Cybersecurity expert says ‘almost everything can be hacked’ and endpoint protection is not enough

By Bill Siwicki

07:03 AM

Core Security general manager Chris Sullivan predicted that in one or two years information security professionals and healthcare executives will realize that endpoint protection and agents are not always practical.

The average consolidated total cost of a data breach grew from $3.8 million in 2015 to $4 million in 2016, according to the 11th Annual Cost of Data Breach Study from the Ponemon Institute and IBM. The study also found the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158.

Digital records of healthcare information have become quite valuable to cybercriminals, and healthcare is widely considered to be behind other industries in figuring out and implementing the best tactics and technologies to protect its data. What’s more, healthcare has some fairly unique security problems, including unusual variables in personnel access control, the challenges of mobile health, and dated, hackable equipment such as drug pumps.

Chris Sullivan, general manager for intelligence and analytics at Core Security, a data security technology and services vendor, is well-versed in cybersecurity issues in healthcare and other industries. Healthcare IT News spoke with Sullivan about some of the signature security issues in healthcare.

Q: It often is said that people are at the heart of any solid cybersecurity defense. What kinds of personnel issues does healthcare pose that might be a bit different compared to other industries?
Healthcare is unique because you have so many people coming and going, so many people with different job functions. For example, you can have long-term care organizations with people swapping shifts with each other, winding up at different facilities, and that makes it difficult to make sure these people have the minimum necessary access to the information they need from location to location. And then you can have university teaching hospitals where you have people who may be working for foundations for six months and then at the university, sometimes in different capacities at the same time in different facilities. So healthcare tends to be more complicated than other industries with respect to information security.

Q: What is the ultimate aim of personnel access control in today’s heightened security environment?
Hospitals and other healthcare organizations must make sure it is easy to do thorough and accurate credentials for users. In general, organizations want to make sure people have the minimum necessary access, and then manage that access. Organizations need a comprehensive view of which people need access to what – physicians, claims, business – and watch that over time and make sure that stays in line, and then tighten up access over time.

Q: Mobile health tools are really gaining traction with consumers and provider organizations. How do healthcare organizations plug all the security holes that innumerous mobile devices can create?
My personal opinion goes against the conventional wisdom in the market. Everyone is about end-point protection. But it is very easy to compromise mobile devices. I can compromise a mobile device when it’s on the network at the hospital or when it’s at an employee’s home. So how do you keep track of that? People react, “Oh my gosh, we need an agent on every device.” But there are a lot of problems with that approach today. I don’t think that approach will continue to be in a year or two. First, it’s difficult to get agents on every device. For example, Internet of Things devices are proliferating, and they tend to be very lightweight with regard to memory, which makes it difficult to get an agent on top of that. On another note, the constant change in mobile devices in an infrastructure is tremendous, and it will only get worse. To keep up with this you’re going to do agents on every single device and subsequently install updates on every one of those devices? That is not going to work.

Q: So what is the answer, in your opinion, to the cybersecurity challenges posed by mHealth?
In a year or two everyone will realize agents and end-point protection is not practical in every instance. What healthcare organizations need to do is move to high-end network monitoring and network anomaly detection. You can actually see and infer a huge amount from the behavior of devices on a day-in and day-out basis. For example, Jim never reaches out to these sites and now he is, that is a warning. Now, you don’t want to send too many warnings, but once you begin with high-end network monitoring, you can start to study deep-packet information, start to see if something is signaling out like a machine, start to see if devices are reaching out to known bad actors, and from there you can figure out pretty quickly what, if anything, has been compromised. Organizations will move to a balanced approach to monitoring some devices but in reality taking a much closer look at their networks. They have to be running real machine-learning models that know what is normal for mobile device users.

Q: Similar to the issue with mobile devices, much is being said about issues surrounding medical devices and Internet of Things devices. How do healthcare organizations approach cybersecurity issues surrounding these often hackable devices?
Plain and simple: Almost everything can be hacked. The white-hat hackers we employ who do this for a living are building exploits and finding very creative ways to get in. Recently it was found that half of the IoT devices out there use the same controllers and very simple operating systems, and there is an uncovered vulnerability: If you overflow the TCP headers in the correct way, you can take over just the network interface card. However, because of these simple operating systems, network interface cards have full access to the memory on the IoT devices. So you can get in, and get in the middle. It’s a very simple hack for a high percentage of IoT devices today.

Q: This opens up a huge opportunity for hackers. What can healthcare organizations do to protect themselves?
Organizations need to be scanning their networks constantly for all of these IoT devices, servers, anything using the network, and matching things against known vulnerabilities. But that brings up a different problem: You will necessarily get back too much information to deal with. There are organizations that scan their networks and know they have 750,000 vulnerabilities. So what you need to do is feed all of that into an analytics engine, prioritize all of that information, and know what the most important things are in a hospital. The biggest problem in information security is too much information and a huge shortage of cyber-defense resources. Forbes recently said there are a million cybersecurity jobs open today, and by 2020 it will be 5 million. Organizations can’t get the staff to do this work even if they wanted to. You have to find a way to automate this analysis, to say these are the things to focus your scarce resources on.

Learn more at the upcoming HIMSS and Healthcare IT News Privacy & Security Forum in Boston Dec. 5-7, 2016. 

Twitter: @SiwickiHealthIT
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn