Why Is Your Hospital’s Cybersecurity So Insecure?

Businesses, including hospitals and health systems, believe their enterprises are secure from cyberattacks. Other people believe the earth is flat and that we never landed on the moon.

Believing something does not make it true. Most healthcare executives believe their data is secure against attacks. They sort of have to believe it. If they did not believe it, they would have a major effort underway to secure it. With all due respect, however, I bet I can prove that your hospital’s cyber security is not secured against 80 percent of the cyber threats to your system.

2016. MedStar. Big hack. Very vulnerable.

You don’t have to believe me; just read the latest headline about WikiLeaks. Amid a trove of documents released by WikiLeaks — which allegedly contains “the entire hacking capacity of the CIA” — is chilling evidence that everyday devices like smart TVs and cell phones have potentially become critical tools in the effort to spy on American citizens.

“When we think of a security hack, when we think of risks, we think of computers, phones, and tablets. Things connected to the internet. Things with IP addresses. Things WITHOUT IP addresses (and there are more of these than you think). All Internet of Things (IoT). All Wi-Fi enabled devices can be hacked. Hackers can steal data, conduct espionage, and cause physical damage.”

The CIA was hacked. Hillary was hacked. Russia hacked the US. Logic should tell us that the level of encryption used by the CIA is many times better than that used in the private sector. If the CIA can be hacked, it is beyond naive to believe that the enterprise data of hospitals — and payers — are safe. We learned last year that putting your server in a bathroom does not work.

There are only two types of businesses. Those that have been hacked, and those that have not been hacked yet. Your Chief Information Security Officer should be telling the board, “We have not been hacked yet.”

In fact, everyone — every public and private sector organization — needs to operate like the Department of Defense. When it comes to how they see their networks, systems, and devices, they work under “assumed breach.” They look at it that way because their vast experience and money spent dictates they should act as if they’ve already been breached. It is hard to swallow that even the most knowledgeable security professionals — who are doing their best work — are still vulnerable, but they are. And so are their systems.

But if you accept that you’ve already been hacked, you have a better chance of protecting yourself than if you live in denial.

Most of us have no idea that things that do not have an IP address are just as vulnerable to hacking as laptops. Those things include all the following:

• Medical devices like heart monitors
• Implantables
• Smart TVs
• Thermostats
• Wheelchairs
• Elevators
• HVAC systems
• Security cameras
• Energy systems
• Copiers
• Printers
• VoIP phones
• Smart refrigerators
• Smart lightbulbs
• Elevators
• Motion detectors
• Alarms
• Window and door sensors
• Programmable coffee machines
• Personal devices used by your staff, patients and visitors that are connected to your Wi-Fi

Every single thing in a hospital that uses software to communicate to something else can be hacked. The average hospital has more than 100,000 unsecured entry points that are vulnerable. Large health systems have more than 1,000,000 vulnerabilities, most of which do not have an IP address.

But what if you could fix all those problems right now? What if you could protect all your systems, your patients, and your employees today with minimal effort and for minimal cost? What if everything that was vulnerable and open to attack could be made invisible to any type of cyber-attack? A technology to do this exists. I saw it.

The tool discovered all the IoT vulnerabilities listed above for a health system. It was demonstrated using a few of the system’s security cameras. One minute the cameras were present on the display of the hospital’s IoT devices; a few clicks later those cameras disappeared from the screen. Those cameras still functioned, but now they were invisible to anyone trying to hack the system. The technology can discover all of your system’s vulnerabilities.

And even better, if someone breaches a device in your system, you know it the moment it happens, and you can turn off the hacked device. You don’t have to read about it in the Washington Post.

The technology works at health systems as large as the VA. People who believe they’ve built a foolproof cyber plan should be waiting to be proved wrong. If you want to learn more, let me know. Within 20 minutes you will see your risk in a real demo. And better yet, you will see how to take that risk to zero.

[This piece was originally published on Paul Roemer’s blog, Disrupting Patient Access & Experience. To follow him on Twitter, click here.]