Is the CIA Triad Being Weakened by a Myopic Focus on One Side?
The triangle is widely regarded as the strongest geometric shape. It is the only two-dimensional polygon that, if constructed of rigid members with hinged corners, is absolutely fixed in shape up to the compressive and tensile limits of its members.
The same is true for cybersecurity where Confidentiality, Integrity and Availability combine to form the CIA triangle or 'triad' as it is also known, which has become the established foundation of data protection and cyber risk management.
Confidentiality, Integrity and Availability
A myopic focus upon securing 'confidentiality' over the past 20 years has, I would argue, weakened the integral strength of the CIA triangle, thanks largely to increased regulatory privacy compliance across healthcare. HIPAA, PDPA, APA, GDPR, and a heap of other regulations ensure that scarce security resources are focused upon meeting the checkbox mentality of healthcare and privacy compliance rather than on actual risks: risks to the confidentiality, integrity and availability of health data and systems and, most importantly, risks to patient safety.
This was the basis for my presentation to the HIMSS Singapore eHealth and Health 2.0 Summit last week, where healthcare providers in Singapore face similar security problems to hospitals in Europe, Australia and North America, and where the advanced persistent cyber attack against SingHealth last year should be seen as a wake-up call for governments and healthcare providers across the entire region of the need for improved security across healthcare.
The ASEAN region, according to CIO Magazine, with its dynamic position as one of the fastest growing digital economies in the world, has become a prime target for cyber-attacks, accounting for 35.9% of all cyber attacks globally in 2017. The targeted attack against SingHealth is perhaps a wake-up call for the region to do a better job of securing the Confidentiality, Integrity and Availability (CIA) of its healthcare and other critical services.
But the risks impacting healthcare are way more nefarious than just the disclosure of confidential patient information. Far more worrying is the threat to the integrity of health records and other clinical data, and the availability of HIT systems needed to treat patients.
What happens when a patient's blood type, allergies or past treatment records are altered by a hacker?
What happens when a ransomware attack locks up all Health IT systems as it did to many hospitals in the British NHS with the WannaCry attack?
Patient Care suffers and Patient Safety is placed at risk
Medical devices and other Healthcare IoT (HIoT) are proliferating and already outnumber traditional computing systems. Compound growth in medical devices has reached 20% per year by some estimates. Furthermore, most are now connected to hospital networks and talk directly to core HIT systems like the Electronic Health Record. Hackers know this and have used the fact that HIoT systems are by and large unprotected against cyber-attack to launch their infiltration campaigns.
Many legacy medical devices can only connect to hospital WiFi using insecure WEP encryption, which means any teenager with the right tools could gain access to core systems in most unsegmented healthcare networks with little more than a smartphone from a hospital waiting room.
Medical devices and other HIoT systems now pose the single greatest risk to patient safety according to many in the industry because of their lack of inherent security, inability to be patched or secured with AV and host firewalls as even a Windows PC can be, and the fact that they are most often connected to patients.
On-stage demonstrations at security conferences like DefCon, Black Hat, and KiwiCon often feature the hacking of some sort of medical device that, if connected to a real patient, would undoubtedly result in that patient's death. Yet the FDA, device manufacturers, and hospitals all downplay the risks, knowing that devices have a 15 to 20 year lifespan and few, if any, are ever updated with security patches once sold.
The fact of the matter is that we have almost no idea whether, or how many, patients have died as a result of a medical device being hacked. No one currently is required to forensically investigate a failed medical device. Instead, all data is wiped to comply with privacy rules and the device is shipped back to the manufacturer to be re-imaged, tested and put back into circulation. This is a subject I have written about in the past and one perhaps best demonstrated by Doctors Christian Dameff, MD and Jeff Tully, MD from the University of California Health System, in their realistic yet alarming presentation at the RSA Conference last year.
The need to better understand and evaluate risk in this growing sector of healthcare has reached a tipping point, as OCR in the United States starts to ask questions about risk analysis of these devices, many of which are covered under the HIPAA Security Rule. However, healthcare IT and Security teams face several daunting challenges before they can mitigate security risks and chase compliance.
1. In most hospitals, medical devices are owned and managed by Bio-Medical or Clinical Engineering, while other groups, also outside of IT, manage building management and other hospital IoT systems. Consequently, there is limited security visibility, if any at all!
2. An accurate inventory of what HIoT assets are connected to the network is almost impossible to accomplish manually as devices change all the time and manual spreadsheets and traditional IT asset management systems have proven inaccurate.
3. Evaluating the risks of medical devices is difficult since most are connected to patients and cannot be scanned with normal security tools. Larger equipment like X-Ray machines, MRI, CT and PET scanners are in use 24/7 and cannot usually be taken out of service for regular security scans.
4. Inherent weaknesses in some HIoT protocols like DICOM allow a malicious actor to embed weaponized malware into a legitimate image file without detection, as researchers at Cylera Labs discovered recently.
5. Lack of internal network security allows a hacker to intercept and change a PACS image with false information during transmission between a CT scanner and its PACS workstation, adding a tumor to an image or removing one.
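A defensive check for the DICOM weakness in item 4, as an added example that is not from the original post or from Cylera. It assumes the weakness concerns the 128-byte preamble that opens a DICOM Part 10 file, whose content the format leaves to the application; the function name, verdict labels and sample byte strings are constructed for illustration.

```python
PREAMBLE_LEN = 128        # a DICOM Part 10 file opens with a 128-byte preamble
DICM_MAGIC = b"DICM"      # ...followed by this marker at offset 128

# Magic numbers of executable formats that have no business opening an image.
EXECUTABLE_MAGICS = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script interpreter line",
}


def inspect_dicom_preamble(data: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for a byte string claiming to be DICOM.

    Verdicts (labels chosen for this example): not-dicom, reject, review, ok.
    """
    marker = data[PREAMBLE_LEN:PREAMBLE_LEN + len(DICM_MAGIC)]
    if marker != DICM_MAGIC:
        return "not-dicom", "no DICM marker at offset 128"
    preamble = data[:PREAMBLE_LEN]
    for magic, name in EXECUTABLE_MAGICS.items():
        if preamble.startswith(magic):
            return "reject", f"preamble starts with {name} magic"
    if any(preamble):
        # Non-zero preambles have legitimate uses (e.g. dual-format files),
        # so route them to a human instead of blocking outright.
        return "review", "preamble is not all zeros"
    return "ok", "all-zero preamble"


# Constructed sample inputs: headers only, no pixel data and no real payload.
SAMPLES = {
    "clean.dcm": bytes(128) + b"DICM" + b"\x02\x00\x00\x00",
    "pe_magic.dcm": b"MZ" + bytes(126) + b"DICM" + b"\x02\x00\x00\x00",
    "vendor_tag.dcm": b"ACME-EXPORT" + bytes(117) + b"DICM",
    "renamed.jpg": b"\xff\xd8\xff\xe0" + bytes(200),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, reason = inspect_dicom_preamble(blob)
        print(f"{name:15} {verdict:10} {reason}")
```

A check like this belongs at the points where image files enter or leave the PACS (import gateways, e-mail and removable-media ingestion), since the file still opens as a valid image in a viewer.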
Fortunately, new AI security tools from Cylera, created especially with healthcare in mind, are able to automate the entire risk management process to identify, profile, assess, and remediate HIoT assets in line with NIST SP800-30 standards. Just as healthcare delivery is moving towards disruptive innovative technologies, so are the security risk management tools being used to support the adoption of new technologies and new procedures.
Cylera’s 'MedCommand' solution empowers healthcare providers to protect the safety of their patients, assets, and clinical workflows from cyber-attacks. 'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.
The 'MedCommand' solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop the most comprehensive and integrated HIoT security solution for healthcare.