Health IT Security: What's Next
While recent high-profile health data breaches like the Anthem, CareFirst, Excellus, and Premera hackings have the industry focused on cyber threats, Avi Rubin is focused on threat vectors in the not-too-distant future.
Rubin is director of the Health and Medical Security Lab at Johns Hopkins, which was established about six years ago with funding from the Office of the National Coordinator for Health Information Technology. His latest research focuses on security for healthcare IT systems and is funded by a $10 million grant from the National Science Foundation that he shares with three other professors: David Kotz at Dartmouth, Carl Gunter at the University of Illinois at Urbana-Champaign, and Kevin Fu at the University of Michigan.
Health Data Management spoke to Rubin about cybersecurity and the challenges in securing health IT.
HDM: Many surveys and studies find that healthcare is lagging behind other industries, such as financial services, when it comes to cybersecurity. Do you share that view?
Rubin: In the financial services industry, they’ll have many more professional staff devoted to security than in healthcare systems. Just by devoting more resources to the problem and monitoring their systems more carefully, financial services are much more secure than healthcare. Of all the industries I’ve seen, healthcare seems to be the most behind in terms of securing their IT.
In this environment, there’s so much low-hanging fruit that needs to be fixed. The healthcare industry must realize that it needs to throw more money at the problem and take it more seriously. Maybe now, with all the breaches that we see in the news all of the time and with the sensitivity of health data for things like medical identity theft, we’ll begin to see a change. But, I think there’s a big awareness gap in what needs to be done.
HDM: With the growth of mobile health and patient-generated data, is that an area of particular risk?
Rubin: I don’t think it’s any more vulnerable than anything else. The patient-generated data can be protected on servers the same as the data that’s generated by health providers. I think what’s a bigger deal is that patient access to their medical data requires the data to be online all the time, which makes it hard to encrypt. I do think, however, that when it comes to mobile devices, Android is more vulnerable than Apple right now. But, all of them can be compromised and have been repeatedly. So, if you start relying on mobile devices for your security and that device is compromised, you’re in big trouble.
HDM: Last week, you were the opening session keynote speaker at the AMIA 2015 Annual Symposium held in San Francisco. What was your main message to that audience?
Rubin: I spoke about software security in general and how it affects healthcare. And, then, I showed some examples of recent hacks that have happened. Software is what’s exploited by malware to take over systems and to steal data. So, if you look at the Target or Anthem breach, a lot of them are happening because software has bugs in it and the attackers are able to exploit those bugs to get their code running. We need techniques to make software more reliable and to not depend so much on it for our security.
HDM: And, how do we do that?
Rubin: I don’t think there’s a silver bullet. We’re at a point now where we require systems that depend on a lot of software, which has bugs and there will be exploits. I think we need to fund more research on how to protect software systems. It’s a lot easier to point out what the problems are than what the solutions are. I don’t have a magic solution to it.
HDM: Having said that, do you have any recommendations and best practices that healthcare organizations should adopt now to bolster security?
Rubin: The most immediate thing I would say to an organization is to hire the best security people that they can and to increase their budget for IT security. The next thing I would say is encryption. All of the data at rest should be encrypted and any data that’s communicated somewhere else needs to be done over encryption protocols. So, that’s where I would start. The harder things are software security. But, that requires a lot of expertise.
HDM: What about phishing? People seem to continue to fall prey to this threat. What is it that people do not understand?
Rubin: Unfortunately, people are still easily fooled by emails that appear to be from someone they know or trust. I just don’t think people realize how important it is not to click on links and reveal their passwords and personal information. Another problem with phishing is getting people to websites where malware can infect their computers and take control of their machines.
HDM: When it comes to the funding from NSF, what is it that you are specifically examining on the cyber front?
Rubin: It’s for building next-generation technologies for healthcare IT; everything from encrypting electronic medical records using advanced cryptographic mechanisms to providing security for medical devices that are going to be on the Internet, like infusion pumps that will be connected to patients. It’s for looking at logs in the access of systems in the hospital to try and figure out if all the accesses are where they’re supposed to be or if there’s an intruder in the system or someone doing something they shouldn’t be. So, it’s really all of the above. National Science Foundation money is not given for producing products right away or for walking into a hospital and trying to change things. It’s really to do science and research that will create capabilities that future systems will be able to benefit from.
We’re looking at what could you do in a hospital if you added cryptography to beacons that allowed you to track where devices are in the hospital. That’s not technology that’s available today. But, we’re building it and hoping that future hospital systems will be able to use encrypted beacons to locate and track medical devices.
HDM: As I’m sure you’re aware, the FDA recently alerted users of a computerized infusion pump, which communicates with hospital information systems via a wired or wireless connection over facility network infrastructures, that it has serious cybersecurity vulnerabilities that could enable hackers to access hospital networks, putting protected health information and patient safety at risk. What are some of the issues that you are seeing?
Rubin: We’re future looking, not looking at the pumps that are out there today. What we did in my lab was we built what we call a Sentinel, which is a shield that sits in front of an infusion pump and monitors the communication bus on the device to try and see if there is any traffic that does not meet the profile; then it raises an alarm that it might be under attack from the Internet and basically takes it back to a more secure state. What we’d like to do is to produce science that people who want to build next-generation infusion pumps could utilize in order to make their systems more secure.
HDM: The FBI in September issued an alert warning about the cybersecurity risks that networked medical devices pose. According to the agency, these Internet of Things (IoT) devices—which connect to the web automatically sending and/or receiving data—include wireless heart monitors and insulin dispensers. Are medical device manufacturers to blame for not designing them with security in mind?
Rubin: I think that was true a while ago. But, I’ve met with some manufacturers recently who are taking security very seriously. I think in the next generation we’re going to see much more sophisticated security in these devices. I think they were kind of hit unaware as to what the security issues were with the older generation systems because they were just building them to work. And, once they connected them to the Internet and people started attacking them, they were quickly made aware of what the security problems are. It’s important not to forget about security whenever you build a system. With medical systems, oftentimes the people that are building them are not security experts.
HDM: There are so many challenges currently facing healthcare organizations in securing their systems; it’s interesting that you are looking into the future, although maybe the solutions to today’s problems are just over the horizon.
Rubin: You need to have people doing all of the above. A lot of people are looking at today’s systems and trying to come up with solutions. We like to look five years out and ask: what is the science that needs to happen in order to make future systems more secure?