Why Is Your Hospital’s Cyber Security So Insecure?

Even though we don’t always know when we are wrong, somebody knows, and they are not shy about telling us.  This is particularly true with regard to spouses and significant others.  The phrase my wife uses to let me know when I am wandering too far from my sandbox is, “I know, but”.  So I suggested to her that when she talks to me she should begin by saying, “This conversation may be recorded for training and quality purposes.”  The person being trained is me.

I went to Google Search and typed the five letters “men ar”.  The first hit is “Men Are from Mars, Women Are from Venus.”  Five letters. A direct hit for your search.  Google did not reply with “men are idiots” or “men argue” even though fifty percent of the population believe those responses are equally valid.  Google knows what you were looking for, sometimes even before you know.

Sit. Roll over.

There are windmills, and there are windmills (Man of La Mancha).  Businesses, including hospitals and health systems, believe their enterprise is secure from cyber attacks.  Other people believe the earth is flat and that we never landed on the moon.

Believing something does not make it true.  Most healthcare executives believe their data is secure against attacks.  They sort of have to believe it.  If they did not believe it, they would have a major effort underway to secure it.  With all due respect, however, I bet I can prove that your hospital’s cyber security is not secured against 80% of the cyber threats to your system.

2016.   MedStar.  Big hack.  Very vulnerable.

You don’t have to believe me; just read today’s news headline about WikiLeaks. “Amid a trove of documents released by WikiLeaks that allegedly contains ‘the entire hacking capacity of the CIA’ is chilling evidence that everyday devices like smart TVs and cell phones have potentially become critical tools in the effort to spy on American citizens.”

“When we think of a security hack, when we think of risks, we think of computers, phones, and tablets.  Things connected to the internet. Things with IP addresses.  Things WITHOUT IP addresses (and there are more of these than you think). All Internet of Things (IoT).  All Wi-Fi enabled devices can be hacked. Hackers can steal data, conduct espionage, and cause physical damage.”

The CIA was hacked.  Hillary was hacked. Russia hacked the U.S.  Logic should tell us that the level of encryption used by the CIA is many times better than that used in the private sector.  If the CIA can be hacked, it is beyond naive to believe that the enterprise data of hospitals–and payers–are safe.  We learned last year that putting your server in a bathroom does not work.

There are only two types of businesses.  Those that have been hacked and those that have not been hacked yet.  Your Chief Information Security Officer should be telling your board, “We have not been hacked yet.”

In fact, everyone – every public and private sector organization – needs to operate the way the Department of Defense does.  When it comes to how they see their networks, systems, and devices, they work under “assumed breach”.  They look at it that way because, despite their vast experience and the money spent on protecting everything, they have already been breached.  It is hard to swallow that even the most knowledgeable security professionals – who are doing their best work – are still vulnerable, but they and their systems are.

But if you accept that you’ve already been hacked, you have a better chance of protecting yourself than if you live in denial.

Most of us have no idea that things that do not have an IP address are just as vulnerable to hacking as laptops.  Those things include all the following:

  • medical devices like heart monitors
  • implantables
  • smart TVs
  • thermostats
  • wheelchairs
  • elevators
  • HVAC systems
  • security cameras
  • energy systems
  • copiers
  • printers
  • VoIP phones
  • smart refrigerators
  • smart lightbulbs
  • motion detectors
  • alarms
  • window and door sensors
  • programmable coffee machines
  • personal devices used by your staff, patients and visitors that are connected to your Wi-Fi

Every single thing in a hospital that uses software to communicate to something else can be hacked.  The average hospital has more than 100,000 unsecured entry points that are vulnerable. Large health systems have more than 1,000,000 vulnerabilities, most of which do not have an IP address.

But what if you could fix all those problems right now?  What if you could protect all your systems, your patients, and your employees today with minimal effort and for minimal cost?

What if everything that was vulnerable and open to attack could be made invisible to any type of cyber-attack?  A technology to do this exists.  I saw it.

The tool discovered all the IoT vulnerabilities listed above for a health system.  The tool was demonstrated using a few of the system’s security cameras.  One minute the cameras were present on the display of the hospital’s IoT devices.  A few clicks later those cameras disappeared from the screen.  Those cameras still functioned but now they were invisible to anyone trying to hack the system.  The technology can discover all of your system’s vulnerabilities.

And even better, if someone breaches a device in your system, you know it the moment it happens and you can turn off the hacked device.  You don’t have to read about it in the Washington Post.

The technology works at health systems as large as the VA.  People who believe they’ve built a foolproof cyber plan should be waiting to be proved wrong.  If you want to learn more, let me know. Within twenty minutes you will see your risk in a real demo. And better yet, you will see how to take that risk to zero.
