BayPay Forum

Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

Details
Category: Security News
31 December 1969

Cybersecurity, Data Breach, Risk Management

Presented by Intel. 60 minutes.

Today, cyberattacks increasingly are becoming at once more elaborate and more targeted in nature. To combat such threats, security departments need to improve their organisations' resilience by taking an integrated approach to security that can seek out and remediate threats through all stages of an attack lifecycle. This sort of posture must provide:

  • Visibility across your entire organization;
  • Real-time and aggregated security intelligence;
  • Built-in automation capabilities to manage potential threat vectors;
  • Integration of security tools so that there are no gaps in coverage.

Most organisations are at a disadvantage when it comes to fighting against cyberattacks. They still rely on a variety of point tools, most of which don't integrate well with one another and leave gaping holes in their overall security. Moreover, they lack insight into their security posture, making it difficult to prioritise and remediate against threats. In short, organisations need to move from a security posture that relies on detection and notification to one that comprises protection against threats, detection of potential threats and correction of these targeted attacks to minimise the damage they can cause.

Mo Cashman, Director of Enterprise Architecture at Intel Security, will describe the steps organisations need to take to eliminate gaps and improve their resilience against today's advanced threats. In this exclusive webinar, Cashman will also discuss:

  • The components of advanced threat lifecycles;
  • Why automation capabilities are essential to any advanced threat defense;
  • How your SIEM and Intel Active Response Technology can work together to optimise endpoint threat detection and response.
Original link

New Cybersecurity Task Force: Will It Make a Difference?

Details
Category: Security News
31 December 1969

David Finn, a former healthcare CIO who's now health IT officer at security vendor Symantec, recently agreed to join a new Department of Health and Human Services cybersecurity task force because he supports its mission of involving representatives of all healthcare sectors in the effort to tackle challenges.

"In healthcare, one of our issues is silos - within providers, and certainly across providers - and then along the continuum of partners and business associates," Finn says in an interview with Information Security Media Group. "The point of the task force - and the thing that interested and intrigued me - is that we're not going to sit down with a group of providers and say, 'How do you fix security in the hospital or the clinical setting?' And we're not going to sit down with some clinical application vendors and say, 'You guys need to fix security.' And we're not going to sit down with some security vendors and say, 'You need to fix security in healthcare.' We're bringing all those groups together."

A shift toward more collaboration on securing healthcare data, especially as more of that information is electronically exchanged, is critical, Finn says. "And that's what the task force does ... and why I want to participate."

The task force will start by examining how other sectors "have implemented strategies and safeguards for addressing cybersecurity threats in those industries," he says. It will also examine the unique cybersecurity challenges faced by healthcare entities and the difficulties that HIPAA covered entities and business associates face in securing networked medical devices and other systems that connect to electronic health records, he says. Plus, it will devise recommendations for how the sector can improve preparedness and response to cyber threats.

The creation of the task force, which includes nearly two dozen representatives of the government, technology and healthcare sectors, was mandated by the Cybersecurity Information Sharing Act of 2015. Task force members were selected based on recommendations from a panel of subject matter experts from HHS, the Department of Homeland Security and the National Institute of Standards and Technology. The group is expected to report its findings to Congress and the public next year.

Support from the Top

One of the biggest issues in healthcare information security is the lack of support for cybersecurity from CEOs and other senior leaders, Finn contends.

"What I believe is really lacking is leadership around security issues outside of IT," he says. "So, the CIO ... and certainly the CISO understand the issues, but we're not seeing the CEOs, the CFOs, chief nursing officers engaged in ways that would allow the CISO or CIO to ... escalate this and get the priorities we'd expect to see."

Although board meetings often feature detailed reports about financial as well as quality-of-care issues, Finn says, "what I don't see are security reports, where [CISOs] are presenting to the board their risk assessment, the [security] events that have occurred, what they're doing to stop and manage those incidents, and how they're training the staff to deal with those things."

In this interview, Finn also discusses:

  • Recent cyberattacks hitting the healthcare sector, including ransomware assaults;
  • Cybersecurity threats facing networked medical devices;
  • Other cybersecurity-related obstacles facing the healthcare sector.

Before joining Symantec, Finn was CIO and vice president of information services for Texas Children's Hospital, where he also previously served as the privacy and security officer. Earlier, Finn spent seven years as a healthcare consultant with Healthlink - formerly IMG - and PriceWaterhouseCoopers. Finn has more than 30 years of experience in the planning, management and control of IT and business processes.

Original link

Report: IT Security Threat to Intensify in Next Two Years

Details
Category: Security News
31 December 1969

A new report from the Information Security Forum paints a fairly pessimistic picture of enterprises' ability to protect their IT from cybercriminals over the next two years.

The report, Threat Horizons 2018, says the ability of organizations to protect IT is progressively being weakened. Businesses and society, for that matter, are becoming more reliant on complex new technologies to function, which intensifies the threat landscape, the report contends.

"We are having to be a little bit more, perhaps, critical of the way in which we look at our use of technology, and that's what you're beginning to see with some of the predictions we're coming out with now," Steve Durbin, managing director of the Information Security Forum, says in an interview with Information Security Media Group. "Let's bear in mind: These predictions are really trying to put some extra weaponry into the armory for the security professionals so we can anticipate some of the challenges that we're going to be seeing."

In the interview, Durbin addresses the three key themes of the report:

  • Technology adoption will dramatically expand the threat landscape. This includes using algorithms to maximize the efficiency of IT systems, which often results in heightened IT security risks. Organizations must be transparent about how algorithms work and how to mitigate the risks involved. "That's the important thing because we're not going to stop our dependence on these things," Durbin says.

  • Safeguarding IT will be progressively more difficult. Cyber insurance is one way organizations can mitigate associated risks. But cyber insurance is not a panacea, and Durbin points out that in the coming years, this insurance will have limited benefits. After all, insurers cannot offer coverage for such damages as harm to brand image or loss of reputation caused by a data breach. It would be "very, very difficult for an insurer to be able to put a real price on that and, indeed, write a policy that is going to effectively be able to cover it," Durbin says.

  • Governments will become increasingly interventionist. This includes some nations requiring domestic organizations using cloud computing providers to store data on servers within their national borders. "That it's being held in the cloud does not mean you're not responsible for it; this is the real issue," he says. "There is a need for businesses to be working very much more closely with their cloud providers, service providers. ... When we look forward two years, we don't see that threat moving away."

At the Information Security Forum, a not-for-profit organization that develops IT security best practices, Durbin focuses on strategy, information technology, cybersecurity and the emerging security threat landscape. He previously served as a senior vice president at the advisory firm Gartner.

Original link

FBI-Apple Aftermath: Finding the Elusive Compromise

Details
Category: Security News
31 December 1969

Encryption, Privacy, Technology

Shifting the Debate Away from Backdoors
Eric Chabrow (GovInfoSecurity) • March 30, 2016

The FBI vs. Apple legal fray pitted security against privacy, with FBI Director James Comey and Apple CEO Tim Cook championing their respective causes.


A truce, of sorts, is in place since the Justice Department earlier this week opted not to pursue a court order compelling Apple to help the FBI unlock the iPhone used by one of the San Bernardino shooters. The FBI cracked open the iPhone 5c with the help of an unidentified third party and dropped the case against Apple (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).


A senior law enforcement official told The Associated Press that the FBI managed to defeat an Apple security feature that threatened to delete the phone's contents if the FBI failed to enter the correct pass code combination after 10 tries. That enabled the government to guess the correct pass code by trying random combinations until the software accepted the right one, the AP reports.

Despite federal officials dropping their case, the battle of ideas stemming from the Apple vs. FBI battle endures. In one corner, Comey contends that Apple should have helped the FBI break into the iPhone used by Syed Rizwan Farook so authorities could gather evidence in the case. In the other corner, Cook argues that doing so would have weakened safeguards built into the iPhones, leaving potentially tens of millions of users exposed to hacks.

Balancing Act

But balancing security against privacy, at least how it's viewed today, hasn't always been a problem.

"In the earliest days of the Internet, privacy and security were at peace, mostly because they largely did not exist or even matter," former RSA Executive Chairman Art Coviello writes in the preface to a document detailing the goals of the Digital Equilibrium Project, an initiative to pull together stakeholders to identify ways to simultaneously provide privacy and security. But that age of innocence is long gone.

Digital Equilibrium Project's Art Coviello on how Apple-FBI dispute is symptomatic of broader issues.

"This blinding pace of digital adoption has far outrun the laws, social norms and diplomatic constructs that we painstakingly developed over centuries to conduct affairs in our physical world," Coviello says. "The result of that gap today is a growing tension between privacy and security."

Security Vs. Security

How can that gap be narrowed?

For starters, change the language to define the issue. Among some stakeholders, the matter isn't security vs. privacy but security vs. security. One type of security involves law enforcement protecting society from the bad guys; the other type focuses on technologies, such as smartphones, that millions upon millions of individuals rely on.

Another way to bridge the chasm is to rethink what the debate isn't about: creating a backdoor to circumvent encryption. Discussions should focus on how best to exploit technologies for public safety while safeguarding the security that the technologies furnish to users.

Cryptographers and IT company leaders, along with privacy advocates, have forwarded sound arguments explaining that if law enforcement (or intelligence agencies) are given a way to circumvent safeguards, nation-state adversaries and cybercriminals could employ them, too, to the disadvantage of individual, corporate and national security.

Comey and his cohorts would need to concede that backdoors are out of bounds. But then the two sides could collaborate to identify an array of approaches and techniques that could provide both types of security.

It's Not About Backdoors

"The real irony here is that the privacy, the security and the law enforcement communities are all actually on the same side," says Larry Clinton, president of the industry trade group Internet Security Alliance. "We are all defending against the criminal and rogue state attack community. We all need to realize that and find a way to move forward."

Greg Nojeim, senior counsel at the advocacy group Center for Democracy and Technology, notes: "We need to get over the debate about whether backdoors should be built in; it seems pretty clear they shouldn't be. We need to move on and assume a world where an increasing number of communications are encrypted. What techniques should the FBI be able to use to exploit devices and communications services, and which ones are out of bounds? That's the debate we need to have."

Look to Industry for Answers

Where can compromises be found on security issues? Veteran IT security and privacy practitioner Malcolm Harkins looks to the commercial marketplace for ideas.

Harkins, global chief information security officer at the IT security software provider Cylance, cites how some organizations employ behavioral analytics to ferret out malicious insiders while safeguarding individual privacy. When deployed properly, he says, behavioral analytics can spot anomalous behaviors in systems while anonymizing the individual performing them. Only after sufficient evidence is gathered, and presented to the human resources department, would the suspected individual be identified.
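The pattern Harkins describes, as an added example that is not code from the article or from Cylance: analysts score behaviour only against keyed pseudonyms, while the pseudonym-to-identity mapping is held by a separate escrow (the HR function in his description) that releases a name only when presented with the evidence that crossed the threshold. The event log, user names, record counts and the "five times the population median" rule are all constructed here for illustration.

```python
import hashlib
import hmac
import secrets
import statistics
from collections import defaultdict

# Constructed sample events (hypothetical users): (user, action, records_touched)
EVENTS = [
    ("alice", "export", 20), ("alice", "export", 25), ("alice", "login", 0),
    ("bob", "export", 15), ("bob", "login", 0),
    ("carol", "export", 30), ("carol", "login", 0),
    ("dave", "export", 400), ("dave", "export", 650), ("dave", "export", 900),
    ("erin", "export", 10), ("erin", "login", 0),
]


class PseudonymEscrow:
    """Holds the only pseudonym -> identity mapping and the HMAC key.

    In a real deployment this sits with HR/legal, outside the analytics
    team's reach; a class is used here only to make the separation explicit.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the escrow
        self._mapping = {}

    def pseudonymize(self, user):
        # Keyed hash: analysts cannot brute-force a user list back to names
        tag = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]
        self._mapping[tag] = user
        return tag

    def reveal(self, tag, evidence):
        # Re-identification only against evidence that crossed the threshold
        if not evidence.get("flagged"):
            raise PermissionError("insufficient evidence for re-identification")
        return self._mapping[tag]


def pseudonymized_events(events, escrow):
    """What the analytics team actually sees: tags instead of names."""
    return [(escrow.pseudonymize(user), action, n) for user, action, n in events]


def score_exports(pevents, threshold_factor=5.0):
    """Sum exported records per pseudonym and flag totals far above the
    population median (constructed rule; real baselines are per role/peer group)."""
    totals = defaultdict(int)
    for tag, action, n in pevents:
        if action == "export":
            totals[tag] += n
    median = statistics.median(totals.values())
    return {
        tag: {"total": total, "median": median,
              "flagged": total > threshold_factor * median}
        for tag, total in totals.items()
    }


def investigate(events, escrow=None):
    """Run the anonymised scoring, then reveal only the flagged identities."""
    escrow = escrow or PseudonymEscrow()
    scores = score_exports(pseudonymized_events(events, escrow))
    revealed = {}
    for tag, evidence in scores.items():
        if evidence["flagged"]:
            revealed[escrow.reveal(tag, evidence)] = evidence["total"]
    return scores, revealed


if __name__ == "__main__":
    scores, revealed = investigate(EVENTS)
    for tag, ev in scores.items():
        print(tag, ev["total"], "FLAGGED" if ev["flagged"] else "")
    print("re-identified after threshold:", revealed)
```

The analysts' view never contains a name; only the escrow can map a flagged tag back, and it refuses to do so for an unflagged one. With the constructed data, four users export tens of records and one exports 1,950, so exactly that one pseudonym is revealed.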

Cylance Global CISO Malcolm Harkins discusses balancing security with privacy.

Information Security Alliance's Clinton sees the Digital Equilibrium Project as a forum for identifying the tools and techniques that could be used to gather evidence in a criminal investigation while safeguarding individuals' security and privacy.

Untying the Gordian Knot

"What we need is that reasonable people from all sides are meeting and trying to work their way through the many complicated issues that will need to be addressed to untie the Gordian Knot between the security people, the privacy people and the government people," says Clinton, an organizing member of the project.

Let's hope the efforts by Coviello, Clinton and their Digital Equilibrium Project associates establish a framework to identify that elusive compromise that gives law enforcement access to the data it needs while protecting the security and privacy of individuals.

Original link

Security Flaws in Legacy Medical Supply Systems Spotlighted

Details
Category: Security News
31 December 1969

Breach Preparedness, Data Breach, Risk Management

Experts Say Vulnerabilities Are Common in Many Older Medical Devices
Marianne Kolbasuk McGee (HealthInfoSec) • April 1, 2016

A new alert from the Department of Homeland Security regarding more than 1,400 software vulnerabilities in an older line of systems used to dispense medical supplies at hospitals spotlights the challenges involved in securing legacy equipment, including medical devices.


DHS' Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, on March 29 issued an advisory saying that two independent researchers, Billy Rios and Mike Ahmadi, in collaboration with CareFusion - which was recently acquired by Becton, Dickinson and Co. - have identified about 1,418 third-party software vulnerabilities in end-of-lifecycle versions of CareFusion's Pyxis SupplyStation system.

The Pyxis SupplyStation systems are automated supply cabinets used to dispense medical supplies that can document usage in real time, the alert notes.

Complex Issues

The vulnerabilities found in the CareFusion system are important to spotlight because they represent the kinds of security problems commonly lurking in medical devices and other equipment, says Kevin Fu, associate professor of the electrical engineering and computer science department at the University of Michigan and CEO of Virta Laboratories, a start-up security vendor.

"1,400 [flaws] is noteworthy because it helps the risk managers at hospitals visualize the hidden complexity of all the software wrapped behind the beautiful plastic face plates of medical devices," he says. "Think of it as an ingredient list."

The recently discovered vulnerabilities illustrate the complicated issues that healthcare entities deal with in securing all the clinical equipment used in their environments, Fu says.

"Medical devices save lives, but complex software begins to resemble a stone soup of questionable provenance," he says. "I am not surprised to hear of thousands of flaws in a single device. We should continuously measure clinical environments for the effectiveness of compensating security controls built into medical devices. Only then can we meaningfully manage the risks."

In a statement provided to Information Security Media Group, Rios says that while the vulnerabilities do not appear to present immediate patient safety concerns, "there are certainly data security and privacy risks. Patient information is on these devices and is unencrypted within the Pyxis databases on the systems."

Exploitable Flaws

In explaining the risks posed by the vulnerabilities, ICS-CERT writes: "The Pyxis SupplyStation systems have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility's existing information systems. Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system."

The SupplyStation system is designed to maintain critical functionality and provide access to supplies in 'fail-safe mode' in the event that the cabinet is rendered inoperable, according to the alert, which notes that manual keys can be used to access the cabinet if it is rendered inoperable. "An attacker with low skill would be able to exploit many of these vulnerabilities," the alert warns.

ICS-CERT notes that the vulnerabilities were found using an automated software composition analysis tool. "Because the affected versions are at end-of-life-[cycle], a patch will not be provided; however, CareFusion has provided compensating measures to help reduce the risk of exploitation for the affected versions of the Pyxis SupplyStation systems," the report states.

Other Warnings

Last year, ICS-CERT and the FDA issued warnings about security vulnerabilities in certain medication infusion pumps manufactured by another vendor, Hospira. The agencies warned the flaws potentially could allow an unauthorized user to alter the drug dose the devices deliver.

In that situation, FDA took the unusual step of advising hospitals to discontinue using the infusion pumps due to the potential safety risks posed to patients. Rios was one of the independent researchers who discovered those Hospira infusion pump vulnerabilities (see Medical Device Cybersecurity Risks: Measuring the Impact).

In the case of the CareFusion Pyxis SupplyStation systems, FDA says in a statement provided to ISMG, "the device that was the subject of the ICS-CERT is not considered a medical device by the FDA," so it's not under the regulator's authority.

Steps to Take

The ICS-CERT alert notes that "CareFusion has confirmed that the identified vulnerabilities are present in the Pyxis SupplyStation systems that operate on Server 2003/Windows XP ... which are no longer supported."

As a result of the identified vulnerabilities, CareFusion has started reissuing targeted customer communications, advising customers of end-of-life versions with an upgrade path, the alert notes.

"For customers not pursuing the remediation path of upgrading devices, CareFusion has provided compensating measures to help reduce the risk of exploitation. CareFusion recommends that customers using older versions of the Pyxis SupplyStation system that operate on these legacy operating systems should consider applying compensating measures, including:

  • Isolating affected products from the Internet and untrusted systems; however, if additional connectivity is required, such as remote access, use a virtual private network;
  • Monitoring and logging all network traffic attempting to reach the affected products for suspicious activity;
  • Closing all unused ports on affected products;
  • Locating medical devices and remote devices behind firewalls and isolating them from the business network;
  • Ensuring all Microsoft patching and ESET virus definitions are up to date."
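The monitoring measure in that list only pays off if someone actually reviews the traffic that reaches the isolated segment. As an added example, not code from the advisory, CareFusion or ICS-CERT, the script below audits constructed firewall log lines against the other measures: flows into a hypothetical device segment are flagged when they originate from outside the organisation, from the business network rather than the VPN pool, or target a port the devices are not supposed to expose. The addresses, port set and log format are all assumptions chosen for the example.

```python
import ipaddress
from collections import namedtuple

# Hypothetical network layout (assumptions for the example, not from the advisory)
DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")   # isolated medical-device segment
VPN_NET = ipaddress.ip_network("10.99.0.0/24")      # address pool for remote service access
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # everything the organisation owns
ALLOWED_PORTS = {443, 3389}  # the only services the devices are meant to expose

Flow = namedtuple("Flow", "ts src dst dport action")

# Constructed sample firewall log lines in a simple key=value format
LOG_LINES = """\
2016-04-01T08:00:01 src=10.50.0.10 dst=10.50.0.21 dport=443 action=allow
2016-04-01T08:00:05 src=10.99.0.7 dst=10.50.0.21 dport=3389 action=allow
2016-04-01T08:01:12 src=198.51.100.23 dst=10.50.0.21 dport=445 action=allow
2016-04-01T08:02:40 src=10.20.3.44 dst=10.50.0.22 dport=135 action=allow
2016-04-01T08:03:09 src=10.50.0.21 dst=10.50.0.10 dport=443 action=allow
2016-04-01T08:04:50 src=10.20.3.44 dst=10.50.0.22 dport=445 action=deny
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a Flow."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return Flow(parts[0],
                ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]),
                fields["action"])


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Reasons this flow violates the compensating measures; empty if expected."""
    if flow.dst not in DEVICE_NET:
        return []  # not aimed at the isolated segment, out of scope here
    reasons = []
    if not is_internal(flow.src):
        reasons.append("source outside the organisation")
    elif flow.src not in DEVICE_NET and flow.src not in VPN_NET:
        reasons.append("business-network source, not via VPN")
    if flow.dport not in ALLOWED_PORTS:
        reasons.append(f"unexpected port {flow.dport}")
    return reasons


def audit(lines):
    """Report every attempt (allowed or denied) that breaks a measure.

    Denied attempts are kept because the advisory asks to monitor all traffic
    *attempting* to reach the devices, not just what got through.
    """
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        reasons = classify(flow)
        if reasons:
            findings.append((flow.ts, str(flow.src), str(flow.dst),
                             flow.dport, flow.action, reasons))
    return findings


def allowed_violations(lines):
    """Subset of findings that the firewall actually let through."""
    return [f for f in audit(lines) if f[4] == "allow"]


if __name__ == "__main__":
    for f in audit(LOG_LINES):
        print(*f[:5], "; ".join(f[5]))
```

Of the six constructed lines, the SupplyCenter-to-device HTTPS traffic and the VPN-sourced remote-desktop session pass; the external address, the two business-network hosts and the non-allowlisted ports are reported. The two findings marked "allow" are the ones that point at a firewall rule gap rather than merely at a probe.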

Becton Dickinson did not immediately respond to an ISMG inquiry about the approximate number of the older CareFusion Pyxis SupplyStation systems still in use at U.S. healthcare facilities. The company referred ISMG to a website posting advising users of the CareFusion Pyxis SupplyStation about upgrade considerations and security information for the legacy system.

Common Problems?

Rios says vulnerabilities similar to those identified in the Pyxis equipment exist in many other vendors' legacy healthcare equipment and medical devices still in use at U.S. hospitals.

Image: Security researcher Billy Rios

"While the Pyxis [situation] provides an excellent data point about the number of vulnerabilities within a medical device, it is by no means the exception. We ran similar analysis against other devices and discovered hundreds of vulnerabilities on those devices too," he says.

"At this point, hospitals have the burden of determining what the risk is to their organization. They'll have to conduct triage activities against all 1,400 vulnerabilities to determine what the risks are to their hospital," he says.

Addressing all the security vulnerabilities in healthcare equipment and medical devices that can potentially put other IT systems and possibly patients at risk is daunting for many organizations, Rios says.

"Imagine you are a CIO for a hospital. You are purchasing devices with hundreds, possibly thousands of known vulnerabilities. The CIO can't stop using the device as they help provide patient care," he says. "There are thousands of devices within a modern hospital and you're being asked to secure the devices, protect patient data, and help deliver effective patient care. We're putting hospitals in an untenable position when it comes to securing medical devices."

An important step, Rios says, is for hospitals to isolate an affected, vulnerable device from the network. "If this were the only device that had major security issues, it wouldn't be too bad, but pretty much every device has serious security issues," he says.

The current cybersecurity situation "essentially requires hospitals to place every device - Pyxis, infusion pumps, patient monitoring, anesthesia, MRI, etc. - on its own isolated network. This makes a hospital IT and biomed network impossible to manage," he says.

Original link
