If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

Pro shares healthcare horror stories


BSides Manchester A children's nurse prescribed hospitals ways to improve their computer security at the BSides conference in Manchester, England, earlier this month.

Jelena Milosevic developed an interest in cybersecurity over the past four years while working as an on-call nurse in several hospitals across the Netherlands, where she said digital security practices were generally poor.

Security and privacy have become increasingly important for hospitals and clinics. Aging systems host troves of personal, medical, and financial information that could easily be monetized in the wrong hands. Obsolete platforms such as Windows XP – used to manage blood fridges and similar tech – as well as the introduction of Internet-of-Things gadgets threaten to expose healthcare facilities to hackers and malware.

Milosevic said hospitals might be more inclined than other organizations to succumb to ransomware, and possibly pay up, due to poor backup practices and the cost of reassembling records.

She added that the full consequences of the WannaCry ransomware outbreak are unknown. This software nasty hit the UK's National Health Service particularly hard last year, and similar strains of malware, such as Orangeworm, have posed problems for hospitals in Europe.

WannaCry was a wakeup call for health institutions in the UK and beyond. Since the infection, most hospital websites have moved from HTTP to the more secure HTTPS, according to Milosevic – a move that wouldn't have halted the virus's spread but is indicative of IT staff taking security more seriously.

[Figure: Basic security of hospital websites 2017, a graph comparing Dutch and American hospital website security in 2017. Source: Jelena Milosevic]

Hospitals are being given mixed messages about the security risk posed by internet-connected or network-connected medical kit. Manufacturers tell healthcare pros the equipment should be always connected to some backend, contrary to the advice of security clearing house ICS-CERT and others.

Milosevic criticized hardware makers for offering IoT healthcare tech that offered "no patch, no update, no antivirus and no proxy" – in other words, chronically insecure. "Don't put it on the internet if it doesn't need to be on the internet," she said, citing security researcher Dan Tentler, adding that there was often no medical need for such devices to be connected to the 'net 24/7.

Four in five healthcare institutions have no one responsible for security, she claimed. "The IT department isn't the security department, but that's what doctors and nurses think," Milosevic said. She added that information security in hospitals should be offered through an independent department. Once established, this should offer training to other hospital units and departments.

Security needs to be built from the ground up and supplemented with awareness programmes, she said. Milosevic also argued that in much the same way a doctor needs to know how a body works, medical pros should also know how their computer gear works.

"Healthcare without [basic] security is like surgery without sterile instruments," Milosevic said.

A video recording of Milosevic's presentation is available on YouTube.

Milosevic has worked for various hospitals in the Netherlands since 1995 and before that spent 10 years on the intensive care unit at the University Children's Hospital in Belgrade. For the past four years she has been a member of the I Am The Cavalry and Women in Cybersecurity, both community-based infosec advocacy organizations. ®
