Under the title “Protecting Large-Scale Network Infrastructure with Complex User Groups,” Cris Ewell, Ph.D., CISO of the University of Washington Medical Center (UW Medicine), opened the second day of the Health IT Summit in Beverly Hills, held November 9 and 10 at the Sofitel Hotel Los Angeles at Beverly Hills.
“We have a problem,” Ewell began, speaking both of the data and IT security challenges facing UW Medicine, and patient care organizations across the U.S. “We look at the environment of the U of Washington—I have 2 million devices connecting to my system every year; I have an 80-gigabyte pipe. Lots of broadband coming into the university. We’ve got 200,000-plus medical devices. 40,000 employees on the medicine side; 26,000 more on the university side. And of all those devices, I probably only control about 30 percent of them. And of course, as we read in the papers, we’re seeing attacks all the time.”
Ewell framed broadly the cybersecurity issues facing patient care organizations in the U.S. right now. “Back in 2009, we were losing a lot of stuff—a lot of paper,” he said. “But now, we seem to have figured out how to secure our paper and devices better. But unfortunately, in place of that, our adversaries have figured out that healthcare is a great target for compromising our system and gaining unauthorized access to our data. So what are we looking for? Theft of credentials is a top issue,” he said. “We had about 1.3 billion credentials exposed in 2017; and that’s a terrible credential. And I’m seeing the outcome of that. Our users have very poor practices, in using passwords across accounts. And our adversaries are getting in and compromising our system. One stat I read is that 98 percent of web traffic logging in, is using compromised credentials.”
Importantly, Ewell noted, “The majority of your traffic on your site is adversaries trying to compromise credentials on your site. Most of the activity? Phishing. It is highly successful, because it is easy and low-cost. And we do training, and testing. And I do studies on this, since we’re a research institution, and I still see our students, faculty members, clinicians, and staff, clicking on links—the day after a phishing training. I will admit that the adversaries are becoming really, really clever about mimicking our website, etc. And our clinicians are very, very busy. Imagine if you’re a resident and you get an email saying, I need you to read this clinical journal article and discuss it with me. And what will that busy resident do? They’ll click on the link.
“And then you get to the breach element itself,” he continued. “And they aren’t necessarily after the target for their number-one access. I see tremendous lateral movement going on with these adversaries. We have a very big student population at U of Washington, and they’re on similar networks. And the adversaries will go to the easiest point to get in; so they’ll go into student networks; then compromise those credentials, use them to get into a domain that’s harder to get into, and then try to get to the crown jewels of the organization.”
Looking at what specifically to be concerned over, Ewell told his audience, “The three big categories I most worry about are organized crime, hostile nation states, and even hacktivists. And we’re seeing very advanced tactics. And it’s really easy to compromise medical devices. And we’re seeing them use these credentials to get in, and then write custom code. We’re actually tracking several right now throughout the university. And these individuals are actually on shift work, and we can see two shifts working—it’s mostly Europe and Asia. And we can see that type of work, and different types of code working. And so we’re seeing this level of sophistication, and you’re going to see that also.”
Now, what to do about legacy systems? “In one of our labs, one of the DNA sequencers was compromised. We still have Vista systems,” Ewell noted. “In fact, the DNA sequencers still run on Vista, and none of them are being patched. And Alumina, in their manual, basically said, you can’t patch. And you can’t even install anti-virus or anti-malware systems. Or you can install it, but after your DNA sequencing. And the difficulty with a lot of these medical devices is that they were designed for one function. So how do we balance the functioning of the device with the need to protect access to data?” As a result, he said, “We’ve had about a dozen medical devices impacted by malware over the past year.”
Where are the physical vulnerabilities? In infusion pumps, and in the Pyxis medication management system, Ewell said. “We found one device system that had over 1,400 vulnerabilities on the system. And the reality is that we have to live with outdated software, for the life of the software. And the sequencers: they cost from $80,000 to $400,000, and we have 30 of them. It’s unlikely we’ll get a check for $400K to replace them all at once. And then diagnostic imaging modalities: MRIs, etc. And how do we actually patch these devices so they’re not vulnerable?”
Meanwhile, Ewell noted, “A document was produced for the British Parliament about the WannaCry attack. It’s a fantastic read. And the fact is, the National Health Service people knew about the vulnerability of the system before the attack. 34 percent of their healthcare system was impacted. Imagine if we had had 34 percent of the U.S. healthcare system impacted. They had 595 general practitioners’ systems impacted. Eight organizations. Over 19,000 patient appointments were cancelled, and many organizations were turning patients away. That’s a real problem: there’s impact to patient care that we’re now seeing, from these attacks. And that report is a great one to give to your board, while asking, how do we start turning these things around?”
Ewell noted that, “here in the U.S., Hollywood Presbyterian Hospital [executives] paid $17,000 in bitcoin to get themselves out of trouble. Meanwhile, about $143,000 was gained by the WannaCry attack” in U.S. healthcare. But, he quickly added, “as a state government organization, we at the University of Washington will never pay. And the researcher or physician or whatever” who has made the mistake that has led to the malware attack—“you’re out of luck. But unfortunately, some people are paying for these things. And even if you think you can pay for this, your money is just a key. You may not get your system back.”
“Another problem,” Ewell said later on in his presentation, “is too much connectivity, and doing it too soon. I would love to say that I contact everyone, contact our department. But that’s just not the case. We’re seeing it from the point of, too soon, and not knowing how to protect the devices, or just too much connectivity. Every single medical device comes very connectible now. So we put them all onto a separate network. But many have to communicate with an EMR. So we need to resolve that.”
It will be years before the healthcare industry catches up to the sophistication of the financial services industry with regard to data and IT security, Ewell told his audience. But there are things that healthcare leaders can and should be doing now. “How do we protect all this stuff? I’m very big on creating a risk management protection framework for your whole organization,” Ewell said. “Start picking a framework and implementing it. You can’t just go down a HIPAA checklist or a NIST framework and think you’re protected, because you aren’t. And I’ll never stand up here and say, I know where 100 percent of the assets of the University of Washington are. I have high confidence about where most of our data assets are; but not all. But it’s a method and a process we keep working on every year. And it’s about really understanding where the devices are.”
Meanwhile, he said, “With regard to networks, we have to create an entirely different architecture for protecting data. How do we start creating virtual networks, and really start segmenting networks, to allow for systems to talk to each other as necessary, but no more. Unfortunately, clinical information systems weren’t set up to accommodate this. So, how can we do things differently within our networks in healthcare, to make sure that if an adversary gets access to one server, they can’t get access to your entire system? And, in terms of data protection, I think encryption is very good, but it has to be done well. Some organizations make the mistake of storing encryption keys on the same server. We have to do better at key storage and key management,” he added.