Under the title “Protecting Large-Scale Network Infrastructure with Complex User Groups,” Cris Ewell, Ph.D., CISO of the University of Washington Medical Center (UW Medicine), opened the second day of the Health IT Summit in Beverly Hills, held November 9 and 10 at the Sofitel Hotel Los Angeles at Beverly Hills.
“We have a problem,” Ewell began, speaking both of the data and IT security challenges facing UW Medicine, and patient care organizations across the U.S. “We look at the environment of the U of Washington—I have 2 million devices connecting to my system every year; I have an 80-gigabyte pipe. Lots of broadband coming into the university. We’ve got 200,000-plus medical devices. 40,000 employees on the medicine side; 26,000 more on the university side. And of all those devices, I probably only control about 30 percent of them. And of course, as we read in the papers, we’re seeing attacks all the time.”
Ewell framed broadly the cybersecurity issues facing patient care organizations in the U.S. right now. “Back in 2009, we were losing a lot of stuff—a lot of paper,” he said. “But now, we seem to have figured out how to secure our paper and devices better. But unfortunately, in place of that, our adversaries have figured out that healthcare is a great target for compromising our system and gaining unauthorized access to our data. So what are we looking for? Theft of credentials is a top issue,” he said. “We had about 1.3 billion credentials exposed in 2017; and that’s a terrible credential. And I’m seeing the outcome of that. Our users have very poor practices, in using passwords across accounts. And our adversaries are getting in and compromising our system. One stat I read is that 98 percent of web traffic logging in, is using compromised credentials.”
Importantly, Ewell noted, “The majority of your traffic on your site is adversaries trying to compromise credentials on your site. Most of the activity? Phishing. It is highly successful, because it is easy and low-cost. And we do training, and testing. And I do studies on this, since we’re a research institution, and I still see our students, faculty members, clinicians, and staff, clicking on links—the day after a phishing training. I will admit that the adversaries are becoming really, really clever about mimicking our website, etc. And our clinicians are very, very busy. Imagine if you’re a resident and you get an email saying, I need you to read this clinical journal article and discuss it with me. And what will that busy resident do? They’ll click on the link.
“And then you get to the breach element itself,” he continued. “And they aren’t necessarily after the target for their number-one access. I see tremendous lateral movement going on with these adversaries. We have a very big student population at U of Washington, and they’re on similar networks. And the adversaries will go to the easiest point to get in; so they’ll go into student networks; then compromise those credentials, use them to get into a domain that’s harder to get into, and then try to get to the crown jewels of the organization.”
Looking at what specifically to be concerned over, Ewell told his audience, “The three big categories I most worry about are organized crime, hostile nation states, and even hacktivists. And we’re seeing very advanced tactics. And it’s really easy to promise medical devices. And we’re seeing them use these credentials to get in, and then write custom code. We’re actually tracking several right now throughout the university. And these individuals are actually on shift work, and we can see two shifts working—it’s mostly Europe and Asia. And we can see that type of work, and different types of code working. And so we’re seeing this level of sophistication, and you’re going to see that also.”
Now, what to do about legacy systems? “In one of our labs, one of the DNA sequencers was compromised. We still have Vista systems,” Ewell noted. “in fact, the DNA sequencers still run on Vista, and none of them are being patched. And Alumina, in their manual, basically said, you can’t patch. And you can’t even install anti-virus or anti-malware systems. Or you can install it, but after your DNA sequencing. And the difficulty with a lot of these medical devices is that they were designed for one function. So how do we balance the functioning of the device with the need to protect access to data?” As a result, he said, “We’ve had about a dozen medical devices impacted by malware over the past year.”
Where are the physical vulnerabilities? In infusion pumps, and in the Pyxis medication management system, Ewell said. “We found one device system that had over 1,400 vulnerabilities on the system. And the reality is that we have to live with outdated software, for the life of the software. And the sequencers: they cost from $80,000 to $400,000, and we have 30 of them. It’s unlikely we’ll get a check for $400K to replace them all at once. And then diagnostic imaging modalities: MRIs, etc. And how do we actually patch these devices so they’re not vulnerable?”
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.