Baber Amin, CTO Office, Ping Identity, discusses how Zero Trust and its granular consent-based authorisation can help healthcare secure itself and seize important innovations in treatment based on real-time information sharing.
Hospitals and medical centres tend to privilege one key attribute in IT: access. At any one time, patient data, medical records, schedules, email and everything else is flying from one part of an organisation to the other. And in this environment it matters even more, because the speed at which a medical professional can get access to that information could impinge directly on the health and safety of a patient.
And because the health sector was largely disconnected from the wider online world, we could rely on that attribute. Not anymore.
The medical field is connecting itself. In recent years, the healthcare sector has largely taken up Electronic Health Records (EHRs) as a replacement for pen and paper records. To boot, legacy systems and devices which were never intended to be networked are now being connected and opened to a whole array of online threats.
There are plenty of disciplines and fields undergoing similar transformations. With the rise of the Internet of Things (IoT), industries which once only had to worry about IT doing its job effectively are now being forced to change their perspective. Take critical infrastructure – there are plenty of energy facilities that were designed to protect against failures and accidents but never attacks. In fairness, they never had to – many such facilities were completely air gapped from the outside world and for a long time, their primary concern was whether the computers could do their job and whether there were appropriate physical security controls in place.
Now, Digital Transformation is forcing those devices to connect to a world that is riddled with threats and cybercriminals looking to make their fortune or just cause disruption.
Medicine is not just being forced to reckon with the cyberthreats that for so long stayed away; it is also on the verge of its own digital revolution, which promises to transform the state of medical technology – but which, if handled poorly, could spell disaster.
IoT has found a rich vein in medicine. And everything from insulin pens to cancer monitoring systems to inhalers to ingestible sensors to contact lenses will soon be connected into great glimmering endpoint-ridden medical networks – providing better information to healthcare providers and improving patient care. That is, if they can secure them.
Not that those potentially catastrophic security incidents weren’t already a threat. The last few years have shown the immense cybercriminal appetite for attacking medical targets. The reasons are not hard to decode: hospitals groan with medical data; medical data is extremely personal and fetches a high price on the black market; medical organisations often think of access first and security a distant second; a service outage at a hospital can create life-threatening institutional paralysis; and, set against mass harm to human health, it can seem as though there is no ransom not worth paying.
These kinds of attacks have become popular in recent years. An early example came in 2016 when the Hollywood Presbyterian Medical Centre handed over US$17,000 to hackers who locked up the centre’s IT systems.
The largest example to date is the WannaCry attack on the UK’s National Health Service. Though only part of a global assault, the attacks managed to shut down 42 separate NHS Trusts. The ransomware forced hospitals to turn away patients, cancel 19,000 appointments and eventually cost the UK government nearly £100 million.
Still, even lessons as powerful as WannaCry can be hard to learn. A 2018 report from the UK Parliament revealed that the 200 medical facilities checked in the wake of the attacks failed their cybersecurity tests.
Introducing IoT-enabled devices into an already lucratively insecure environment merely increases the attack surface and provides creative new ways to make money.
While the cybercriminal imagination in this area is likely dreaming up all kinds of new ways to exploit this, the same problems keep rearing their heads.
Medical cybersecurity often privileges the protection of patient privacy – a noble aim, but one that cannot cover all the security concerns of the technology now being used. Privacy alone is no longer enough.
The risks to medical technology are specific, but they are not unique. In fact, they are representative of a larger problem within cybersecurity which is less a question of products or devices than it is a question of mindset.
To use an admittedly tired analogy, the castle walls can no longer hold. The traditional security mindset is no longer keeping pace with the reality of today’s threat landscape.
For many years now, the castle-and-moat concept has been the reigning idea about how to protect a network, embodied in tools like perimeter security and macro authentication. The castle walls will protect the network and with enough fortification, any assault on the outside walls will be rebuffed, hopefully.
Getting through the walls is not the primary aim of a cybercriminal; getting at what’s inside is. And they’ll do whatever they have to, to get at it.
Cybercriminals have become extremely good at making their way past perimeter defences undetected. Once inside, because their victims rely so heavily on perimeter defences, attackers often have free roam of the network – they can start lateral movement and edge ever closer to the critical systems and data that they’re after.
Furthermore, it has become easier for them to do so. The changing nature of the perimeter has meant that we can no longer draw a ring around the data centre and be satisfied with protecting that. The cold hard facts of BYOD, cloud computing and other innovations that take data out of the castle have provided access vulnerabilities which make it far easier to penetrate a network, especially when organisations have not done the necessary homework to police that access.
So if, for example, a misconfigured database or an unpatchable sensor gets compromised, it could mean trouble for the entire network. Zero Trust aims to create strategies which cannot be undone by a single oversight.
Zero Trust is a concept that has become popular in recent years. First conceived by Forrester, Zero Trust demolishes the castle walls on which we have so long relied – not because it wants to stop protecting, but because it wants to protect what’s inside.
Building on previous concepts, like the principle of least privilege and defence in depth, Zero Trust does not implicitly trust anything. Any system, device or user that wants to connect to a resource must first be verified and trusted before it gets to connect to anything.
Medical environments, especially ones leveraging IoT, will be filled with endpoints, devices, systems and connections all needing to communicate. As important as speedy access to those things is, it has to happen securely and at the level of the individual resource.
With an ephemeral perimeter based on task-level identification, as opposed to some increasingly arbitrary basis, resources can be protected individually, with access granted according to each one's own level of risk. Each can be protected according to the risks against it. The level of authentication required to access it can be set the same way.
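A minimal sketch of the per-resource decision described above, added here as an illustration and not taken from the article or from any Ping Identity product: every request is denied unless a policy for that specific resource is satisfied, and each resource sets its own roles, consent requirement and minimum authentication level. The resource names, roles, authentication scale, consent register and the `decide` function are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical authentication assurance scale, lowest to highest.
AUTH_LEVELS = {"none": 0, "password": 1, "mfa": 2}

# Constructed policy: each resource states its own roles, consent rule and
# minimum authentication level, reflecting its own level of risk.
POLICY = {
    "ward-schedule": {"roles": {"nurse", "clinician"}, "consent": False, "min_auth": "password"},
    "patient-record": {"roles": {"nurse", "clinician"}, "consent": True, "min_auth": "mfa"},
    "insulin-pump-dose": {"roles": {"clinician"}, "consent": True, "min_auth": "mfa"},
}

# Constructed consent register: (patient, subject) pairs the patient has approved.
CONSENTS = {("p-17", "dr-lee")}

@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    auth: str
    device_verified: bool
    resource: str
    patient: Optional[str] = None

def decide(req, consents=CONSENTS):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    rule = POLICY.get(req.resource)
    if rule is None:                      # nothing is trusted implicitly
        return "deny", "no policy for resource"
    if not req.device_verified:           # the device is verified, not just the user
        return "deny", "device not verified"
    if req.role not in rule["roles"]:
        return "deny", "role not permitted"
    if rule["consent"] and (req.patient, req.subject) not in consents:
        return "deny", "no patient consent on record"
    if AUTH_LEVELS.get(req.auth, 0) < AUTH_LEVELS[rule["min_auth"]]:
        return "step_up", "requires " + rule["min_auth"]
    return "allow", "policy satisfied"

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("dr-lee", "clinician", "mfa", True, "patient-record", "p-17"),
        Request("dr-lee", "clinician", "password", True, "patient-record", "p-17"),
        Request("nurse-kim", "nurse", "mfa", True, "patient-record", "p-17"),
        Request("dr-lee", "clinician", "mfa", False, "ward-schedule"),
        Request("dr-lee", "clinician", "mfa", True, "lab-results", "p-17"),
    ]
    for r in samples:
        print(r.subject, r.resource, decide(r))
```

The `step_up` outcome keeps access fast for low-risk resources while asking for stronger authentication only where the resource's own policy demands it.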
As the world is joined up through the inescapable march of technological innovation, it’s important that we take a step back. One fatal mistake of embracing IoT is seizing that promise of innovation without thinking about how quickly technology can morph from a blessing to a curse.
Healthcare professionals realise this. In the 2017 Internet of Health Things survey, a majority of those surveyed identified three top barriers for IoT adoption in the health sector: privacy concerns, security concerns and legacy system integration.
The health sector’s experience is not a unique one, but it does stand to gain and possibly lose more than many of the industries undergoing the same process. The technology is changing and we can no longer build high enough walls to contain it. We have to find ways to build around it, not against it.