Feds seek silver bullet tools to secure healthcare infrastructure. Critics say just do security basics
In the world of healthcare, the right equipment or tool can be a life saver.
There are dozens of examples — mechanical ventilators for patients who can’t breathe on their own, dialysis machines that filter toxins from the blood of those with end-stage renal disease, defibrillators to treat cardiac arrest or correct arrhythmia, insulin pumps to manage blood glucose levels of those with diabetes, and more.
But according to the Advanced Research Projects Agency for Health (ARPA-H) within the U.S. Department of Health and Human Services, what the healthcare industry lacks are effective tools to protect its digital infrastructure.
In a press release earlier this month, ARPA-H announced the Digital Health Security (DIGIHEALS) project, which will “solicit proposals for proven technologies developed for national security and apply them to civilian health systems, clinical care facilities, and personal health devices.”
This, according to ARPA-H Director Dr. Renee Wegrzyn, is because current “off-the-shelf software tools fall short in detecting emerging cyberthreats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative.”
Bidders should focus on “cutting-edge security protocols, vulnerability detection, and automatic patching,” according to the press release.
All of which sounds like it should be a bipartisan layup. Who doesn’t want healthcare systems to be protected from cyberattacks? In this industry, software risk is not just a business risk — if hospitals or clinics can’t function, it’s a life-or-death risk.
Obvious need
And the need for better security is obvious. Healthcare facilities are a perennial prime target for ransomware attacks. IBM’s Cost of a Data Breach Report 2023 found that “since 2020 healthcare data breach costs have increased 53.3%. For the 13th year in a row, the healthcare industry reported the most expensive data breaches [compared to other industries], at an average cost of $10.93 million.”
Even so, the DIGIHEALS announcement has gotten mixed reviews from cybersecurity experts. Several comments on a story in Wired magazine (reposted on Ars Technica) contend that the problem isn’t a lack of tools or protocols but the failure of the healthcare industry to use and apply those that already exist.
One comment from “enilc” declared, “So many of these issues arise from unpatched firmware/software and sloppy security protocols and enforcement. Until current procedures get up to the bare minimum across the board, additional research and theorizing amounts to navel-gazing.”
Another, from “ibethepaul,” contended that, “The reason things aren’t secure isn’t because we don’t know how to make them secure. It’s because investing resources into security doesn’t generate income. Security concerns are brushed aside by upper management until it’s too late, and you’re just scrambling to deal with the fact you’ve already been breached. Then they blame the [software developers] for not building the security they were never given the time or resources to build.”
Indeed, there are multiple existing automated tools that are well-established as effective in testing software throughout what is called the software development life cycle. They include static and dynamic analysis for testing code as it is being written and then as it’s being run, software composition analysis for finding and fixing known vulnerabilities and possible licensing or attribution conflicts in open source software, fuzz testing to see how an application reacts to malformed input, and eventually penetration testing to see if a software product can withstand attacks similar to what malicious hackers would attempt.
But according to DIGIHEALS Program Manager Andrew Carney, “Automated techniques reduce the soundness or scope of testing to enable scaling analysis up to real-world software. Tools use different strategies to explore the state space, but exhaustive testing is not an option. This means vulnerabilities will be missed.”
Carney added that the problem goes beyond tools. “For the tools we do have, proper deployment and use is critical. That requires a population of security experts that simply doesn’t exist today. We are hundreds of thousands of skilled cybersecurity professionals away from where we need to be.”
That sounds like a lack of qualified employees is as big a problem, or worse, than a lack of effective tools.
Carney said the hope is to “use new technology as a force multiplier. Empowering the existing cybersecurity workforce to efficiently and effectively secure healthcare infrastructure through new technologies is one way ARPA-H is addressing the labor shortage.”
Focus on fundamentals
Still, multiple security experts say if the healthcare industry focused more on security fundamentals than on a campaign to develop the next silver bullet, it could become a much more difficult target for hackers in less time. They contend that the healthcare industry, in general, hasn’t invested enough time and money in the basics.
The most recent Building Security In Maturity Model (BSIMM), an annual report on software security initiatives within nine industry verticals from the Synopsys Software Integrity Group, noted that there were 44 participants from the financial sector and only 11 from healthcare.
According to the report, “In our decade-long experience with the BSIMM, we’ve seen large financial services firms reacting to regulatory pressures by starting software security initiatives much earlier than insurance and healthcare firms.”
Sammy Migues, founder and principal of Imbricate Security and a coauthor of the BSIMM since its beginning, said there is nothing about the software and cybersecurity problem that is unique to healthcare “except the nature of modern healthcare itself. Many industries are 100% dependent on the internet for just-in-time things, and some parts of the business stop when the internet stops. However, lots of those industries have ‘internet outage’ risk management in place, such as extra stock, preplanned deliveries, manual processes, phone trees, and much more.”
That kind of risk management, such as “how can we do X without the internet” tabletop exercises seems to be lacking in healthcare, he said, perhaps because the industry has focused on compliance with regulatory standards but failed to realize that, as any cybersecurity expert will tell you, compliance is not security.
“The healthcare industry at large is typical of a group that managed to the ‘security test’ and now doesn’t collectively — despite many IT and AppSec-savvy individuals in the space — understand why that isn’t good enough,” Migues said.
He said it comes from a “check-the-box” mentality that asks, in essence, “I have certifications for ISO 27002, SOC2, etc., am using a HIPAA [Health Insurance Portability and Accountability Act]-certified provider, and follow HIPAA privacy, security, breach notification checklists! How did this breach happen!?”
Manage to the need
“Well, it’s because you managed to the test instead of to the need,” Migues said. “None of this is rocket science.”
Andrew Kilbourne, managing director with the Synopsys Software Integrity Group, agreed. “With regard to medical facilities, I have found that industry to be very cost-conscious. I previously worked in the medical space selling into hospitals and they could never find money, so they did just what they needed to do to get by, and in this case I am certain, to be compliant.”
And Masato Matsuoka, security solutions manager with Synopsys, said evidence indicates that the vulnerabilities in the healthcare digital infrastructure are more a people problem than a technology problem.
He cited a 2021 report from Risk Based Security (since acquired by threat intelligence firm Flashpoint) showing that the healthcare industry led all others in the number of attacks, and that the top attack vector was phishing — trying to trick an employee into clicking a malicious link or providing credentials to access a system.
The solution to that is better employee awareness training, since there is no technology in the world that can trump a careless or clueless employee.
Carney said DIGIHEALS doesn’t have specific tools in mind for this project — just the results it is seeking. “Ultimately, these tools need to maximize our capacity for care and quality of patient outcomes without increasing practitioner burnout,” he said. “How we achieve that is an open question, but it will likely require new ways of working with automation.”
How much money is available to fund proposals? Carney would say only that “resources available will depend on the quality of the proposals received and the availability of funds.”
Nor is there a set timeline for new technologies to be developed. “We will focus on the real problem we’re trying to solve, be clear-eyed about why a solution today is impossible, be technically credible about how to get to a possible solution, and find checkpoints that tell how we know this solution is getting somewhere and when the program has reached the endpoint,” he said.
User friendly, please
Whatever the solution, it’s likely that for it to be effective it will have to be much easier to use than what is on the market today. Tim Mackey, head of software supply chain risk strategy within the Synopsys Software Integrity Group, said there is a natural conflict between simplicity and security. “We want healthcare to be simple and streamlined for the people receiving care and the loved ones who are attempting to manage their care, but cybersecurity says you should lock everything down,” he said.
“It’s hard to have both, particularly when you’re dealing with elderly patients. Imagine trying to explain an authenticator app to someone’s grandparent. There are many initiatives out there, and this ARPA-H effort is but one. Secure deployment by default needs to be there, but unless and until someone figures out how to solve the human component of this, we’re out of luck.”