Interview: Cisco on the cyber dangers lurking in healthcare
The healthcare industry may have had the spotlight cast in its direction after the major cyber attacks like WannaCry that struck this year, but in reality they face the same threats as anyone else, and the stakes are much higher.
What is the state of cybersecurity in healthcare? We talked to Anthony Stitt, Cisco’s A/NZ general manager of security, about data privacy, automation and shocking findings from the Midyear Cybersecurity report.
As with any sector, healthcare risks data loss, service disruption, privacy issues and public backlash in the wake of a cyber attack, Stitt says. But healthcare data pushes up the stakes.
“Healthcare data is understandably sensitive and is often governed by separate regulations in comparison to other sectors. Any disruption to services potentially fatal. In the age of public healthcare, the government underwrites security, so issues can be very embarrassing and create public distrust," Stitt says.
However, he believes that data is difficult to monetise – a disadvantage for cyber criminals, whose crimes are motivated by money. Data is not as universally valuable to everyone.
“Historically, this has meant attacks on data are much less common and as a result healthcare organisations have not had to deal with the issue of cybersecurity as frequently. Therefore, they’ve learnt to be complacent.”
Holding data to ransom is a way of monetising that data – especially when a criminal can do it at scale. The WannaCry ransomworm was a clear example of how ransom demands are spreading to capture large chunks of an organisation’s network.
“The antidote for malware, especially worm-like propagation is: 1) vulnerability patching and 2) network segmentation. Healthcare organisations often have clinical machines, management software, ERP systems and other connected devices (like CCTV), which are not tolerant to frequent patching. In some instances these machines are owned and/or managed by third parties, who explicitly forbid untested patching,” he explains.
“These machines are responsible for life-giving capabilities and patching can often introduce instability. Further, many healthcare networks are not segmented well. Segmentation takes time, increases complexity and requires more IT staff to manage. When the CEO of a healthcare organisation is faced with investing more in IT staff or investing in some new life-saving machine, you can understand why they make the frontline health investments over security enhancements. Especially, given that historically they have not been attacked as frequently as other industries.”
But change is sweeping the sector: IT and network are now mission critical – even for the smallest businesses and GPs.
“We’ve seen numerous examples of small businesses being attacked by ransomware and extorted. This is less about using the data externally and more about an easy route to monetisation for criminals, with some victims not being able to recover their data," Stitt says.
Cisco concentrates on making security simple, open and automated to the same visibility previously reserved for larger businesses.
“The days of “set and forget” though, are over. We call this a protection-only mindset and countless public breaches attest that this approach doesn’t work. Unfortunately, the industry is filled with vendors are service providers selling their wares as “silver bullets” to the problem," he explains.
“Further, operational security matters. Systems need to be reviewed periodically. Adjustments are required. There needs to be a process of visibility, review, adjustment (protect –detect-respond).
“Without that, businesses are simply proverbial zebras in the herd hoping the lions don’t pick them off. Good security requires people and if a business can’t afford the people to do it well, it must outsource.”
He says that outsourcing is a good option for business leaders because it allows service providers to aggregate smaller businesses. But that aggregation also attracts criminals, such as in the case of ‘Operation Cloud Hopper’, a cyberespionage campaign that targeted managed IT service providers.
The data that is at stake represents critical life data for patients, but Stitt says that threats are outside patients’ control. To an extent, so are vulnerabilities.
“For example, are you really going to stop going to your local GP because you think they might vulnerable to data theft? Of course, you could ask if they keep the data in-house, or use some kind of SaaS application or utilise a hosting provider elsewhere. Larger private businesses will be regulated by the Privacy Act, which you could always ask if that is the case too,” he explains.
“So, you’re left with “asset value”. What is the value of your data? It might be less than you think. In the wrong hands, it is often signficantly more than you think. You could chose your healthcare provider based on how you feel about this question. What would be the impact to you if some or all your healthcare data was exposed?”
Earlier this year Cisco released its Midyear Cybersecurity Report, which found that IoT devices feature standard chipsets that are designed for functionality, not security.
“Cisco has invented an architecture (Digital Network Architecture, or DNA) to deal with this, zero-trust networking, where the network treats all traffic as untrusted. This is the future of networking and segmentation. Know every device on the network, explicitly give it access based on what you know about it and what your policy says it should have access to,” he explains.
“Zero trust architectures are a great start. There is also a responsibility of equipment manufacturers to make their devices secure. This includes secure coding, minimum functionality (sometimes called minimum viability) and starting with security rather than bolting it on at the end or late in the development process."
The Midyear Cybersecurity Report also highlighted that operational security is struggling under the weight of too many alerts, a lack of investigation and a lack of mitigation. Spot solutions have created complex security technologies that are difficult to manage.
“These technologies have, in many cases, declined in efficacy over time - take anti-virus for example. With these declines in efficacy, the focus has shifted from protection to detection and response. Unfortunately, detection and response is all about people, and about how systems work together, amplifying weak signals, or simplifying the job for investigators,” Stitt explains.
“Cisco blocks billions of attacks every day, more than the number of google searches made every day, it gets rid of 99.9% of the issues but the 0.1% of attacks will hit you eventually; especially if you have no way to detect and remove them.”
“Moreover, we use our cloud to store attack meta-data, including where we first saw it, so even unknown attacks can be blocked after the fact. Cisco calls this retrospective security and we do it hundreds of thousands of times a month, we do it automatically, we block the execution of previously unknown malware on infected machines without our customers having to do anything. Cisco does this, currently, at an average of 4 hours from the initial infection.”
Looking to the future, Stitt sees the cybersecurity industry as an arms race that’s tipping back in favour of the defender.
“Collectively, we are making it more expensive for the attackers and as a result they are getting more focused and professional. One may see this as bad but raising the stakes is ulitmately a good thing. We will see a shift to SaaS (software as a service) and I think this will raise the stakes further be aggregating data and protection at a large scale,” he says.
He also says the security vendor landscape is large and fragmented, so consolidation will be a big part of the future.
“Cisco’s primary route to market here is via our security Enterprise Licensing Agreement, and these are one of the fastest growing procurement models in our portfolio, both here and globally,” Stitt says.
Stitt sees an increasing importance on privacy and law enforcement in the digital world.
“Right now, we don’t really have equivalent law enforcement online versus in the physical world. Online, every criminal is at your digital doorstep, whereas this is not the case in your home or at work. I doubt we will ever completely close this gap, although Governments will increasingly enforce the rule of law online.”
“I believe we must, and will, change our attitude to online security and what is required to be safer. The idea that every person, business and organisation needs to be a vigilante responsible solely for their own protection is ludicrous. This often governs talk about t online security. If your network is breached by criminals it’s your fault, whereas if your home or business is physically broken into, you’re a victim of a crime,” Stitt concludes.