Health Care Still in Hacker Cross-Hairs, but Defenses Improving

NEWS ANALYSIS: Good and bad news: A lot of health-care organizations are still being hit by cybersecurity problems. The good news is that there are signs that they are better prepared for such incidents and are spending more money on security and staff training,

ORLANDO, Fla. -- There is both good news and bad news in health-care security trends: The bad news is that 74 percent of health care organizations were hit by "significant" security incidents in the past year, of which 56 percent were conducted by so-called bad actors targeting specific organizations with sophisticated, targeted, financially motivated attacks. The numbers were flat over last year, according to the 2019 HIMSS Cybersecurity Survey, released this week at the HIMSS 2019 health IT conference.

The good news is that there are signs that health-care organizations are better prepared for such incidents and are spending more money on security and staff training, according to Rod Piechowski, Senior Director of Health Information Systems for the HIMSS. Organizations are doing a better job of making "everyone believe they are part of the solution," he told eWEEK. "Too often security is viewed as an IT-only responsibility."

More good news is found in the work of the Food & Drug Administration, vendors, provider networks and volunteer groups who are working to establish standards for securing medical devices as well as developing plans for mediating the next big cyberattack along the lines of WannaCry, which decimated businesses and health-care organizations across Europe in 2017.

FDA Offers an Update on Medical Device Security

For instance, here at HIMSS, Suzanne Schwartz, Associate Director for Science & Strategic Partnerships at the FDA, presented an update on the FDA's work on its Medical Device Safety Action Plan, Premarket Guidance for vendors, and Medical Device Cybersecurity Sandbox.

The FDA has become more involved in the past two years, at least in part to mediate disputes between device makers and hackers, such as the one that was disclosed at last summer's Black Hat conference involving vendor Medtronic. Among those advising the FDA is the hacker cooperative I Am The Cavalry, which is co-sponsoring the Biohacking Village at this summer's Def Con conference.

The parties are looking to avoid incidents in which vendors threaten hackers with legal action for discovering and publishing vulnerabilities and "help decrease the friction and come to the ground truth quicker around some of these issues," said Dr. Christian Dameff, a practicing emergency doctor and lifelong hacker. "How do we protect security researchers? How do we help device manufacturers through this process better? And then how do we focus most of the energy toward the patients?"

Part of the FDA's pre-market recommendations is that vendors include a software "bill of materials" (BOM) and cybersecurity BOM, which would also include hardware, in order to be able to find or trace vulnerabilities. Another part is the CyberMed Safety Expert Analysis Board (CYMSAB), which is being led by MITRE. In concert with that, Massachusetts General Hospital this month received a $950,000 grant from the Department of Homeland Security to develop a medical device cybersecurity data repository.

Securing Access While Simplifying Workflows

Security vendors including Imprivata and Cylance are also are working on ways to keep computers and devices safe from unwarranted access while at the same time trying not to interfere with clinical workflows. At HIMSS, Imprivata unveiled Proximity Aware, a version of its card-based access and authentication solution.

Instead of a card, Proximity Aware uses a smartphone as the token along with Bluetooth connectivity to the machine. Once the phone is set up as a secure token, providers need only walk up to a terminal for the machine to log the user on. Once the user walks away from the machine it will automatically be logged off. Such functionality is critical for Electronic Prescription of Controlled Substances (EPCS) services, which will be required as of Jan. 1, 2020.

"In the case of most two-factor authentication, which you need for EPCS and some more workflows to come, you would use a token on your phone and enter a number. That's inefficient," Imprivata CEO Gus Malezis told eWEEK. "We automatically read that token, and that sign-on becomes completely invisible. It's hands-free 2FA, where you don't have to take the phone out of your pocket."

AI-based endpoint protection vendor Cylance is also working on a technology that applies AI models to the concepts of "continuous authentication" on health-care workstations, eliminating the need for password reentry, said Rob Bathurst, Worldwide Managing Director at Cylance for Healthcare and Embedded Systems. The technology, which is about to enter early-adopter stage, is tentatively called Persona.

Ensuring That Users Are Who They Say They Are

"If you look at your typical health-care environment, you've got hundreds of people logging in to these systems, and they may move from one system to another, or the credentials may get stolen or might get passed around," Bathurst told eWEEK. "And the point of it is to ensure that the person who is logged into that system is actually that person."

Bathurst explained that Cylance is building user-behavior models that look at how users type on a keyboard, what types of applications they use and when they perform tasks or open applications. In short, what does a normal "routine" look like?

If the machine detects behavior out of the norm, it uses a "process of gradual friction that gets more incredulous about the user as time goes on as it differs from the model," Bathurst said.

Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.

Scot Petersen

Scot Petersen

Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture,...