Vulnerabilities are an intractable part of the cyber security landscape. As long as healthcare organizations rely on computer hardware and software, security flaws will be found and exploited.
The vast majority of vulnerabilities (99%) leveraged in cyber attacks are publicly known beforehand. This fact should ring alarms for every healthcare IT professional.
A solid and consistent patch management process – designed to discover, prioritize, and fix or mitigate these flaws – is critical to preventing successful attacks.
Zero-day vulnerabilities – those that are not publicly known before they are exploited in an attack – are rare. They make great headlines, but they are expected to play a role in less than 0.1% of cyber attacks through 2020 (outside of sensitive government organizations), according to Gartner.
A survey of more than 600 IT professionals in healthcare, conducted by Ponemon and published in March 2018*, found:
- 71% experienced a security incident in the prior 12 months attributed to an exploit of a software vulnerability more than three months old.
- 66% experienced an incident in the same period attributed to a vulnerability less than three months old. This was the third-most common driver of security incidents found in the report.
Exploitation of old security vulnerabilities was the most widely cited cause for security incidents in the survey.
Clearly, many healthcare organizations need to improve their practices for patch management and vulnerability mitigation.
Vulnerabilities vs. Reality
Unfortunately, no simple answer exists to solve the widespread problem of unpatched legacy devices.
The diversity of systems in healthcare environments, the rapid adoption of digital technology and electronic health records, and other factors have outpaced the ability of most IT departments to secure the network and maintain systems.
Resource constraints also contribute to the problem.
For example, an MRI machine can cost up to $3 million. The devices are often network-enabled and paired with a control PC. If a vulnerability is discovered in the machine and no patch exists, then the organization will likely tolerate the flaw and perhaps mitigate or ignore it long before the system is replaced.
The burden falls on the IT staff to “make it work,” perhaps by isolating the system on the network and tightening access controls.
However, even these mitigations can encounter constraints. Medical environments – and hospitals in particular – rely on fast and easy access to data to improve patient outcomes. This can pressure IT departments to “loosen” security controls and ease constraints, potentially elevating the risk of data breach.
A balance between security and convenience must be struck in all organizations, and in all industries, but the unique circumstances in healthcare can make the balance especially difficult to maintain.
These factors and others help to explain why healthcare organizations continue to rely on outdated systems known to have severe security flaws.
An Infoblox survey, published in July 2017, polled 305 healthcare IT professionals in the US and UK and found:
- 22% had systems running Windows 7, which was originally released in 2009. Windows 10 was released in 2015.
- 20% had systems running Windows XP, which reached end-of-life and stopped receiving routine patches in 2014.
Medical device security
Vulnerabilities discovered in medical devices – such as CT scanners, pacemakers, and drug infusion pumps – are a growing concern to healthcare professionals, and even lawmakers.
More than half (55%) of health IT security professionals said medical device security is not part of their overall cyber security strategy, according to the Ponemon study*.
Thankfully, within this group, 62% expect to address the problem in the next 12 months. Time will tell if the plans come to fruition.
When asked to select their greatest concern with medical device security, 39% of healthcare IT security professionals cited patient safety. That’s even greater than the number who chose data breach (26%) and the internal spread of malware (14%) as their primary concern, according to the 2018 HIMSS Cybersecurity Survey.
While some devices can be updated or replaced, this is not always the case. In the Infoblox survey, 15% of healthcare IT professionals said they either cannot update these systems or are unsure if they can.
In organizations with more than 500 employees, the figure jumped to 26%.
Thankfully, it’s not all bad news. For IT professionals who are able to update the devices, 57% of them patch at least once per week.
Networks are often so broad and diverse that IT staff cannot update and maintain every system on a regular basis. Instead, patches must be prioritized, based on attributes such as the system’s function, the data it handles, its exposure to external threats, the severity of vulnerabilities addressed in the patch, and other factors.
While a great deal of emphasis is often placed on breach prevention, limiting the scope of a successful breach should also remain a priority. A ransomware infection on a single workstation is of far less concern than one on a critical server.
In a study of 215 data breaches at U.S. hospitals between 2009 and 2016, researchers found that only 4% were breaches of data on a network server. However, those breaches impacted more than 4.6 million records, nearly 70% of all records compromised, according to a Feb. 2018 report by the American Journal of Managed Care.
In the same study, more than five times as many breaches occurred on laptops, yet they impacted a tiny fraction (6%) of all compromised records. This is why organizations must carefully prioritize patching and maintenance.
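The prioritization described above can be made concrete as a scoring pass over an asset inventory. The following is an added illustration, not code from the report or from any vendor it cites: the asset names, record counts, severity scores and weighting factors are constructed assumptions, and the only rule taken from the text is that a device with no available patch falls back to isolation and tighter access control.

```python
"""Patch-prioritization scoring over a constructed healthcare asset inventory.

Added illustration. The weights, asset names, record counts and CVSS-style
severity values are assumptions chosen to show the ranking logic, not figures
from the report.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    function: str            # e.g. "ehr-server", "imaging", "endpoint"
    data_sensitivity: int    # assumed scale: 1 (no PHI) .. 5 (bulk PHI)
    internet_exposed: bool   # reachable from outside the organization
    record_count: int        # patient records reachable through the asset
    vuln_severity: float     # CVSS base score of the worst open flaw, 0..10
    patch_available: bool
    vuln_age_days: int       # days since the flaw became public


def priority_score(a: Asset) -> float:
    """Higher score means patch (or mitigate) sooner.

    Severity and data sensitivity form the base; the number of reachable
    records scales it (a server holding millions of records outweighs one
    laptop); external exposure doubles it; and flaws public for more than
    three months get a bump, since known-but-unpatched flaws drive most
    incidents. All weights are assumptions.
    """
    score = a.vuln_severity * a.data_sensitivity
    score *= 1 + min(a.record_count, 5_000_000) / 1_000_000
    if a.internet_exposed:
        score *= 2
    if a.vuln_age_days > 90:  # older than three months, the survey's cut-off
        score *= 1.25
    return round(score, 2)


def recommend(a: Asset) -> str:
    """Patch when a fix exists; otherwise fall back to isolation and access control."""
    if a.patch_available:
        return "patch"
    return "isolate-and-restrict"


def prioritize(assets):
    """Return (name, score, action) tuples, highest priority first."""
    ranked = sorted(assets, key=priority_score, reverse=True)
    return [(a.name, priority_score(a), recommend(a)) for a in ranked]


# Constructed sample inventory (not real systems or real vulnerability data).
SAMPLE_INVENTORY = [
    Asset("nurse-laptop", "endpoint", 2, False, 50, 7.8, True, 200),
    Asset("mri-control-pc", "imaging", 3, False, 10_000, 8.8, False, 400),
    Asset("ehr-db-server", "ehr-server", 5, False, 4_600_000, 9.8, True, 120),
    Asset("patient-portal-web", "web", 4, True, 200_000, 7.5, True, 30),
]

if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_INVENTORY):
        print(f"{name:20s} {score:8.2f}  {action}")
```

With these weights the EHR database server ranks first and the laptop last, mirroring the breach statistics above, and the MRI control PC, which has no patch, is flagged for isolation rather than patching.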
Misconfiguration can open a security flaw in even the most rock-solid systems. This can cause major data leaks, especially when the system is a public-facing database.
On Jan. 25, 2018, a security researcher discovered a database owned by a Long Island medical practice had been misconfigured and left publicly available.
This revealed the medical information of more than 42,000 patients, including more than 3 million “medical notes” such as a doctor’s observations. Accessing the information required only knowing the server’s IP address.
In March 2018, a nonprofit healthcare conglomerate based in St. Louis notified 33,420 patients affected by a data leak caused by a server misconfiguration. The leak publicly exposed scanned images of patient driver’s licenses, insurance cards, and medical documents.
In April 2018, medical management firm MedWatch notified an undisclosed number of members that their personal information was exposed on search engines for two months in late 2017. The leak was caused by misconfiguration of an online portal.
Proper configuration of network resources is essential to keeping the organization secure.
Spectre and Meltdown
On Jan. 3, 2018, security researchers revealed two security vulnerabilities present in billions of systems worldwide. Known as Spectre and Meltdown, they are among the most widespread data security flaws ever discovered.
In short, the flaws are related to how most modern processors handle data. When exploited, they can allow an attacker to bypass data access controls and steal sensitive data – including data from the kernel or other applications.
When major security flaws are announced, the vendors associated with them often strive to provide clear information and simple patches to address the problem. This was not the case with Spectre and Meltdown.
Regardless of cause, the information available in the days following the announcement was unclear and patches were not immediately available. Some called the response a total train wreck. Many IT professionals were left with major questions and few answers.
Since the chaotic initial days of the announcement, many vendors have issued stable patches. Reports have surfaced of some patches slowing processor performance, which has left many to advise testing them before applying on critical systems.
While the flaws are a major concern across the security industry, statements published by the U.S. Healthcare Cybersecurity and Communications Integration Center (HCCIC) and forwarded by OCR scored the vulnerabilities’ severity level at “2: Medium”.
“The significance of this vulnerability for the Healthcare and Public Health Sector is considered medium due to the fact that local access to the computing device is generally required, and vendors are quickly releasing appropriate software patches to mitigate the hardware vulnerability…”
The patches do have potential to slow down processor performance in limited cases, and organizations should exercise caution and test patches carefully before implementing on high-value assets…”
– Excerpt from HCCIC statement.
HCCIC issued these warnings before vendors such as Dell and Lenovo were forced to recall patches meant to resolve the flaws.
The department published a second statement (Jan. 12, 2018) that clarified the differences between Spectre and Meltdown and provided more technical information and mitigation strategies.
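Because the patch situation was confused for weeks, a practical first step is to verify on each Linux host whether the kernel reports a mitigation as active, rather than assuming a patch was applied. The following added example (not from HCCIC, OCR or any vendor) reads the per-vulnerability status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities and classifies them; the sample status strings are constructed so the script also runs offline, and the classification labels are this example's own.

```python
"""Summarize Spectre/Meltdown mitigation status from Linux sysfs.

Added example. Linux kernels 4.15+ expose one file per known CPU flaw under
/sys/devices/system/cpu/vulnerabilities, each holding a line that starts with
"Not affected", "Mitigation:", "Vulnerable" or (newer kernels) "Unknown:".
The sample strings below are constructed in that format for offline use.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status_line: str) -> str:
    """Map a kernel status line to one of four labels used by this example."""
    s = status_line.strip().lower()
    if s.startswith("not affected"):
        return "not-affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses: dict) -> dict:
    """Classify every entry and list the ones that still need attention."""
    classified = {name: classify(line) for name, line in statuses.items()}
    needs_action = sorted(
        name for name, label in classified.items()
        if label in ("vulnerable", "unknown")
    )
    return {"status": classified, "needs_action": needs_action}


def read_sysfs(base: Path = SYSFS_DIR) -> dict:
    """Read the live status files; empty dict on non-Linux or older kernels."""
    if not base.is_dir():
        return {}
    return {p.name: p.read_text() for p in base.iterdir() if p.is_file()}


# Constructed sample, in the kernel's format (not output from a real host).
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: retpoline only (constructed sample)\n",
    "l1tf": "Not affected\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample"
    report = summarize(live or SAMPLE_STATUSES)
    print(f"Source: {source}")
    for name, label in sorted(report["status"].items()):
        print(f"  {name:24s} {label}")
    print("Needs action:", ", ".join(report["needs_action"]) or "none")
```

Run it as part of a pre- and post-patch check: a host whose "needs_action" list is non-empty after the vendor patch has been applied is a candidate for the kind of careful testing the HCCIC statement recommends before trusting the fix on a high-value asset.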
* Note: the Ponemon report, “The State of Cybersecurity in Healthcare Organizations in 2018,” is no longer publicly available.