H-ISAC Hacking Healthcare 8-13-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: In this edition of Hacking Healthcare, we take a look at how medical device cybersecurity is increasingly generating interest. We then give you a breakdown of the UK’s massive bet on A.I. in healthcare. Finally, we explore the Department of Defense’s interest in the Zero Trust model of cybersecurity and why you might be interested.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

Hot Links –

1. Medical Devices Take Center Stage.

The increasing scrutiny on the cybersecurity of medical devices got a boost last Thursday with the Medical Device Village at DEF CON[i] in Las Vegas. Whereas the previous year’s installation was relatively sparse, this year’s iteration was completely transformative. Visitors were able to walk through a 2,600sqft “hospital” complete with a mock radiology department, pharmacy, and an intensive care unit that were professionally recreated by students at CalPoly.[ii] All of these “rooms” were filled with various medical devices to be hacked.

The interest in significantly expanding the Medical Device Village comes at an opportune time. With the healthcare sector investing heavily in acquiring and integrating state of the art technologies in IoT and other connected devices, taking stock of the underlying cybersecurity and privacy aspects is increasingly coming to the fore. The organizers of the village were upbeat about the strides the healthcare sector has made with regards to securing devices, but they were quick to stress that much more needed to be done. The organizers were keen to point out that a) many medical devices have never been evaluated by security researchers; b) that many older devices were designed with basic-to-no-security; and c) that too often healthcare providers do not configure their devices properly prior to implementation.[iii]

2. NHS Receives Funding for National Cyber Lab.

The United Kingdom may be going all in on developing AI for the healthcare sector. New Prime Minister Boris Johnson has wasted little time in declaring that the government will set aside £250 million pounds for a National Artificial Intelligence Lab. The lab will reportedly be under the NHSx, which houses public and private sector experts to lead the digitization of the UK’s health service. The UK’s Health Secretary Matt Hancock shared his delight and confidence that AI could help turn the NHS into a “truly predictive, preventive and personalized health and care service”[iv]

While this investment will certainly bring benefits once it gets up and running, there are significant concerns. Some health experts are dubious that other healthcare projects won’t be affected by cuts, as the NHS is already “cash-strapped”.[v] Additionally, the NHS doesn’t have the cleanest bill of health when it comes to cybersecurity and implementing new technologies.[vi] Furthermore, there is speculation that, while well intentioned, NHS may not ensure its investment relies on a robust and inclusive data set that fully represents the breadth of the UK’s population.[vii] Failure to do so will further lend support to criticism that emerging technologies are skewed against minorities.[viii]

3. DoD Launches Zero-Trust Program.

The Pentagon has made its first concrete steps toward initial testing of Zero Trust network architectures and technologies by announcing the creation of a test facility and pilot program.[ix] The Defense Information Systems Agency (DISA) will be tasked with building out the research facility that will be located at Fort Meade. Once completed, the facility will house a joint DISA and Cyber Command pilot program.

Historically, approaches to cybersecurity operated with a significant level of trust given to internal actors on a network, including both hosts and users. In contrast, Zero Trust operates with a “never trust, always verify” mindset. By accepting the limitations of perimeter defense and embracing a data-centric model of cybersecurity the Zero Trust framework is positioned to counter the increase of insider threats and the growth of sophisticated actors able to bypass common cybersecurity systems.

Embracing this philosophical change in cybersecurity strategy may be necessary as current strategies continue to come up short. The Zero Trust model holds promise in this regard by limiting the movement of malicious actors who have gained access to a network by adding additional authentication requirements, making use of encryption, implementing micro-segmentation, and comprehensively applying principles like least privileged access. Additionally, Zero Trust may improve detection and incident response through its prioritization of visibility and analytics.