What’s It Gonna Take to Get Real Security in Healthcare

Blog post by Nick van Terheyden, MD

Last week I attended Blackhat and DefCon, two of the biggest security conferences – the latter attended by a wide range of security people from both sides of the fence.

While they are not healthcare-focused, there were many presentations centered on healthcare, ranging from:

  • Remote attacks of implanted cardiac pacemakers (see below)
  • The shocking insecurity of HL7 traffic which is unencrypted and wide open for simple “man in the middle” attacks
  • An interview with TrendMicro on the report they published demonstrating the wide open nature of pager communications that they found to contain extensive Personal Health Information (PHI) details in clear text and available to anyone wanting to listen in

I thought it would be interesting to tackle the topic of data security on an HCLDR tweetchat – something that has not been covered in the past, aside from some mention of security in various posts on other adjacent topics.

News over the last several months, even going back years, has been damning of the healthcare industry and its inability to keep data safe and secure. Remember the huge Anthem breach in 2015? It’s all but forgotten due to the frequency and depth of more recent breaches.

Healthcare has a huge target on its back given the rich, valuable data we store. The wealth of health information offers criminals multiple uses that extend long past the typical half-life of stolen data. This article touches on why hackers love healthcare data.

There has been some decline in breaches, but this has more to do with different vectors of attack than a change in interest or focus by the hacking community. Breaches and loss of data have been replaced by the new income-earning opportunity of ransomware and the huge impact of the Petya/NotPetya ransomware attack that spread round the globe in June 2017, followed shortly afterwards by WannaCry. The US escaped major impact thanks in part to the timing and quick work by security researchers – notably Marcus Hutchins @MalwareTechBlog (he has been trapped in the US facing prosecution for over a year now), who identified and created a kill switch for WannaCry before major spread to US institutions.

As one security specialist put it – “there but for a stroke of luck goes the US” – and especially given the large impact on the NHS, the details of which can be found in the report by the Auditor General of the National Audit Office on the impact of WannaCry in the UK, which makes for some sobering reading.

80 out of the 236 trusts across England, because they were either infected by the ransomware or turned off their devices or systems as a precaution. A further 603 primary care and other NHS organisations were also infected, including 595 GP practices. Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency (Emergency/ED) departments.

The impact on day-to-day activities was staggering. It seems likely that this had an impact on outcomes as well. To date I have been unable to gain access to a data set to prove this point and continue to try, but there is a good proxy for the impact of closures that Marathon Events has detailed in this paper.

Despite being a large target and despite the negative impact on outcomes, security continues to be a lower-priority item for many in healthcare. This lack of security, or more accurately lack of consideration of security, erodes the trust we have in healthcare – something Joe Babaian noted in the hcldr post “Importance of Trust in Healthcare”:

In 1966, more than three-fourths of Americans had great confidence in medical leaders; today, only 34 percent do. Compared with people in other developed countries, Americans are considerably less likely to trust doctors, and only a quarter express confidence in the health system. During some recent disease outbreaks, less than one-third of Americans said they trusted public health officials to share complete and accurate information. Only 14 percent trust the federal government to do what’s right most of the time.

As you can tell, security in healthcare is a topic I am keenly interested in. If you are too, then you might want to check out these posts and podcasts:

The last post in the list features a remote hack of an implantable defibrillator device and insulin pump with potentially lethal consequences.

Please join me as I host the weekly #hcldr tweetchat on Tuesday August 28th at 8:30pm ET (for your local time click here). We will be discussing the following topics:

  • T1 Do healthcare employees and individuals see security as a serious and important issue, or is it relegated to low priority because of the overwhelming workload endured?
  • T2 If security is a focus, why then do we continue to struggle to secure our data and healthcare systems?
  • T3 Do you have any examples of security in practice that is working effectively and consistently without hindering the delivery of care?
  • T4 What personal tips, suggestions or incremental steps do you have for securing healthcare data?

About the Author

Dr. Nick is a leader in Digital Healthcare and Innovation and former Chief Medical Officer for Dell. He provides strategic insights and guidance to support healthcare organizations, medical professionals, and patients through information-enabled healthcare. He brings an incremental approach to developing successful strategies and applies his expertise to achieve a technology environment that is interconnected, efficient and patient-focused. He is a highly sought-after speaker on the practical and futuristic use of healthcare technology and how it can improve patient engagement and wellness.

Dr. Nick brings a distinctive blend of medical practitioner and business strategist, both national and international, to the realm of digital healthcare technology. A graduate of the Royal Free Hospital School of Medicine, University of London, Dr. van Terheyden is a pioneering creator in the evolution of healthcare technology. After several years as a medical practitioner in London and Australia, he joined an international who’s who in healthcare, academia, and business in the development of the first electronic health record in the early 1990s and later, as a business leader, in one of the first speech recognition companies.

Resources

Alford, Alan. “Why Hackers Love Healthcare”, DarkReading, 26 April 2018, https://www.darkreading.com/endpoint/why-hackers-love-healthcare/a/d-id/1331537, accessed 26 August 2018

Hilt, Stephen and Lin, Philippe. “Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry”, TrendLabs, https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-leaking-beeps-healthcare.pdf, accessed 26 August 2018

Dameff, Christian et al. “Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives”, BlackHat USA 2018, 9 August 2018, https://www.blackhat.com/us-18/briefings/schedule/index.html#pestilential-protocol-how-unsecure-hl7-messages-threaten-patient-lives-11726, accessed 26 August 2018

Newman, Lily Hay. “Wannacry Hero’s New Legal Woes Spell Trouble For White Hat Hackers”, Wired, 8 June 2018, https://www.wired.com/story/wannacry-hero-marcus-hutchins-new-legal-woes-white-hat-hackers/, accessed 26 August 2018

Thomson, Ian. “Everything You Need to Know About the Petya, er, NotPetya nasty trashing PCs worldwide”, The Register, 28 June 2017, https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/, accessed 26 August 2018

“Investigation: WannaCry cyber attack and the NHS”, NHS, 25 April 2018,  https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS-Summary.pdf, accessed 26 August 2018

Jena, Anupam B et al. “Delays in Emergency Care and Mortality during Major U.S. Marathons”, New England Journal of Medicine, 13 April 2017, http://www.nejm.org/doi/full/10.1056/NEJMsa1614073, accessed 26 August 2018

Babaian, Joe. “Importance of Trust in Healthcare”, HCLDR, 23 January 2018, https://hcldr.wordpress.com/2018/01/23/importance-of-trust-in-healthcare/, accessed 26 August 2018

van Terheyden, Nick. “Are Your Pagers Leaking PHI Data?”, Incremental Healthcare Blog, 23 August 2018, http://incrementalhealthcare.com/are-your-pagers-leaking-phi-data/, accessed 26 August 2018

van Terheyden, Nick. “The Impossible Task of Security in the Age of Sophisticated Social Engineering”, Incremental Healthcare Blog, 16 July 2018,  http://incrementalhealthcare.com/the-impossible-task-of-security-in-the-age-of-sophisticated-social-engineering-chris-hadnagy/, accessed 26 August 2018

van Terheyden, Nick. “Security, Passwords and Data Breach Services – Troy Hunt”, Incremental Healthcare Blog, 2 July 2018, http://incrementalhealthcare.com/the-incrementalist-troy-hunt/, accessed 26 August 2018

van Terheyden, Nick. “Incremental Security”, Incremental Healthcare Blog, 4 August 2018, http://incrementalhealthcare.com/incremental-security/, accessed 26 August 2018

van Terheyden, Nick. “Exploiting Implanted Medical Devices”, Incremental Healthcare Blog, 9 August 2018, http://incrementalhealthcare.com/exploiting-implanted-medical-devices/, accessed 26 August 2018

Image Credit

Data Security – Blogtrepreneur
