
March 2017

HIPAA Challenges: Preventing and Preparing For IoT Attacks
By Chris Apgar, CISSP
For The Record
Vol. 29 No. 3 P. 8

Did you know that a printer or a surveillance camera can be used to attack your network or that of another company? That's what happened on October 21, 2016, when a large number of Internet of Things (IoT) devices were used to direct bogus traffic at targeted servers belonging to Dyn, a major provider of domain name system services to other companies. The attack impacted several major websites, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the PlayStation network.

How did it happen? Many of the devices used in business and clinical care settings connect to the internet and, thanks to advances in technology, have what are called embedded systems. Alan Grau, president of Icon Labs, wrote in IEEE Spectrum magazine, "For the most part, the gadgets that make up the Internet of Things are what we call embedded systems—that is, dedicated computers that perform specific functions within more complex systems. For instance, they might control the operation of a machine within a water-processing plant, manage the lighting of a smart home, or monitor an organ in the human body. Limiting the function means they can be small, fast, and efficient."

Many of those embedded systems lack the security to block malicious attacks, leaving them vulnerable to situations similar to the Dyn incident last year.

In the rush to get products and gadgets to market as soon as possible, security often takes a back seat in the design of IoT devices and systems. This is true for a number of the new mobile apps, wearables, smart refrigerators, and other technologies. These days, there are numerous HIT companies, whether startups or existing vendors, vying for customers. Security by design is more of a concept than a reality.

Fortunately, that approach is changing as it becomes evident the risks are great. For example, investors have become reluctant to plop down money on a product knowing they may lose a princely sum should a security incident occur.

Where to Start
How can the problem be remedied? The first step is to assess the devices connected to the internet. This includes printers, security cameras, medical devices, biomedical equipment, and business systems. It may even include hospital power plants. It may not be possible to mitigate all of the risks these devices pose, but identifying them can help develop a recovery plan should something go wrong.

Newer devices that support software upgrades may be modified to add a firewall. Often, that entails asking the vendor for an upgrade. On older devices that don't support software upgrades, such as power plant control systems and biomedical devices, it's a matter of recognizing the risk. In any case, it will take some time for technology and the health care industry to address all of the risks associated with IoT.
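One way to put the inventory-first approach above into practice, as an added example rather than code from the article or any vendor: score each internet-connected device on exposure, whether it already has a firewall, whether it can be upgraded at all, and whether it handles PHI, then rank the inventory so that devices with no upgrade path end up in the recovery plan rather than being forgotten. The `Device` fields, the score weights, and the sample inventory are all assumptions constructed for this example.

```python
"""Triage of an IoT device inventory.

Added example, not from the original article. Field names, score weights and
the sample devices are assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    category: str            # "printer", "camera", "biomedical", "plant-control", ...
    internet_exposed: bool   # reachable from outside the organization's network
    supports_updates: bool   # vendor can ship software/firmware upgrades
    has_firewall: bool       # built-in or host-based firewall already present
    handles_phi: bool = False  # stores or transmits protected health information


def risk_score(d: Device) -> int:
    """Additive score; higher means handle sooner. Weights are assumptions."""
    score = 0
    if d.internet_exposed:
        score += 3
    if not d.has_firewall:
        score += 2
    if not d.supports_updates:
        score += 2   # no patch path, so the weakness is permanent
    if d.handles_phi:
        score += 2
    return score


def recommended_action(d: Device) -> str:
    """Mitigation where one exists, otherwise accept and plan for the risk."""
    if d.supports_updates and not d.has_firewall:
        return "ask vendor for upgrade adding a firewall"
    if not d.supports_updates:
        return "no upgrade path: segment the network and add to recovery plan"
    if d.internet_exposed:
        return "keep firmware current and restrict inbound access"
    return "monitor; re-check at next risk analysis"


def triage(inventory):
    """Return (score, name, action) rows ordered from highest to lowest risk."""
    rows = [(risk_score(d), d.name, recommended_action(d)) for d in inventory]
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


def recovery_plan_entries(inventory):
    """Devices whose risk cannot be removed by an upgrade; these belong in the
    recovery plan because the organization must assume they may be compromised."""
    return [d.name for d in inventory if not d.supports_updates]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("lobby-printer-01", "printer", internet_exposed=True,
           supports_updates=True, has_firewall=False),
    Device("parking-cam-07", "camera", internet_exposed=True,
           supports_updates=False, has_firewall=False),
    Device("infusion-pump-3b", "biomedical", internet_exposed=False,
           supports_updates=False, has_firewall=False, handles_phi=True),
    Device("boiler-plc-1", "plant-control", internet_exposed=False,
           supports_updates=False, has_firewall=True),
    Device("ward-printer-12", "printer", internet_exposed=False,
           supports_updates=True, has_firewall=True, handles_phi=True),
]

if __name__ == "__main__":
    for score, name, action in triage(SAMPLE_INVENTORY):
        print(f"{score:2d}  {name:18s} {action}")
    print("recovery plan:", recovery_plan_entries(SAMPLE_INVENTORY))
```

Running the script lists the exposed, unpatchable camera first and the legacy PLC and infusion pump in the recovery-plan list, which is the point of the exercise: the devices that cannot be fixed are the ones that most need a documented response.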

No Phishing
The scams associated with the proverbial Nigerian prince asking for personal information to transfer a large sum of money out of the country are mostly in the past. Today's attacks are much more sophisticated. One of the biggest forms of attack leading to malicious software being installed on IoT devices is phishing, a process in which users are encouraged via e-mail to visit seemingly innocuous websites. A surprising number of staff click on malicious links that look legitimate.

Nevertheless, a substantial staff training effort can deter phishing expeditions. Such initiatives should include scheduling mock phishing attacks through vendors such as PhishMe.

It is believed the 2015 attack on health insurer Anthem involved sending what appeared to be legitimate e-mails to employees who were encouraged to click on the web address of WellPoint, Anthem's former name. The malicious link was spelled "wel1point," a bit of deception easily overlooked by recipients. The attack had nothing to do with an IoT device, but it nevertheless demonstrates the damage that can be caused by a phishing attack. Health care organizations won't be able to prevent everyone from clicking on malicious links, but they can limit exposure through education and mock phishing exercises.
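The "wel1point" substitution described above is a pattern a mail filter can catch before a recipient has to notice it. The following screening routine is an added example, not code from the article or from any vendor: it undoes common look-alike character substitutions, measures edit distance to a list of protected brand domains, and checks for the brand name embedded in a longer host. The confusable table, the protected list, and the sample links are constructed assumptions.

```python
"""Lookalike-domain screening for links in inbound e-mail.

Added example; not code from the original article. The confusable table,
the protected list and the sample links are constructed for illustration.
"""
from urllib.parse import urlparse

# Visually confusable sequences and the letter they imitate (assumed list).
CONFUSABLES = {
    "vv": "w", "rn": "m", "cl": "d",   # multi-character sequences first
    "1": "l", "|": "l", "!": "l",
    "0": "o", "5": "s", "3": "e",
}

# Brand domains to protect (constructed sample based on the names above).
PROTECTED = {"wellpoint.com", "anthem.com"}


def normalize(label: str) -> str:
    """Undo confusable substitutions: 'wel1point' -> 'wellpoint'."""
    label = label.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        label = label.replace(src, CONFUSABLES[src])
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels ('mail.wel1point.com' -> 'wel1point.com').
    Simplification: production code should consult the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_link(url: str, protected=PROTECTED, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    host = urlparse(url).hostname or ""
    if not host:
        return "unrelated"
    domain = registrable_domain(host)
    if domain in protected:
        return "legitimate"
    name = domain.split(".")[0]
    for brand in protected:
        brand_name = brand.split(".")[0]
        if normalize(name) == brand_name:                      # wel1point, vvellpoint
            return "lookalike"
        if edit_distance(name, brand_name) <= max_distance:    # wellpoimt
            return "lookalike"
        if brand_name in normalize(name):                      # wellpoint-secure
            return "lookalike"
    return "unrelated"


def scan_links(urls):
    """Verdict for every link in a message. Anything marked 'lookalike' is a
    candidate for quarantine or for a warning banner shown to the recipient."""
    return {url: classify_link(url) for url in urls}


# Constructed sample links modelled on the scenario described above.
SAMPLE_LINKS = [
    "https://www.wellpoint.com/benefits",
    "http://wel1point.com/reset-password",
    "http://anthern.com/login",
    "https://wellpoint-secure.net/verify",
    "https://example.org/newsletter",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}")
```

The substring rule will flag some legitimate partner sites that contain a brand name, so in practice it is paired with an allow list; the trade-off is deliberate, since a missed look-alike costs more than a reviewed false positive.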

Know Your Devices
Some newer IoT devices come with built-in security such as encryption, password protection, biometric identification, and firewalls. As with any other transaction, health care organizations must vet their vendors before and after purchasing a product. For example, an organization with a longstanding relationship with a printer supplier should not assume that those devices connected to the internet don't pose a risk. Too often, security is not top of mind when initially contracting with a vendor for new devices, nor is much thought given to the risks posed by previously purchased products.

It's not necessary to conduct a lengthy vetting process or a complex vendor auditing process, but organizations must implement a robust risk management program and pay attention to the devices being acquired.

On November 15, 2016, the Department of Homeland Security (DHS) issued guidance on how to secure an IoT environment. Shortly thereafter, the National Institute of Standards and Technology (NIST) issued recommendations that complement the DHS document. For the nontechnical crowd, the DHS guidance is a bit more approachable but both sets of recommendations represent important starting points when it comes to addressing the risks associated with IoT devices.

The advice issued by DHS and NIST can help health care organizations strengthen their risk management programs, including assessing the up-front risks associated with implementing IoT devices.

Measures in Place
While attacks can't always be prevented, failing to be prepared is inexcusable. Preparation should include having a list on hand—as part of the security incident response plan—of vendors that can assist when an attack occurs. For example, forensics vendors and those schooled in shutting down a distributed denial of service (DDoS) attack can be invaluable.

Besides having a good defense in place, health care organizations must implement fully tested (the time to test plans is before an attack occurs) security incident response, disaster recovery, and business continuity plans. In addition, staff must be trained on their duties in the event of an attack, especially members of the security incident response team. A quick response to an IoT attack helps mitigate the risk and potential harm.

An IoT attack can come in several forms, including a DDoS attack, such as was used in the Dyn incident; the disablement of a power plant; or illegal access to PHI.

Don't ignore the value of encryption. If PHI is encrypted when it's transmitted or stored in the EHR, it's difficult for hackers to gain access. And encryption is often something within an organization's control. It's easy to encrypt mobile devices and portable media, and many EHRs have the capability to encrypt at-rest or stored data.

When conducting a periodic risk analysis, take notice of where PHI is stored and whether it should be encrypted. If the organization is pursuing EHR incentive dollars, it's important to note that examining the risk to stored PHI is mandated in meaningful use stage 2.

In the end, sound risk management, staff training, and incident response planning are key to preventing and responding to attacks associated with IoT devices. A risk management program is neither a one-time event nor static. Risks are constantly changing as new attack methods are being developed.

Staff training is too often overlooked. Staff who see the same dry PowerPoint training every year as part of their HIPAA refresher course will soon tune out. General training isn't enough. Training needs to highlight phishing and other attack vectors that may have an adverse impact on the organization's security.

Attacks will continue, and because measures to prevent IoT breaches are not a sure thing, health care organizations must develop and test plans that can be executed quickly. If critical systems fail, the incident response plan must tie directly into solid disaster recovery and business continuity plans.

— Chris Apgar, CISSP, is CEO and president of Apgar & Associates.