During the week of February 11, Fortinet will be at the HIMSS19 Global Event in Orlando, a large gathering focused on healthcare. The security challenges within this industry are certainly unique, and I have some thoughts I would like to share.
The Problem of Data
Medical patient records are at an all-time high valuation on the Dark Web. As we all know, healthcare records are different because of the permanence of the data. This gives cybercriminals plenty of time to use patient information for financial gain, such as selling complete ID theft packages, using plastic surgery details for ransom, or socially engineering individuals for further attack.
But there are other potential uses that get more interesting and have potentially deeper ramifications.
We are experiencing an increase of medical costs and a challenge to find readily available, top-quality healthcare for patients with lower income or minimal healthcare plans. With this in mind, patient records could be used to obtain healthcare with a false recipient masquerading as a valid patient. The false recipient can immediately remit supplemental costs such as copays for treatment and medications, thus stealthily leveraging the health plan to obtain the desired healthcare. Valid patients might not notice the fraud, particularly if they have relatively constant care events that bury illegal periodic usage in the resulting flurry of associated billing and resolution notifications. The loss would be passed to the insurance company or government assistance program, negatively impacting all participants.
A darker side to this same potential issue lies in the fact that patient data is becoming more transportable and shared among medical professionals. Now imagine that same false recipient being treated for what might seem to be a somewhat medically mundane condition, such as hyperglycemia. If the valid patient gets involved in a car accident their emergency care could be changed to accommodate the false recipient’s current suite of treatments due to this shared pool of information. It creates an unexpected consequence to the valid patient as a result of the false recipient’s data being used to provide incorrect treatment to the valid patient. Ironically, the same thing could happen in reverse. The false recipient could receive incorrect care as well, with similar potential legal ramification.
Organizations used to rely on a handful of primary technologies that were deeply deployed. Imagine these dozen or so technologies as rather tall cylinders. The top surface areas are relatively confined, which we can imagine as representing the attack surface for this exercise.
Now imagine adding more technologies. Cloud is an excellent example. We will implement a cloud instance, but only use it for a piece of our business we don’t care too much about…possibly a non-critical data manipulation system. Now we have two architectures where there used to be one. Now another solution is embraced, such as a hybrid public/private cloud, and we throw some critical operations in that so they can be more closely monitored. Now we have three architectures where there was one. We add a few business partner clouds, shuffle some regulatory pieces to new cloud implementations, and now we have several infrastructures where there was once a single one. Our attack surface has thinned out and become much broader. We are more susceptible to attack.
Here is another example. Healthcare organizations, particularly hospitals, are heavy users of IoT devices. Devices allow patients to be remotely monitored and treated using implanted devices. Inside the hospital, a wide range of IoT devices are connected and freely communicating to the hospital staff, medical records and scheduling systems, and other pieces of the patient care puzzle. IoT device vendors and manufacturers are also in communication with the devices, creating an ever-widening attack surface. The surety and safety of a device’s operations is entirely dependent on how it was developed and tested, creating potential exposure. Was security integrated throughout development or simply bolted on prior to deployment into customer environments? With a thinning attack surface, the ramifications are clearly apparent.
Now we can add virtualization and the impact of it to our ever broadening, thinning attack surface. We stand up and tear down server environments at a whim, or use SD-WAN and micro segmentation to create smaller subnetworks to suit regulatory or operational needs. Applications are also used only when needed, often residing outside of our infrastructure with associated data repositories potentially located anywhere on the planet.
Digital transformation provides the fastest method of responding to business and customer needs, but the individual methods and technologies used to gain that advantage also cause our attack surface to expand.
Think of contained infrastructure as a bucket of oil. We can readily define the edges providing containment. Now think of that bucket of oil poured on a large body of water. While doing something like that is simply terrible from an ecological perspective, it is a good analogy for what happens when we adopt a wider range of disparate technologies that we actually deploy less of on a per-technology basis.
The attack surface expands and gets thinner. The technology cylinders we described earlier get flatter and wider. We have a harder time defining the edges. Identifying and managing attacks becomes more difficult.
The number of security professionals in the workforce is at an all-time high. Unfortunately, a large reason for this is due for the high demand, which caused a large influx of relatively inexperienced resources to enter the security profession. It is still difficult to locate, hire, and retain highly competent technical security talent. That in and of itself is certainly an issue, but not necessarily the core problem.
The true cause of concern is largely due to disparate security systems. We often look for best-of-breed instead of best-of-need security implementations. While the latest and greatest might appear to be the panacea of our sleepless nights, we often find ourselves with larger operational support issues as a result of spending on these new single security tools. We have more disparate technologies than we can reasonably manage, and getting a unified status or view of what we are trying to protect is almost impossible.
Security professionals cannot continue to increase operational security complexity in hopes of containing consequence. This simply mirrors the very cause of the problem. Adding disjointed security technologies that result in knowledge and awareness gaps actually copying the root cause of our challenges. We also waste our scarce and valuable technical security resources trying to remedy the situation – that we basically created!
Viable security management requires the focused use of advanced capabilities such as completely integrated controls management, automated known and unknown threat response, tools that perform according to spec and are independently validated, and the ability to integrate security solutions. If we are to be successful, the complexity of the protected asset base must be operationally simplified from the security perspective.
The ability to create the capability to outpace cybercriminal efforts can be realized with a security architecture capable of providing end-to-end visibility, rapid threat intelligence sharing, and simplified policy enforcement throughout a wide range of architectural domains. These types of capabilities, coupled with greater speed to detect, analyze, and resolve attacks, have never been more critical for protecting infrastructure and information and our success as security professionals.
Look for technical security solutions that can easily communicate between themselves and provide an accurate, focused view into the operational environment. Solutions that readily integrate with the critical security capabilities, tools, and services your organization requires to stay competitive. Solutions that provide a readily expandable fabric approach to secure the ever-broadening attack surface, delivering instant scaling capabilities.
Our security challenges are as daunting as ever. A truly effective security strategy for today’s CISO must be based on a truly integrated security portfolio that has the flexibility to adapt to the ever increasing complexity of today’s IT environment and very determined cybercriminals.
Join me and Tom Stafford, VP and CIO at Halifax Health to discuss AI and machine learning in healthcare. Our HIMSS TV panel discussion takes place at the HIMSS TV News Desk at 11 am on Wednesday, February 13.
Read more about Fortinet cybersecurity solutions for healthcare.