Jon Samsel
Jon Samsel
Jun 25, 2020

It’s no secret that healthcare is under attack by dark forces aimed at disrupting, stealing and profiting from gaps and loopholes in medical security workflows, applications and communications. But beyond the highly publicized email phishing attacks and server data breaches, are threats really as wide-spread and pervasive as alarmists forewarn? This article delves into four somewhat new and surprising Healthcare security threat surfaces that many healthtech professionals are talking about and grappling with today – with use cases and solutions explored.

In a recent US FDA webcast that covered patient risk issues, Jay Radcliffe, a diabetic who found cyber vulnerabilities in his own insulin pump, told a compelling story about how he tried to alert a large medical device manufacturer of the risks to patients, but heard nothing back. He decided to “out” the company during a Blackhat conference -- not because he wanted to harm the organization; he simply wanted the world to take notice. Jay felt that the healthcare community needed to take security more seriously, and better safeguard patients from harm.^

Facts seem to back Jay up; the entire healthcare industry is under attack and things are getting worse by the day.

  • Just last week, Krebs on Security reported, "Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyberattack on its technology systems." *
  • There have been 28 data breach incidents reported in 2020 so far [in the United States], including email hacking incidents, malware attacks and unauthorized access to EHRs," according to US-based Becker's Hospital Review.  **
  • In one of the biggest healthcare data breach settlements ever, Banner Health agreed to pay $8.9 million to cover expenses incurred from a breach involving 3.7 million victims. Attackers gained access to Banner Health’s servers via payment processing malware. ***
  • In April 2020, INTERPOL’s Cybercrime Threat Response team put out a new press release saying it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the COVID-19 virus response.” +

In May 2020, the prestigious HIPAA Journal announced that Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, big pharma and research institutions to extract personal information of patients, IP, and business intelligence. APT groups are using a variety of attack methods to slip past applications and networks, gain a foothold, and pilfer personal data. Two tactics are most common: Exploitation of vulnerabilities and password spraying. ++

 

Healthcare Cyber Security Threats Are Ultimately a Patient Issue

While security threats are traditionally considered an IT issue, they’re also a patient safety issue. If a connected medical device such as a kidney home dialysis monitor, is hacked and injected with malicious code, a patient's health could be at risk. If medical system passwords are compromised and held for ransom, preventing doctors from accessing vital patient records, life and death could be on the line.

Dark Reading reported that "ransomware attacks and data breaches targeting hospitals may cause a higher mortality rate among heart patients in the months and years after an incident." They cited a Vanderbilt University researcher’s report, noting that breach remediation time interfered with patient care and outcomes. The research found that the time it took for a patient to receive an electrocardiogram increased by as much as 2.7 minutes after a data breach, and this lag remained as high as two minutes even after three to four years. Researchers believed that these findings explained why the 30‐day acute myocardial infarction mortality rate increased by as much as 0.36 percentage points during the three‐year window following a breach. ^^

Healthcare IT and the security that guards their ecosystems often involve a complex interfusion of solutions involving a mixture of legacy systems, homegrown methods, and licensed tools that when combined, help protect both the organization and its patients.

 

Managing Medical-Related Security Defenses
Is Not Easy

Some compare it to a bare-knuckled brawl. IT teams are often understaffed, underfunded, and torn in different priority directions; from adhering to compliance standards to preventing email phishing attacks, to securing mobile medical apps to securing networked IoT devices.

 

 

Studies have shown that some medical professionals such as doctors have been slow to embrace the cloud, particularly in rural medical practices or in underdeveloped countries. Yet, patients and healthcare providers not only trust the cloud, they are raving fans and regular users of cloud-based services.

 

Risk vs. Benefit of Medical Cloud Computing

The migration of valuable medical-related data to the cloud has made patients safer by making critical data more easily accessible, but it’s also exposed patients to greater risk. For example, a wearable device can send out alerts for emergency medical help for a patient in need. Some medical device manufacturers have deployed cloud-based apps that manage the real-time transfer of clinical trial data. Both of these are cutting edge, life changing, yet vulnerable. Medical devices can be launch points into networks. Today's security protocols or the capabilities built into them may not be as resilient as we need them to be. Too many devices are old, using first-generation Bluetooth or even older communication technologies, but they’re still in use worldwide.

The cybersecurity challenges facing the healthcare sector are real, formidable and growing. Historic security perimeters no longer exist, replaced by APIs that must be hardened, workflows that need securing and authentications taken to a more advanced level.

 

4 Growing Healthcare Cyber Security Threat Surfaces:

This article will dive into the first two healthcare threat surfaces; mHealth and pHealth. Part two of this blog with cover the remaining two.

 

mHealth: Protecting Mobile Medical Apps
from Bad Actors

The mobile health sector is exploding with no sign of abating. With the worldwide usage rates of smartphones at all-time highs, established healthcare providers, Big Pharma, device manufacturers and startups are utilizing apps to take patient care to new levels of efficiencies and convenience.

Some mobile medical apps are connected accessories to regulated medical devices. These life-altering mHealth apps can literally keep people alive. Other apps connect people to healthcare platforms, where private patient data is stared and shared. A popular and growing segment within the healthcare sector are consumer healthtech apps, such as biometric health monitoring solutions tied into connected watches, which are largely driven by start-ups.

A Few Examples of Popular mHealth Apps:

  • Epocrates - Doctors use this app to lookup drug information, calculate BMI, etc.
  • Kareo - Allows medical professionals to manage telemedicine, billing and reimbursement
  • Glucose Buddy - Comprehensive diabetes management app for patients

However, behind the high-tech veil of helpfulness lies a concerning statistic; up to 75% of the 7 million+ mobile applications that have been released worldwide through the Apple App Store and the Google Play App Store are unsecured, according to a report published by Positive Technologies.^^^ Surprisingly, this includes healthcare-related apps such as fitness trackers, medical device monitors and healthcare networks.

Many of these apps protect health information (PHI) including names, addresses, conditions, medical records, image scans, medicines prescribed, and patient financial information. All this data can potentially be hacked. Malicious code can be injected into an app or information can be extracted from those apps unless the apps are protected.

 

 

Extra layers of security can safeguard common consumer healthcare apps that people access from their phones and devices, or it can be applied to specialty apps that manage connected medical devices such as glucometers, insulin pump monitors and inpatient systems such as MRI systems, physiological devices such as ventilators and infusion pumps.

When these extra levels of security are added to applications, the apps are hardened, making them resistant to hacking. Shielded apps are protected against tampering, reverse engineering and against removing sensitive data from the apps. A knockout combination.

4 Security Layers within App Protection:

  1. Obfuscation - Scrambles code to make it hard for hackers to read.
  2. Environment Checks - Controls where an app can execute, which makes dynamic analysis hard for an attacker.
  3. Anti-tamper (aka binary integrity checks) - Builds trust into the app code by ensuring it executes as the developer intended without modification.
  4. Real-Time Insights - Always-on cloud connectivity to alert app owners to what’s happening to the app once live in market.

 

mHealth Use Case:
Mobile App Security in Record Time

Recently we helped a Singapore mobile app developer who came to us with a seemingly impossible ask; could we help add extra layers of professional-grade security in less than a day for a government entity that wanted to offer a social distancing solution for its citizens. Well, we said we could – and we delivered. In record time (just 5 hours) we shielded their COVID-19 tracking app so they could publish it on the Google Play Store.

 

pHealth: Passwordless Authentication for Healthcare

Passwords are the most commonly used method of securing access to medical portals, systems and applications, but their security is only as good as the person creating and using the password.

Let’s look at the problems we are trying to solve with password alternatives:

Passwords Cause User Frustration and Costly Support Calls

We all know that passwords cause problems. Nobody likes passwords. Most users are frustrated with passwords because they easily forget them; and businesses incur extra customer support costs when customers lose their passwords and dial customer service to retrieve them. For example, healthcare support departments deal with password resets frequently. According to Forrester Research, the average help desk labor cost is about $70 per password reset.

Passwords are Often Shared, Re-Used, and Too Simple

Passwords are sometimes shared, and this can be a problem. Simple passwords such as 12345678 can be easily guessed. Password re-use is very common and are a main source of many attacks. That’s why in healthcare password monitoring is a recommended practice.

Passwords are Ransomware Targets

In healthcare, ransomware attacks often focus on stealing credentials to access data. Cybersecurity research firm, Corvus, estimates there was a 350% increase in ransomware attacks on healthcare entities in Q4 2019 vs Q4 2018.^* And 91% of ransomware attacks are the result of phishing exploits. These can be avoided, to a large degree, by removing passwords.

Passwords are a Compliance Nightmare

Healthcare professionals are often the biggest password compliance violators. A study by Hassidim et al. was published in Healthcare Informatics Research claimed that "73% of respondents reported using another staff member’s password to access an EHR at work. Over 57 percent of respondents estimated they have borrowed someone else’s password an average of 4.75 times. Furthermore, 100 percent of all medical residents reported obtaining another medical staff member’s password with their consent. And a little over half of surveyed nurses reported using another staff member’s password." +++

Passwords are Inconvenient and Clunky

Shocking as this may be to information security professionals reading this article, but password sharing in healthcare is rampant. Why? There are a number of reasons, but one reason cited often is that time is of the essence in critical care situations – and it’s inconvenient to log out and into systems -- which takes precious minutes away from patients. Sharing can be seen as caring, which doesn’t make it less safe. Additionally, healthcare providers say they don’t always have sufficient access under their own user IDs to perform necessary functions within certain medical programs.

Password Alternatives to Keep Healthcare Secure

Security managers in healthcare delivery organizations (HDOs), system integrators, compliance officers and business leaders want to increase security by using the most secure applications possible, eliminating account sharing and being HIPAA compliant. Policies alone don’t change human behavior. Some healthcare facilities have implemented multi-factor authentication in combination with providing faster access, such as single sign-on based on proximity or a radio-frequency ID badge. This is a step in the right direction. But is there more that can be done?

Verimatrix Passwordless Authentication offers a method to improve existing authentication systems by either securing passwords or replace them completely, while still offering a safe way to authenticate the users. Passwordless Authentication enables a smoother way to offer user access to services on any device through authentication on a mobile app. Passwordless Authentication also works with U2F keys – and can be utilized both for authentication as well as authorization. Our solution augments existing password-based system’s authentication by adding passwordless options based on a mobile app.

Passwordless Authentication supports digital signatures, biometric authentication and multiple other authentication methods. This is a solution that many pay TV operators, telcos, and top tier banks have already implemented and have been using for year, and many in healthcare are now recognizing the benefit from this technology as well.

Key Features of Passwordless Authentication:

  • Adds a mobile app-based authentication to existing authentication systems and apps (no costly replacements needed)
  • Seamlessly integrates biometric and PIN-based authentication into mobile apps
  • Doesn’t store any user information
  • Supports multiple authentication and authorization methods under the same integration API
  • Allows service providers to choose their own deployment strategies and use cases

Verimatrix Passwordless Authentication uses built-in Public Key Infrastructure (PKI), providing digital signatures and proof of transactions.

 

pHealth Use Case:
Out of Band Authentication

Verimatrix was recently approached by a company offering telehealth services through social media channels. They needed a secure method for authenticating their users, a feature that wasn’t available within the social media platforms.

Verimatrix Passwordless Authentication was suggested to the company as a key component in a solution stack being put together by trusted IT integrator that had been working with the telehealth company for many years. We provided a mechanism for verifying Out-of-Band users, and we tied that verification back to the originating channel, which enhanced the existing authentication methods.

An Out of Band challenge typically involves an additional security entity, such as a smartphone, during the user authentication process. For example, a healthcare patient might be required to check a smartphone for a verification code and then enter that code in the app. In this instance, the smartphone runs a unique client application to gather the verification code. This is just one example of a secondary method for out-of-band authentication. There are other methods that can be deployed as well.

A Complex Yet Elegant Authentication Approach

For this telehealth company, Verimatrix proposed an Out of Band authentication process that is slightly more complex than how it’s explained above, a solution that employed “strong authentication” techniques typically used by leading financial institutions to secure payments. Basically, Verimatrix made it harder for criminals looking to circumvent their way around common Out-of-Band authentication techniques. For example, a determined hacker might try to get the patient's phone number changed with the mobile carrier account, substituting her own pirate phone number in place of the patient’s number. In this case, the technology's effectiveness depends on the carrier adhering to strict policies against making changes to an account without phone confirmation.

Verimatrix prefers to work with top-tier security partners whenever possible to deploy the highest caliber security possible, safeguarding workflows in a way all can be proud of.

 

Recap of mHealth and pHealth Security

The healthcare industry was already facing a barrage of hacker attacks -- jabs, hooks and uppercuts – through the end of 2019 and into the first few months of 2020. Then the Coronavirus pandemic blew the roof off everything – expanding the threat surface, accelerating the pace of attacks, and amplifying the risks to both healthcare organizations and the patients they serve.

Given the inevitability of hacks and breaches, the time to act has been propelled forward -- sooner rather than later. Fighting back is now more of a duty than an obligation. Winning the round, and the fight, is more than just a possibility.

Whether you are a healthcare IT systems integrator, CTO, or head of medical risk and compliance, you might want to consider adding powerful new tools to your medical security arsenal such as Application Shielding and Passwordless Authentication from Verimatrix. Products that protect digital content, applications, and devices with intuitive, people-centered and frictionless security.

Security made for people, like you.

Note: This article covered two common threat surfaces in the healthcare industry; mHealth and pHealth. Next month, we will explore tHealth and rHealth.

 

Sources:

^ US FDA Patient Engagement Advisory Committee Meeting, 1:12:00 - 1:23:12
http://fda.yorkcast.com/webcast/Play/57a12d7dfedd403cade78222ceae86ef1d

* Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware
https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/

** 28 Health System Cyberattacks, Data Breaches So Far in 2020
https://www.beckershospitalreview.com/cybersecurity/28-health-system-cyberattacks-data-breaches-so-far-in-2020.html

*** Banner Health Settlement Approval Brings Data Breach Saga to a Close
https://portswigger.net/daily-swig/banner-health-settlement-approval-brings-years-long-data-breach-saga-to-a-close

+ Cybercriminals Targeting Critical Healthcare Institutions with Ransomware
https://www.interpol.int/en/News-and-Events/News/2020/Cybercriminals-targeting-critical-healthcare-institutions-with-ransomware

++ CISA Alert About Ongoing APT Group Attacks on Healthcare Organizations
https://www.hipaajournal.com/cisa-issues-fresh-alert-about-ongoing-apt-group-attacks-on-healthcare-organizations/

^^ Hospital Cyberattacks Linked to Increase in Heart Attack Mortality
https://www.darkreading.com/threat-intelligence/hospital-cyberattacks-linked-to-increase-in-heart-attack-mortality/d/d-id/1336306

^^^ Three quarters of mobile apps have this security vulnerability that could put your personal data at risk
https://www.zdnet.com/article/three-quarters-of-mobile-apps-have-this-security-vulnerability-that-could-put-your-personal-data-at-risk/

^* Corvus Security Report
https://tinyurl.com/y8vr7o5q

+++ 73 Percent of Medical Professionals Share Passwords for EHR Access
https://healthitsecurity.com/news/73-percent-of-medical-professionals-share-passwords-for-ehr-access