a hospital isn’t a bank

A Hospital Isn’t a Bank: Why Healthcare Cybersecurity is Hard
Session 115, August 11, 2021
Michael Murray, CEO, Scope Security

DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.


TRANSCRIPT


#HIMSS21

Welcome

Michael Murray, CEO, Scope Security

Mike Murray is the founder and CEO of Scope Security. At Scope, Murray builds on his nearly two decades of experience leading teams of highly skilled security professionals to solve critical security problems in healthcare.

Throughout his career, Mike has helped discover some of the world’s most notorious breaches and nation-state threats, and is sought out by industry, media and security teams for insights on today’s most pressing issues in cybersecurity.

Prior to founding Scope, he served as the Chief Security Officer at Lookout, where he presided over the protection of nearly 200M mobile users and their data. Previously, he led Product Development Security at GE Healthcare, where he built a global team that secured all of GE Healthcare’s portfolio of pre-market medical devices and services. Murray also co-founded The Hacker Academy and MAD Security, and has held leadership positions at companies including nCircle Network Security, Liberty Mutual Insurance and Neohapsis.

Mike has spoken at the largest security conferences, including RSA Conference, Black Hat Briefings, BSides, DEF CON, Infosec Canada, Infosec Europe and SecTor.


Conflict of Interest

Michael Murray

Has no real or apparent conflicts of interest to report.


Agenda

• An examination of the challenges healthcare has with cybersecurity

• A review of the financial considerations of the security market as a whole and rationale that healthcare is a “second class citizen”

• Understanding of Healthcare’s “3 environment” challenge for cybersecurity

• Examination of the challenges with each environment that make them hard for traditional security products and services

• A view toward the future and 4th environment


Learning Objectives

• Identify the three parts of the blended healthcare technology environment

• Analyze the security strategy for their organization in the context of the specifics of a healthcare environment and identify gaps

• Recognize the challenges that the security industry has with healthcare delivery organizations

• Evaluate common security solutions on their applicability and specificity to the healthcare environment

• Formulate a strategy for securing each of the three parts of the healthcare technology environment


The stakes for cybersecurity have continued to increase as attacks have become more disruptive

Not only have 50 million+ patient records been compromised in the last two years, but several health systems have also shut down operations because of cyberattacks.


HEALTHCARE SECURITY BREACHES ARE EXPENSIVE

• 28,756,445 healthcare records exposed due to data breaches in 2020

• $113M average impact from a single breach on long-term brand and market share, according to Accenture

• $6.5M average mitigation cost for a breach in the healthcare industry

• $1.5M maximum annual civil penalty per violation category under the HITECH Act


“Cyberattacks on healthcare providers expected to triple [in 2021]”

Becker’s Hospital Review, November 13, 2020

THE ATTACKERS ARE ORGANIZED AND MOTIVATED BY PROFIT

Attackers are well funded, motivated by profit and often backed by nation states. This increase in sophistication and aggression has contributed to the increase in attacks over the past few years.

• 91%: the share of providers that have experienced a breach in the last 2 years.

• 29M: patient records exposed in 2020. Healthcare as an industry has had the highest breach costs, with an average mitigation cost of $6.45M (>$6M). A single health record is worth $429 on the open market.

Documented attacks have originated across the entire hospital network, including clinical and IT devices. Regulations limiting clinical device monitoring and end of support for operating systems such as Windows 7 create further challenges and expense.

The Key 43 Days: Ransomware Infection Timeline

Day 0
• Phishing email delivers initial malware
• Attacker compromises laptop

Day 1 - 43
• Attacker finds pivot point
• Attacker performs reconnaissance and discovers high-value assets to encrypt

Day 43+
• Attacker deploys ransomware and demands payment


Healthcare is expected to spend $18B on security in 2021.*

* But financial services is expected to spend $70B


“Because that’s where the money is”

Willie Sutton, on why he robbed banks

A Hospital Isn’t a Bank

Cybersecurity as percent of IT budget

Government: 16%
Banking: 10%
Healthcare: 4%

The Visibility Gap


Healthcare delivery organizations (HDOs) have 3 technology environments


Traditional IT

Clinical Technologies

EHR/EMR Systems

Attackers can pivot through all three

Each Environment Provides Security Challenges


IT Security is Different in Healthcare


10x Staffing Difference
At a given revenue level, financial services organizations have about 10x the number of security staff that HDOs have.

Most security products ship with large numbers of alerts, most of them enabled by default, so a small healthcare team inherits the alert volume of a much larger one.

Different Priorities
Healthcare has different data types, different use and access patterns and even different systems than most other types of organizations.

Different Threat Actors
The majority of threat intelligence is developed against actors who are not sector-specific, or who are attacking financial services and government.

Because of this, most detections in the security product space are trained on the way attackers act in other environments, not on how they act specifically in healthcare.


Clinical Security is Hard


FDA Regulations are Challenging
Clinical devices, including the machine AND the software on the machine, are regulated by the FDA.

Software changes to a device, security patches included, must go through the manufacturer’s FDA-regulated design control and validation process before they can be deployed; the hospital cannot simply patch the device itself.

Security patches therefore have an extremely long timeline compared to the rest of the industry.

Complex Mix of Devices
Hospitals manage a complex mix of legacy devices with old operating systems and new devices with increased connectivity and functionality.

IT/OT Split is Difficult to Enforce
Unlike traditional Operational Technology environments, hospitals mix IT devices and clinical devices in nearly every room, which can make segmentation strategies difficult or cumbersome. And devices are increasingly being asked to have broad connectivity to enable data transfer.

Attackers can gain access to a network and quickly pivot between devices, moving in and out of view of traditional security tools.


EHR/EMR Security is even harder


Unknown Vulnerabilities
EHR vendors are not regulated like medical device manufacturers; they are not required to publish their security updates or vulnerabilities.

Without those vulnerabilities being reported, most security products behave as though the product has no vulnerabilities: a scanner or signature cannot match a CVE that was never published.

Most security technologies are simply blind to attacks against the EHR.

Detections Must be in the Data
Because EHR vulnerability data is limited, the only way to find attacks against the EHR is to find anomalous behavior within the EHR’s own audit logs.

While some tools exist to perform analytics on that data for privacy purposes, those tools are almost never real-time, nor do they report back to the security infrastructure.
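As an added illustration of “detections must be in the data” (example code written for this page, not code from the talk or from Scope Security): a small Python detector run over constructed EHR audit-log lines. The comma-separated format, the user, role and unit names, the hospital-wide role list and the baseline-versus-analysis-day thresholds are all assumptions made for the example; a real EHR’s audit export has its own schema, so parse_log() is the piece to adapt. Two behaviors that vulnerability feeds can never surface are shown: an account pulling far more charts than its own history predicts, and chart access outside the user’s unit that was not an explicit break-the-glass.

```python
"""EHR audit-log anomaly detection (added example, constructed data).
The audit format, names, roles, units and thresholds are assumptions made
for this illustration and describe no real EHR product's audit export."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed events: timestamp,user,role,user_unit,patient,patient_unit,action
# 2021-08-02..04 form each user's baseline; 2021-08-05 is the day under analysis.
SAMPLE_LOG = """\
2021-08-02T08:05:00,nurse_a,RN,ICU,P001,ICU,VIEW
2021-08-02T09:10:00,nurse_a,RN,ICU,P002,ICU,VIEW
2021-08-02T13:40:00,nurse_a,RN,ICU,P003,ICU,VIEW
2021-08-02T10:00:00,dr_b,MD,ED,P101,ED,VIEW
2021-08-02T10:30:00,dr_b,MD,ED,P102,ED,VIEW
2021-08-02T11:00:00,dr_b,MD,ED,P103,ED,VIEW
2021-08-03T08:05:00,nurse_a,RN,ICU,P001,ICU,VIEW
2021-08-03T09:10:00,nurse_a,RN,ICU,P002,ICU,VIEW
2021-08-03T13:40:00,nurse_a,RN,ICU,P004,ICU,VIEW
2021-08-03T14:40:00,nurse_a,RN,ICU,P005,ICU,VIEW
2021-08-03T10:00:00,dr_b,MD,ED,P105,ED,VIEW
2021-08-03T10:30:00,dr_b,MD,ED,P106,ED,VIEW
2021-08-03T11:00:00,dr_b,MD,ED,P107,ED,VIEW
2021-08-04T08:05:00,nurse_a,RN,ICU,P001,ICU,VIEW
2021-08-04T09:10:00,nurse_a,RN,ICU,P003,ICU,VIEW
2021-08-04T13:40:00,nurse_a,RN,ICU,P005,ICU,VIEW
2021-08-04T10:00:00,dr_b,MD,ED,P108,ED,VIEW
2021-08-04T10:30:00,dr_b,MD,ED,P109,ED,VIEW
2021-08-04T11:00:00,dr_b,MD,ED,P110,ED,VIEW
2021-08-05T10:00:00,dr_b,MD,ED,P113,ED,VIEW
2021-08-05T15:00:00,dr_b,MD,ED,P200,ICU,BREAK_GLASS
2021-08-05T09:00:00,pharm_c,PHARM,PHARMACY,P003,ICU,VIEW
"""
# The behaviour to surface: at 02:00 on the analysis day nurse_a's account
# pulls 25 distinct charts, about half of them from the oncology unit.
SAMPLE_LOG += "".join(
    f"2021-08-05T02:{i:02d}:00,nurse_a,RN,ICU,P{300 + i:03d},{'ONC' if i % 2 else 'ICU'},VIEW\n"
    for i in range(25))
ANALYSIS_DATE = date(2021, 8, 5)
# Roles whose job legitimately spans every unit (assumption for the example).
HOSPITAL_WIDE_ROLES = {"PHARM", "LAB"}
FIELDS = ("ts", "user", "role", "unit", "patient", "patient_unit", "action")


def parse_log(text):
    """Turn the constructed CSV-style lines into event dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        e = dict(zip(FIELDS, line.split(",")))
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_volume_anomalies(events, analysis_date, k=3.0, floor=5):
    """Flag users whose distinct-patient count on analysis_date exceeds their
    own daily baseline (mean + k*stdev, with 2x-mean and absolute floors so a
    tiny, quiet baseline does not fire on a single extra chart)."""
    per_user_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_user_day[e["user"]][e["ts"].date()].add(e["patient"])
    findings = []
    for user, days in per_user_day.items():
        baseline = [len(p) for d, p in days.items() if d < analysis_date]
        if not baseline:
            continue  # no history yet: a "new account" rule belongs elsewhere
        today = len(days.get(analysis_date, set()))
        threshold = max(mean(baseline) + k * pstdev(baseline),
                        2 * mean(baseline), floor)
        if today > threshold:
            findings.append({"rule": "volume", "user": user,
                             "count": today, "threshold": round(threshold, 1)})
    return findings


def detect_scope_anomalies(events, analysis_date):
    """Flag chart access outside the user's own unit, unless the role is
    hospital-wide or the access was an explicit break-the-glass."""
    findings = []
    for e in events:
        if e["ts"].date() != analysis_date:
            continue
        if e["role"] in HOSPITAL_WIDE_ROLES or e["action"] == "BREAK_GLASS":
            continue
        if e["unit"] != e["patient_unit"]:
            findings.append({"rule": "scope", "user": e["user"],
                             "patient": e["patient"],
                             "patient_unit": e["patient_unit"]})
    return findings


def analyze(log_text, analysis_date):
    """Run both rules over one day of audit data and group the findings."""
    events = parse_log(log_text)
    return {"volume": detect_volume_anomalies(events, analysis_date),
            "scope": detect_scope_anomalies(events, analysis_date)}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG, ANALYSIS_DATE).items():
        print(f"{rule}: {len(hits)} finding(s)", hits[:2])
```

On the constructed data the volume rule fires once (nurse_a, 25 charts against a baseline of 3 to 4 a day) and the scope rule fires on the 12 oncology charts only; dr_b’s break-the-glass access to an ICU patient and the pharmacist’s cross-unit views are deliberately not flagged, which is where a real deployment spends its tuning effort. The functions take an explicit analysis date so the same logic can be re-run on a sliding window as records arrive, which is the real-time property the privacy-analytics tools described above usually lack.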

The Unmonitored Crown Jewels
Everyone knows that the EHR holds the crown jewels of the modern health system: not just PHI, but the entire working of the hospital.

Unfortunately, because monitoring the EHR for attacks has rarely been possible and vulnerabilities are often kept quiet, we believe (falsely) that the EHR is secure.

The Fourth Environment

1. The employee’s / provider’s home
2. The patient’s home
3. The patient’s devices


Questions?

Michael Murray, CEO, Scope Security
[email protected] / @mmurray