Bill Siwicki of Healthcare IT News recently interviewed Mike Murray, founder and CEO of Scope Security, about medical device security and what can be expected in the cybersecurity space for 2022. Murray also spoke on this subject at HIMSS21, and he organized a panel with the FDA at the recent DefCon hacking conference.
The first question Siwicki asked Murray was to describe his view of the hospital and health system IT environment today, especially in relation to the security of computers and medical equipment. Murray says that in addition to managing a traditional IT environment, hospitals and health systems have to deal with the complexities of health care, which present unique security challenges. In a hospital, if you have a security tool that sends out 100 alerts a week, the team will be overwhelmed by the tenth alert. Scope’s research shows healthcare organizations have approximately 10 times fewer security staff members than a traditional financial organization. Today, over 75% of devices run outdated operating systems like Windows XP and Windows 7 that do not receive any security patches, leaving them vulnerable to attack. There is no rule requiring traditional security technologies to be able to monitor these devices, which makes them ideal places for attackers to hide while they do reconnaissance and escape detection. Today’s security products have no means of protecting these systems, because they were not designed to. These challenges are specific to healthcare environments, and they are what produces the security problems we see in modern hospitals.
The second question Siwicki asked Murray was whether he believes healthcare does not invest enough in securing medical devices compared with computers, why that is the case, and whether there are any solutions. Murray says profit margins and budgets dictate what the industry can spend on healthcare. Sadly, that spending is out of step with the main challenge. About half of devices are either clinical devices or relate to the storage or movement of electronic health records, yet nearly 100 percent of security spending goes to the IT systems and infrastructure. Health systems are not to blame. Despite increased budgets for clinical and EHR systems, these organizations are faced with generalist security solutions that focus solely on IT systems and ignore the rest of the medical infrastructure. In the past few years, the leading EHR vendors have released a multitude of security patches and upgrades. Because these vendors haven’t worked with the security community (and the security community doesn’t focus on them), most security products don’t know about the vulnerabilities and patches in these vendors’ products. If the security controls do not cover more than half of the systems on a network, the hospital security team fights with one hand tied behind its back. Things won’t change anytime soon. The leader of a major security vendor recently told me, “I don’t have the resources or time to get Windows right.” It is an old cliché in security: you can’t stop what you cannot see.
The third question Siwicki asked Murray was how healthcare CISOs and CIOs should approach the issue of patching medical devices. Murray said we could talk endlessly about patching and FDA regulation, but I just don’t think we’ll be able to patch our way out of this problem. As I said earlier, over 75% of medical devices run outdated operating systems like Windows 7 that vendors no longer patch. Patching Microsoft’s products is often impossible unless Microsoft provides the patch. As a result, hospitals and health systems are either accepting the risk of these devices, limiting their functionality or availability, or having to invest tremendous amounts of capital in replacing them. Having an effective monitoring program can also make the process of applying patches to thousands of systems less urgent. It is better to invest in a home burglar alarm system than to replace the entire house.
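Murray’s two points above (security controls covering less than half of the systems on a network, and unpatchable legacy devices that nothing monitors) can be turned into a concrete inventory check. The following Python is an added example, not code from the article, Scope Security, or any product: it runs a coverage gap analysis over a constructed asset inventory, reporting control coverage per device category and listing the devices that are both on an unsupported OS and unobserved by any control. The asset names, categories, control labels and the unsupported-OS list are all assumptions made for the example.

```python
"""Coverage gap analysis over a device inventory.

Answers two questions a hospital security team needs before spending money:
  1. What fraction of assets, per category, does at least one control observe?
  2. Which assets can neither be patched (unsupported OS) nor be seen (no control)?
"""
from collections import defaultdict

# Constructed sample inventory (hypothetical names and values, not article data).
# "controls" holds the controls that actually observe the asset:
#   "edr"       = endpoint agent installed
#   "netmon"    = passive network monitoring sees its traffic
#   "ehr_audit" = EHR application audit logs are collected
INVENTORY = [
    {"name": "ws-admissions-01", "category": "IT",       "os": "Windows 10", "controls": {"edr", "netmon"}},
    {"name": "ws-billing-02",    "category": "IT",       "os": "Windows 10", "controls": {"edr", "netmon"}},
    {"name": "ehr-app-01",       "category": "EHR",      "os": "RHEL 8",     "controls": {"ehr_audit"}},
    {"name": "ehr-db-01",        "category": "EHR",      "os": "RHEL 8",     "controls": set()},
    {"name": "infusion-pump-17", "category": "clinical", "os": "Windows XP", "controls": set()},
    {"name": "ct-console-03",    "category": "clinical", "os": "Windows 7",  "controls": {"netmon"}},
    {"name": "mri-console-01",   "category": "clinical", "os": "Windows 7",  "controls": set()},
    {"name": "lab-analyzer-08",  "category": "clinical", "os": "Windows 10", "controls": {"netmon"}},
]

# OS families whose vendor no longer ships security patches. This is an
# assumption for the example; keep it in step with your own EOL tracking.
UNSUPPORTED_OS = ("Windows XP", "Windows 7")


def is_unsupported(os_name):
    """True when the OS name starts with an unsupported family."""
    return os_name.startswith(UNSUPPORTED_OS)


def coverage_by_category(inventory):
    """Return {category: (covered, total)}; 'covered' = observed by at least one control."""
    counts = defaultdict(lambda: [0, 0])
    for asset in inventory:
        entry = counts[asset["category"]]
        entry[1] += 1
        if asset["controls"]:
            entry[0] += 1
    return {category: tuple(pair) for category, pair in counts.items()}


def overall_coverage(inventory):
    """Fraction of all assets observed by at least one control."""
    if not inventory:
        return 0.0
    return sum(1 for asset in inventory if asset["controls"]) / len(inventory)


def legacy_share(inventory):
    """Fraction of all assets running an unsupported OS."""
    if not inventory:
        return 0.0
    return sum(1 for asset in inventory if is_unsupported(asset["os"])) / len(inventory)


def unmonitored_legacy(inventory):
    """Assets that cannot be patched and cannot be seen: the first place to add monitoring."""
    return sorted(
        asset["name"]
        for asset in inventory
        if is_unsupported(asset["os"]) and not asset["controls"]
    )


def report(inventory):
    """Human-readable summary for a budget or risk discussion."""
    lines = [f"Overall control coverage: {overall_coverage(inventory):.0%}",
             f"Assets on unsupported OS: {legacy_share(inventory):.0%}"]
    for category, (covered, total) in sorted(coverage_by_category(inventory).items()):
        lines.append(f"  {category:<9} {covered}/{total} covered")
    blind = unmonitored_legacy(inventory)
    lines.append("Unpatchable AND unmonitored: " + (", ".join(blind) if blind else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

On the constructed inventory the IT category is fully covered while EHR and clinical assets are only half covered, which is exactly the split between IT-focused spending and the rest of the estate that Murray describes. Feeding the script a real CMDB or biomedical-engineering export (with `controls` populated from your EDR, network sensor and log-collection inventories) turns the argument into a list of named assets that need a compensating control first.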
The final question Siwicki asked Murray was what the most pressing issues to be addressed in healthcare cybersecurity in 2022 are. Murray said hospitals are the perfect hiding spots for attackers of all kinds, whether they’re interested in ransomware, stealing patient data, or stealing other information. Lack of system-wide visibility is the ruling theme of healthcare security. Because of this, ransomware has become one of the most discussed threats: it is the attack that announces itself. Only after your systems are shut down and you are notified do you pay a ransom. While it’s important to develop a security strategy to prevent ransomware attacks, more attention needs to be paid to the far more dangerous attacks that remain silent. To prevent data theft and the compromise of other important information assets, healthcare security professionals need specialized tools to find all those invisible attackers hiding inside their EHR systems or on legacy medical devices. In doing so, they will also detect ransomware attackers. Hospital leaders should not concentrate only on ransomware. That tunnel vision leads to a security strategy centered on one very specific attack pattern. Real success comes from a detection and response program that detects all attackers early and often.
Read the full article here: Why investments in IT and device security are often ‘misaligned with the actual challenge’
Check out the In Scope Podcast: