“Everything with a power point is probably connected, or will be shortly,” says Christopher Neal, chief information security officer (CISO) of Ramsay Health Care.
“Increasingly that connectivity is critical to patient care,” he told the Gartner Security and Risk Management Summit in Sydney on Monday.
Even if those connected devices aren’t transmitting patient medical data, increasingly they’re conveying information about their own health.
Yet those medical devices can be incredibly vulnerable.
Neal saw this first-hand in the medical village at the DefCon cybersecurity conference earlier this month. Hackers were let loose on the kind of equipment you’d expect to find in hospital patient rooms.
“The most fun I saw was [when] a guy sat down at an ultrasound machine,” he said.
“Within about 30 seconds of connecting he had shell, unrestricted PowerShell access to that system through a vulnerability in the file manager that’s on the platform.”
The US Food and Drug Administration (FDA) has been issuing cybersecurity guidelines for several years. Australia’s Therapeutic Goods Administration (TGA) issued its own Medical device cyber security guidance for industry last month.
“There’s good guidance, but any systems built with that guidance are probably three to four years away from market, and most of this gear’s built to last 10 to 15 years,” Neal said.
“Anything you’re buying today has not been built secure-by-design, most likely. This is a problem that’s going to live in healthcare for another 15 to 20 years.”
YOU CAN’T SECURE IT IF YOU DON’T KNOW IT’S THERE
Ramsay is Australia’s largest operator of private hospitals, with 30,000 staff and around 9,500 beds. Their set-up seems typical for a health care provider.
When he started there, Neal found a “not wonderful understanding of where IT systems are at, what’s connected”. There were “varying levels of support and understanding” of what devices are in place, with no centralised fixed asset list.
Each hospital also runs as its own entity, with its own chief executive officer. That works against consistency across the organisation.
While the architecture of the corporate network is flat, each hospital’s medical networks are meant to be compartmentalised using DMZ networks.
“If you don’t know about it you can’t secure it,” Neal said, so he launched a project to map all the devices across the organisation’s 74 hospitals.
A trial run with three hospitals took three months to complete, so clearly automation was needed. Neal chose the Forescout device visibility and control platform.
“Did we find a lot more equipment with default credentials, default configuration, sitting not on the corporate network but in those DMZs? Yes, we found a lot of that,” he said.
“I see visibility as the foundation to being able to start stitching things together.”
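The reconciliation step behind Neal’s “visibility as the foundation” point, and the DMZ compartmentalisation mentioned above, can be illustrated with a small script. The following is an added example, not code from the article, from Ramsay Health Care or from the Forescout product: it takes a constructed discovery export (the kind of IP/MAC/vendor listing a scanner or DHCP export produces), classifies each address into assumed network segments, and reports devices missing from the asset register, clinical equipment found on the flat corporate network instead of a medical DMZ, and addresses in subnets nobody has mapped. The asset register, segment ranges, MAC addresses and vendor names are all invented placeholders.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: a hypothetical asset register kept by hospital IT.
# Keys are MAC addresses; values are the recorded description.
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:01": "Ward 3 infusion pump",
    "00:1a:2b:3c:4d:02": "Radiology ultrasound cart",
    "00:1a:2b:3c:4d:03": "Nurse station workstation",
}

# Assumed segments: one flat corporate network and per-hospital medical DMZs,
# as the article describes. The ranges are illustrative placeholders.
SEGMENTS = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "medical-dmz": [ipaddress.ip_network("10.200.0.0/24"),
                    ipaddress.ip_network("10.200.1.0/24")],
}

# Constructed discovery export in the shape "<ip> <mac> <vendor-from-OUI>".
DISCOVERY_EXPORT = """\
10.200.0.15 00:1a:2b:3c:4d:01 MedPumpCo
10.200.0.22 00:1a:2b:3c:4d:02 UltraImaging
10.10.4.77  00:1a:2b:3c:4d:03 Dell
10.10.4.90  00:1a:2b:3c:4d:09 MedPumpCo
10.200.1.5  00:1a:2b:3c:4d:10 UltraImaging
192.168.9.3 00:1a:2b:3c:4d:11 Unknown
"""

# Invented vendor strings treated as clinical equipment that belongs in a DMZ.
MEDICAL_VENDORS = {"MedPumpCo", "UltraImaging"}

Device = namedtuple("Device", "ip mac vendor segment")


def classify_segment(ip):
    """Map an IP address to the first segment whose ranges contain it."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SEGMENTS.items():
        if any(addr in net for net in nets):
            return name
    return "unmapped"


def parse_discovery(text):
    """Parse the whitespace-separated export into Device records."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, vendor = line.split()
        devices.append(Device(ip, mac.lower(), vendor, classify_segment(ip)))
    return devices


def reconcile(devices, register):
    """Compare discovered devices with the register and segment expectations.

    Returns a dict with three lists:
      unknown   - discovered MACs absent from the asset register
      misplaced - clinical-vendor devices not sitting in a medical DMZ
      unmapped  - devices in address ranges no segment definition covers
    """
    findings = {"unknown": [], "misplaced": [], "unmapped": []}
    for d in devices:
        if d.mac not in register:
            findings["unknown"].append(d)
        if d.vendor in MEDICAL_VENDORS and d.segment != "medical-dmz":
            findings["misplaced"].append(d)
        if d.segment == "unmapped":
            findings["unmapped"].append(d)
    return findings


if __name__ == "__main__":
    result = reconcile(parse_discovery(DISCOVERY_EXPORT), ASSET_REGISTER)
    for category, devs in result.items():
        print(f"{category}: {len(devs)}")
        for d in devs:
            print(f"  {d.ip:<12} {d.mac}  {d.vendor:<13} segment={d.segment}")
```

On the constructed data the script reports three devices the register has never heard of, one infusion-pump vendor device sitting on the corporate network rather than in a DMZ, and one address in a subnet that no segment definition covers. In practice the register and segment table would come from the CMDB and network documentation, and the export from whatever discovery tooling is in place; the value of the exercise is that each list is a concrete work item (register it, move it, or document the subnet) rather than a vague sense that something is unaccounted for.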
Ramsay isn’t ready to move to a zero trust model for cybersecurity, however. Being able to make that move “depends on IT maturity more generally, how the organisation broadly sees and values IT”.
According to Neal, at Ramsay “there’s an IT and organisational maturity that’s a long way off”.
“For a very mature IT organisation, you can probably get it done in two or three years,” he said.
“Looking to do it any faster than that in any large-ish organisation you’re more likely to break things than fix them.”
Date: August 27, 2019
Source: ZDNet