Why are healthcare networks so vulnerable to attacks?
Forescout Research Labs has published a study on the vulnerabilities impacting the healthcare industry’s connected devices. The research division of Forescout Technologies has published the report as part of its Project Memoria, and it reveals that healthcare organisations are affected five times more by TCP/IP vulnerabilities than any other sector.
Elisa Costante, a software engineer and Forescout's Vice President of Research, explains why this is and how to prevent it.
What is Project Memoria?
Project Memoria aims to improve the security of TCP/IP stacks and understand what the main security issues are. TCP/IP stacks are a very core component of every network device, whether it's an iPhone connected to the internet, or a robot controlling the process of manufacturing. If they're connected to the internet they need to have a piece of software controlling communication.
There are several variants of this software and we're analysing them to understand if they have security bugs or vulnerabilities that if misused by attackers, could lead to disruption of the device itself, and to the network at large. Our goal is to make the industry aware of the problem, and engage with stakeholders as well as the customers.
Why is healthcare particularly vulnerable?
This is what the data is telling us. We have a device cloud, which is like a data lake of device information. This device cloud has a lot of information about the devices, like who the vendor is, what the role of the network is, and which vertical this is. We are able to leverage this information, and join it with the intelligence we have from Project Memoria to understand which devices are vulnerable.
We found that in healthcare there was a huge spike in the number of devices that are vulnerable - as much as five times more than in other verticals. The reason seems to be because of the number of devices, and because of the intrinsic difficulty of addressing the problem.
The problem surrounding TCP/IP stacks is that there is not one single vendor that is vulnerable; on average, a healthcare organisation has 12 vendors that are vulnerable.
Let's say that on average we have 500 devices per healthcare organisation. Then you need to contact 12 vendors for each of these. These vendors then need to issue a patch to secure the device, and this patch cannot just be automatically delivered and installed in 500 devices. You have to be realistic and think about whether each of the devices is critical, for example if it goes down will it turn the lighting system off, or stop the MRI machine from working.
Patches are very complex to deploy. On top of that, the patch needed might not even be available. That's why we want to understand this problem better so we can provide solutions.
How much of the responsibility of keeping a device secure lies with the vendor?
There are responsibilities that lie with all the different stakeholders, and one of these is the vendor. There might be multiple vendors involved, which makes it very complex from a management perspective.
For instance the device at the end of the chain, which might be an MRI, contains a board that has a connectivity module, and this has one of the stacks that is vulnerable, which could have four different vendors.
If the vendor responsible for the TCP/IP stack releases a patch, this patch has to go down the chain. We identified chains with a length of six vendors, so you can imagine how complex this is. Some vendors have good hygiene security and some don't because they don't know how to deal with it - they need training.
This is a new issue related to the software bill of materials, which is being tabled for legislation at the moment to create policies regarding the complexity of the supply chain. We need to shed light on this issue so that legislators can put these policies in place to help with security.
What can healthcare providers do themselves to stay secure?
Visibility is important; they need to know what they have in their network. In the case of vulnerable devices they should find out if there's a patch available. If there isn't, because it's an old device for example, but it's still critical to the system, they may want to isolate it so it only communicates with the devices it really needs to.
Interestingly enough, our research found that most of the healthcare organisations we analysed had a flat network, which means they don't have isolated devices. For instance, a drugs dispensing machine, which you typically find in pharmacies, is connected to a building automation light system, which is connected to a switch. This is also connected to an IoT sensor device. Why would you have all of them together in the same place?
The first step is having this information, which often comes as a surprise. Then you can take action; you can segment a network, and if you can't do that you can control the network's access by isolating devices that are risky.
How can Forescout help healthcare organisations?
Forescout is uniquely positioned to help. We provide visibility end-to-end, which means having a full inventory of devices that includes quite granular detail, so they can know what the operating system is, who the vendor is and so on. Then we enable them to do network segmentation.
This enables organisations to write policies around how to secure their networks, for example if a device is vulnerable specify which connected devices must be isolated, or which device it must communicate with exclusively.
Getting ready for cloud data-driven healthcare
As healthcare continues to recognise the value of data and digital transformation, many organisations are relying on the cloud to make their future-forward and data-centric thinking a reality. In fact, the global healthcare cloud computing market was valued at approximately $18 billion and is expected to generate around $61 billion USD by 2025.
At the forefront of these changes is the rapid adoption of cloud-based, or software-as-a-service (SaaS), applications. These apps can be used to handle patient interactions, track prescriptions, care, billing and more, and the insights derived from this important data can vastly improve operations, procurement and courses of treatment. However, before healthcare organisations can begin to dream about a true data-driven future, they have to deal with a data-driven dilemma: compliance.
Meeting regulation requirements
It’s no secret that healthcare is a highly regulated industry when it comes to data and privacy – and rightfully so. Patient records contain extremely sensitive data that, if changed or erased, could cost someone their life. This is why healthcare systems rely on legacy technologies, like Cerner and Epic EHRs, to manage patient information – the industry knows the vendors put an emphasis on making them as secure as possible.
Yet when SaaS applications are introduced and data starts being moved into them, compliance gets complicated. For example, every time a new application is introduced into an organisation, that organisation must have the vendor complete a BAA (Business Associate Agreement). This agreement essentially puts the responsibility for the safety of patients’ information — maintaining appropriate safeguards and complying with regulations — on the vendor.
However, even with these agreements in place, healthcare systems still are at risk of failing to meet compliance requirements. To comply with HIPAA, U.S. Food and Drug Administration 21 CFR Part 11 and other regulations that stipulate the need to exercise best practices to keep electronic patient data safe, healthcare organisations must maintain comprehensive audit trails – something that gets increasingly difficult when data sits in an application that resides in the vendor’s infrastructure.
Additionally, data often does not stay in the applications – instead healthcare users download, save and copy it into other business intelligence tools, creating data sprawl across the organisation and exposing patient privacy to greater risk.
With so many of these tools that are meant to spur growth and more effective care creating compliance challenges, it begs the question: how can healthcare organisations take advantage of the data they have without risking non-compliance?
Yes, healthcare organisations can adhere to regulations while also getting valuable insights from the wealth of data they have available. However, to help do this, organisations must own their data. This means data must be backed up and stored in an environment that they have control over, rather than in the SaaS vendors’ applications.
Backing up historical SaaS application data directly from an app into an organisation’s own secure cloud infrastructure, such as AWS or Microsoft Azure, makes it easier, and less costly, to maintain a digital chain of custody – or a trail of the different touchpoints of data. This not only increases the visibility and auditability of that data, but organisations can then set appropriate controls around who can access the data.
Likewise, having data from these apps located in one central, easily accessible location can decrease the number of copies floating around an organisation, reducing the surface area of exposure while also making it easier for organisations to securely pull data into business intelligence tools.
When healthcare providers have unfettered access to all their historical data, the possibilities for growth and insights are endless. For example, having ownership and ready access to authorised data can help organisations further implement and support outcome-based care. Insights enabled by this data will help inform diagnoses, prescriptions, treatment plans and more, which benefits not only the patient, but the healthcare ecosystem as a whole.
To keep optimising and improving care, healthcare systems must take advantage of new tools like SaaS applications. By backing up and owning their historical SaaS application data, they can do so while minimising the risk to patient privacy or compliance requirements. Having this ownership and access can propel healthcare organisations to be more data-driven – creating better outcomes for everyone.