Hospitals and medical records have been offering low-hanging, soft and juicy fruit to cyber criminals. It is time to sharpen up. The human immune system exemplifies the potency of distributed defence.
When you think of the pain – the inconvenience, the anger, the possible loss – caused by a stolen credit card, it is somehow even worse to be told that hackers typically only charge 10 to 15 cents for stolen card numbers. Talk about adding insult to injury! But did you know that your medical records might fetch anything from $30 to $500?
These figures emerged in a CBSN On Assignment news program about New York’s Erie County Medical Center ransomware attack. Rather than pay the $44,000 ransom, the hospital was reduced to pencil and paper for six weeks before going back online. And this has been just one of a number of recent high profile hospital cyber-attacks.
Getting them where it hurts
The hijacker points his gun at the driver’s head, not at the car to be stolen –aiming the threat where it hurts. Medical data and hospital services are highly sensitive, as the enormous sums spent on treatment, medical insurance and litigation against medical malpractice attest. Even if there is little exploitable data in one’s own medical record, the hospital that allows such data to be leaked will face severe penalties – from government, from being sued, and in terms of reputational damage.
You might, therefore, expect cybersecurity to be a very high priority in hospitals. The need is indeed recognized by the majority of medical administrators. But it is not so easy to propagate a sense for security across the whole organization, because so much energy is being directed towards one particular very strong human need: to preserve and optimise life and health. Medical staff say they are focused on patient care and don’t have time to worry about cybersecurity – it is seen as secondary to the literally vital job they are doing.
In terms of results and medical reputation, medical staff would far rather see money spent on leading edge medical scanning technology than on a security upgrade – but that is only half the problem. Most successful hospitals can afford to spend more on security, but it is a well known fact that security is as much about people management as it is about technology. If staff feel they are too busy to stick to security policies, there is little value in a sophisticated authentication process. Also, some hospital administrators think that meeting state and federal regulations provides adequate security – but those present minimal standards that don’t address the size of the threat.
Criminals are aware of these weaknesses in healthcare security, and they also know that a typical hospital network offers a very big attack surface. An enormous number of devices are connected, including mobile phones, tablets, desktop computers and servers; plus a population of patients and visitors with their own devices; plus networked medical devices and monitors that can communicate with medical staff – each offering an opportunity to injecting malware into the network.
That is the double problem: hospitals are both a highly lucrative and a soft target for cybercrime.
Why now?
From X-ray machines to blood pressure monitors, hospitals are creating new efficiencies while simultaneously generating more data than ever before. And the complexity is growing as hospitals inter-connect and telemedicine gains momentum. Millions of patient records are now increasingly stored in the cloud – adding another entry point for hackers. Numerous organizations share cloud resources at risk from malware Trojans whose ability to self-morph, makes them very difficult to detect by conventional signature techniques.
Traditional security models focused on protecting only the network perimeter. But the growing number of devices on the hospital network and the cloud vulnerabilities, mean that perimeter protection becomes far too simplistic for today’s complex, data-intensive world. Firewalls and other boundary-based security solutions fail to address threats from within a network. They also do not have the ability to detect malware that has managed to infiltrate the network, nor can they effectively combat internal attacks once detected.
The more nebulous the edge, the greater the need for security awareness to be distributed throughout the system.
The immune system
Cybersecurity can learn a lot from our own immune system. It is neither wholly resident in the skin, as perimeter protection, nor is it centralised in the brain. Instead immunity is distributed throughout our bodies. When our protective skin is penetrated – whether by a hard object or by disease – local defences will be triggered even before a warning is sent to the brain to register pain.
The result of this distributed attack awareness is remarkably intelligent, it adds up to a self-learning defensive system analogous to today’s more sophisticated artificial intelligences. This is not the intelligence of a massive number-crunching central brain, but closer to the emergent intelligence of a swarm of ants, where simple rules and reactions distributed across the whole colony enable the swarm to behave and defend itself in a remarkably sophisticated manner.
That is why today’s most advanced security strategies combine strong encryption and authorisation with a greater use of distributed security hardware.
A distributed security approach
Distributed security provides a multi-layered defense with protection both at the perimeter and within the network, as well as at individual servers and devices connected to the network. Distributed security scales out as the data center grows and doesn’t require expensive upgrades to perimeter security appliances as network bandwidth increases.
There are two ways to distribute security: a software and a hardware approach. The software-only approach is attractive because it is simple to install and runs on existing servers – but that in itself becomes a disadvantage. With multiple virtual machines (VMs) being spun up on each server, it is possible for malicious applications to be hiding in one VM and invisible to security software on another VM or an adjacent server. It also adds to the servers’ load to be managing networking and security functions rather than their expected application workloads – and effective security demands very rapid responses, with minimal latency and jitter.
So it makes a lot of sense to follow the immune system in installing security across the network and not just in the brain. Smart network adapter cards are now available that continuously monitor traffic passing through and provide highly encrypted telemetry metadata to a centralized workstation. If any issue is identified, specific traffic flows or servers can be shut down before the entire network suffers.
Combine this distributed network awareness with self-learning intelligence and you enable an AI system that learns network behavior under normal conditions and, if anything atypical happens, flags a warning. Having distributed hardware security “agents” throughout the data center provides AI based security with early warning of attacks, as well as a sure way to shut off attack traffic at individual nodes in accordance with agreed security policies.
A final advantage is that, while the system is growing, one can simply install more of these smart adapters at the same time, instead of having to add, upgrade or rebuild existing edge security devices.
Healthcare, heal thyself?
Articles on cyber security love to open with statistical data on the magnitude of the threat. Is it better bedside manners to offer the patient some comfort before outlining the threats?
A recent study by Hiscox suggests that small businesses in UK alone are the target of around sixty five thousand attempted cyber attacks every day, of which some UK company becomes a victim every nineteen seconds – at an average clean up cost of over twenty five thousand pounds sterling. Symantec announced twenty four thousand malicious mobile apps being blocked every day… and so on.
Are there any corresponding figures for the number of viruses, bacteria and other health threats that the average human body fights off every a day? It would be an interesting comparison.
Whether or not, it is certain that healthcare could learn something from the very bodies it is dedicated to protecting. A lesson in distributed security.