Healthcare Industry Cybersecurity Report

New US government report: "Report on Improving Cybersecurity in the Health Care Industry." It's pretty scathing, but nothing in it will surprise regular readers of this blog.

It's worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas.

The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

News article.

Slashdot thread.

Tags: , ,

Posted on June 12, 2017 at 9:06 AM • 25 Comments

Comments

Bob PaddockJune 12, 2017 9:45 AM

"Increase the security and resilience of medical devices and health IT."

Seems this report's version of a 'medical device' is a PC on a hospital floor collecting data.

Nothing about body worn devices and their lack of power in both CPU cycles and energy to run useful encryption. Nothing about 'Alarm Fatigue' etc. real world issues that directly impact people's health.

Yes, Cybersecurity is important, however the Medical Establishment has far more fundamental problems that need addressed from the things I've personally witnessed, before it kills again.


Bob PaddockJune 12, 2017 10:06 AM

@vas pup

Yes, thinking outside the box is always good (there is no 'box' in a Holographic Universe btw) however that type of thing has been going on in the DIY Mind Machine community for about thirty years now. It is just now that the Mainstream Medical Establishment is starting to revive Electromedicine in place of pharmaceuticals. That is a Good Thing.

https://earthpulse.com/mind_brain_effects has links to several government documents on 'Mind Control' and improving the brain.

The work of Dr. Michael A. Persinger on his 'God Helmet' gets into the effects of magnetic fields on the brain. The book "The Body Electric" by the late Dr. Robert Becker is MUST reading for anyone wanting to learn about Mind Machines and other body related phenomena.


To keep things security related we have The Mind Has No Firewall by Timothy L. Thomas in the US Army War Collage Magazine Parameters, Spring 1998, pp. 84-92.

Jeff MaddoxJune 12, 2017 11:13 AM

I worked as a security consultant in Healthcare for the most frustrating year of my life. The people in the hospital chain (a charity chain by the way) were motivated to protect the information of their patients as much as their health but were stymied at every turn by cost issues and medical software and instrument vendors. The vendors charge incredible sums for the software and equally exorbitant costs for upgrades and invoked support cancellation if we patched operating systems or upgraded data bases. In 2014 we had dozens of apps that only ran on SQL Server 2003 and the cost to update to run on a newer version was in the millions. Medical instrumentation that only talked HTTP across the Internet to the vendor and, again, blocking it would cost you the support contract. Systems with default passwords that we were forbidden to change (shades of the Cuckoo's Egg in 2014)and if we did, the tech would refuse to work on it or we did not have the access to change them. Every stupid security failing you could imagine, brilliantly highlighted by a software company that ran their app on SUSE Linux and send patches out as soon as SUSE published them. It was like a breath of fresh air after being buried in a coal mine for 9 months. But that was one, only one.

oliverJune 12, 2017 11:55 AM

You see me shocked, shocked that there is insecurity going on in this hospital... :-)
Seems to me that HIPPA is not working, great?

albertJune 12, 2017 12:16 PM

@Bob, @vas,

'Creativity' and 'thinking outside the box" are difficult or impossible to define in quantitative terms. The popular press quickly descends into BS when faced with this sort of research.

In addition, it looks like there are few or no barriers to military applications, which worries me. In spite of the best intentions of the military command (which I believe are sincere), abuse can and does happen. Given the increased use of military hardware by civilian police, abuse is guaranteed to occur.

Finally, research needs to be done on the harmful effects of such devices. For example, the effects of microwaves on the brain have been extensively studied since the 60's, and extensively suppressed.

Bob, I agree with your point: "...Medical Establishment has far more fundamental problems...".

Sadly, no research is being done in the areas of Eastern or Oriental medicine, such as acupuncture, acupressure, reflexology, and other forms of body work. The Scientific Establishment is locked in to the hardware approach and electricity, and they don't know about the bio-energetic systems that don't use electricity at all, but a form of 'subtle' energy that controls the important healing systems in plants and animals, which is undetectable with ‘scientific’ instruments. The irony is that subtle energy is quite easily detected -and manipulated- by simple methods that are within every humans capabilities. These methods are known by Eastern or Oriental cultures, and have been used for centuries. A greater irony, for godless science, is the fact that -everything- we need to survive as humans has been provided for us, and -in- us, right here on Earth.

No 'advanced technology' required.*

@Jeff,
"...cost to update to run on a newer version was in the millions...", hence the highest 'health' care costs in the world.

Microsoft lock-in ensures that software costs will push the limits of customers budgets. Vendors can charge whatever they want, because software patents protect their monopolies. It's a mess, and it's going to get worse.

----------
* 'advanced' only in years, not in knowledge. Big difference.
. .. . .. --- ....


neillJune 12, 2017 12:18 PM

@Jeff Maddox

it's the pressure time/cost wise that all other admins work under ... they can not loose time running around asking for passwords ... otherwise they get fired, too, for working 'too slow'

hence they are happy just to type in 'admin' or 'password' to get in, won't be their (well protected) personal computer that's at risk

we're all guilty of that, when asked to choose, to select the cheaper option

Bob PaddockJune 12, 2017 12:39 PM

@Jeff Maddox as you probably know.

"The vendors charge incredible sums for the software and equally exorbitant costs for upgrades "

A lot of that blame falls on the FDA for their approval fees. I know one small innovative pharmaceutical company that invented a vaccine for 'everything'; I think they rediscovered the work by Enderlin (spelling?) from the 1800's.

The FDA told them that to just file the paper work, too open the envelope in other words, the FDA wanted $1,000,000. It goes down hill from there.

See section Sec. 201 on device fees: S.934 - FDA Reauthorization Act of 2017.

Bob PaddockJune 12, 2017 1:12 PM

@albert

"Sadly, no research is being done in the areas of Eastern or Oriental medicine, such as acupuncture, acupressure, reflexology, and other forms of body work. The Scientific Establishment is locked in to the hardware approach and electricity, and they don't know about the bio-energetic systems that don't use electricity at all..."

There are studies, the problem is no 'accepted' journal such as BMJ will publish them.

Lots of work goes in the area of Parapsychology, where they have to publish in their own journal due to the fear of the Establishment pulling funding. On the record most say they don't believe in such things. Talk to them at the lunch break and they tell you they will help you unofficially anyway that they can, anonymously.

When Bio-Energies can be shown to flow in natural Silk rather than copper wire makes the Establishment's head hurt. The former USSR did a lot of the research as is still ways ahead of Western Med.

If you know of any hardware to objectively measure such things I'd sure like to see a schematic.

The fundamental problem is that our instruments only measure the things that we know how to measure. Doesn't mean other things do not exist.

For example take this Scalar Detector Design, that particular unit was destroyed in a fire, as the type of thing the Mainstream says doesn't work while the Industrial Military Complex uses the technology. See the patents by Raymond C. Gelinas on Curl-Free Magnetic Vector Potential assigned to Honeywell. I have reason to believe the are used in submarine communication systems.

It has been shown that electromagnetic fields can be broken down into constituent potentials that most common instruments won't detect. How much of bio-energies are working in this realm? Aharonov-Bohm Effect et.al.

keinerJune 12, 2017 2:29 PM

@Bob Paddock

Ehhm, development of a small molecule to become a drug is about 200 million to 300 million $ (biologics might be more or less, depends), why whining for the stamps to get approval?

If the product really is a revolution you can make 1 billion per year. So where is the problem with your product?

Bob PaddockJune 12, 2017 3:17 PM

@keiner

I gave the link to the FDA costs approved by Congress for 2018 to 2022 in one of the links above.

My point is the Pay To Play keeps the little innovative people out of the field.
The established players like Bayer and Janssen Pharmaceuticals subsidiary of Johnson & Johnson like it that way.

Can't make a billion a year if you don't have the funding to pay off the FDA. In the medical field people fund evolutionary things, not revolutionary things. Medial Tourism is a growing industry for such reasons. The problem is there needs to be a balance to prevent those with no morals from preying on the vulnerable sick person. That is what the FDA was meant to be, not a profit center, not an Enforcer for the Pharmaceutical Industry.


albertJune 12, 2017 3:25 PM

@Bob Paddock,

Actually, it's best to start with Don Hotson's paper:
http://blog.hasslberger.com/docs/HotsonIE86.pdf (part 3)
Read parts 1 & 2 first; linked in the pdf.

The paper presents the physical mechanisms for para-phenomena.

I'm building a device for quantifying bio-energy. These devices have been around for decades and are simple to build. They -cannot- be explained by standard electrical theory, in fact they are antithetical to it. The circuits make no sense to an electrical engineer. But they work. I can't give you any references as few are available, and there's a lot of quackery in the field. I'll post it on my blog when I get it to work.

Funny about the Russians; they don't seem to have the inherited prejudices of the Euro-Americans.

I'm anxious to hear your opinion of Hotsons paper.

Sorry for being OT, but -this- is the future of medicine.

The usual disclaimers apply.

@keiner,

Big Pharma* runs the FDA. They control the competition that way.

---------
*Big Chem is part of it. Actually, Big Pharm is part of Big Chem. They both make chemicals.

. .. . .. ---- ...

NickJune 12, 2017 4:02 PM

"One method for achieving a more secure environment may be cloud computing. Hosted cloud service providers and hosting companies (ranging from the vendors themselves to larger healthcare systems) have made significant advancements in security controls and technologies. These approaches may operate on a lower-cost model than an organization building everything itself; these models can be an appealing, cost-effective, and feasible alternative for many small and medium-size health care organizations.
In fact, some major cloud service providers and EHR vendors already market secure cloud computing environments that may align with HIPAA requirements. By moving to a secure cloud environment, health care providers will have increased security and the ability to effectively use their clinical resources to support patients without having to worry about maintaining their on-premises infrastructure and systems."

Sponsored by AWS?

AnonJune 12, 2017 4:57 PM

>> may align with HIPAA requirements

I feel so much more "secure" knowing it **MAY** conform to HIPAA! /sarcasm.

Instead of doing something to some arbitrary standard, why not just make it as secure as possible all the time?

Forget locking the door - just install a bunch of cameras to capture the theft.

Fred PJune 12, 2017 5:41 PM

I came from a relatively high-security field to medical over 15 years ago; the change was a large shock. That said, HIPAA helped a bit. Some of the most obvious, worst bits of lack of security appear to have been removed after HIPPA - for example, I stopped seeing new devices that were (by design) accessing patient data without passwords, or with hard-coded passwords.

More significant has been the recent guidance on software security from the FDA; (https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf somewhat more general reference: https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm ) While I only see a tiny fraction of a percentage of medical software, what I've seen is relatively encouraging; one product I've been working on is going through its second independent security review.

That said, even if all new medical devices are as good as that project (or, ideally, better), as noted in the report, many medical devices have multi-decade lifespans. Lead times on some devices can be years, and new development projects can have a high chance of failure due to reasons that may have nothing to do with software. There will be a lot of software out there with low security for decades to come.

Bob PaddockJune 12, 2017 9:01 PM

@albert

"The paper presents the physical mechanisms for para-phenomena."

Some of what there about the field of Parapsychology is wrong, not in any important way, others are outdated. Come hang out with me at the Rhine Research Center someday to discuss the wrong parts. All of the stuff about the Solar System can be explained by the Electric Universe theory. There is a conference on that coming up shortly. A paper published last week explains the orbits far more accurately than anything else to date, removing about ~ten pages from those PDFs. https://arxiv.org/pdf/1705.07138.pdf

"It turns out that, in effect, the equations of QM act as if time is quantized." from your PDFs.

There has been some speculation that each frame of 'Reality' is separated by linear time of the Kolmogorov scale of 10^-58. Boyd et.al.

Radin [from your papers] /Bem show in standard Presentiment model of Bem et.al. the view is the brain is showing a reaction to an event that has not yet occurred in linear time. Newer work explaining Presentiment have to do with neural 'noise' of the brain actually representing Chaotic (Strange) Attractors, that attract the event from the Multiverse [different term was used by Hotsons].

"The circuits make no sense to an electrical engineer. But they work."

Yep. Look up 'Mind Machines You Can Build' by G. Harry Stine

"Sorry for being OT, but -this- is the future of medicine. ... I'll post it on my blog ..." Not sure where to find that, the .com in your post?. Just do a web search for my name and anything Wired Science related and we can move this conversation elsewhere.


Ergo SumJune 12, 2017 9:49 PM

They can talk about recommendations, security, training, HIPAA, HITECH, etc. The data brokers had already have your health records and that isn't going to change. Like the Milliman IntelliScripts, whose quoted purpose is:

Milliman Underwriting Intelligence begins with our market leading prescription history solutions. Milliman IntelliScript delivers complete and current prescription histories that allow insurers to make instant underwriting decisions with confidence.

Source: http://www.rxhistories.com/Solutions/

How a data broker can openly obtain your prescription history in the world of HIPAA, HITECH, and other federal regulations is beyond me.

Oh, yeah, Milliman probably signed a business associate agreement (BAA) with the pharmacies and sells the data for health insurance companies. Another word, there are at least three business entities, like pharmacies, Milliman and health insurance companies that will make money on your data. The letter one for increasing your rates through the roof. At least in the US...

PS: I am so glad that got out of the health insurance IT business after 15 years...

keinerJune 13, 2017 2:18 AM

@Bob, @albert

...and I thought car industry and this Trumpel guy run the USA :-D

Back on topic: If you can afford 200 mio to 300 mio for developing a drug, the 1 mio for the FDA is just a tip for the waiter. Get to the point and get over this "all feds are bad" attitude. It's childish as is your president. Sorry to say.

And btw: FDA is just beginning to regulate software and security issues wrt medical devices. And that's absolutely necessary, if you read the post by Jeff Maddox.

But as the NSA is interested in health data from all around the world, there will be no improvement in security of health data. Guarantee...

albertJune 14, 2017 12:14 PM

@keiner,

The FDA is seriously underfunded, that's why the let the drug companies do the 'testing'.

The FDA is run by former (or future) drug/chemical company execs.

Read about the new commissioner here:
https://www.washingtonpost.com/news/to-your-health/wp/2017/03/10/trump-selects-scott-gottlieb-a-physician-with-deep-drug-industry-ties-to-run-the-fda/

Result: No real regulation, just theater for the Unwashed Masses.

You should take those 'research' figures with a pound of salt. Drug companies make their obscene profits by fear and intimidation. And they are 'legally' supported by lawmakers.

. .. . .. --- ....


UCantJune 14, 2017 3:28 PM

I don't have anything healthy to say. How much turnkey contract is involved in US Healthcare? Like everything. I believe in those bullet points but do outpatient clinics actually pay for full-time IT overwatch? Some guy remotes in to the firewall appliance; little topology and sitrep on the scores of contractors. The HIPAA stuff changed because clinics had their cloud storage bomb. Where is this data going? Yeah, bet.

Ironic, Windows just gave me SecurityHealthService.exe. Maybe they could drop in a DHHSHost.exe also:)

albertJune 15, 2017 3:45 PM

@Y'all,

It's rather obvious that the Big Banks run the country. They prefer Big Business to succeed, but they profit on failures as well. Discounting minor differences (like social issues), the neo-cons and the neo-libs march in lockstep toward the same goals: Complete elimination of gov't regulation. Complete privatization of all gov't functions, without any reduction in gov't expenses. This allows companies to suck in tax dollars directly through their government contracts. Privatization always exponentially increases costs. -Always-.

It'll be interesting to see how long the system can sustain this devolution. America will be a very dangerous place when the Middle Class disappears. Very dangerous indeed.

. .. . .. --- ....

UCantJune 16, 2017 12:50 PM

@albert
This is true, and consider how monolithic, or conversely, cross-agency webbed US agencies are. Not streamlined and federal judges turn agencies into lampreys: fines are chunks coming out of the gills of the shark, not solving problems. Poorly written laws, sentences open-ended to allow for judicial precedence, and poor legal maintenance. This country does not write articulate laws unless it comes to violent crimes, and that is also questionable.

I am thinking of a toxic medical culture, whereby people in the business are fully aware of contractors that want to ride the money-train. It starts with med suppliers wanting to get clinics bundled, and that frustration eventually extends into IT. There has to be a knee-jerk pushback, but when they don't want to hire IT fulltime and treat the admin like the printer guy, this is what happens.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

← Friday Squid Blogging: Sex Is Traumatic for the Female Dumpling Squid Chelsea Manning Profiled in New York Times Magazine

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.