Cyber Security Responses to Growing Exposure From IoT Connected Medical Devices
An Interview with Xu Zou, CEO of cyber security firm ZingBox
One in three Americans was the victim of a healthcare data breach in 2015, according to a Bitglass report, as part of an 80 percent increase in hacks that year. As that number continues to grow, healthcare organizations are focusing on mitigating the issue. The Pulse spoke with Xu Zou, a veteran of the networking and security industry, to hear firsthand about the challenges facing healthcare providers and how his company, ZingBox, is pioneering medical device security.
The Pulse: What are the greatest cybersecurity threats in healthcare and what should executives be most concerned with? How should people prioritize identity management, records management and ransomware?
Zou: Those three are all definitely top concerns with healthcare customers. On top of that, medical device security is critical. We see more hospitals and many insurance companies paying attention to medical device security for a couple of reasons:
- More medical devices are now directly connected to the EHR system, or, in other words, are directly connected to the existing IT infrastructure inside of the hospital, which means they have access to the full set of information within a hospital.
- As a result, they become low-hanging fruit for hackers because those medical devices, once they go through the FDA process, do not have state-of-the-art security protection embedded. To most people’s surprise, many devices are actually not protected at all, so hackers can basically walk into the hospital through the devices.
- There is concern because not only can hackers steal patient records through connected medical devices, but they can also cause life-threatening damage to patients by manipulating them. Therefore, devices being compromised becomes much more severe than just a laptop, making it one of the top concerns in the industry.
The Pulse: What is the main way that hackers gain access? Do they typically hack an administrative user who would have full access or somebody who is using the devices regularly?
Zou: Identity management becomes important to that issue. Right now, because of the nature of the healthcare industry, there is serious mobility within healthcare. Doctors and nurses move all the time, patients and their relatives come and go, so the whole identity and password management is indeed more complicated and vulnerable compared to other verticals. That’s why hackers are taking advantage of that to get credentials from a doctor, nurse or part-time consultant. More than half of attacks are launched from within the hospital due to compromised credentials. There can be other ways; for instance, sometimes doctors or nurses may click on a phishing site or download malware on their phone or PC, and then from there the hackers can get into the EHR system or medical devices. Those are the primary ways for hackers to get inside.
The Pulse: How have threats evolved with more technology and further information sharing and integration with systems, particularly when information is sent outside of the hospital setting to a post-acute or outpatient provider?
Zou: Information sharing is unfortunately making the system even more vulnerable because different users need the same set of information for different purposes. For example, systems may require third-party monitoring for maintenance purposes. Information sharing is indeed happening among different departments (IT, clinical staff, researchers, administrators); however, there are a few challenges:
- The interface for different groups requires a diverse set of information to engage with the system, which means that everything is streamlined and more challenging for each individual user; personalization has yet to happen.
- Security is key; how do you monitor the whole information flow and control the right access to each piece of information, and who should consume that information? How do we prevent that information from being leaked? That whole piece is still very much a work in progress and has not been adequately addressed.
The Pulse: There are many vendors, like a revenue cycle management or billing vendor, who are outside of the environment but still have access to sensitive data. Therefore, even if you can control your population, you start to have to manage external vendors as well. How do you recommend healthcare providers approach identity management for those vendors where they have less control?
Zou: Generally, small to medium sized hospitals outsource to third parties for remote management and device maintenance. It is very difficult to control the environment because once you open a link to someone outside of the hospital, that in itself can be a potential path for hackers. From that link, hackers can move laterally to other departments. In order to maximize security, not only do you need more stringent identity management but you have to have a system that monitors the whole communication flow between inside the hospital and the vendors outside of the hospital who are taking advantage of this channel. The entire communication path must be monitored independent of the third party, which is key.
The Pulse: If you had to give healthcare providers a report card for right now, where are they at right now? On a spectrum of preparedness, what is your perspective on how administrators have responded?
Zou: To give you a simple fact, last year healthcare was the number one vertical that was attacked by hackers; way more than the banking or credit card industries. There are clear reasons behind it. The ROI for the hackers is high because a patient record on the black market is worth ten times as much as a credit card, so they have a higher motivation to attack healthcare. On the other side, it is easier for hackers to break into healthcare than other industries. With that, we can see that healthcare’s IT sophistication is behind other verticals, even compared to retailers. The whole retail industry responded very quickly to Target; however, right now we have seen some early adopters in healthcare but the majority is still lagging behind. There are some bright spots; there is more education now and more conversation talking about healthcare being compromised and patient records getting stolen, so there is some momentum. Some of our larger hospital customers have started actively planning some security infrastructure enhancements to be better prepared, which is encouraging compared to last year. 2017 will probably be the year that big healthcare customers start to be more proactive with security infrastructure.
The Pulse: Compared to the other topics, how have hospitals reacted to connected devices? What should be core to their strategy?
Zou: Healthcare is quite unique compared to other verticals because in a typical hospital, the number of connected medical devices is four times the number of typical IT devices, such as laptops, servers and phones. That means the number of medical devices on the network is way more than the number of traditional devices, and unfortunately they are not secured at all today because they are all outdated.
Therefore, healthcare has a unique need to come up with a strategy to improve its cybersecurity resilience. By now, most healthcare customers rely on traditional IT security infrastructure with an enterprise firewall and antivirus, and unfortunately those solutions are not designed to secure medical devices.
We need to get started on visibility because in the security world, you cannot secure what you cannot see. To get started, the IT team and the clinical engineering team need to work together. To give you an idea of how that works, consider that today, most clinical engineering and IT teams do not see the connected medical devices at all. IT and security teams can only see an IP address but do not know what is behind that IP address (whether it’s a laptop or an infusion pump, for example). The clinical team knows the device but does not know where it is on the network. Our technology gives the two teams a connected view to start with visibility so they know what they need to secure first.
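The "connected view" described in the closing answer, where IT's list of IP addresses and MACs is joined with clinical engineering's list of devices, can be illustrated with a small reconciliation script. This is an added example written for this page, not ZingBox's product or code from the interview. The network inventory, the clinical asset list and the OUI vendor table are all constructed sample data; the file formats (an "ip mac" lease dump and a five-column CMMS export) are assumptions for the example. Each MAC ends up in one of three buckets: matched, seen on the network but not in the clinical inventory (IT sees an IP and nothing else), or in the clinical inventory but never seen on the network.

```python
"""Join an IT network inventory with a clinical-engineering asset list by MAC address.

Added example for this page; all data below is constructed, not from a real hospital.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IT/network view (assumed format): what a DHCP lease table or switch ARP table
# shows, i.e. an IP and a MAC in whatever notation the source tool emits.
NETWORK_INVENTORY = """\
10.20.4.17  00:1a:2b:3c:4d:01
10.20.4.18  00-1A-2B-3C-4D-02
10.20.4.19  b4:99:ba:11:22:33
10.20.5.40  001a.2b3c.4d05
"""

# Clinical engineering view (assumed CMMS export format):
# asset_id,device_type,serial,mac,location. No IP address, because the clinical
# team tracks the physical device, not where it sits on the network.
CLINICAL_ASSETS = """\
INF-0042,Infusion pump,SN-77A1,00:1A:2B:3C:4D:01,ICU bed 3
INF-0043,Infusion pump,SN-77A2,00:1A:2B:3C:4D:02,ICU bed 4
MON-0108,Patient monitor,SN-91C0,00:1A:2B:3C:4D:09,Ward 5
"""

# Hypothetical OUI (first three MAC bytes) to vendor hints. A real deployment
# would load the IEEE OUI registry; these two entries are invented for the example.
OUI_HINTS = {
    "001a2b": "MedDevCo (assumed medical device vendor)",
    "b499ba": "LaptopCorp (assumed IT equipment vendor)",
}


def normalize_mac(raw: str) -> str:
    """Accept colon, dash or Cisco dotted notation and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Record:
    mac: str
    ip: str | None = None          # known only to the IT side
    asset_id: str | None = None    # known only to the clinical side
    device_type: str | None = None
    serial: str | None = None
    location: str | None = None

    @property
    def oui(self) -> str:
        return self.mac.replace(":", "")[:6]

    @property
    def status(self) -> str:
        if self.ip and self.asset_id:
            return "matched"
        if self.ip:
            return "unidentified-on-network"   # IT sees an IP, nobody knows what it is
        return "not-seen-on-network"           # clinical owns it, IT cannot find it


def parse_network(text: str) -> dict[str, str]:
    """Return {normalized_mac: ip} from 'ip mac' lines."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            out[normalize_mac(mac)] = ip
    return out


def parse_assets(text: str) -> dict[str, dict[str, str]]:
    """Return {normalized_mac: asset fields} from the CSV-style asset export."""
    out: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if line.strip():
            asset_id, device_type, serial, mac, location = [f.strip() for f in line.split(",")]
            out[normalize_mac(mac)] = {
                "asset_id": asset_id, "device_type": device_type,
                "serial": serial, "location": location,
            }
    return out


def reconcile(network_text: str, asset_text: str) -> dict[str, Record]:
    """Full outer join of both views on the normalized MAC address."""
    net, assets = parse_network(network_text), parse_assets(asset_text)
    records: dict[str, Record] = {}
    for mac in set(net) | set(assets):
        rec = Record(mac=mac, ip=net.get(mac))
        if mac in assets:
            a = assets[mac]
            rec.asset_id, rec.device_type = a["asset_id"], a["device_type"]
            rec.serial, rec.location = a["serial"], a["location"]
        records[mac] = rec
    return records


def vendor_hint(rec: Record) -> str:
    """Best-effort identity for an unidentified MAC, from the OUI table."""
    return OUI_HINTS.get(rec.oui, "unknown OUI")


def summarize(records: dict[str, Record]) -> dict[str, int]:
    counts = {"matched": 0, "unidentified-on-network": 0, "not-seen-on-network": 0}
    for rec in records.values():
        counts[rec.status] += 1
    return counts


if __name__ == "__main__":
    recs = reconcile(NETWORK_INVENTORY, CLINICAL_ASSETS)
    for rec in sorted(recs.values(), key=lambda r: (r.status, r.mac)):
        print(f"{rec.status:24} ip={rec.ip or '-':11} mac={rec.mac} "
              f"asset={rec.asset_id or '-':9} type={rec.device_type or '-':16} "
              f"loc={rec.location or '-':10} hint={vendor_hint(rec)}")
    print(summarize(recs))
```

The interesting output row is 10.20.5.40: IT sees an address, the clinical inventory has no record of it, and the OUI hint says it belongs to a medical device vendor. That is exactly the device neither team would otherwise know to secure, and the "not-seen-on-network" row (MON-0108) is the opposite gap, a device the clinical team owns that may be sitting on an unmanaged segment. In practice the MAC join is only a first cut; DHCP fingerprints, switch-port mapping and protocol-level identification (for example DICOM or HL7 traffic) are needed where MACs are randomized or shared behind a gateway.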
Co-Founder and CEO of ZingBox
Xu is the co-founder and CEO of ZingBox, an enterprise IoT security startup. Before starting ZingBox in 2014, Xu was senior director at Aerohive Networks (NYSE: HIVE), where he launched Aerohive’s cloud-based Bring-Your-Own-Device (BYOD) security product. Prior to Aerohive, Xu was senior director at Aruba Networks (NASDAQ: ARUN), where he managed Aruba’s industrial and carrier product line. Xu joined Aruba through the acquisition of Azalea Networks, where he was a founding member and VP of Software. Before Azalea Networks, Xu was a senior engineer at Airespace, an enterprise wireless startup acquired by Cisco Systems in 2005. Xu holds a BS in Computer Science from Tsinghua University and an EMBA from the Wharton School, University of Pennsylvania. He also holds multiple international patents on security and networking.