When researchers at Independent Security Evaluators published its 2016 report, Hacking Hospitals, the idea that vulnerabilities in medical devices could result in patient harm seemed like a serving of FUD (fear, uncertainty and doubt). Four years later, as we debate how and whether to return to life as we knew it before quarantine, there is irrefutable evidence that the health care sector is highly vulnerable to attack.
From daily news stories to scholarly articles, security experts continue to warn of the cyber threats the health care sector is facing, yet health care organizations continue to rely on technology and connected devices without a full understanding of the cybersecurity risks or the right intelligence to mitigate those risks.
In the recommendations section of the 2016 “Hacking Hospitals” report, the authors recognized, “Decision makers at health care facilities have little insight or control over the security practices of their vendors.” This remains true today. Without insight into whether any of the vendors in a health care organization’s complex supply chain have been compromised, it is nearly impossible to understand all of the security risks in the IT infrastructure, third-party technology systems and connected medical devices they rely on.
Yet, in response to the shelter-in-place orders instituted around the world after the World Health Organization declared the global pandemic, medical service providers have expanded their attack surface even further by offering telehealth visits, a move encouraged by the Department of Health and Human Services in March.
This week, the HHS’s Office of the Inspector General released a strategic plan to assess the security of this IT infrastructure. The plan calls for an audit of “whether known cybersecurity vulnerabilities related to networked medical devices, telehealth platforms and other technologies being used in COVID-19 response have been mitigated.” What about the unknown vulnerabilities?
As the ISE authors wrote, a third-party security assessment “by experienced professionals can lend to empowering the CIO and other executives if vendors are required to produce such evidence,” but an assessment alone is not enough. Not in 2020.
Guidance from the FDA advises that practitioners need to decide whether the benefits of medical IoT devices outweigh the security risks. All the while, experts continue to debate the best risk management course of action. “But these discussions often miss the problems replete in the expansive supply chains on which many of these products and services we depend on are built,” wrote Scott J. Shackelford, Michael Mattioli, Steve Myers and Austin Brady in a 2018 issue of the Minnesota Journal of Law, Science & Technology.
Their words rang true again in February 2020, when the FBI warned of the Kwampirs malware being used against health care companies as well as those in the energy and financial sectors. Evidence continues to show that medical devices are vulnerable. We also know that health care organizations are targets. Prevailion’s Q1 2020 Apex Report found that over 40 hospitals, many located in the US, showed evidence of compromise, and that the health care sector overall showed high concentrations of company compromise. Many of the health care industry’s security issues tie back to risks in the supply chain.
Current supply chain vetting is flawed because companies have an incomplete picture of the partners they are relying on. They may be able to verify what security measures a partner has in place, but they cannot see how well that partner has performed under real-world attacks. Without real evidence of compromise, they have no way of knowing a partner’s cybersecurity track record, the current infections it has not disclosed – or the infections it has not yet detected.