Technology is understandably viewed as a nuisance to be managed in pursuit of the health organizations’ primary mission
For understandable reasons, health delivery organizations center their focus on helping sick people rather than on fiddling with information technology. Technology is seen as a frictional annoyance to be managed in pursuit of their primary goal, so it takes a commensurate cultural back seat. Unless you ask the security people here at the RSA Conference.
A few forward-looking healthcare folks showed up here to talk about it and get it out in the open. That was fun.
Things that are obvious from a cybersecurity perspective are only tangentially discernible to those focused on fixing things that affect people in real, impactful ways, like emergency room surgery.
Healthcare folks train to react to the most potentially impactful thing, which in the past couple of years has been a combination of a global pandemic and, later, thwarting ransomware, which could take down the hospital financially and operationally. Oh, and trying to do it all on a thin budget. Device security was somewhere way down the list.
Fifteen years ago, no one thought much about healthcare device security, or hospital digital security in general. But now that ransomware has grown into the digital scourge du jour (or should that be “de la décennie”?), practitioners have started to wonder what other digital ills could bring direct patient care to a screeching halt.
Many of the same devices in use today in health organizations were designed, built and rolled out for medical use 15 years ago. They still run just fine.
This means no one really wants to upgrade or replace them. Even as new devices hit the market, convincing the top medical leadership to upgrade a system that’s been working fine is a tough sell, especially since the (cyber)security threat seems pretty theoretical to them. Even if they had the appetite, new medical devices are devilishly expensive – who will pay that bill?
Except people started to wonder if a pacemaker, insulin pump, or other potentially life-impacting device could be hacked. That was before Black Hat talks a few years back proved that they could, at least in theory.
While there are limitations, devices in certain circumstances could now be perceived as vulnerable. That’s why we’re talking about it at RSA.
There’s a big divide between machines that can be affected by traditional malware and specialty devices that operate on a stripped-down microcontroller. The former devices are far easier to attack with off-the-shelf malware; the latter require some effort.
But the potential impact would be huge.
A prescription for success?
The solution offered by some: Don’t hook them up to the network. Except holistically integrating patient health into a single pane of glass is a wonderful thing that can reduce staff time dramatically. If a nurse at a nursing station can watch a dashboard showing all alerts for all patients on a floor in real time, patient responses improve, while all the patient data can be silently slurped into databases used for updating patient records automatically.
That’s why they want it. But when medical information from aging devices gets pumped onto the network, that’s when we get nervous.
One idea is to heavily segment the network by functionality, but that would require more tech staff than most hospitals can hire right now.
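To make the segmentation idea concrete, here is an added example (not code from the original post or from any vendor or hospital mentioned in it) that models a network split into functional zones and audits a handful of constructed flow records against an allow-list. Every zone name, subnet, port number and flow record below is constructed for illustration: legacy bedside devices are permitted to push telemetry to the nursing dashboard collector and nothing else, so any other flow touching the device segment is flagged for review.

```python
"""Segmentation-by-function policy audit (added example, not from the original post).

Models a hospital network divided into functional zones and checks constructed
flow records against an allow-list. All subnets, ports and flows are
constructed for illustration and are not taken from any real deployment.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Functional zones (constructed subnets).
ZONES = {
    "legacy_devices": ipaddress.ip_network("10.10.0.0/24"),    # aging bedside monitors
    "nursing_dashboard": ipaddress.ip_network("10.20.0.0/24"),  # floor dashboard / collector
    "ehr_db": ipaddress.ip_network("10.30.0.0/24"),             # patient record database
    "corporate": ipaddress.ip_network("10.40.0.0/24"),          # staff workstations
}

# Allowed flows as (source zone, destination zone, destination port).
# Legacy devices may only push telemetry to the dashboard collector; nothing
# is allowed to initiate connections toward the device segment.
ALLOW = {
    ("legacy_devices", "nursing_dashboard", 2575),  # constructed collector port
    ("nursing_dashboard", "ehr_db", 5432),          # dashboard writes records
    ("corporate", "ehr_db", 443),                   # staff read records via web app
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its functional zone, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an entry in the zone allow-list."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in ALLOW


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Return the denied flows together with their source and destination zones.

    The zone labels make the review easier: a denied flow that touches
    'legacy_devices' is the case the segmentation is meant to catch.
    """
    denied = []
    for flow in flows:
        if not is_allowed(flow):
            denied.append((flow, zone_of(flow.src), zone_of(flow.dst)))
    return denied


# Constructed flow records, as they might be summarised from a flow collector.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "10.20.0.5", 2575),   # monitor -> dashboard collector (allowed)
    Flow("10.20.0.5", "10.30.0.9", 5432),    # dashboard -> EHR database (allowed)
    Flow("10.40.0.77", "10.10.0.15", 445),   # workstation -> monitor (denied)
    Flow("10.10.0.15", "203.0.113.20", 80),  # monitor -> outside any zone (denied)
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in audit(SAMPLE_FLOWS):
        print(f"DENY {src_zone} -> {dst_zone} : {flow.src} -> {flow.dst}:{flow.dport}")
```

The point of the allow-list shape is that the aging devices get exactly one outbound path and no inbound ones; everything else that appears in a flow log involving that segment is, by construction, something to look at. In a real deployment the same policy would be expressed in VLAN and firewall configuration, and this script would run over the firewall's own logs rather than a constructed list.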
In the coming years there will be a lot more proof-of-concept hacks against medical devices, and perhaps some in real life, so healthcare organizations will have to deal with it. Black Hat is about a month away; don’t be surprised if we see more.