The news keeps getting worse for hospitals falling victim to cyberattacks. Attackers just encrypted data at Methodist Hospital in Kentucky, holding it for ransom. NBC reported that two other hospitals were also recently victims of ransomware attacks. This all comes on the heels of Hollywood Presbyterian Medical Center paying ransom to get its computer systems back up and running earlier this year.
While many hospitals focus on prevention, such as training their employees not to click on bad links or download suspicious-looking attachments, it’s time to face the sobering reality that resources must be allocated to detecting and containing breaches. Thanks to embedded systems and the Internet of Things (IoT), you can no longer limit the damage from someone mistakenly clicking on a phishing email by simply taking that person’s computer offline.
Always-on connectivity holds great promise for healthcare, as doctors are increasingly relying on mobile apps, wearable devices, and tablet computing to provide higher quality care to patients. While that would make Hippocrates proud, it is leading healthcare IT down a dangerous road – arguably more dangerous than the crisis with insecure personal computers (PCs) two decades ago. Why?
- Today, all of these devices are connected to the Internet. The computers in our routers and modems are much more powerful than pre-Y2K PCs, and the Internet of Things will put computers into all sorts of devices.
- The industries producing these devices are even less capable of fixing the problem than the PC and software industries were back in the 1990s.
Now let’s turn to embedded systems and IoT. There are several layers complicating the ability to patch software to plug security gaps.
- Layer 1: Specialized computer chip makers, such as Broadcom and Qualcomm, create cheap chips that generally carry a version of the Linux operating system as well as other open source and proprietary components. Engineering is kept to a minimum.
- Layer 2: These computer chip makers then sell their wares to system manufacturers (usually Original Device Manufacturers) who build routers, servers, and more. They don’t do any real engineering, either.
- Layer 3: The system manufacturers then sell their work to a brand-name company that sells to actual end-user customers. The brand-name company will add a user interface and some features before selling the product.
There is no true incentive or expertise to patch the software once it’s shipped. Layer 1 is busy making the next-generation chip, while Layer 2 is upgrading its product to work with the next chip. Maintaining older chips and products isn’t a priority. To add insult to injury, the software is old, even when the device is new. For example, one survey of common home routers found that the software components were four to five years older than the device.
The result is that hundreds of millions of devices have been sitting on the Internet, unpatched and insecure, for the last five to ten years. Hackers are starting to notice. The Internet of Things will only make this problem worse, as the Internet – as well as our homes and bodies – becomes flooded with new embedded devices that will be equally poorly maintained and unpatchable.
U.S. Director of National Intelligence James Clapper recently stated that, “Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.”
We can help you navigate the next generation of software and safeguard your data so you can focus on saving lives. US Cyber Vault is the world’s most secure cloud platform for healthcare. Building on decades in cloud security, US Cyber Vault protects against threats, provides a secure data and computing environment, and is supported by an incident response team of intelligence experts with guaranteed day-zero breach detection. Request a free trial today.
Written by Rob LaMear, CEO, US Cyber Vault