Although Congress, regulators and healthcare leaders are doing “many correct things,” the current state of “voluntary practices, where we take our time, have not proven sufficient to transcend the market failures,” Josh Corman, founder of the voluntary organization of security professionals I am the Cavalry, explained to the Senate Health, Education, Labor, and Pensions Committee on May 18.
The course of the pandemic and the strain on healthcare reinforced that cybersecurity is indeed a patient safety risk. Corman puts it simply: the sector is “over-dependent on underdeveloped technologies.”
“Our dependence on connected technology was growing faster than our ability to secure it, in areas affecting public safety, human life and national security,” said Corman.
Connecting to technology brought promise of immediate adoption with obvious benefits. But it’s hard to determine the delayed consequences of said choices.
The reality is that there’s an awareness and adoption gap. Healthcare “organizations are target-rich but cyber-poor,” said Corman. “They lack the resources to do minimum hygiene.”
Despite a significant number of resources available from the government and from a range of security leaders, there simply isn’t “sufficient reach to these cyber-poor [organizations]. They don’t participate. They don’t have CISOs yet and don’t participate in Health-ISACs or other information sharing groups,” he explained.
Noting that one of the biggest obstacles to healthcare is education, Health-ISAC President and CEO Denis Anderson concurred. And many of those entities don’t know the benefits of the services provided by threat-sharing groups, including the host of free services and resources.
It’s vastly different from the financial services sector, where the Department of Treasury provides a great deal of support, including proposed checklists for financial firm audits, Anderson explained. Once the sector became aware of those resources, it became a “tsunami” of people joining the ISAC.
Right now, “it’s just not effective,” she added. “But I do believe that if we can educate, that would be a huge, great thing to do.”
As it stands, many don’t know what those groups are, or the agencies that can get them the help they need. Corman noted that once these entities are engaged, it’s possible to work with them at their current skill level “with empathy, to get them to crawl, walk, run.”
Some strong progress has been made across the sector and the government, but “much more substantive action” is needed to “stem the bleeding in the foreseeable future,” he explained. For one, “one of the top ways to reduce risk is to reduce complexity.”
“It’s not always defending indefensible things: It’s having a more defensible, simpler infrastructure,” he added.
But it’s not going to be effective if guidance is only given as advice, or as a voluntary action. Years after the release of multiple voluntary federal guidelines, adoption of these security standards are low and the majority of healthcare organizations are still struggling to keep pace.
If Congress wants action, entities must be incentivized to do so: “we need sticks and carrots,” said Corman. The comments echo an earlier declaration from Christian Dameff, MD, emergency room physician and security researcher from the University of California San Diego Health.
“If we’re going to offer safe harbors, they should be tethered to an attestation about your current state of practice against such a framework tool,” Corman added.
Hackers set the pace
On top of these tech challenges, the threat landscape has evolved to an untenable situation, with “the adversaries setting the pace” and are “now nearly unstoppable” given their business model, with the use of ransomware-as-a-service to create a highly professionalized, multi-party coordination, he explained.
The ransomware revolution began with the target of Fortune 500 companies in the hopes of gaining access to intellectual property to later sell for a profit. But with the ease of payments through Bitcoin and the ability of holding access hostage, everyone has become a target.
In healthcare, “unavailability became universally monetizable.” Corman explained that as more hackers “got away with it” and were rewarded with waves of organizations paying the ransom demands for access, the use of ransomware exploded.
Essentially, hackers’ “bold actions went unchecked long enough,” and perhaps, if more was done during the early ransomware waves in 2016, the situation might have been more manageable.
The attacks on designated critical infrastructure provide a prime example of this. These attacks “used to be off limits,” as it’s “technically an act of war when perpetrated by a nation state.”
“The state-tolerated, and sometimes state-directed, flirted up to and crossed lines that we need to reestablish,” said Corman. “That is more than just the job of Congress here. But we have allowed and tolerated the intolerable. Unless we do significant things against the adversaries and to shore up minimum hygiene for the defenders, we should expect more of this.”
“It’s not tenable for an individual, nor a nation. And with the threats of further attacks from Putin and other nation state adversaries, we need bold action, and we need it now,” he added. “Any crisis of competence in the public to trust these baseline functions is unacceptable. We need to be better.”
Federal actions: what’s working and what’s needed
In the past it seemed like people would have to die first before “anyone would listen,” Corman explained. But the Food and Drug Administration has taken bold steps to raise the bar on the minimum cyber hygiene requirements for medical devices and the launch of safety commission for medical devices, purely for cybersecurity reasons, to ensure no one would die.
The move “sent a shot over the bow to the industry of 10,000 medical device makers that the dependence we place on connected technology should be worthy of that trust.”
The latest congressional proposal, Protecting and Transforming Cyber Health Care (PATCH) Act, has also given the industry — and Corman — reason to hope. The bill contains some of the most important elements needed to support the sector with addressing risks to their attack surface.
Provider organizations struggle with the use of unsupported software, hard-coded passwords tucked into medical devices, supply chain risks, and a host of devices. Instead of just referring to best practices, Corman aims to address bad practices. At the moment there are at least three.
This includes the use of unsupported and end-of-life software, “in service of national critical functions and critical infrastructure: it’s dangerous and especially egregious for internet-facing [tech].” Corman works with the “cyber poor” on their internet attack surface, the things reachable from the outside.
For Corman, the use of these highly vulnerable technologies “should start to become the definition of negligence.”
Congress should work to target the cyber poor, let them know the federal support provided and how to work with those groups and the government, while ensuring the advice they’re being given is applicable to their specific situation, he concluded.