As CEO of MedSec, Justine Bone leads a company that conducts vulnerability research on medical devices and health care systems. She has also served as the CISO of Dow Jones and the CSO of Bloomberg LP, among other security posts.
Bone discusses the unique challenges that the health care industry in particular faces when it comes to security, like protecting valuable patient records, securing legacy equipment and navigating an array of regulations. Despite the hurdles, Bone says the community is stepping up and working better together to identify and tackle health care’s toughest challenges.
CyberScoop: No IT network is perfectly secure, and industries and agencies face challenges and have lags in cybersecurity across the board. What challenges is the healthcare industry uniquely facing in cybersecurity?
Justine Bone: For various reasons health care, in terms of health care delivery organizations, has been somewhat on the back foot when it comes to being the target of the breaches that we’ve been seeing, whether that’s ransomware type attacks or whether that’s more destructive or more targeted attacks, when it comes to organized crime going after PHR (personal health records). The common understanding these days is that health records are worth 10 times as much on the black market as financial data such as credit cards. So you’ve got sort of a perfect storm for bad guys, if you will, with relatively easy targets plus high value targets.
On top of that, we’ve got medical devices — which, as most of us know, are really just embedded computers like everything else — becoming increasingly connected, just like the Internet of Things. There’s a massive explosion in the number of devices. You add that to the equation, and we’ve got our work cut out for us in health care.
CS: There are always new medical products added to the market. But I get the sense that, in health care settings, there is so much legacy technology that people are struggling to keep secure. Is it possible to reach a point where these devices are designed to stay secure for years into their use?
JB: I actually feel optimistic about that. We’ve got a huge challenge when it comes to legacy equipment and becoming connected and very, very complex hospital environments. The manufacturers are sort of compelled or forced to continue to support outdated functionality, such as single-factor authentication or a lack of encryption because the legacy technology just literally doesn’t have the computational power to handle that type of protection. But looking to the future, you can really see the [Food and Drug Administration] coming out with continuous updates to their regulatory framework and their requirements, especially with regard to cybersecurity. They’re pushing forward on standards such as the UL 2900, which is a baseline requirement for new products that are coming from the device manufacturers. Those standards are pretty thorough in addressing everything from the design through to the implementation and the documentation around that.
CS: Is the burden on the health care organization or the vendor to keep medical devices secure?
JB: I think that we’ve got different models, such as applying updates, for example. In some cases that’s part of a support contract provided by the manufacturer or someone on behalf of the manufacturer. In other cases, you’ve got end-of-life systems or other licensing contracts that push that responsibility onto the customer — the hospital themselves. But what’s good is that we’re getting more clarity around that. It’s been a little unclear until recently as to whose responsibility it really was, let alone how you’re going to be rolling out the patches and the automation, or not, of that process. What we’re getting is clarity, but I think we’ll continue to see different models depending on the way that the hospital tackles their technology management as well as the way the manufacturers license the use of their own products.
CS: It seems that organizations such as hospitals often barely have enough resources to dedicate a lot of attention to cybersecurity. What do you think needs to happen to pressure them to take it more seriously?
JB: Hopefully most health care organizations have stepped up and taken notice at this point as to the huge target that they are, with the implications of breaches, whether it’s regulatory compliance fines or whether that’s actual downtime. Worst-case scenario is, of course, any impact to patient safety. I think there is a lot of respect now for the threat scenario. The challenge remains, however. Forget about security; think about technology management in general. We’re seeing a lot of re-architecting of the hospital network — micro-segmentation projects, for example. These hospitals have to figure out how to factor risk management and security into that. We’re seeing a fair amount of previously manual processes that are now being replaced with automated processes. We’re seeing folks such as MedSec and others really focusing on health care and the problems that are unique to health care. For example, you can’t take a traditional enterprise vulnerability scanner, or even an enterprise asset management tool, and just point it at a hospital’s infrastructure, because the infrastructure, more likely than not, is going to include many, many sensitive medical devices that simply can go offline or — even worse — misbehave if they’re subject to something as simple as a scan. So we have to develop a new way to replace previously manual processes with automated solutions that are cognizant of the unique risks that we face in hospital environments.
CS: What would you say is the biggest thing the health care cybersecurity community has improved upon in the past 12 months?
JB: It’s not a technical answer. It’s communications strategy, which is collaboration. So what we’re really saying is we’re seeing the regulators such as the FDA reaching out. I mean the FDA were at the Bio Hacking village at DEF CON. That’s incredible. We’re seeing manufacturers sitting down with hospitals and presenting their security program, bringing a certain level of transparency to what’s going on within the manufacturers’ product security organizations. We’re seeing hospitals talking about what it was like to go through these breaches and we’re generally bringing a little transparency to the industry that was not there previously. So I actually think that’s the biggest accomplishment so far. And all the implementation requirements all the way up to the technology changes will follow that. But as we all know, if we don’t have that executive cultural support from the inside of these organizations from the get-go, it’s always going to be this sort of uphill battle. That’s really the tipping point that I’ve seen over the last 12 or 24 months.