Nick Hunter, senior manager of threat intelligence at cyber security company Venafi, discusses what systems need to be put in place if cyber security is to be made a priority in healthcare.
Technology is changing the healthcare landscape for the better, from providing immediate access to medical records, to sensors that can track a patient’s vitals, to new devices that deliver medical interventions. Yet while there is much to be gained for patients, doctors, and the industry more widely, the potential consequences of technology failures and the risk of security breaches involving healthcare devices are greater than ever before. Just look at the 2017 WannaCry attack, which resulted in an estimated 19,000 appointments being cancelled and disruption to over a third (34%) of NHS trusts across England. With the increasing use of med-tech and health-tech devices, the industry needs to ensure it is adequately protecting its systems and devices. Although many healthcare organisations recognise this need and put safeguards in place to protect data and control user access, one growing area is being forgotten: machine identity management. As the number of internet-enabled devices continues to grow, healthcare organisations need to wake up to this problem.
Raining on healthcare’s parade
The healthcare industry is typically seen as slow to adopt technological advances. However, new ways for healthcare organisations to track patient vitals through a range of devices, including wearables and fitness trackers, are increasingly becoming mainstream. Such devices are also making it possible to provide interventions outside of a hospital environment, for example using pacemakers to regulate the heart. As a result, these machines transmit highly sensitive data on an ongoing basis, data that could be extremely damaging if intercepted, misused or in some way tampered with.
We have already seen the damage that can be caused when these devices are compromised: St Jude Medical is currently facing lawsuits after its implantable cardiac defibrillators and pacemakers were found to be vulnerable to hacking. Imagine if one of these machines were hijacked for nefarious purposes; an attacker could remotely stop someone’s heart. A lack of adequate cybersecurity is a danger for any company, but in the healthcare industry the repercussions could be far more serious. Giving hackers the keys to sensitive medical data or life-saving devices could lead not only to reputational damage if something goes wrong, but potentially to illness, injury, or even death in extreme cases.
A false sense of (cyber) security
Recent research has shown that 79% of healthcare professionals are concerned about the cyber security of their own healthcare information. The new wave of technologies, while offering obvious benefits to patients and healthcare professionals, is also introducing fresh risks and adding to the complexity of managing cyber risk in healthcare, a complexity that goes beyond the ‘human problem’ and into the machine domain.
Firstly, most of these devices connect to the cloud regularly: for software updates, to receive information from applications, and to share data that can be used by the device manufacturer and medical staff. Additionally, many medical devices are issued with very basic security protocols, such as using the manufacturer’s default logins to connect to other systems, either in the cloud or via an internet connection. To do this, these machines need to be able to communicate with one another and transmit data securely. This is why machines need to have their own ‘identity’: a unique cryptographic key or digital certificate that verifies that a computer, application or, in this case, device is what it says it is and that it can be trusted. These machine identities allow machines to talk to one another privately, through encrypted channels, ensuring that nobody is listening or sending unauthorised instructions. But what happens if one of these identities is stolen or forged?
Checking the vitals of healthcare technology
In much the same way that finding out someone’s password would allow access to the system they use those login details for, having control of a machine identity would allow a hacker to send instructions, move data and cause disruption while appearing as a trusted machine. As machine identities are a sign of trust to other machines, any instructions given by the compromised device are likely to be followed without query. With medical devices, this could be an instruction to escalate the privileges a user has to access data, or it could mean remotely turning off a device like a pacemaker, a potentially fatal situation. As many businesses have systems which are interconnected, a hacker having access to one machine identity can potentially allow access to a range of systems and data. It’s frightening to think that one stolen machine identity could be used to access all the medical data an organisation holds.
However, despite its importance, the need to protect machine identities is often overlooked, meaning they are frequently inadequately secured and managed. Tracking and monitoring these machine identities is the vital next step to ensure any compromised device can be identified and the issue resolved. Healthcare providers need the ability to identify, revoke and replace machine identities to ensure a device cannot be used maliciously. Unless these machine identities are tracked, updating and replacing them becomes a far more arduous task for healthcare organisations.
Getting the all clear for health-tech’s security
Often, the easiest way to ensure this is done is to automate the discovery and management of machine identities. Healthcare organisations can then be confident that they are adequately protecting their patients from the risk of medical devices being compromised through their machine identities.
As we continue to see improvements to healthcare technology, the industry is becoming ever more data-driven and reliant on technology and new devices to monitor the health of an ageing population. Healthcare organisations need to act now to implement a cybersecurity policy that protects their patients by securing machine identities, protecting patients’ privacy and their safety.
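As an added illustration of the lifecycle the last two sections describe (a machine identity as a certificate, an inventory of those identities, and the ability to identify, revoke and replace any that are compromised or lapsing), the Go program below is example code written for this page; it is not Venafi’s software or any product’s API. It uses only Go’s standard crypto/x509 library to build a constructed in-memory device CA, issue short-lived device certificates, publish a signed certificate revocation list (CRL), and audit an inventory, flagging identities that are revoked, expired, due for rotation, or forged under a CA the organisation never trusted. The ‘Hospital Device CA’, the ‘Rogue CA’ and every device name are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer is a constructed in-memory CA standing in for the authority that mints a
// hospital's device identities; it is example code, not any product's API.
type Issuer struct {
	Cert   *x509.Certificate
	Key    *ecdsa.PrivateKey
	nextSN int64
}

// sign issues tmpl under parent over a fresh P-256 key (nil signer = self-signed) and returns both.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if signer == nil { signer = key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// NewIssuer creates a self-signed CA permitted to sign certificates and CRLs.
func NewIssuer(name string, now time.Time) *Issuer {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	cert, key := sign(tmpl, tmpl, nil)
	return &Issuer{Cert: cert, Key: key, nextSN: 2}
}

// Issue mints a device identity (client-auth certificate); a short lifetime limits how long a stolen one stays useful.
func (iss *Issuer) Issue(device string, now time.Time, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(iss.nextSN), Subject: pkix.Name{CommonName: device},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	iss.nextSN++
	cert, _ := sign(tmpl, iss.Cert, iss.Key) // the device keeps its private key; the inventory needs only the cert
	return cert
}

// CRL publishes a signed revocation list naming the given certificates as withdrawn.
func (iss *Issuer) CRL(now time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked { // a real CA also increments Number on every new CRL
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, iss.Cert, iss.Key)
	if err != nil { panic(err) }
	crl, err := x509.ParseRevocationList(der)
	if err != nil { panic(err) }
	return crl
}

// classify returns ok, expiring, expired, revoked or untrusted for one device certificate.
func classify(c, ca *x509.Certificate, crl *x509.RevocationList, now time.Time, renewWithin time.Duration) string {
	for _, rc := range crl.RevokedCertificates { // serial numbers are only meaningful per issuer
		if bytes.Equal(c.RawIssuer, crl.RawIssuer) && rc.SerialNumber.Cmp(c.SerialNumber) == 0 { return "revoked" }
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired { return "expired" }
	if err != nil { return "untrusted" } // e.g. forged under a CA the organisation never trusted
	if c.NotAfter.Sub(now) < renewWithin { return "expiring" } // rotate before it lapses
	return "ok"
}

// Audit refuses a CRL not signed by the trusted CA, then classifies every inventoried certificate.
func Audit(ca *x509.Certificate, crl *x509.RevocationList, now time.Time, renewWithin time.Duration, inv ...*x509.Certificate) map[string]string {
	if err := crl.CheckSignatureFrom(ca); err != nil { panic("unsigned or tampered CRL: " + err.Error()) }
	status := map[string]string{}
	for _, c := range inv { status[c.Subject.CommonName] = classify(c, ca, crl, now, renewWithin) }
	return status
}

func main() {
	now := time.Now()
	ca, rogue := NewIssuer("Hospital Device CA (constructed)", now), NewIssuer("Rogue CA (constructed)", now)
	stolen := ca.Issue("pacemaker-programmer-04", now, 90*24*time.Hour) // key suspected stolen: revoke it
	fmt.Println(Audit(ca.Cert, ca.CRL(now, stolen), now, 7*24*time.Hour, stolen,
		ca.Issue("infusion-pump-01", now, 90*24*time.Hour),                // healthy
		ca.Issue("patient-monitor-02", now, 3*24*time.Hour),               // due for rotation within 7 days
		ca.Issue("ward-gateway-03", now.Add(-48*time.Hour), 24*time.Hour), // lapsed yesterday
		rogue.Issue("infusion-pump-05", now, 90*24*time.Hour)))            // forged: not from the hospital's CA
}
```

Running it prints a map from device name to status, with the revoked programmer, the expiring monitor, the expired gateway and the forged pump each called out. Four design points carry over to a real deployment: the CRL’s signature is checked before any of its contents are trusted; a revoked serial number only counts against certificates from the same issuer; trust is decided by chain verification against the organisation’s own CA rather than by a device’s self-reported name; and a rotation window (here seven days) turns the ‘replace’ step into routine work done before an identity lapses rather than an emergency after it does.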