Thursday, May 23, 2019

Healthcare needs to adopt zero trust strategy and software-defined perimeters


Brigadier General Gregory Touhill (ret.)
Brigadier General Gregory J. Touhill (ret.), CISSP, CISM, serves as President of Cyxtera Federal Group, which offers data center services and cybersecurity capabilities to federal agencies and departments. Prior to retiring, Brigadier General Touhill served as a U.S. Air Force officer and combat veteran in several commands around the world including U.S. Transportation, Central, and Strategic Commands, and led the creation of the Air Force’s cyberspace operations training programs. He was appointed by President Barack Obama as the nation’s first ever Federal Chief Information Security Officer in 2016, where he was responsible for ensuring that the proper set of digital security policies, strategies and practices were adopted across all government agencies. He is a sought-after speaker and author within the information technology industry, where he is best-known for his “Cybersecurity for Executives: A Practical Guide,” which is used widely at colleges and universities across the country. He is also a faculty member at Carnegie Mellon University’s Heinz College, where he teaches Cyber Risk Management. PARCA eNews spoke with him about cyberthreats to healthcare.

Q. The Office of Civil Rights statistics show that healthcare breaches have been steadily increasing over the past 10 years and over the past five years the types of breaches have shifted from data loss and theft to hacking and IT incidents. Where are the main threats to healthcare data coming from now and into the future?

A. I put them in a couple of categories.

The first threat that I think is really significant is careless, negligent, or indifferent employees. I believe nearly every business in the Western world and certainly here in the United States has become intrinsically reliant on information technology in order to do their jobs. IT fuels so much speed, velocity and precision in business so, as a result, we've been digitizing everything. I don't think you can have privacy without security or security without privacy.

With the risk exposure that's out there in an increasingly complex ecosystem with different devices, even the slightest mistake can expose a significant amount of information. In the healthcare sector, that can be extremely sensitive private information. So that's the first threat factor: careless, negligent, and indifferent employees who inadvertently expose data because they don't properly patch and configure; they don't keep things properly up to snuff.

The second risk that is profound in the healthcare sector is not keeping software and hardware and the essential backbone elements of the ecosystem up-to-date. There are a lot of contributing factors to that as we've certainly seen with the ransomware attacks that took out the National Health Service in Britain. They were still using Windows 95. There’s a bill to pay when you don't invest in keeping things current. I think that's a cultural thing as much as anything because, as a lot of folks say, “Hey, I bought this car and it still works, so we will use it until we can't drive it anymore.” Well, do I really feel safe with a 1965 Corvair? Lee Iacocca had a really good quote about the Mustang (he was the brains behind the team of the Mustang). When asked whether he would rather have a classic 1965 Mustang or a brand-new 1995 Mustang, he said, “Oh, I'd much rather have the 1995 one because I know the brakes will work.” When it comes to your cyber ecosystem, you can buy down your risk by making sure that you are in fact driving a safe and modern infrastructure.

The third risk that gets all the press is the criminal and nation-state actors out there that are constantly on the hunt for information. In the healthcare sector, I view the Chinese Five-Year Plan that said, “Hey, we have a couple billion people and one of our goals is to build a great healthcare system to help support the Chinese people,” as kind of a warning and, as a cybersecurity professional, as a roadmap for the Chinese, who have been known to be active in cyber espionage. I view this plan as meaning that they're coming after the healthcare system, and we've certainly seen that with some pretty profound breaches in the healthcare system network of hospitals and managed healthcare providers and other parts of that ecosystem.

Q. What are they after? The technology or the information? What are they trying to do?

A. I think they're slurping up everything and then they parse it out. But I think the key targets are not necessarily personal data, although I can't rule it out because personal data has value, but I think the number one thing is intellectual property. They want to know about things like new pharma medications. If they can go out and find the secret formulation of this new drug (like finding the Colonel's secret recipe, or that of Frosted Flakes), they can reduce their expenses over time to go out and develop new drugs, for example. That’s an example of intellectual property theft in the pharma realm.

If we take a look at medical technology such as imaging or infusion pumps, or diagnostic devices and the like, we're seeing some evidence through government analysis as well as my company Cyxtera, that medical technology is a target. At Cyxtera we have the Cyber Threat Intelligence and Analysis unit. We see evidence that points towards malicious actors trying to gain access to information and discover how to reverse-engineer the plans for such things as high-tech medical devices so that they can go and take those plans and manufacture their own or take those plans and improve upon them. It's kind of like finding the plans to the Death Star and finding the notorious 6-meter port vulnerability, patching it and then going out selling a new product that is new and improved or hold it in reserve. If you know where that port is, maybe on a rainy day you can go in there, attack it or leverage it for something else.

And then the last thing we're seeing, and this is predominately with criminal groups, is attempting to get into healthcare networks and compromise things like active devices, printers, medical devices that are connected to the networks, and use them as launching points for other attacks either inside that medical or healthcare provider, or use it as a launching point from the healthcare provider to attack somebody else. That's particularly pernicious.

Q. Do you see the nation-state threat as a growing threat for healthcare organizations, or is it coming more from the criminal sector?

A. I think the lines are blurring, and to be perfectly honest, I see them both as potent threats that we need to be aware of and be wary. I say both because, having spent 35 plus years in the military and government service, I'll tell you that government service does not generally pay as well as the private sector. In some countries out there where you may have a cyber person in the military of country A, B or C, they may not get their pay every two weeks like we do in the US Military and they may not get paid as much as a cyber professional in the US military forces, or one of our allies. They want to take good care of their families and want to have a good salary. So, they could take those cyber skills that they're using during their day job and instead of driving an Uber or Lyft for a side hustle, they align themselves with a criminal group that is going to pay for that specific skill set. They go out and basically, they're moonlighting as cyber criminals in addition to being nation state actors during their day jobs.

I'm seeing some evidence that points to that as a threat vector that we need to be wary of because it makes it very difficult for intelligence and law enforcement authorities to make direct attribution. When this person, a private in country C’s military, was attacking business X in the United States or elsewhere, were they acting under the orders of their government or were they acting in their side hustle as a cybercriminal? It makes attribution very difficult, and that is something that continues to be popping up on my screen.

Q. Speaking to the vulnerability of healthcare organizations, we're trying to make healthcare seamless wherever you go for treatment so that your doctor or your specialist is able to access your medical records, and that's increasing the number of sources for accessing your records. At the same time, we're pursuing enterprise imaging as an example where the number of input devices is growing. Doctors are even starting to upload pictures of scars or lesions from their cell phones for example. All of these seem to be increasing the vulnerability of healthcare organizations. Is healthcare cybersecurity keeping up with growing field of vulnerabilities? What do you see as the threat there?

A. Frankly it is increasing the risk exposure landscape astronomically. I'm very concerned about it. Given that cited environment and the efforts that are under way for the most noble of causes, I as an individual have now lost control over my privacy on my health records and that's a great concern for me and it should be a concern for every American. Now we do not know who else has had access to our records and how often they're being viewed.

Moreover, if an area where your sensitive medical data gets punctured, somebody now has access to that information without your permission. You have no means of controlling the access of your sensitive medical information and are reliant on people whom you don’t know to protect that information. I think that it is fraught with peril at this point. Regarding universal electronic health records, I'm reminded of my time in third grade with Sister Lauren Mary who said just because you can doesn't mean you should.

Q. What kinds of things should we be doing to match our security with the growing vulnerability?

A. Well, frankly, I think it's very difficult to put the genie back in the bottle. I don't believe that the American people really understand all the risks that come with how electronic healthcare records are being implemented. And once again, while the intent is quite noble to try to improve the standard and quality of care, from a privacy and security standpoint there are some great risks that have been accepted along the way. Walking back from that would almost take a reboot in some areas on how we deal with electronic records that are associated with patient health identity.

Q. Cybersecurity seems to be very much a case of being only as secure as the weakest link. If that is the case, how do you control the cyber security precautions that your vendors and other folks that you're dealing with are taking?

A. That’s an excellent question. I agree with your statement that you're only as good as your weakest link. I believe that the traditional perimeter is dead. With the traditional perimeter, we said, “Hey, I'm running my network and I've got total control of my firewalls as my boundary. I've got control of the inside and I keep the hordes of criminals and nation-state actors and malicious actors outside my gates.” That's been shattered with the prevalence of cloud computing, with mobile devices, putting your stuff in co-located data centers, etc. The traditional perimeter is dead.

The perimeter now is really the person and it's not even the device because, I don't know about you, but I use multiple devices throughout the day at different venues throughout the day. As a result, the traditional model doesn’t work anymore. It really is an identity-centric world.

So I think as we take a look forward, I have been one of the folks that has embraced the zero trust strategy where I'm not going to connect and authenticate in the traditional TCP/IP manner. I want to authenticate and connect only to what the user is authorized to see, and I want to log everything so nobody should be able to see any information, particularly in the healthcare system, unless they are properly authenticated as having a need to know. Then further, using zero trust and technologies such as software-defined perimeter technologies, when they are connected, they should only be connected to the information they need in order to execute the tasks that they have. The rest of the network should be completely invisible. I think that will help lower the risk exposure considerably, and if we implement these types of technologies and the strategic approach of zero trust, then we can better manage our risk to a more acceptable level than what we have now, which I'm very uncomfortable with.

Q. Is that being done at any of the healthcare organizations your company works with?

A. Yes, as a matter of fact it is. We have one partner who is a major provider in South Florida, which has several lines of business. As a major hospital chain, they have patient care; they have pharmacy; they have radiology; they have inpatient and outpatient services. They have all different lines of business and, oh, by the way, they have lots of data too. They are in Azure; they also are in AWS or in Google Cloud, and they’re co-located. They have a hybrid enterprise.

They're using Cyxtera’s capabilities to implement a software-defined perimeter and micro-segmentation. That provides them an identity-centric approach to security that uses multi-factor authentication and role-based access controls to establish that you are indeed “Dr. X.” After the system establishes your identity as Dr. X, it looks to see whether you're associated with this particular function and this particular practice and can even check, through an API call to the ticketing or scheduling system, whether the doctor has Greg as a patient. If all checks as correct, Dr. X is granted access to Greg's healthcare record and any requirements associated with that. You can even check to see whether Greg had some other information, such as a referral for imaging, so you can go and see that particular image that was referred to. However, if Dr. X is not Greg’s authorized provider, the system will not permit the doctor to view any of Greg’s records and can be configured to alert the Security Incident and Event Management system of an unauthorized attempt to access Greg’s records.

That is the kind of granularity that is needed as we're seeing more and more of the larger healthcare enterprises starting to implement software defined perimeters and micro-segmentation. For some of the smaller organizations and the private practice primary care physicians, they're usually going out to a managed service provider who may or may not be leveraging this technology but should.
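The access decision described in the answer above (MFA, then role, then a scheduling-system check that the physician is actually this patient's provider, then referral-scoped access to imaging, with denials logged and alerted to the SIEM), written out as an added illustration by the editor. This is not code from the interview and not Cyxtera's software-defined perimeter product; the MFA flag, the RBAC table, the in-memory scheduling/referral table and the two sinks (audit log, SIEM alerts) are constructed stand-ins for the identity provider, RBAC store, scheduling API and SIEM a real deployment would call.

```python
"""Zero-trust access decision for a patient-record request.

Added illustration, not code from the interview or from Cyxtera. The MFA
flag, the RBAC table, the in-memory scheduling/referral table and the two
sinks (audit log, SIEM alerts) are constructed stand-ins for the real
identity provider, RBAC store, scheduling API and SIEM a deployment would
call.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str           # authenticated principal ("dr_x")
    mfa_verified: bool  # second factor completed for this session
    patient: str        # owner of the record being requested ("greg")
    resource: str       # "record", or a referred-for item such as "imaging"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed RBAC store: user -> (role, practice). Assumed data, not real.
RBAC_ROLES: Dict[str, Tuple[str, str]] = {
    "dr_x": ("physician", "cardiology"),
    "dr_y": ("physician", "orthopedics"),
    "reception": ("scheduler", "front_desk"),
}

# Constructed stand-in for the scheduling/referral API:
# (provider, patient) -> the practice the relationship lives in and the
# items the patient has been referred for. Assumed data, not real.
SCHEDULING: Dict[Tuple[str, str], dict] = {
    ("dr_x", "greg"): {"practice": "cardiology", "referrals": {"imaging"}},
}

AUDIT_LOG: List[dict] = []    # every decision, allowed or not ("log everything")
SIEM_ALERTS: List[dict] = []  # denials that look like an unauthorized attempt


def _decide(req: AccessRequest, allowed: bool, reason: str,
            alert: bool = False) -> Decision:
    """Record the outcome, raise a SIEM alert if asked, return the decision."""
    entry = {"user": req.user, "patient": req.patient,
             "resource": req.resource, "allowed": allowed, "reason": reason}
    AUDIT_LOG.append(entry)
    if alert:
        SIEM_ALERTS.append(entry)
    return Decision(allowed, reason)


def authorize(req: AccessRequest) -> Decision:
    """Default deny: each gate must pass before the record becomes visible."""
    # Gate 1, identity: without the second factor there is no session at all.
    if not req.mfa_verified:
        return _decide(req, False, "mfa_not_satisfied", alert=True)

    # Gate 2, role: only a physician may open clinical records.
    role_practice = RBAC_ROLES.get(req.user)
    if role_practice is None or role_practice[0] != "physician":
        return _decide(req, False, "role_not_permitted", alert=True)
    _, practice = role_practice

    # Gate 3, relationship: is this physician this patient's provider, in
    # the practice the session is bound to? A real system asks the
    # scheduling API here; we consult the constructed table.
    rel = SCHEDULING.get((req.user, req.patient))
    if rel is None or rel["practice"] != practice:
        return _decide(req, False, "no_provider_relationship", alert=True)

    # Gate 4, scope: the base record is in scope; anything else (an imaging
    # study, for example) needs a matching referral. A provider of record
    # asking for an item without a referral is logged but not alerted.
    if req.resource != "record" and req.resource not in rel["referrals"]:
        return _decide(req, False, "no_referral_for_resource")

    return _decide(req, True, "provider_of_record")


if __name__ == "__main__":
    for r in (AccessRequest("dr_x", True, "greg", "record"),
              AccessRequest("dr_x", True, "greg", "imaging"),
              AccessRequest("dr_y", True, "greg", "record"),
              AccessRequest("reception", True, "greg", "record")):
        print(r.user, r.resource, authorize(r))
    print("alerts raised:", len(SIEM_ALERTS))
```

The point the gates make is that authentication alone (gate 1) decides nothing: a fully authenticated physician from another practice still gets no record and does trip an alert, because the relationship check, not the login, is what grants visibility. Which denials page the SOC is a policy choice; here only requests from outside the care team do, so that a provider of record who simply lacks a referral shows up in the audit log without generating alert noise.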

Q. It sounds like there needs to be some education going on as to what really is needed to be secure. Are healthcare professionals, even in the C-suite, up to speed on what's actually needed?

A. I've spoken at the HiMSS conference. I've spoken at the Healthcare ISAC, and I even wrote a book, Cybersecurity for Executives: A Practical Guide. I, as well as others, have been trying our best to get the message out that with information technology being an intrinsic part of every part of our society, including the healthcare sector, we all need to be very sensitive not only to protect our patients and our clients, but ourselves, and to be extremely wary of the risks that are out there.

We should not be thinking about technology alone; we need to be thinking about the overall risk. Cybersecurity is a risk issue that involves people, processes and technology. I think most mature organizations are making sure that they're educating employees at all echelons from the board of directors all the way down to the new employees and continually exercising and making sure that they're certainly aware of what their responsibilities are as well as what those risks are.

Q. I want to go back to your software-defined perimeter technology. How do you authenticate first?

A. There is a very good video on YouTube that explains it. Google a guy named Jason Garbis and there's a white paper and a video by Jason who was vice president of the Cloud Security Alliance and we ended up bringing him into Cyxtera. I like the video. I think it gives a good overview on how a software-defined perimeter works. At the end of the day, it's all about the data. That's the way I look at it and when it comes to the healthcare sector, boy that is pretty rich data.

I remember talking at a HITRUST conference where I got some questions from some physicians who were there and had graduated to management roles. They asked, ‘Why do I need to be concerned about protecting this health care data as opposed to PCI DSS credit card info?’ I said, ‘I can go and buy a bunch of credit cards, say a hundred credit cards for a hundred bucks, out on the internet, but if my credit card gets compromised, I call Cap One, USAA, JP Morgan, etc. and that credit card is killed in a second and a new one is issued with a new discrete number.

If my healthcare record is compromised, it’s not like I'm going to get a new life. Once that's gone. It's gone. That's an intrinsic part of my humanity and the value of the healthcare record on the black market is astronomically higher than what you can get for a credit card. It's big business for the criminals, so I want to protect my healthcare record because it is so much more valuable.’

I can do so much more with the healthcare record than what I can do with a stolen credit card and the doctors were going, ‘holy crap what do you mean?’ I replied that I can take that healthcare record and it’s going to tell me when I was born, where I was born, it tells me my height, weight, my eye color. Typically, I'm also harvesting the healthcare record of next of kin. I know all the addresses; I'm given a basic treasure trove right off the bat but then I'm also offering up all sorts of health information as to what kinds of conditions I have. Do I have any afflictions? Do I take any medications? There are so many different criminal aspects I can use and spin-off of the healthcare record. As a result, healthcare records are very valuable compared to credit card theft and that's kiddie stuff compared to a healthcare record.

Q. At your HiMSS talk you talked about artificial intelligence as a coveted healthcare attack surface. What do you mean by that?

A. What I was referring to (at HiMSS) is that all the different devices that are on a medical network present a huge cyber-attack surface. For example, I have an MRI device that can connect to the network that transmits images from the actual MRI machine into a storage location where the image can be called up by any physician that has access to it.

That's another device on the network that wasn't designed to have cyber protections per se and, oh by the way, it's got more than one computer on board. Now, medical devices are connected to the network, so to the cyber operator that's just one more potential attack location on the cyber landscape where I can get a toehold that will allow me to go somewhere else in the network. It’s the same thing with printers. Most printers that you get out of the box aren't patched. You put them on your network and most people don't configure them and keep them up-to-date. Many cyber operators and criminals are looking for printers right off the bat because they're so easy to pluck.

When I was director at the National Cybersecurity and Communications Integration Center, one of my subordinate units was the Industrial Control System Cyber Emergency Response Team (ICS-CERT). ICS-CERT published a report on infusion pumps for diabetics and the cyber vulnerabilities discovered in the devices. They get connected to the network as well, and boom. I can infect them. The worst I can do is kill a patient because I can monkey with the drip or the infusion of different medicines. Your risk exposure is beyond just the traditional industrial control systems and the information technology servers that are out there. My intent (at HiMSS) was to discuss those added risks. If you want to talk about AI, that’s a whole new ball of wax.

Q. It is one of the hottest topics in healthcare right now. In terms of cybersecurity, is AI just adding another layer of risk, or is it that cybercriminals can use AI to become more efficient?

A. Both. Artificial intelligence and machine learning can be very valuable. But we need to go into it with our eyes wide open as to what the risks are. At this point, given the state of the art, do I really want to trust the computer as my sole source of information before making a decision on a treatment option, or diagnostic option or what not? I don’t think so. Certainly, AI can aid and assist. A lot of folks are using the term artificial intelligence. I think a more appropriate label should be augmented intelligence.

The decisions still should remain with the human as opposed to with the computer.

Now there are people in marketing and sales who are saying, ‘Well, this stuff is so good, it can speed decision-making and make the decision for you.’

That sounds alarm bells with me and not just because I've met Governor Schwarzenegger and I'm afraid of Skynet. I think that yeah, computers as tools and being able to help physicians and diagnosticians and researchers collate and make sense out of vast amounts of data is a good thing, but at the end of the day, we need to take a look at it where the human needs to make the decision and we also have to recognize that bad data in will always produce bad data out.

Q. What steps do you recommend PACS administrators take to anticipate and evaluate these future threats of AI or augmented intelligence?

A. Specialists who are keeping an eye out and working in IT and cyber environments within the healthcare sector really need to do a couple of things to invest in making sure that they can help buy down their risk.

First is participate in information sharing organizations. I previously mentioned the Sector Coordinating Council, the Information Sharing and Analysis Center (ISAC), or other public information sharing organizations such as HITRUST and HiMSS. They all are great investments in understanding best practices, the state of the environment and the like. I strongly encourage that participation.

Second of all, I do think that there's great value in certifications and continuing professional education. There are several cybersecurity certifications that are offered by organizations such as ISACA (Information Systems Audit and Control Association) as well as organizations specifically attuned to help healthcare partners make sure that they are exercising best practices in cybersecurity. I think those are good investments.

If I were in the healthcare business myself, I would not hire anybody who would be touching my network who didn't have the proper certification and credentials. I view it as pretty similar to having a board-certified physician. I wouldn't want anybody but a board-certified physician to conduct an operation on my child and by the same token I wouldn't want anybody but a certified IT or cyber professional touching my information.

The third thing is this: I would invest in education for staff, which includes my physicians, my administrators, and all healthcare providers. I would invest in their education so they understand cybersecurity is a risk management issue, so that they understand what their roles are, who's managing that risk, and that information has value and they are the custodians at all levels of some very highly sensitive and highly important and valued information. Most folks in the medical professions and the healthcare professions that I've dealt with don't necessarily view themselves as being on the cybersecurity front lines and the fact of the matter is, they are.

As we look forward it's a great value to invest in education to make sure that everybody knows what their role is to protect information, what the consequences of not doing so are, and then further to exercise those best practices through such things as cyber drills and exercises.

Chuck Noll used to be the coach of the Pittsburgh Steelers and won four Super Bowls. He talked about becoming a champion. Noll said champions are made up of ordinary people doing ordinary things in extraordinary ways every day. I think if you want to have a championship organization in the healthcare sector, you have to do the ordinary cyber things in an extraordinary way every day and that comes with practice.

I think those three things that I outlined, culminating with continuous investment in training and education, will pay great dividends.

Q. Going back to the thing you said about certifications, which is what PARCA does, it sounds like you would be advocating that PACS administrators also be able to get a certification in cybersecurity.

A. Sure. Adding a PARCA certificate in information security would be significant. I am a CISSP (Certified Information Systems Security Professional). I also have my Certified Information Security Manager credential. The first is from ISC2 and the second from ISACA. So, yeah, I put my money where my mouth is. I do my continuing professional education credits every year. I'm always doing my best to keep up, but I'll also tell you, anybody who says they're an expert isn't; we're just highly skilled practitioners who are continually learning.
