Healthcare Under Siege Panel By Bikash Chatterjee
August 2016- At Blackhat 2016, TrapX™, Executive Vice President Carl Wright moderated an expert panel entitled “Healthcare Under Siege” The panelists included the following members of both industry and regulatory agencies:
- Ronald Mehring, CISO, Texas Health Resources
- Jason Cook, CISO, BT Americas
- Ann Barron-DiCamillo, former director US CERT
- Titus Bickel, senior analyst healthcare Intel, DHS
- Suzanne Schwartz, director for science & strategic partnerships EMCM, FDA
- Roberto Suarez, director corp product security, Becton, Dickinson & Company
I chose this particular panel discussion because the healthcare sector is my area of expertise. Health Care makes up almost 18% of the US’ GDP. In 2015 almost 33% of all data breaches were healthcare related. Today the black market value of credit card information is approximately $1-2. However, healthcare records have a black market value of $20-40 per record, so it is unlikely the number of healthcare attacks will go down anytime soon. The panel explored the current state of cybersecurity part with particular emphasis on healthcare institutions and medical devices. For healthcare institutions which are being rocked by both ransomware and data breaches the panel discussed several challenges which are hampering efforts to protect HIPAA information. The panel unanimously felt a paradigm shift was required if healthcare institutions were to try and gain a foothold against APTs. Today cybersecurity is an afterthought with most healthcare institutions IT departments focusing on system uptime and maintenance rather than staying ahead of cyber threats.
According to the Office of Civil Rights (OCR), there were 253 healthcare breaches that affected 500 individuals or more with a combined loss of over 112 million records in 2015. This number does not include the number of ransomware attacks which have grabbed the headlines recently because these attacks do not technically constitute a HIPAA breach. The panel felt strongly that the industry needed to develop a plan for vulnerability with the assumption that vulnerability does exist, rather than assuming it does not exist. There are solutions that are both cost effective and scaleable and can provide tangible protection to many healthcare networks, however the emphasis is just not there.
One of the realities is InfoSec is new to the healthcare industry. There is very little standardization, strategy or collaboration discussion going on amongst healthcare institutions. Cyber criminals are highly collaborative. The FDA is working to try and improve this. The National Health Information Sharing and Analysis center (NHISac) and the health Information Trust Alliance (HITRUST) are introducing threat intelligence security platforms. These platforms will allow its members to communicate back and forth about threats information, and also enables members to share threat information with each other.
The discussion on the regarding the security associated with medical devices was much more high level. The former FDA officer attempted to portray the current classification scheme requirements as adequate and appropriate to manage cyber threats. Class II and III devices both require a clear cyber security strategy as part of their regulatory filings. The panel indicated the industry was on top of this but the author’s experience could not be more different. While it is true that many large multinationals have a growing emphasis on cybersecurity the deployment and maturation of these efforts is quite variable. Smaller and emerging medical device companies and the growing interest in combination products are highlighting the weakness as it relates to device cybersecurity.
The discussion did not drop below the high level discussion and offered few tangible solutions. However, the challenges are becoming clear and as the industry moves towards embracing big data and growing public pressure for data transparency, the need for a cogent InfoSec strategy as primary component of healthcare industry will definitely move from an afterthought to the forefront of the industry.