Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/10/2020
02:00 PM
Justine Bone
Justine Bone
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Telehealth Attack Surface

Amid the surge in digital healthcare stemming from the coronavirus pandemic, security is taking a backseat to usability.

Telehealth and telemedicine face numerous cyber threats. Currently, healthcare providers, medical device makers, and telehealth platform providers rely on a myriad of regulations and sources of guidance, including HIPAA, the Department of Health and Human Services, and Food and Drug Administration regulations and general cybersecurity best practices to manage these services. However, these regulations do not anticipate the full range of threats that can occur inside the insecure network environment of a patient's home. Additionally, many of these platforms have been deployed quickly during the pandemic and allowed to bypass existing regulations, which further exacerbates the risk environment for these services.

A new federal effort is underway to address this deficiency. The National Cybersecurity Center of Excellence (NCCoE) and National Institute of Standards and Technology (NIST) recently began working with leading industry vendors and subject matter experts to undertake a comprehensive analysis of telemedicine services to map out the attack surface, identify the key potential points of failure, and devise new telemedicine cybersecurity standards for the industry to follow. This process is still in the early stages, but once completed it will be an effective road map for healthcare providers and technology developers as telemedicine use expands.

In the meantime, let's examine the key area of risks related to these digital services.

Human Endpoints: Patients and Doctors
Digital healthcare services have a broad attack surface, ranging from the online platforms to the healthcare providers, third-party tools, and services such as cloud storage and VPNs, remotely accessible medical devices, and the patients' own home networks. However, the most likely point of a security breakdown is at the two human endpoints: patients and doctors. In the latter case, many doctors may not be receiving sufficient security training for the telehealth platforms they are expected to use. Basic security measures such as two-factor authentication and session timeouts can be an obstacle or inconvenience, which could lead some medical practitioners to ask the IT department to disable them. Additionally, given the rapid rollout of telehealth during this pandemic, there is a significant possibility that some doctors will use their own personal laptops or cellphones to carry out virtual consults.

On the patient side, the situation is more complex. Many of the current cybersecurity standards upon which healthcare providers rely are best suited for a protected network environment, such as a hospital or medical office. Patient homes are just the opposite. Healthcare providers are sharing sensitive data through an insecure network with multiple users, and with other endpoints that are very susceptible to compromise by malware, including general Internet of Things devices and connected appliances. Unlike remote employees, healthcare providers cannot require patients to take security precautions such as tunneling traffic through a VPN or adding a device firewall. Therefore, telehealth and telemedicine services face a considerable challenge in trying to keep data secure as it travels through this high-risk environment.

Portable Medical Devices
Remote medical devices also pose unique challenges. In addition to operating within an unprotected patient home network, the devices themselves are more vulnerable to attack because they are resource limited and patients have unmonitored, unrestricted physical access to them. Unlike large devices such as MRI machines, the small portable medical devices that end up inside patient homes — such as an insulin pumps or heart monitoring systems — have limited processing power, data storage, and battery life. As a result, cybersecurity solutions that we would otherwise turn to, such as strong authentication and encryption, may not be suitable options for those devices. They may also lack the form factor needed for other basic security steps — such as password protection — as they often lack a display screen and keypad.

Privacy Risk vs. Disruptive Attacks
Cyberattacks on the healthcare industry have been a problem for years but the COVID-19 outbreak has exacerbated many of these risks, particularly when it comes to ransomware. However, despite the fact that these disruptive attacks are increasing, the healthcare industry has remained largely focused on the issue of patient privacy in order to prevent information theft or accidental exposures. The same is also true with telehealth and telemedicine. In the emerging field of digital healthcare, providers are mostly concerned with privacy risks while not fully accounting for other types of attacks such as device ransomware and the deliberate disruption or sabotage of services. Internet-connected medical devices provide a unique attack vector, one that could be exploited to cause significant harm to patients.

Although targeted attacks on patients are certainly possible, they are unlikely. What is more realistic is that criminals will target the back-end infrastructure and third-party technology ecosystems that support telehealth and telemedicine services in order to gain scale and access to large datasets of highly monetizable information. These targets could include telehealth web application servers, third-party support services, back-end servers for remote medical devices, and hospital networks. The increasing number of attacks on consumer-grade Wi-Fi routers could also be used to compromise health services, whether intentionally or unintentionally, by criminal actors.

Next Steps
In the haste to roll out telehealth services, some traditional security processes have been skipped or streamlined in order to reduce the time to market. This has raised the level of risk for these services. It is important for service providers to address these issues by going back and applying security hardening and turning on key security features. Cybersecurity protections like end-to-end encryption, strong access authentication, multifactor authentication, and active monitoring are all essential must-haves. However, these are not always realistic in certain areas of telemedicine, particularly when it comes to the use of smaller Internet-connected medical devices for remote patient monitoring. For these devices, other security measures need to be investigated, including firmware-based defenses and hardware-level safety controls, which can prevent the devices from being forced by an attacker to act in an unsafe manner.

The NCCoE program is a critical first step in defining the full scope of risks and threats related to telehealth services. It will also play an important role in improving patient health and security.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

Justine Bone is CEO of MedSec, a cybersecurity company which is exclusively focused on the healthcare industry, including hospitals and medical device manufacturers. MedSec is serving as a subject matter expert for the NCCoE/NIST Securing Telehealth Remote Patient Monitoring ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DorKnafo
50%
50%
DorKnafo,
User Rank: Author
6/18/2020 | 9:57:28 AM
The next frontier?
Interesting article. So much attention on telehealth these days, haven't heard much, yet, about security risks. 
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...