Over this past weekend, a major distributed denial-of-service (DDoS) attack — technical speak for a cyberattack — crippled parts of the internet by targeting Dyn, a provider of domain name services (DNS). In simple terms, a DNS provider routes internet traffic like an air traffic controller. By targeting a DNS provider with a flood of junk requests by a “zombie army” of botnets (a standard modus operandi for these types of attacks), major services such as Twitter, Netflix and Spotify were unavailable or were loading slower than normal.
The early indications are that the cyber attackers found vulnerabilities in devices connected to these major services — including smart home appliances, wireless-enabled baby monitors, and the like — and unleashed botnets using a malware known as Mirai. In other words, the attackers exploited the internet of things (IoT) by identifying and taking advantage of devices with weak security features. The Mirai malware has infected an estimated 500,000 internet-enabled devices.
We also learned that at least two vendors of electronic health record systems (EHR), Athena Health and Allscripts, were impacted by the Mirai malware attack.
Why healthcare is more vulnerable than other sectors
I wrote in a recent column here that IT security in healthcare is no longer about healthcare or medical data. Recent data breaches reported by Banner Health and Bon Secours Health System were attributed to breaches at one of their HIPAA business associates (BA). Healthcare is a particularly attractive sector for cyber attackers because a) healthcare information systems are not up to date compared to other industries, and b) healthcare data fetches a handsome price in the black market for stolen personal information. This is further corroborated by a recent survey indicating that nearly 90% of healthcare lawyers believe that their industry is more vulnerable to cyberattacks than others.
So, on the one hand, we have the promise of IoT that can significantly improve healthcare outcomes through remote patient monitoring and connected health programs leveraging “smart” devices. On the other hand, we have the threat of cyberattacks that can cripple an entire system by exploiting vulnerabilities in one tiny corner of the IoT ecosystem.
While technology optimists and vendors continue to make the case (rightly) for improving healthcare quality and lowering the overall costs of care through timely interventions and prevention of hospitalizations using connected devices, health systems (equally correctly) are cautious about exposing their infrastructure and networks to malicious attacks from IoT devices.
The mandate for healthcare enterprises
The good news is that data breaches and IT security, in general, have become CEO-level issues this year, especially in healthcare (over 112 million medical records breached in 2015, and 2016 set to be an even bigger year). Consequently, budgets for IT security have gone up significantly. However, instead of simply throwing money at the problem, especially on technology tools, organizations such as Group Health Cooperative (GHC), a Seattle-based health system, are focusing more on process improvement, automated incident response and early containment. GHC is extremely restrictive about exchanging medical information with other technology providers and IoT devices, thereby insulating itself from technology partners with weak security practices. Other tactics include strengthening internal environments through simulation techniques such as penetration tests and advanced analytics for correlations and geo-locational “hot-spotting,” which has become relevant recently in light of evidence indicating the involvement of nation-states in sophisticated cyberattacks.
Healthcare enterprises operate in a rapidly expanding ecosystem of business associates (BA), including medical device manufacturers, known to have weak security features. At the same time, other parts of the system, including cloud services providers such as Amazon Web Services (AWS) and Microsoft Azure arguably have more robust security features in their environments compared to traditional healthcare enterprises.
The weakest link in the chain determines the strength of a chain, and healthcare companies need to continually assess their internal environments as well as their relationships with technology providers and other business associates.
For their part, federal agencies such as the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS) have swung into action to protect healthcare by defining security recommendations for device makers and guidelines for cloud service providers — a sort of “building code” update for IT infrastructure in healthcare.
In the long term, healthcare will need to be able to turn its focus from “firefighting” to “code upgrades” when it comes to securing IT environments.