Posted by: adelvecchio
Black Hat 2014, healthcare security, Medical devices, VDI
Guest post by Mac McMillan, CEO of CynergisTek, Inc.
I’ve recently read several blogs and other pieces in the press proffering the theme that the healthcare industry somehow dodged a bullet at this year’s hacker conferences. If you believe that then you don’t really understand the healthcare IT landscape.
I agree there did not seem to be much focus on medical device security compared to years past, when the hacks of implanted cardiac defibrillators and insulin pumps helped raise the visibility of patient safety. Still, there wasn’t much presented at Black Hat 2014 that won’t be an issue for healthcare. I would have liked for the folks at Black Hat to have kept pressure on medical device security because it is one issue that both providers and consumers need to see resolved.
Healthcare is an industry that is absolutely reliant on its systems and networks. Nearly all processes in hospitals today are automated or supported by some form of technology. More than 95% of patient information is digitized, and just like businesses in many other industries, healthcare providers’ operations hinge on complex interdependencies with supply chain vendors that rely on the Internet, software as a service, hosted services, cloud solutions and more. So, if you understand healthcare, you know that almost everything that went on at Black Hat applies to healthcare in some way. Let’s look at some of the highlights.
Researchers at this year’s Black Hat conference exposed weaknesses in Google Glass that could allow a hacker to capture passwords. Last time I checked we have physicians walking around some of our hospitals testing these newfangled spectacles to learn how they can be used to support care delivery. These glasses can capture patient information directly, presenting privacy and security challenges. Understanding any security issues associated with these devices is absolutely relevant to healthcare. As with any new device, we must fully explore how it can assist or improve the doctor-patient experience. We must also be sure to make any new technology safe to use by evaluating both its capabilities and associated risks.
Another session presented a new method of anonymously performing screen scraping of information with virtual desktop infrastructure (VDI) technology. Not relevant to healthcare? Think again. Many healthcare entities are turning to virtual solutions to reduce the risk of compromising patient information. Many have completed or are in the process of VDI implementations. So threats to VDI are absolutely relevant to healthcare. We are going to see more and more virtualization in the healthcare space as entities identify the risk of desktops. Again, understanding these risks is important and Black Hat provided — if nothing else — a reminder that any technology is exploitable. Presentations at the event also showed that hackers are still out there, and it’s important to be aware of their presence. VDI is no exception.
I can go on and on, and talk about the sessions that discussed compromising Active Directory through Kerberos, USB controller chip flaws, free cloud botnets, mobile device management solution weaknesses, or a host of other topics. But why bother, no one in healthcare uses these technologies. We’re still using cans and strings. This reminds me of a conversation I had with a CISO at a hospital this past week that highlighted how narrow some people’s vision is with respect to security issues. It dealt with medical device security and the fears that some healthcare professionals have — worries that most outside of the IT department totally miss.
As I said earlier, the headlines are always about devices and their potential for harming patients, because that’s what gets people’s attention. The real problem is with insecure medical devices; those running a version of Windows XP susceptible to a zero-day hack, for instance, deployed by the hundreds in hospital networks today — the same networks that also hold EHR, radiology, laboratory and financial systems, etc. All of those would be at risk if a hacker were to work their way onto that network and launch an attack. This would harm the whole network and possibly put the hospital through the embarrassment of being used to hack others. Finally, it would inadvertently affect the patients connected to or relying on the hospital’s devices.
So were the sessions presented at Black Hat this year relevant to healthcare? You bet they were, even if not directly relevant in some cases. Indirectly, they were a reminder that diligence in maintaining awareness and keeping up with what’s going on in the security world is important to understanding risk.