HIT Think article by Cliff Kittle of SecureWorks and Clearwater's Mary Chaput
Originally published on healthdatamanagement.com on August 18, 2017 at 4:14 pm EDT
HIPAA regulations—and the mindset they have inspired for information security—can no longer be the standard on which a healthcare information security program is built.
The philosophy spawned from the compliance mentality toward information security, in too many instances, has resulted in an attitude of complacency and “Good Enough” is enough. It is behavior modeled on a checklist approach that ends with “completion of the required checklist and is considered ‘Good Enough’ security.”
“The regulations in place weren’t designed for current threats,” said Leo Scanlon, Health and Human Services deputy chief information security officer, in testimony to the House Energy and Commerce Committee on June. Regulatory mechanisms are fundamentally challenged by threat actors, who work at “machine speed,” Scanlon added. “It’s hard to avoid the place where we’re victimizing the victim.”
If the healthcare industry is to avoid “victimizing the victim,” a new approach, driven by an entirely new philosophy, needs to be adopted. This approach must account for the tempo at which the threat actors develop and employ new attack vectors that ultimately jeopardize patient safety. To diminish the threat to patient safety, the vulnerability and subsequent risk to multiple critical assets containing protected health information (PHI) must be evaluated and appropriate security measures taken to defend its ongoing confidentiality, integrity and availability.
Medical devices are such an asset. The continued growth in the implementation of IoT-connected medical devices is providing an insecure, target-rich environment that threatens both data security and patient safety. This threat was pointed out in the NIST SP 1800-8, draft report, “Securing Wireless Infusion Pumps,” released in May. It noted that, “As IoMT grows, with an increasing number of infusion pumps connecting to networks, the vulnerabilities and risk factors become more critical, as they can expose the pump ecosystem to external attacks, compromises or interference.”
In an independent study by Ponemon Institute, released in May, both device manufacturers and health delivery organizations expressed a lack of confidence in device security. According to a post in HIPAA Journal, 60 percent of healthcare organizations have already introduced network medical devices into their technical infrastructure, and 89 percent of those organizations reported a security breach as a result.
The Ponemon study also reported that 31 percent of device makers and 40 percent of health delivery organizations said they were aware of patients having suffered inappropriate therapy/treatment because of an insecure medical device.
It is time to accept the reality that healthcare is at war, and patients’ well-being is at significant risk. Implementing an information security program using the seven principles of “The Doctrine of Maneuver Warfare” to both adopt tactics in support of the organization’s security strategy and ensure the proactive “Continuous Oversight” necessary to better prevent, detect and respond to threats provides the framework desperately needed for the current threat environment.
The first principle of Maneuver Warfare, “Targeting Critical Vulnerabilities,” is but one example of how our adversaries are using the principles of maneuver warfare against the healthcare industry. In the truest conventional warfare sense of identifying the weaknesses of your opposition, the threat actor has identified vulnerabilities related to many of the medical devices operating in the average healthcare delivery organization’s environment.
The Institute for Critical Infrastructure Technology (ICIT) found that attackers have set up beachheads on these devices for future attacks. “Vulnerable legacy systems and devices that lack the ability to update and patch are “Frankensteined” into networks possessing newer technologies that can be updated and patched. As a result, the organization’s IoT microcosm becomes collectively vulnerable as effective layers of network security cannot be properly implemented.” This can help create a type of remote access trojan on a vulnerable device potentially making the entire network vulnerable because there is no endpoint security for that device.
An example of this type of attack is the Medjack attack on medical devices this past March. In this case, the threat actor used old malware to target medical devices running outdated operating systems. In doing so, they more easily avoided detection, because the other parts of the network were running current operating systems that did not flag the activity. The reason for failing to flag the activity was the newer systems were patched against the malware and automatically classified the attack as a minor threat.
If the healthcare organization were to employ this fundamental principle in the execution of their information security action plan, the result would be the identification of critical vulnerabilities and associated risks. With this knowledge, appropriate mitigation efforts could be taken before the threat actor has an opportunity to exploit the vulnerability.
Behavior such as procrastinating system patches and postponing medical device updates are examples of violating the Doctrine of Maneuver Warfare’s principle of “Tempo” diminishes the organization’s ability to adjust to the threat actor’s machine-like speed of threat evolution. It’s reasonable to assume that the impact of the WannaCry attack would have been significantly reduced if organizations had been patching Windows vulnerabilities.
NIST SP1800-8 recommendations for reducing the overall risk posture of infusion pumps and best practices include creating an operational information security program to monitor potential exploits of medical devices. It states, “Each system is monitored for compliance with a secure configuration baseline.” This stresses the importance of “Continuous Monitoring” in achieving a proactive security posture and, when combined with the principle of “Tempo,” the defender may be able to act ahead of the threat actor’s attack and mitigate the risk of exploitation of the vulnerability. Worst case would be staying abreast of the threat actor and have a plan for containing the depth of the compromise of a successful breach. “Targeting Critical Vulnerabilities” and “Tempo” are two examples of how the implementation of the seven principles may be used to improve information security.
Developing a “war mindset” as the Office for Civil Rights has encouraged, will clarify the importance of “Continuous Preparation,” which is critical to a defender’s ability to plan for and respond to a multitude of attacks. The importance in establishing a behavior of “Continuous Preparation” is not stressed by the current HIPAA regulations.
Christos Dimitriadis, ISACA board chair and group head of information security at Intralot, has said “There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner. Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”
In the white paper, “Applying the Doctrine of Maneuver Warfare to the Execution of a Cybersecurity Action Plan,” seven dynamic principles are presented for use in support of the execution of an enterprise security strategy to protect the increasing number of attack surfaces, of which medical devices is but one example.
Cliff Kittle, Principal for Healthcare and Life Sciences Information Security at Dell SecureWorks
Mary Chaput, Chief Financial and Compliance Officer at Clearwater Compliance