Security and availability in healthcare

Posted on 2020-10-08 by Matt Strahan in Business Security

Imagine you’re laying on a hospital bed in an emergency room. The doctors and nurses are rushing around in seemingly organised chaos. You hear beeping and shouting as they investigate and prepare. Imagine the fear you feel, the uncertainty of this life or death situation. Imagine, then, you hear a voice of a doctor: “Damn I can’t remember my password!”

When considering security in healthcare it sometimes feels like you’re going into an entirely different domain. One of the biggest mistakes in cyber security is to treat every organisation the same way, a one size fits all approach. Healthcare has such a different set of rules and requirements to most businesses that it’s hard to even slightly entertain that illusion.

When asked about security in healthcare, most people’s minds go to the security of their patient data. They think about their privacy, about those sensitive answers they give the doctor. When you think about mental health practices, patient records can be as personal as your diary, and the exposure of those records would be violating. Is that the worst case when it comes to healthcare cyber security though?

Doctors need to be able to do their jobs

IT systems becoming so ingrained into hospitals has saved lives, without question. The increase in speed and effectiveness, the error checking and greater integrity of data, and the increase of capacity and capability allows doctors and hospitals to do more with better outcomes. In this world where the stakes are literally life and death, though, cyber security can literally kill people.

Just recently, a new study showed that ransomware caused “as many as 36 additional deaths per 10,000 heart attacks”. The curious thing about this study was that it wasn’t necessarily the ransomware that caused the attacks, but the additional security controls that were put in place in response to the ransomware.

The implication of this is that the additional security controls made it harder for the doctors and nurses to do their jobs - save people’s lives and bring them back to health. Are these then the right security controls to implement?

Availability above all

Unlike most organisations that are concerned with confidentiality of data, especially personal information, in healthcare availability of medical services must trump all. It must be a constant concern when implementing cyber security strategies and systems. Any security control must be carefully designed and implemented to ensure that at all times the right people have access to the right information and services with minimal disruption.

This means that security controls that could be appropriate for other organisations could end up being catastrophic for healthcare staff. Token, app, and SMS based two factor authentication could, for example, be a huge blocker for someone on their feet who may have left their token at their desk or in their locker. Similarly, fingerprint based biometrics might be infeasible when someone is wearing gloves. If you have a rule that says “all access to patient data must require two factor authentication”, something that is easy to implement in a back office of a healthcare environment but much harder in patient areas, where does that leave you?

In this case, even the rules must be considered carefully and some creativity could be used. The security controls might have to be tailored to the specific environment so that they work for the users. This could even mean the complete bypass of authentication in certain cases. If you have a system in the surgery maybe that system could have the data for the patient automatically delivered without the surgeon needing to login. No authentication from the users required - they just have the data, and only that data, that they need. Instead of a full functioning system, you have access to a kiosk style terminal.

The requirements for high availability of systems, services, and data must permeate through the IT practices as well. When, for instance, you are considering a patch management programme, the idea of bringing down a critical system in a 24/7 practice might cause issues should it end up impacting services. I have been in healthcare environments where there was huge resistance to patching for this very reason. At the end of a penetration test we started talking about unpatched systems, and the response was “we can’t patch those, they’re too critical!” The result, though, was critical vulnerabilities, that, if used, could cause those systems to crash. It was a catch 22!

The extreme availability requirements for critical users and critical systems in a healthcare environment changes the game for cyber security and means that the IT staff and cyber security practitioners must think differently and sometimes more creatively. When even small issues can become life-or-death, we need to make sure we keep in mind that the reason we’re there is not necessarily to protect patient data but it’s as much there to make sure the right people can access that data at the right time.

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Online Marketing on Unsplash.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn