Winning the security war on a new battlefront: medical devices

From ward to theatre, the NHS is increasingly populated with connected, specialist devices; and several recent analyses suggest that these devices are becoming collateral casualties of the broader battle for cybersecurity. What are the unique challenges of device protection in healthcare, and are there strategies for IT managers in NHS organisations to usefully follow?

A recent meeting of US government officials heard that medical devices are increasingly falling victim to malware attacks. These attacks have not, according to the panel’s experts, led specifically to incidents of patient harm, but members of the group made clear that a regime in which devices important to the provision of care (vital signs monitors, for example) are regularly taken out of service for malware removal is not conducive to high-quality care. It is also, of course, an expensive drain on the time and financial resources of IT teams.

There is no evidence that hackers are specifically targeting medical establishments; but it is clear that as healthcare becomes inexorably more technologically enabled, the sector must apply the same discipline to IT protection as other businesses do.

Healthcare’s bespoke challenges

It is worth asking whether healthcare is in any way different to other businesses. There are certainly some unique challenges. PCs, laptops and now tablets and smartphones are the staple of commercial businesses. A thriving ecosystem of economically priced defensive technologies has developed around commerce to protect even small businesses from malware attacks. Healthcare, on the other hand, is rather like the aerospace or industrial utilities sectors, for example, in which highly customised and expensive devices are the norm.

Stuart Aston, Microsoft UK’s Chief Security Advisor, says, “You could draw an analogy between healthcare and industrial SCADA (supervisory control) technologies; embedded devices with a very long service lifespan. When those devices were procured it often wasn’t envisaged that security updates would be a regular part of day to day maintenance; yet that’s exactly the case. Patching is a crucial hygiene factor for anyone managing ICT infrastructure; not just for Microsoft software but for everyone’s. But neither users nor suppliers appreciated security updates as a factor in the procurement, delivery or management of those devices in the past.”

These devices are now also highly connected (across standard IP networks). Says Aston, “The assumption in the past was that medical devices are largely disconnected from the outside world, whereas we see more and more cases now where malware will find ways, perhaps with the help of an unwitting member of staff, of breaching services even when they are offline”. Unfortunately, specialist devices often run on highly customised versions of operating system software, which may not be compatible with off-the-shelf antivirus.

Furthermore, as these devices are expensive, they will have a lifecycle of ten years or more, compared to the traditional PC lifecycle of two to three years at most. This means that older devices, required to remain in service, will be running on old operating systems, and will sometimes be irredeemably ill-equipped to deal with the modern threat-space. Says Aston, “Windows XP is now an old technology, indeed support for XP will end in 2014. How do you expect it to defend you against threats from the last minute? We’ve built more defences into the Windows 7 and 8 platform to make it harder for the bad guys to attack.”

This is compounded, certainly in the NHS, by many years of competing investment priorities and layered legacy ICT systems which mean that most IT managers are dealing, day-to-day, with a hotch-potch of stretched services. The ideal is, of course, a unified infrastructure; but with NHS Trust IT estates stretching across hundreds of square miles and often encompassing more than 10,000 devices in any one regime, making step-changes to infrastructure whilst “keeping the lights on” can be financially challenging.

A daily hygiene regime

The first step is a concerted effort to put malware protection near the top of the technology agenda. In the words of Microsoft’s current biannual Security Intelligence Report, “Effectively protecting users from malware requires an active effort on the part of organisations and individuals.” IT managers should implement the following recommendations wherever possible:

  • No device should be without comprehensive malware protection.
  • All devices should be regularly patched. Aston says, “Most compromises that we see use an already known - and already patched - attack vector. You can defeat 99.9% of malware with existing patches.”
  • Implement clear acceptable use, security and download policies across all staff.
  • To minimise the human factor, apply the security benefits of Windows 7 (AppLocker, User Account Control, ASLR, Data Execution Prevention and more…) – see the Enhanced Mitigation Experience Toolkit for an easy way to implement all these elements.
  • Minimise the opportunity for attack by disabling Autorun features, removing unused software and carefully controlling any ‘run-as-administrator’ privileges.
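
The checklist above can be turned into a repeatable, read-only check on each Windows host. The script below is an added example, not part of the original article or any Microsoft tool; the 60-day patch window and the English "Administrators" group name are assumptions chosen for illustration.

```powershell
# Added example: read-only hygiene audit for one Windows host (Windows PowerShell).
# The 60-day patch threshold and the English group name are illustrative assumptions.
$findings = @()
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

# Malware protection: products registered with Security Center (client editions only).
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) { $findings += 'No antivirus product registered with Security Center' }

# Patching: date of the most recently installed update.
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $last -or $last.InstalledOn -lt (Get-Date).AddDays(-60)) {
    $findings += 'No update installed in the last 60 days'
}

# Autorun: machine policy NoDriveTypeAutoRun = 0xFF disables it for every drive type.
$autorun = Get-RegValue "$policies\Explorer" 'NoDriveTypeAutoRun'
if ($autorun -ne 0xFF) { $findings += "Autorun not disabled on all drive types (value: $autorun)" }

# User Account Control: EnableLUA = 1 means UAC is on.
if ((Get-RegValue "$policies\System" 'EnableLUA') -ne 1) { $findings += 'UAC is disabled or not configured' }

# DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
$dep = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
if ($dep -eq 0) { $findings += 'Data Execution Prevention is switched off' }

# AppLocker rules are only enforced while the Application Identity service runs.
$appid = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $appid -or $appid.Status -ne 'Running') {
    $findings += 'Application Identity service not running; AppLocker rules are not enforced'
}

# Administrator rights: list local Administrators members for manual review.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$findings += "Local Administrators to review: $($admins -join ', ')"

$findings | ForEach-Object { "[$env:COMPUTERNAME] $_" }
```

The script changes nothing on the host. Customised or embedded builds that lack these interfaces will show up as findings and need checking with the device supplier.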

These recommendations must be embedded into common daily practice. To extend the medical metaphor that has become everyday parlance, Aston notes, “If you found a disease that was rampant inside a medical organisation, you would try to understand the method of transmission in order to similarly understand what controls could you institute to prevent that transmission. In many cases, good hygiene will prevent the transmission of the majority of disease. Malware propagates in a very similar way: good basic hygiene prevents the vast majority of malware propagation.”

MSRA: Best practice security assessment...

Some of these pointers – although not all – are as applicable to medical devices as they are to PCs. A good starting point is the Microsoft Security Risk Assessment (MSRA), a standardised set of tactical security assessments, conducted by one of a selection of approved Microsoft Partners, some of whom are also healthcare specialists with ample experience and knowledge of the challenges faced by NHS organisations.

Aston says, “MSRA is a very good way of understanding your security position as regards Microsoft systems and software. After the process, you need to determine whether that security posture is convergent with your appetite for risk as a business – which in the case of healthcare is likely to be low. Mitigation may require technical or procedural measures, or indeed a combination of the two. MSRA is a way of establishing where you are on a standardised roadmap based on a commercially sound attitude towards risk.”

...and an optimisation model you can believe in

That will not, however, solve the fundamental problem of outdated systems. Windows XP is still the workhorse operating system in many NHS Trusts; and whilst it has performed outstandingly, it is now over a decade old. The best defences are offered by a current operating system across the estate; namely Windows 7 or the upcoming Windows 8.

Luckily, help is available; and the good news is that any investment in infrastructure security will invariably yield additional maintenance and productivity benefits as well. Tactically, there is a range of migration tools (e.g. XP to Windows 7), delivered by Partners, which will make the migration process as trouble-free as possible.

Strategically, Microsoft’s tried-and-tested Infrastructure Optimisation (IO) model yields a modern and efficient Desktop Management policy built around a migration of applications to Windows 7 (or indeed, 8), which unlocks the automation of maintenance processes and policy-driven security, plus support for services much in demand from clinicians, like flexible working and follow-me identity management.

Both Microsoft’s IO model and Optimised Desktop Platform model have been fully updated to include the inbuilt benefits of Windows 8 (launching now) and Windows Server 2012 (just launched in the UK); and both frameworks are also available in healthcare-specific versions from specialists in the Partner network.

Healthcare – and the NHS in particular – faces unique fiscal, staff and technology challenges to security. Yet whilst outdated equipment and lengthy refresh cycles are a given, the rules of best practice security management are equally timeless. An infrastructure improvement programme will certainly yield quantifiable benefits, but in the meantime, rigorous patching and a devotion to risk analysis make for a compelling substitute.

by Nick Saalfeld, Microsoft UK