Securely managing the Internet of Things for healthcare

May 24, 2016
Rapid technology advancement of ancillary devices leaves endpoint security a threat to be addressed

Our hospitals are increasingly looking to network-connected healthcare aides, with the expectation that this new tech can proactively advance patient care and improve outcomes.  Just imagine “smart beds” that automatically detect whether they are occupied (or whether the patient is ambulating), or track the quality of the patient’s sleep.  Or think of the value of wearables and implants that measure a patient’s vital statistics, continuously logging data and reporting, in real time, any abnormalities to the appropriate clinical staff.  Add network-connected infusion pumps, imaging machines, blood-glucose sensors, and a myriad of other devices that can automatically and collaboratively share valuable data with the patient’s electronic health record (EHR), and you begin to realize the impact.

The Internet of Things (IoT) holds great promise for improved health and wellbeing.  But new devices, with all their potential upside, also bring the need for a clear understanding of the challenges and risks.  Careful network planning is a must if adoption is going to be successful.

Of course, networked devices are prevalent in hospitals today – a growing number of nurses and doctors have already transitioned away from clipboards and paper to Wi-Fi-enabled communications devices and tablet computers.  The goal is to have the right people leveraging the right technology in order to provide better healthcare.

However, in the rush to introduce Internet-connected devices – the much-spoken-of “Internet of Things” – some hospitals are opening themselves up to additional risk.  Left unsecured, these devices represent an additional point of exposure for the network.  Traditionally, some industries are more prone to attack than others – banking and finance, for example – but recent events have clearly demonstrated that healthcare is fast becoming the target of choice for hackers.  Why, you may ask?  It's pure economics: the black market value of a private medical record can be worth vastly more than stolen financial data.  The FBI has reported that partial EHRs are being traded for as much as $50, compared to just $1 for a stolen credit card or social security number[i].

Security: It’s a Business Issue, not a Technical One

Hacks continue to dominate the headlines, as vulnerabilities are increasingly exposed in industries that have previously been, to an extent, cruising under the attacker’s radar.  Healthcare providers, as the holders of highly sensitive – and highly marketable – information, have now become high-value targets.

As the use of connected devices in healthcare expands, so too does the risk of a “Med jack.”  This attack vector sees hackers exploiting old and insecure operating systems as launch points to move laterally through the borderless internal network.  Typically, these attacks target back-end EHR and financial systems, but some hackers have more nefarious motives.  Hacks are known to have been attempted in which critical systems such as drug infusion pumps and cardiac implants are manipulated; the U.S. Department of Homeland Security has investigated as many as two dozen separate deadly security flaws in hospital equipment and medical devices[ii].  It’s one thing to hold patient data for ransom, but things are taken to a whole new level when actual lives can be threatened.

The network represents one of the largest avenues of attack, and every reasonable effort must be made to secure it.  On some legacy networks, anyone can connect devices without being prompted for authorization.  In the most extreme cases, network administrators admit they have no idea exactly what devices are accessing their network at any given time.  Going forward, hospitals must ensure that hackers can’t simply plug into an active Ethernet port, or surf the wireless network until they find a vulnerable node.

Attacks come in many forms and have evolved over time, from the so-called “Sneakernet” attacks using floppy disks and then USB keys, to infected devices brought in from home by oblivious patients or employees.  Now, the major challenge is that Internet-connected devices and end-user applications are evolving faster than the legacy network.  The traditional approach of securing the Internet gateway with a firewall is no longer enough.  With conventional technologies, once a device is connected to the network with an IP address, all other devices on the same network segment are visible and exposed to a potential hacking attack.

Software-defined networking can deliver a crucial element of a multi-layered, defense-in-depth security strategy.  In these environments, traffic dynamically flows across the network, leveraging the shortest path to its destination.  The network can be easily segmented into areas – zones – that remain invisible to devices at the edge.  One physical network can support numerous virtual networks on the fly.  Network connectivity is extended as approved devices attach and are authenticated, and dynamically retracts as those devices disconnect.

Reducing the number of attack points, the size of the network attack profile and obscuring network elements can provide important security benefits.

Secure Segmentation is Crucial

Traditionally, segmentation is done through virtual LANs, used in combination with routing and filtering, and data can then be directed to flow from approved devices to pre-defined applications.  While this methodology works, it lacks scalability – especially in the context of IoT, and can also be exploited using the IP Hopping attack vector.

There is a solution that solves both the scalability and security issues: secure network segmentation.  This approach leverages a natively secure technology to deliver massively scalable segmentation, automatically isolating flows and zones, and establishing the necessary control and enforcement points.  No communication can occur between zones without explicit configuration, and data flows are containerized end-to-end across the network to neutralize the risk of IP Hopping attacks.

This capability is known as “Stealth Networking,” and each unique combination of flows defines an individual service that can be treated independently, given special privileges or specific restrictions.  Operating the network in Stealth mode provides the isolation needed to secure key healthcare applications and services.  If it cannot be seen or accessed, then it cannot be hacked; sounds simple, yet Stealth Networking delivers a highly effective ability to reduce the threat of cyber attacks.

Delving deeper into the healthcare scenario, surely the network that delivers MRI data to the patient EHR database should be isolated from the network that supports connectivity between the payment card system and the financial backend.  Obviously, both need to be securely partitioned from the guest Wi-Fi.  The list of applications and services that should be securely separated from each other is potentially endless; hence the need for a secure segmentation solution that supports mass scalability.  Securely segmenting the network, and isolating unrelated services from each other, creates a new layer of protection against a single intrusion exploiting uncontrolled lateral access.

The U.S. National Security Agency knows a thing or two about finding and preventing unauthorized network access.  Rob Joyce, head of NSA’s Tailored Access Operations – the group charged with infiltrating the networks of foreign adversaries – has some pretty sage advice: “Don’t assume a crack is too small to be noticed, or too small to be exploited.”[iii]  Joyce continues: “With any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation…there’s so many more vectors that are easier, less risky and quite often more productive than going down that (zero day) route.”  This includes, of course, known vulnerabilities for which a patch is available but which the operator has not installed.  High on the NSA’s defensive checklist is segmentation: “Segment networks and important data to make it harder for hackers to reach your jewels.”

There are obvious defensive measures such as limiting access privileges for important systems, patching and updating systems, implementing application whitelisting, and removing hardcoded passwords and legacy protocols that transmit passwords in the clear.  However, segmentation is a crucial tool in preventing unopposed lateral movement if (or when) a new or existing vulnerability is exploited.  The network design must, by default, prevent lateral movement between application zones.

If segmentation was important in the relatively modest networking scenario of yesterday’s healthcare, just imagine what it means for an IoT-enabled tomorrow.  As the number and diversity of network-connected devices exponentially grow, so too does the potential number of attack vectors.  Scalable, secure segmentation, in combination with a centralized access policy and enforcement engine, will come to characterize the software-defined network perimeter.

Segmented, elastic connectivity is key to the concept of dynamically extending service access only when it is specifically required and authorized.  Devices, whether they are printers, IP video surveillance cameras, SIP terminals, traditional computers, or the plethora of new medical devices, will only have access once authentication has been established, and the network is extended only for the duration of this validated session.  Automatically retracting network access from the edge reduces exposure.

Yes, Automation Ties It All Together

Implementations where security requires too much effort or results in complexity often fail, simply because the human element gets in the way: the need for a quick fix often overrides best practice.  How many times have shortcuts and the human element led to system failures?  Automating the connectivity of Internet-connected devices can be used as the catalyst to ensure that security is simpler, and therefore easier to implement and maintain.

Again, scalability is a key consideration for the mass of these new IoT-enabled devices, the majority of which involve purely machine-to-machine transactions.  With no human intervention to drive attachment or provide credentials, the network must be smart enough to automate – at massive scale – secure connectivity.

It’s not just about automating mass connectivity at the edge; healthcare operators need to make sure their system correctly assigns devices and users to secure network segments, having enforced the appropriate policy.  That way, administrators can prevent devices from becoming lost in uncontrolled network connectivity.  Thankfully, automation has now reached a level of sophistication where complex workflows can – triggered by, for example, the simple act of authenticated attachment – dynamically establish secure network zones and facilitate application-specific solutions.  None of this requires pre-configuration: services can be dynamically extended as and when needed, securely segmenting the infrastructure and avoiding the security risks associated with static configuration.
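The zone model described above (default deny between zones, explicit inter-zone flows, and network access that is extended on authenticated attachment and withdrawn on detach) can be expressed as a small policy engine. The following Python is an added illustration written for this article, not Avaya's own code or the implementation of any product; the zone names, device directory and credentials are constructed for the example, and a real deployment would source them from an 802.1X/RADIUS or certificate store.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Directional (initiator zone, target zone) pairs that were explicitly
# configured. Any inter-zone flow not listed here is denied by default,
# which is what blocks uncontrolled lateral movement after one compromise.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("imaging", "ehr"),        # MRI scanners deliver studies to the EHR
    ("payment", "financial"),  # card terminals reach the financial backend
}

# Constructed device directory (hypothetical): credential -> (device, zone).
DEVICE_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "cred-mri-01": ("mri-scanner-01", "imaging"),
    "cred-ehr-db": ("ehr-db-01", "ehr"),
    "cred-pos-07": ("card-terminal-07", "payment"),
    "cred-guest":  ("visitor-phone", "guest-wifi"),
}


@dataclass
class Session:
    device: str
    zone: str


class SegmentationFabric:
    """Elastic, authenticated attachment: a port carries no service until a
    credential is validated, and the service retracts when the port detaches."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}  # port -> active session

    def attach(self, port: str, credential: str) -> Optional[str]:
        """Authenticate the device on a port; return its zone, or None."""
        entry = DEVICE_DIRECTORY.get(credential)
        if entry is None:
            return None  # unknown credential: the port stays dark
        device, zone = entry
        self.sessions[port] = Session(device, zone)
        return zone

    def detach(self, port: str) -> None:
        """Link down or logout: the zone is withdrawn from the port."""
        self.sessions.pop(port, None)

    def flow_permitted(self, src_port: str, dst_port: str) -> bool:
        src, dst = self.sessions.get(src_port), self.sessions.get(dst_port)
        if src is None or dst is None:
            return False  # no authenticated session, nothing is reachable
        if src.zone == dst.zone:
            return True  # intra-zone traffic is the zone's own service
        return (src.zone, dst.zone) in ALLOWED_FLOWS
```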

Enabling New Innovations

The pace of advancement in medical device technology is at an all-time high, but unfortunately, so is the rate of security breaches, despite very conscious efforts on the part of the industry to close potential gaps.  A 2015 report cited by Government Health IT indicates that more than 34 percent of U.S. healthcare customer records have already been breached – the highest figure of any industry[iv].  The top 10 breaches alone affected more than 111 million records.

Unfortunately, the adverse publicity that naturally attaches to these incidents can act as an inhibitor of innovation.  In some cases, a healthcare organization may hold back on leveraging the latest technology for fear of not being able to effectively secure it.  Such hesitation would delay improvements in patient care and could adversely affect outcomes.

As the Internet of Healthcare Things takes hold, it is of paramount importance to find ways of enabling the rapid adoption of innovative solutions.  It is equally important, obviously, to solve this challenge in such a way that network security is not compromised; indeed, it can and should be enhanced.

About the Author:

Jean Turgeon is vice president and chief technologist for Avaya.

References:

[i] Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, FBI Cyber Division, April 2014.

[ii] DHS Investigates 24 Potentially Deadly Cyber Flaws in Medical Devices, Computerworld, October 2014.

[iii] NSA Hacker Chief Explains How to Keep Him Out of Your System, Wired.com, January 2016.

[iv] Healthcare Leads All Industries In Data Breaches, GovHealthIT.com, September 2015.