt;&lt;p&gt;Lincare is a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, with more than 850 branch locations in 48 states.  OCR’s investigation of Lincare began after an individual complained that a Lincare employee left behind documents containing the protected health information (PHI) of 278 patients after moving residences.  Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether.  
Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.  Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules. &lt;/p&gt;&lt;p&gt;“While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels.  “The decision in this case validates the findings of our investigation.  Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”&lt;/p&gt;&lt;p&gt;Lincare claimed that it had not violated HIPAA because the PHI was “stolen” by the individual who discovered it on the premises previously shared with the Lincare employee.  
The ALJ rejected this argument, in agreement with OCR:  “[U]nder HIPAA, Respondent [Lincare] was obligated to take reasonable steps to protect its PHI from theft.”&lt;/p&gt;&lt;p&gt;The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at &lt;a href="http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html"&gt;http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Follow OCR on Twitter at &lt;a href="http://twitter.com/HHSOCR"&gt;http://twitter.com/HHSOCR&lt;/a&gt;.&lt;br/&gt; &lt;/p&gt;</description><link>https://microblog.staynings.com/post/138613923235</link><guid>https://microblog.staynings.com/post/138613923235</guid><pubDate>Wed, 03 Feb 2016 10:25:40 -0700</pubDate></item><item><title>Virus Debate Reaches the White House.  No, this isn’t another...</title><description>&lt;img src="https://64.media.tumblr.com/8b4bf564c6acac25aa26a5e874cf1ff1/tumblr_o1sjw2ZfSm1td43cxo1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Virus Debate Reaches the White House.  &lt;/p&gt;&lt;p&gt;No, this isn’t another cyber attack, this is a pathogen for a change!  Remember those?&lt;/p&gt;</description><link>https://microblog.staynings.com/post/138374227750</link><guid>https://microblog.staynings.com/post/138374227750</guid><pubDate>Sat, 30 Jan 2016 17:26:26 -0700</pubDate></item><item><title>Security bod watches heart data flow from her pacemaker to doctor via ... er, SMS? 3G? Email?</title><description>&lt;p&gt;&lt;a href="http://www.theregister.co.uk/2016/01/05/researcher_hacks_her_own_pacemaker/"&gt;http://www.theregister.co.uk/2016/01/05/researcher_hacks_her_own_pacemaker/&lt;/a&gt;&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/136684502435</link><guid>https://microblog.staynings.com/post/136684502435</guid><pubDate>Tue, 05 Jan 2016 09:47:43 -0700</pubDate></item><item><title>Attack of the health hackers</title><description>&lt;a href="http://www.staynings.com/pubs/Financial.Times.-.Attack.of.the.Health.Hackers.2015.12.22.pdf"&gt;Attack of the health hackers&lt;/a&gt;: &lt;p&gt;PDF of print article&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/135743674095</link><guid>https://microblog.staynings.com/post/135743674095</guid><pubDate>Tue, 22 Dec 2015 17:54:18 -0700</pubDate></item><item><title>Attack of the Health Hackers</title><description>&lt;h2&gt;&lt;b&gt;&lt;i&gt;Breach
of Anthem database, probably from China, is part of a 2015 wave of 100m hacked medical records&lt;/i&gt;&lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;&lt;i&gt;Financial Times, By Kara Scannell and Gina Chon, 21 December 2015&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Attrib: &lt;a href="http://www.ft.com/intl/cms/s/0/f3cbda3e-a027-11e5-8613-08e211ea5317.html#axzz3uzhPuwCi"&gt;http://www.ft.com/intl/cms/s/0/f3cbda3e-a027-11e5-8613-08e211ea5317.html#axzz3uzhPuwCi&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Last January an administrator at health insurer Anthem noticed an unusually complex query running on the computer network. It looked like a colleague was responsible, but a quick check revealed that it was coming from somewhere else.&lt;/p&gt;
&lt;p&gt;Minutes later, Anthem was in crisis mode. Investigators believe the hackers were from China and had been operating undetected inside the company’s network for months. They gained access by tricking the employee into clicking on a phishing email that was disguised to look like an internal message.&lt;/p&gt;
&lt;p&gt;Using the administrator’s credentials, hackers combed through Anthem’s database containing names, social security numbers and birth dates of over 78m people who have been enrolled in its insurance plans since 2004.&lt;/p&gt;
&lt;p&gt;Anthem’s breach sent a wave of panic through the healthcare industry. It exposed clients’ most sensitive and valuable personal information, and revealed just how unprepared the health industry was for threats from increasingly sophisticated cyber criminals — and from nation states.&lt;/p&gt;
&lt;p&gt;Hackers accessed over 100m health records — 100 times more than ever before last year. Eight of the 10 largest hacks into any type of healthcare provider happened this year, according to the US Department of Health and Human Services.&lt;/p&gt;
&lt;p&gt;Insurers scrambled to hire cyber security companies to scrub their systems. Premera Blue Cross, CareFirst BlueCross BlueShield, and Excellus Health Plan announced breaches affecting at least 22m individuals in total since March, including hacks that stretched back more than a year. Investigators told the FT that they believe some of the hacks are related and trace back to China.&lt;/p&gt;
&lt;p&gt;The insurers face multiple investigations from state insurance regulators and attorneys-general and some could face fines for failing to comply with state data privacy laws, while federal law enforcement agencies are investigating who is behind the hacks.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;“For a lot of them it is often less of a priority than it should be. Because their focus is often on many other things it creates a vulnerability that I think a lot of hackers have figured out,”&lt;/i&gt; said Deven McGraw, Deputy Director for Health Information Privacy at the HHS’s Office of Civil Rights. &lt;i&gt;“We’re seeing some pretty consistent areas of non-compliance across the board.”&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;The HHS is investigating the breaches and declined to comment on them specifically. Healthcare companies are required by privacy laws in numerous countries, including the US and UK, to protect personal data. Yet they have been inconsistent in maintaining basic security, say regulators.&lt;/p&gt;
&lt;p&gt;In the UK, there have been no reported hacks at the National Health Service, but it has been fined £1.3m by the Information Commissioner’s Office, which conducts audits on behalf of the government over data privacy. The fines are mostly for sloppiness: lost laptops, files left at a grocery shop and records abandoned at a bus stop.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;“The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern,”&lt;/i&gt; Christopher Graham, the Information Commissioner, said this year. ICO was granted new authority this year to conduct compulsory audits of NHS systems. &lt;i&gt;“Protecting the security of data across government and especially within the health system is a top priority,”&lt;/i&gt; an NHS spokesman said.&lt;/p&gt;
&lt;p&gt;As in the UK, US healthcare providers see a majority of their data breaches falling into the categories of lost laptops or improper access to systems by insiders. Yet as more information is maintained in electronic form — an idea pushed heavily by the US government to make health records more portable — cyber intrusions have grown.&lt;/p&gt;
&lt;p&gt;At some hospitals, the doctors who are often part of management have long resisted electronic measures that they thought could slow down or interfere with patient care. HHS’s Ms McGraw said this is a common excuse, but she said it is far more troubling that many companies don’t encrypt their data.&lt;/p&gt;
&lt;p&gt;The problem has been exacerbated by the hundreds of hospital mergers that have occurred over the past few years, often resulting in multiple IT systems in one hospital group. Cyber security is often overlooked as a priority.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;“It’s a very fragmented industry so there aren’t as many major players who drive the entire sector the way you’ve seen when it comes to financial services and cyber security,”&lt;/i&gt; said Bryan Palma, Senior Vice-President of Cisco’s Advanced Services in Cyber Security. &lt;i&gt;“That is not happening in healthcare.”&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;With healthcare profit margins under pressure, only about 3 per cent of the IT budget is earmarked for cyber security, according to experts. Too many aspects of patient care are shared on a single hospital network. That means hackers in search of patient data could also disrupt life-saving equipment such as respirators running on the same network.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;A new threat emerges&lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;The threat changed this year with the emergence of hacks that investigators say are connected to China.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;“We know of multiple threat groups operating out of China that have engaged in attacks in the healthcare industry,”&lt;/i&gt; said Charles Carmakal, an investigator with Mandiant, a cyber security company. Mandiant was hired by Anthem, Premera and others.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;“While we believe we know from an organisational perspective who they are, we can’t tell who tasked them to do it. The big question is: are they hackers for hire and were they asked by the Chinese government to do this?”&lt;/i&gt; said Mr Carmakal.&lt;/p&gt;
&lt;p&gt;The Chinese government has denied it was involved in the hacks. American investigators believe hackers in China targeted insurers in the US, including Anthem, to learn how medical coverage and insurer databases are set up, people familiar with the cases said. The records are also valuable for intelligence purposes. Addressing healthcare challenges has been a top priority of the Chinese government, which is facing an ageing and affluent population that is demanding better care.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;“China is very interested in anything that will help them with the illnesses they are dealing with and changes in their population,”&lt;/i&gt; said Dmitri Alperovitch, co-founder of CrowdStrike, who declined to talk specifically about the Anthem breach. &lt;i&gt;“For example, diabetes is a big problem in China so they have targeted companies in that space.”&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;China has promised to provide universal access to healthcare to all its citizens by 2020. Currently, China’s spending on healthcare per capita still lags far behind that of developed countries, and the healthcare system is riddled with corruption and kickbacks.&lt;/p&gt;
&lt;p&gt;The industry is also an attractive target for criminals who sell personal health data on the black market. Medical records are much more valuable than credit card numbers because their theft often takes longer to detect, so the data have a longer shelf life. Data such as social security numbers can be used in a range of schemes from tax refund fraud, insurance fraud or Medicare fraud.&lt;/p&gt;
&lt;p&gt;A credit card record can be bought for about $1 on the black market, but &lt;i&gt;“one person’s complete [medical] record I’ve seen anywhere between $200 and $2,000,”&lt;/i&gt; said Carl Leonard, an analyst for Raytheon Websense, a security company.&lt;/p&gt;
&lt;p&gt;The market is flooded with stolen credit card details, he said, so &lt;i&gt;“healthcare records attract the premium now”.&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Investigators do not believe information from the Anthem breach has been sold on black markets. However, other hackers have targeted victims of the Anthem attack with fake emails that appear to be from Anthem or offer credit protection. Those emails aim to steal data that could be sold to criminals, people familiar with the case say.&lt;/p&gt;
&lt;p&gt;Anthem plans to spend $130m over two years to better protect its networks from breaches. The company has assured regulators that it has strengthened its system, taking steps such as changing administrator passwords every 10 hours and hiring 55 cyber security experts.&lt;/p&gt;
&lt;h2&gt;&lt;b&gt;Bad ‘cyber hygiene’&lt;/b&gt;&lt;/h2&gt;
&lt;p&gt;The hackers’ tactics vary but in many of the health breaches they set up domain names that look similar to the websites operated by the insurance companies, which were set up before the hacks were detected.&lt;/p&gt;
&lt;p&gt;The fake sites often had one letter off from the authentic site or used the number
“1” in place of where the letter “l” should be in site names, according to
research done by cyber security companies ThreatConnect and Symantec.&lt;/p&gt;&lt;p&gt;For
Anthem, which was formerly known as WellPoint, the domain &lt;a href="http://we11point.com"&gt;www.we11point.com&lt;/a&gt; was set up. There was also &lt;a href="http://prennera.com"&gt;prennera.com&lt;/a&gt; for Premera, &lt;a href="http://empireb1ue.com/"&gt;EmpireB1ue.com&lt;/a&gt;
for Empire Blue and &lt;a href="http://caref1rst.com"&gt;caref1rst.com&lt;/a&gt; for CareFirst. All of these domain
names were traced to China.&lt;/p&gt;&lt;p&gt;When
the Anthem administrator discovered the hack on January 27, it was just as the
hackers were extracting a large file of patient data. The hackers are believed
to have been in the system for months, staying under the radar by running multiple
queries against the database to understand it before they began removing files,
a person familiar with the attack said.&lt;/p&gt;&lt;p&gt;The
hackers used a repeating pattern of extracting data and slightly altering the
query to avoid detection. They then removed the data and transferred it to an
encrypted share site, similar to a drop box. The hackers chose a share site
similar to one that Anthem already used, making detection tougher.&lt;/p&gt;&lt;p&gt;Anthem
has been faulted for not having the right “cyber hygiene” or protections in
place to minimise the risk of a hack or limit what information was vulnerable
if the network was infiltrated.&lt;/p&gt;&lt;p&gt;Citing
a report produced by Mandiant, a class-action lawsuit filed by dozens of
Americans enrolled in its health insurance plans alleges Anthem did not
implement a two-factor authentication, failed to require users to change their
password and allowed employees to access personal information that went beyond
the scope of their job.&lt;/p&gt;&lt;p&gt;Anthem
also allegedly ignored alerts — including one that lasted a month, according to
the lawsuit — and failed to implement systems that would monitor data usage or
extractions. The company now has two-factor authentication for its high-level
system administrators.&lt;/p&gt;&lt;p&gt;In a
September 2013 audit of Anthem, the US Office of Personnel Management’s
inspector general said the insurer had vulnerabilities that could provide a
“gateway for malicious virus and hacking activity.”&lt;/p&gt;&lt;p&gt;Anthem
could face fines and be required to take corrective measures.&lt;/p&gt;&lt;p&gt;Already,
the hack has cost Anthem about $230m in legal and consultant fees. Most of the
costs were covered by its cyber insurance policy. However, Thomas Zielinski,
Anthem’s general counsel, told insurance regulators in August that its cyber
insurance has become more expensive since the breach. Now Anthem is on the hook
for the initial $25m cost of any breach, and has purchased a policy offering
$100m in additional coverage.&lt;/p&gt;&lt;p&gt;&lt;i&gt;“The [Anthem] breach has raised
awareness,”&lt;/i&gt; Mr
Palma said. &lt;i&gt;“The healthcare industry is
saying, ‘This is real now. There is precedent in our industry.’ They are late
to the party but at least they are there now.”&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;br/&gt;&lt;/p&gt;&lt;h2&gt;&lt;b&gt;The
Anthem breach that affected almost 80m customers was a wake-up call to US
regulators.&lt;/b&gt;&lt;/h2&gt;&lt;blockquote&gt;&lt;p&gt;Health
insurers already had to meet cyber standards and are subject to federal health
reporting rules when there is a breach. But the vulnerabilities exposed in the
Anthem hack prompted regulators to question whether current cyber security
standards are up to the job of protecting against today’s hackers.&lt;/p&gt;&lt;p&gt;The
National Association of Insurance Commissioners is updating the cyber standards
insurers have to meet and also set up a consumer bill of rights for breach
situations in October.&lt;/p&gt;&lt;p&gt;“Do
we need to increase what they [insurers] do no matter who is behind it?” said
Connecticut state insurance commissioner Katharine Wade. “It’s constantly
evolving and you could have the best systems in the world but still have a
breach. So we have to take a balanced approach.”&lt;/p&gt;&lt;p&gt;Just
a few months before the Anthem breach was reported, the NAIC created a cyber
security task force in November 2014. The NAIC has also been meeting with
representatives from Anthem, Premera and CareFirst to get updates on their
hacks and remediation efforts.&lt;/p&gt;&lt;p&gt;Other
states are also looking to step up their standards. In Indiana, where Anthem is
based, attorney-general Greg Zoeller said he has advocated legislation that
would require companies that collect data to meet safer storage standards,
including deleting files that are no longer needed for business purposes.&lt;/p&gt;&lt;p&gt;In New York, state attorney-general Eric
Schneiderman plans to push a bill next year that would broaden the definition
of “private information” that companies will be required to report in case of a
breach. This would include medical and biometric information and health
insurance details.
&lt;/p&gt;&lt;/blockquote&gt;</description><link>https://microblog.staynings.com/post/135743550030</link><guid>https://microblog.staynings.com/post/135743550030</guid><pubDate>Tue, 22 Dec 2015 17:51:56 -0700</pubDate></item><item><title>The Security of Medical Devices</title><description>&lt;p&gt;&lt;i&gt;&lt;b&gt;Republished here because this is very solid advice!&lt;/b&gt;&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;i&gt;[Written and first blogged by John D. Halamka, MD, MS, who is CIO of Beth Israel Deaconess Medical Center,
 Chairman of the New England Healthcare Exchange Network and Co-Chair of
 the HIT Standards Committee.  &lt;a href="http://geekdoctor.blogspot.mx/2015/08/the-security-of-medical-devices.html"&gt;http://geekdoctor.blogspot.mx/2015/08/the-security-of-medical-devices.html&lt;/a&gt; ]&lt;/i&gt;&lt;br/&gt;&lt;/p&gt;&lt;p&gt;&lt;br/&gt;&lt;/p&gt;&lt;p&gt;Last week the U.S. Food and Drug Administration advised hospitals not to
use Hospira’s Symbiq infusion system, concluding that a security 
vulnerability enables hackers to take remote control of the system. The 
agency issued the advisory some 10 days after the U.S. Department of 
Homeland Security warned of the vulnerability in the pump.&lt;br/&gt;&lt;br/&gt;&lt;a href="http://abcnews.go.com/WNT/video/fda-warns-commonly-medical-device-hacked-32829030"&gt;My view is that this will be the first of many advisories &lt;/a&gt;&lt;br/&gt;&lt;br/&gt;
For years, manufacturers of medical devices depended on the “kindness of
 strangers,” assuming that devices would never be targeted by bad actors. EKG machines, IV pumps, and radiology workstations are all 
computers, often running un-patched old operating systems, ancient Java 
virtual machines, and old web servers that no one should currently have 
deployed in production.   &lt;br/&gt;&lt;br/&gt;
In the short term, hospitals must do their best to isolate medical 
devices from the internet and from other computing devices that could 
infect them. At BIDMC, we have three wireless networks:&lt;br/&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;
A guest network for patients and families&lt;/li&gt;&lt;li&gt;
A secure network for clinicians and staff&lt;/li&gt;&lt;li&gt;
A device network for medical devices that is not connected to the Internet or the other two networks.&lt;br/&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
Further, we use firewalls around medical devices to prevent them from communicating to outside parties.&lt;br/&gt;&lt;br/&gt;
Over the past few years, I’ve asked medical device manufacturers to give
 me a precise map of the network ports and protocols used by their 
devices so that I can build a “pinpoint” firewall - only allowing the 
minimum necessary transactions from/to the device. Many manufacturers 
do not seem to know the minimum necessary communication requirements for
 their products.&lt;br/&gt;&lt;br/&gt;
A few years ago, BIDMC had a reportable breach when a medical device 
manufacturer removed our hospital provided security protections in order
 to update a device from the internet. It took about 30 seconds for the
 unprotected device to become infected and transmit data over the 
internet. The Office of Civil Rights adjudicated that it was the 
manufacturer, not BIDMC, which was responsible for the breach. We were
 advised to follow any visiting manufacturer reps around the hospital to
 ensure that they do not remove hospital provided security protections 
in the future.&lt;br/&gt;&lt;br/&gt;
Some manufacturers have claimed that adding operating system patches, 
intrusion detection/prevention and other cybersecurity defenses will 
require them to re-certify their devices with the FDA.&lt;br/&gt;&lt;br/&gt;
That is simply not true. The FDA has issued guidance declaring it the 
responsibility of the manufacturers to secure their devices. No 
re-certification will ever be needed for adding new protections.&lt;br/&gt;&lt;br/&gt;
In the short term, CIOs need to build “zero day” defenses, creating an 
electronic fence around vulnerable devices. In the medium term, 
manufacturers must update their products. In the long term, medical 
devices must be designed from the ground up with security as a 
foundational component.&lt;br/&gt;&lt;br/&gt;
Whenever I write about a topic, I avoid hyperbole. In this case, the 
threat is real, I have experienced it myself, and CIOs must act.&lt;br/&gt;&lt;br/&gt;
My advice, after securing your own perimeter: get the CTOs of your 
medical devices on the phone and ask them for their security roadmap. If they do not have one, plan to change your vendor.  We’re already 
doing that with some devices because attention to this issue by some 
manufacturers has been insufficient.&lt;br/&gt;&lt;/p&gt;</description><link>https://microblog.staynings.com/post/126476398170</link><guid>https://microblog.staynings.com/post/126476398170</guid><pubDate>Tue, 11 Aug 2015 21:04:43 -0600</pubDate><category>cybersecurity</category><category>healthcare security</category><category>medical devices</category><category>information security</category></item><item><title>US Victims of Chinese Cyber Espionage over the past five years!</title><description>&lt;img src="https://64.media.tumblr.com/cad2d32ee625300ff3e3ee1748a72d2a/tumblr_nskw5zZ6sL1td43cxo1_500.png"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;US Victims of Chinese Cyber Espionage over the past five years!&lt;/p&gt;</description><link>https://microblog.staynings.com/post/125875820520</link><guid>https://microblog.staynings.com/post/125875820520</guid><pubDate>Tue, 04 Aug 2015 16:08:23 -0600</pubDate><category>cybersecurity</category><category>cyberattack</category><category>information security</category></item><item><title>If Google was a Guy</title><description>&lt;a href="https://www.youtube.com/watch?v=YuOBzWF0Aws"&gt;If Google was a Guy&lt;/a&gt;</description><link>https://microblog.staynings.com/post/125537889155</link><guid>https://microblog.staynings.com/post/125537889155</guid><pubDate>Fri, 31 Jul 2015 14:11:45 -0600</pubDate></item><item><title>Photo</title><description>&lt;img src="https://64.media.tumblr.com/2873a6c2dec7d6c9b5cf1c8db4882fe2/tumblr_nsdavvr2Ue1td43cxo1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;</description><link>https://microblog.staynings.com/post/125536161660</link><guid>https://microblog.staynings.com/post/125536161660</guid><pubDate>Fri, 31 Jul 2015 13:45:31 -0600</pubDate></item><item><title>Email in Real Life</title><description>&lt;a href="https://youtu.be/HTgYHHKs0Zw"&gt;Email in Real 
Life&lt;/a&gt;</description><link>https://microblog.staynings.com/post/120712897195</link><guid>https://microblog.staynings.com/post/120712897195</guid><pubDate>Thu, 04 Jun 2015 13:13:14 -0600</pubDate></item></channel></rss>
