Mike Murray is founder and CEO of Scope Security. Previously a security leader at GE Healthcare, Murray founded Scope to focus on protecting medical devices and networks. He spoke at HIMSS21 on the subject, and also organized a panel with the FDA at the recent DefCon hacking event on the contentious issue of patching medical devices.
Healthcare IT News spoke with Murray recently to discuss the healthcare security environment – medical device security in particular – and what 2022 holds in store for cybersecurity.
Q. Please describe how you see the hospital and health system IT environment today, especially with regard to the security of computers and medical devices.
A. Traditional IT-oriented businesses (for example, banks, payers, startups) have a single-technology environment. All of their systems are general multi-purpose computers that perform traditional IT functions.
However, while a hospital or health system has to manage a traditional IT environment like any other business, they face additional difficulty with two more environments: clinical technologies involved in delivering care and the modern electronic health records system and its associated technologies. Each presents its own unique security challenges for the modern healthcare-provider organization.
Hospitals have the same traditional IT technologies (for example, laptops, switches, routers, servers, etc.) that other verticals have, and securing those assets is similar to how that happens everywhere. But Scope’s research shows that, for a given revenue level, healthcare organizations have about 10 times fewer security staff members than a traditional financial services organization.
So, if you have a security tool that sends out 100 alerts a week, a hospital’s team will be overwhelmed at the tenth alert.
Clinical technologies – medical devices and all of the technologies involved in delivering care – have well-known challenges. Regulations and manufacturer contracts restrict the ability to deploy IT-style security controls on these devices.
And these devices’ long useful life (up to 25 years in some cases) leads to a significant population of legacy equipment (more than 75% of devices in use today are on operating systems like Windows XP and Windows 7 that no longer receive patches). No regulation requires that these devices are easily monitored by traditional security technologies, which leaves them as fertile targets for hackers to hide in a healthcare environment while they perform reconnaissance and evade detection.
The third environment encompasses massive EHR systems that hospitals have come to depend on and all of the infrastructure involved in using them (for example, patient portals, interface engines, etc.). These technologies hold the key information assets of the hospital, and, because of a lack of regulation, publish no information about vulnerabilities or how to detect attacks against them. Consequently, most modern security products have no way of understanding how to protect these systems.
These challenges are unique to healthcare environments and create headwinds that have led to the security issues we see in modern hospital and care delivery environments today.
Q. You believe healthcare does not invest enough to secure medical devices versus computers. What is the problem here, from your point of view? How can it be resolved?
A. It’s not that healthcare doesn’t invest enough in security: Given the profit margins and budgets in healthcare delivery, the industry spends what it is able to. Unfortunately, that spending is misaligned with the actual challenge.
When I look at a health system network, more than 50% of devices are either clinical technology or related to the storage and movement of EHRs. And yet, nearly 100% of security spending is on the IT systems and infrastructure.
Unfortunately, it’s not the health systems’ fault. Even if they wanted to align their spend to better protect clinical and EHR systems, they are hampered from the start with generalist security solutions that focus exclusively on IT systems and ignore all of the medical infrastructure. That leaves them unprotected on more than half of their infrastructure, because the security industry simply doesn’t build to solve their problems.
As a simple illustration, the leading EHR vendors have released numerous security patches and upgrades over the past few years. Because those vendors haven’t worked with the security community (and the security community doesn’t focus on them), most security products know nothing about the vulnerabilities and security patches in those vendors’ products.
This means that if an attacker is going after your Epic, Cerner, etc. system, none of the major security vendors on the market today will be able to detect and stop those attacks.
And it’s not going to get better. I recently was talking to a leader at a major security vendor, and when I asked about their future plans for coverage of attacks against medical technologies, his response was: “Mike, I don’t have the time and resources to get Windows right. We’re never going to get around to GE, Phillips, Epic and Cerner.”
It’s an old cliché in security that you can’t stop the attacks you can’t see. When their security controls cover less than half of the systems in the network, the hospital security team is fighting with one hand tied behind its back.
Q. How should healthcare CISOs and CIOs go about tackling the big issue of medical device patching?
A. The short answer from everyone I’ve talked to is: They’re not. We could talk forever about the challenges of patching and FDA regulation, but I just don’t believe we’re ever going to patch our way out of the problem.
One of the main reasons for this is the statistic I quoted earlier, that more than 75% of medical devices in use today are running outdated operating systems (for example, Windows XP, Windows 7, old versions of Linux) that vendors no longer patch – even if you’re a medical device manufacturer that wants to be responsible and put out patches for everything, and often you can’t patch Microsoft’s products unless Microsoft gives you the patch.
This leads to hospitals and health systems either taking the risk with these devices, limiting their functionality or availability, or undertaking incredible amounts of capital expenditures to replace the devices.
There’s a better way. A strong security-monitoring program designed specifically to understand how to monitor those devices can extend the useful life, while maintaining risk, even in the absence of patching. Use this suite of tools to protect the 75% of medical devices that aren’t patchable to complement patching. An effective monitoring program can also reduce the urgency of applying patches to thousands of devices, which can keep the biomedical team happy as well.
To use an analogy, suppose you had a door that you couldn’t lock on your house. Today, most health system security solutions involve either tearing down and rebuilding the house or locking the door by putting up concrete in front of it. I’m suggesting that a strong burglar alarm system on that door will let you live with an acceptable level of risk rather than replacing the entire house.
Q. What are the top couple of healthcare cybersecurity issues going forward into 2022?
A. The common theme in healthcare security is the lack of system-wide visibility, which has made hospitals the perfect place for attackers of all types to hide, whether for ransomware, theft of data and patient records, or anything else.
Ransomware has been the most discussed threat, but that is often because ransomware is one of the very few attack patterns that detects itself. You only pay a ransom once the attackers shut down your systems and announce themselves.
While it is important to build a security strategy to deter and stop ransomware, the far scarier attacks are the ones that stay quiet forever. Security leaders in healthcare need specialized tools to detect all of those invisible attackers hiding inside of their EHR system or on legacy medical devices as they steal patient data and other important information assets. If they do a good job of that, they will detect ransomware attackers in the process.
While hospital ransomware has captured headlines this past year, healthcare IT leaders should avoid focusing only on these attacks. Tunnel vision leads to a security strategy that relies on that specific attack pattern. A strong detection and response program designed to detect all attackers early and often is the real goal.