How Cyber Hardening Can Protect Patient Privacy And Treatment

Lisa SilvermanHere’s a nightmare scenario: hackers gain access to a healthcare service network, affecting 40 hospitals and health facilities, locking staff out of their computers, denying access to patient medical records, appointment schedules, and email. Or how about this: a government database is compromised, leading to the exfiltration of 75,000 personal records. Finally, consider this horror: implanted heart pacemakers are “reprogrammed” by an unauthorized person to modify the number of shocks delivered.

Unfortunately, you don’t have to do too much imagining, because the first two events actually happened, and the third was demonstrated as possible.

You may recognize the name WannaCry, a notorious strain of ransomware which hit not only the United Kingdom’s National Health Service in May 2017 but also government agencies and corporations in 150 countries. as well. The ransomware targeted machines running Microsoft Windows operating systems, encrypting data and demanding payment in the form of bitcoin in exchange for a decryption key.

Just this October, the Centers for Medicare and Medicaid disclosed a cyber attack on the Healthcare.gov database which impacted the portal that insurance agents and brokers use to directly enroll customers. The application for subsidized health care coverage under the Affordable Care Act requires extensive personal and household information including Social Security number, income, address, and age.

At Black Hat USA in August, researchers showed that they could compromise a programming device that runs on Windows XP and allows doctors to control implanted Medtronic pacemakers. They demonstrated the ability to issue a shock and deny a shock with relative ease.

These examples are part of our new normal. Today, the healthcare industry experiences twice the number of cyber attacks as any other business sector, and with the adversarial mindset identifying healthcare attacks as low risk, high reward, it would be misguided to expect a reduction in threats any time soon.

The Sobering Reality – The Attack Surface Looms Large

The abundance of internet-connected devices that collect and share patient data has greatly increased the “attack surface” (where an attacker inserts or extracts data) and a number of possible vulnerabilities within a system. Now that medical devices can connect to home-based routers, public Wi-Fi or cellular networks to relay data to hospitals, specialists, and care providers.

Malware - Credit - Nara.nra28 in from Wikimedia Commons (CC BY-SA 4.0)

In addition, the software in those devices lacks cybersecurity and can be updated and reprogrammed remotely. Thus, sensitive patient information is even more prone to data breaches, and the safety of the devices can be compromised. Recent supply chain compromises, and the migration of health applications and platforms to the cloud, also add to the threat equation.

This article looks at why the medical community is so vulnerable and suggests how it can better protect life-saving equipment and sensitive data from unprecedented cyberattacks.

The Wisdom Of The Crowd

Recently KLAS conducted a survey of medical IT executives at the request of the College of Healthcare Information Management Executives (CHIME). The survey found:

  • Only 39% of respondents were confident or very confident in their medical device security program;
  • About 18% of the respondents said they had medical devices infected with malware during the past year and a half; and
  • Each respondent organization had an average of 10,000 devices, of which one third were unpatched.

While aiming for the goal of improving patient outcomes, the increasing interconnectivity of medical devices introduces potential weaknesses for data security. One reason is that medical devices for the diagnosis, prevention, monitoring, treatment or alleviation of disease were not built with security in mind. As such, they are an easy entry point for attackers who can gain network access through the Internet. From there, attackers can move on to a server, which likely has rich patient data, or just cause mayhem by sabotaging a device’s intended use.

A Wealth Of High-Value Data

Fortiguard Labs reported that last year the healthcare sector experienced an average of 32,000 intrusion attacks daily, per organization. Other industries averaged 14,300 intrusion attacks per day, per organization. In the second quarter of 2018 alone, Protenus found that 3.14 million patient records were breached in 142 disclosed incidents. Incredibly, that is almost triple the amount (1.13 million) reported for the first quarter.

Hackers are extremely motivated because while a Social Security number sells for about 10 cents on the dark web, and a credit card number goes for 25 cents, a complete medical record can fetch significantly more. In fact, a complete Medicare or Medicaid record can command up to $500. With the detailed information in a record, a bad actor can assume an identity or create a fake ID, withdraw funds from a bank account, file false insurance claims, and get access to prescription medication.

Confidential patient data is often accessible to a number of medical professionals: primary care physicians, hospitalists, specialists, therapists, and laboratory personnel to name a few, both on-site and remotely. And each may use a different device: computer, laptop, tablet, or phone. “Patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack,” according to the National Institute of Standards (NIST) and the National Cybersecurity Center of Excellence guide, Securing Electronic Records on Mobile Devices.

What Has Caused This Tsunami Of Vulnerabilities?

On average, healthcare organizations spend half as much on cybersecurity as organizations in other industries. This is despite the fact that the vulnerabilities presented by interconnected devices, the attractiveness, and accessibility of health records, the virtualization of computer resources, and the increased complexity of software and hardware supply chains make the healthcare sector a prime target for attacks. Lack of adequate IT spending by healthcare organizations and lack of awareness about cybercrime by medical personnel have also contributed to the issue. The overall impact of on hospitals and healthcare systems is estimated to be nearly six billion per year.

Up until about five years ago, there was very little concern about the threats inherent in connected devices that integrate components and software from various vendors. Nor was there much notice given to legacy equipment not originally intended to send or receive data via the internet. Now, there is the problem of failure to update or patch software in legacy systems – even when notified that a patch is available.

Electronic Health Records (EHR) are now the standard for workflow, documentation, and patient information. The attack surface of the health information system expands greatly when mobile devices, medical devices, and applications are permitted to connect to EHRs.

For example, an emergency room contains a myriad of devices and medical equipment. These devices have different operating systems, hardware, and connectivity schemes. Some devices have a rich ecosystem of cybersecurity solutions – Windows laptops or mobile tablets, for example. Other devices, like infusion pumps or patient monitoring units, are unique and have no standard cyber solutions.

And The Diagnosis?

Before we get to the remedy, let’s take a bit of a deeper dive into the diagnosis. Anywhere there is software code and an internet connection, there’s the risk of cyber attack. Software programs run everything from medical monitoring devices to the network system that contains patient X-Rays, lab results, and history. Malware is an abbreviation for “malicious software.” It’s used by cybercriminals to disrupt computer, mobile or device operations and to access sensitive information without consent. Ransomware is a particularly vicious strain of malware that holds a computer or network hostage until a payment is made.

One of the most prevalent ways malware is introduced is through memory corruption attacks, which try to trick a software program into running attacker-provided code, instead of programmer-written code. For this to work, the attacker must find vulnerabilities in the software binary code that allow the injection of code and/or the redirection of execution.

Traditional Defenses Can’t Cope

Unfortunately, traditional cyber security measures aren’t built to prevent malware from propagating, because they rely primarily on network and perimeter solutions like gateways, firewalls, intrusion prevention, and anti-virus agents. In other words, these tools focus on identifying symptoms rather than on addressing the underlying causes.

While established tools have worked for decades on known attack types, their effectiveness continues to diminish against motivated adversaries skilled in designing new types of exploits. Detection offers no protection in cases where the supply chain itself is compromised, such as in file-less attacks like memory corruption exploits, stack and heap attacks, zero-day attacks or return-oriented programming (ROP) chain attacks. It should also be noted that many of these current solutions simply aren’t applicable in the medical environment.

Cyber Hardening Works Against Exploitation Of Vulnerabilities

One of the latest and most effective means to reduce risk is to cyber harden systems using Runtime Application Self-Protection (RASP) technology. This technology prevents exploits from executing and from spreading across multiple devices and networks.

RunSafe Security’s Alkemist hardens software binaries by using RASP techniques such as binary stirring, control flow integrity, and stack frame randomization, processes that ensure that attackers can’t calculate in advance how to successfully execute their code. This can prevent an entire class of malware attacks related to memory corruption errors, buffer overflows, and zero-day exploits.

As noted above, the large number of medical devices in hospitals and medical facilities creates a challenge when designing a broad-based cybersecurity architecture with scale and applicability across the wide range of those medical devices.

The good news is that RunSafe’s Alkemist directly addresses this complexity. Alkemist doesn’t rely on a specific operating system or firmware. As long as the device is running on an x86 (Intel), ARM or PowerPC based central processing units (CPUs), Alkemist can harden any software it may be running. This now provides the hospital with a single solution that protects a wide variety of devices.

Alkemist is easy to implement and requires no new investment, software, services or hardware, and only a one-time transformation with limited overhead. Potentially vulnerable software code is protected against an entire class of attacks. It doesn’t require access to source code and isn’t dependent on compiler or operating systems. There are no alerts to monitor, and Alkemist is remotely deployable, as binary code can be cyber hardened via a web client or API. It eliminates the need for re-engineering, re-testing, and patch management emergencies, so scarce IT resources can be applied to maintain system uptime and continuity of operations.

If you assume (as you should) that an attacker will make it past all traditional security layers, what is left to protect in the healthcare infrastructure? If the hacker gets access to a server containing an EHR or takes remote control of an implanted medical device, what is there to prevent major damage? Cyberhardening with Alkemist can be the last layer of defense protecting highly sensitive medical and personal information.

Lisa Silverman,  is the Vice President of Marketing of RunSafe Security.