Posted by Jim Hartnett on June 23, 2017
Software security and healthcare industry professionals operate at opposite ends of the spectrum. Security aims to maintain a secret. Healthcare aims to discover one.
Doctors operate under the theory that a medical professional should be able to swiftly access the information they’re seeking. Security experts insist upon verifying the actions of those performing sensitive tasks. While these mindsets are opposite, opposites often attract.
The recent strain of ransomware that exploded into the media’s focus, WannaCry, proved devastating for a multitude of healthcare facilities. While the healthcare industry wasn’t the target per se, it was deeply affected. The ransomware did target those with unpatched infrastructures.
Healthcare facilities are full of vulnerable systems. The machinery is often expensive. There is also often a lack of updates from the vendor. Additionally, systems are rarely brought down for updates for fear that the information stored within the machine will require urgent access on behalf of the medical team. What’s more, passwords are commonly written on terminals so access is immediately available in the event of an emergency.
Practices such as these are sure to raise the blood pressure of security experts. However, medical teams didn’t implement these practices for any other reason than to best serve patients. In a situation where a patient’s life is on the line, is it better to ensure the security of the data on a machine, making it more complex and time-consuming to access? Or is it better to have sensitive information at your fingertips?
Well, a better solution is to build a comprehensive understanding of both sides of the situation, and from there find a compromise that optimizes security while still providing ease of access for those in the medical field.
Mitigating vulnerabilities, rather than resolving them on a technical level, is an acceptable practice in certain situations. It all comes down to risk. The impact of an attack must balance the loss of function or cost to maintain. That cost doesn’t have to hold a monetary value. It can also be something along the lines of a patient requiring Emergency Room care.
The first assets to mitigate are the systems that cannot be ignored, such as life support and Emergency Room equipment. A good practice is to ensure that there is enough equipment on hand to cycle out units for updating. Given that equipment also requires sterilization after use, this is a good time to also run updates.
If equipment is no longer supported, but it’s also not readily replaceable, consider isolation. Use either a separate physical network or VLANs. Isolate the equipment from the electronic medical records (EMR) systems and general workstations. Implement similar processes in the progressively less critical systems such as prescription disbursement machines and non-ER diagnostic imaging equipment.
Medical records systems and workstations, such as crash carts, pose a bigger challenge. These machines can run similar (and some of the same) programs as Windows machines. They have access to EMR systems for pulling patient data as needed. Due to their general-use nature, they can pull data from a variety of sources. Therefore, they carry a larger risk of running malware.
Ransomware, such as WannaCry, is particularly troublesome when it can encounter share drives. It can spread to computers via protocols such as Server Message Block (SMB). Mitigating this issue varies between workstations. Understand that the most important priority is ensuring the Principle of Least Privilege. Using a crash cart to access an EMR portal is acceptable use. That EMR system would have to present a readily exploitable service to infected workstations to lead to compromise.
If the same EMR system stores shareable data that the workstation can write to, it’s possible that malware can also write directly to the disk, damaging records. EMR systems have protocols available for pulling a variety of data forms. Enforcing EMR system access via its intended service, and cutting off share access, is a good start to prevent record tampering.
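The isolation and share-access guidance above can be checked mechanically against a network allow list. The following Python example is added here and is not from the original post; it audits a constructed set of segment-to-segment rules, and the segment names, the HTTPS port assumed for the EMR portal, and the sample rules are all assumptions.

```python
"""Audit a segment-to-segment allow list against the isolation guidance above."""
from dataclasses import dataclass

SMB_PORTS = {139, 445}      # NetBIOS session service and SMB over TCP
EMR_SERVICE_PORTS = {443}   # assumption: the EMR portal is served over HTTPS


@dataclass(frozen=True)
class Rule:
    src: str       # source segment name (hypothetical)
    dst: str       # destination segment name (hypothetical)
    ports: range   # allowed TCP destination ports, as range(first, last + 1)


def audit(rules, isolated=("legacy_devices",)):
    """Return (rule, reason) pairs for every rule that breaks the policy."""
    findings = []
    for r in rules:
        ports = set(r.ports)
        # Unsupported equipment may only talk inside its own segment.
        if r.src in isolated or r.dst in isolated:
            if r.src != r.dst:
                findings.append((r, "traffic crosses the isolated segment boundary"))
            continue
        if r.src == "workstations" and r.dst == "emr":
            if ports & SMB_PORTS:
                findings.append((r, "workstations can reach EMR file shares over SMB"))
            elif not ports <= EMR_SERVICE_PORTS:
                findings.append((r, "EMR reachable on ports other than its intended service"))
        elif r.src == r.dst == "workstations" and ports & SMB_PORTS:
            findings.append((r, "SMB between workstations allows lateral spread"))
    return findings


# Constructed sample policy, not taken from any real network.
SAMPLE_RULES = [
    Rule("workstations", "emr", range(443, 444)),            # intended service
    Rule("workstations", "emr", range(445, 446)),            # share access
    Rule("workstations", "emr", range(3389, 3390)),          # extra service
    Rule("legacy_devices", "emr", range(104, 105)),          # breaks isolation
    Rule("workstations", "workstations", range(135, 446)),   # includes 139 and 445
    Rule("legacy_devices", "legacy_devices", range(104, 105)),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        last = rule.ports.stop - 1
        print(f"{rule.src} -> {rule.dst} tcp/{rule.ports.start}-{last}: {reason}")
```
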
Healthcare organizations must ensure that least privilege is enforced at all costs. The toll on operations can escalate quickly, as we saw with the recent WannaCry ransomware attack. The use of isolation controls can further prevent the spread of malware between sensitive systems. Meanwhile, it’s also critical to give healthcare providers access to the systems they require, even if the manufacturer doesn’t secure them by default.
The healthcare industry is an increasingly critical space as networking amongst medical systems has grown quickly over the years. Security has taken a backseat for far too long. It’s time to be proactive and change that.