How cyberhardening can reduce risk to the entire medical community

An average hospital room can house as many as 20 medical devices, and almost all of them will be networked – either wired or wireless.

Larger hospitals can have more than 85,000 connected devices. A recent KLAS survey found that more than 60% of healthcare IT professionals lack confidence that their current medical device security strategy protects patient safety and prevents disruptions in care. One reason is that these devices for the diagnosis, prevention, monitoring, treatment or alleviation of disease were not built with security in mind. But they are now an easy entry point for attackers, who can gain network access through Internet of Medical Things (IoMT) connectivity. From there they can move on to a server, which has rich patient data, or just cause mayhem by sabotaging a device’s intended use.

Many organizations struggle with devices’ outdated operating systems and the inability to patch due to potentially voiding manufacturers’ warranties. Some device manufacturers invoke FDA policies as an excuse not to patch – claiming that they would have to submit to another 510(k) certification, which is not necessarily true.

A TREASURE TROVE OF MARKETABLE DATA
Last year, the healthcare sector saw an average of 32,000 intrusion attacks per day per organization, compared to approximately 14,300 in other industries, according to Fortiguard Labs. An astounding 5.579 million patient records were affected in a total of 477 breaches. Forbes has reported that on the dark web, a Social Security number goes for about 10 cents, a credit card number is about 25 cents, but a complete medical record can fetch hundreds. What makes these records so desirable to hackers and the people who use the data fraudulently?

Medical records contain all the detailed demographic information needed for nefarious types to recreate or assume an identity. With spouse’s name, full mailing address, and date of birth, a bad actor can access a bank account, apply for a loan, or purchase products. Insurance policy or Medicare data lets fraudsters make false claims or get access to prescription medication. Email addresses are used for phishing schemes. According to Robert Lord, President and Co-founder of Protenus, “The medical record is the most comprehensive record about the identity of a person that exists today.”

An additional complicating factor is that confidential patient data must often be accessible to several medical professionals, both on-site and remotely, and through different devices – computer, laptop, tablet, or phone. Security may take a back seat to expediency when life-altering decisions are being made. It should also be noted that healthcare data breaches cost organizations $408 per record – the highest of any industry and nearly three times higher than the cross-industry average.

WE KNOW THE SYMPTOMS, BUT WHAT ARE THE CAUSES?
On average, healthcare organizations spend half as much on cybersecurity as other industries. Up until about five years ago, there was very little concern about the threats inherent in connected devices that integrate components and software from various vendors. Nor was there much notice given to legacy equipment not originally intended to send or receive data via the internet.

Electronic Healthcare Records are now the standard for workflow, documentation, and patient information. The attack surface of the health information system expands greatly when mobile devices, medical devices, and applications are permitted to connect to EHRs. Again, not all areas of the medical ecosystem have protected their digital assets well.

TRADITIONAL DEFENSES CAN’T COPE
Unfortunately, traditional cybersecurity measures aren’t built to prevent malware from propagating, because they rely primarily on network and perimeter solutions like gateways, firewalls, intrusion prevention, and anti-virus agents. In other words, these tools focus on identifying symptoms rather than on addressing the underlying causes. While established tools have worked for decades on known attack types, their effectiveness continues to diminish against motivated adversaries skilled in designing new types of exploits. Detection offers no protection in cases where the supply chain itself is compromised, such as in file-less attacks like memory corruption exploits, stack and heap attacks, zero-day attacks or return-oriented programming (ROP) chain attacks. It should also be noted that many of these current solutions simply aren’t applicable in the medical environment.

CYBERHARDENING WORKS AGAINST EXPLOITATION OF VULNERABILITIES
Memory corruption attacks try to trick a software program into running attacker-provided code, instead of programmer-written code. For this to work, the attacker must find vulnerabilities in the software binary code that allow the injection of code and/or the redirection of execution.

One of the latest and most effective means to reduce risk is to cyberharden systems using Runtime Application Self-Protection (RASP) technology, which prevents exploits from executing and from spreading across multiple devices and networks. RASP hardens software binaries by using techniques such as binary stirring, control flow integrity and stack frame randomization. The process ensures that attackers can’t calculate in advance how to successfully execute their code. This can prevent an entire class of malware attacks related to buffer overflows.

RASP uses runtime instrumentation to detect and block attacks via information from inside the running software. It differs from perimeter-based protection like firewalls, which can only detect and block attacks by using network information without context. When a threat is detected, RASP prevents exploitation and execution. In other words, it denies malware the uniformity required to propagate.
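The "uniformity" point can be seen in a small simulation, added here as an illustration and not taken from the article or from any vendor's product. It models a stack frame as a byte array (all names, constants and the padding scheme are assumptions of the model) and sends one input, computed in advance for the unrandomized layout, to 1,000 modelled devices with and without per-device frame padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* All names and constants below are constructed for this model. */
#define BUF_LEN   16                      /* modelled fixed-size buffer */
#define PAD_SLOTS 16                      /* possible paddings: 0,4,...,60 bytes */
#define FRAME_LEN (BUF_LEN + 4 * PAD_SLOTS + sizeof(uint32_t))
#define LEGIT_RET 0x1000u                 /* programmer-written return target */
#define EVIL_RET  0x6666u                 /* attacker-chosen target */
typedef struct { uint8_t frame[FRAME_LEN]; size_t pad; } device_t;

/* Deterministic LCG so every run builds the same fleet. */
static uint32_t lcg(uint32_t *s) { *s = *s * 1664525u + 1013904223u; return *s >> 16; }

/* Layout: buffer at offset 0, then `pad` bytes, then the saved return slot. */
static void device_init(device_t *d, size_t pad) {
    uint32_t ret = LEGIT_RET;
    memset(d->frame, 0, sizeof d->frame);
    d->pad = pad;
    memcpy(d->frame + BUF_LEN + pad, &ret, sizeof ret);
}

/* Unchecked copy into the buffer; returns where the device would return to. */
static uint32_t device_receive(device_t *d, const uint8_t *msg, size_t len) {
    uint32_t ret;
    if (len > FRAME_LEN) len = FRAME_LEN; /* keep the model itself in bounds */
    memcpy(d->frame, msg, len);
    memcpy(&ret, d->frame + BUF_LEN + d->pad, sizeof ret);
    return ret;
}

/* One input, computed in advance for pad == 0, sent to n devices. */
static int redirected_count(int n, int randomize, uint32_t seed) {
    uint8_t msg[BUF_LEN + sizeof(uint32_t)];
    uint32_t evil = EVIL_RET;
    int hits = 0;
    memset(msg, 'A', BUF_LEN);
    memcpy(msg + BUF_LEN, &evil, sizeof evil);
    for (int i = 0; i < n; i++) {
        device_t d;
        device_init(&d, randomize ? 4 * (lcg(&seed) % PAD_SLOTS) : 0);
        if (device_receive(&d, msg, sizeof msg) == EVIL_RET) hits++;
    }
    return hits;
}
int main(void) {
    printf("uniform %d, randomized %d of 1000\n", redirected_count(1000, 0, 1), redirected_count(1000, 1, 1));
    return 0;
}
```

In the uniform fleet the same input redirects every device; with 16 possible paddings it lands on the return slot only where a device happens to draw zero padding. On a real system a misaligned write would typically crash the process rather than leave it untouched, which the model does not represent.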

RASP is easy to implement and requires no new investment, software, services or hardware, and only a one-time transformation with limited overhead. Potentially vulnerable code is protected against an entire class of attacks. It doesn’t require access to source code and isn’t dependent on the compiler or operating system. There are no alerts to monitor, and RASP is remotely deployable, as binary code can be cyberhardened via API. It’s far superior to “rip and replace.”

PROTECT PATIENT PRIVACY AND TREATMENT
SonicWall Capture Labs recorded a total of 5.99 billion malware attacks during the first half of 2018, a greater than 100% increase over the same period in 2017. A good number of these targeted the medical community, as previously noted. If you assume (as you should) that a hacker will make it past all traditional security layers, what’s left to protect the healthcare infrastructure? If the hacker gets access to an EMR server or remote control of a medical device, what is there to prevent major damage? Cyberhardening with techniques like RASP can be the last layer of defense protecting highly sensitive medical and personal information.

Lisa Silverman is the vice president of marketing at RunSafe Security, a provider of cyberhardening technology for industrial control systems and embedded systems and devices.

© Copyright ASC COMMUNICATIONS 2018.