Cyber security Archives

Soitron IT expert: Some hospitals open their door to hackers themselves.

We talked to Soitron IT expert Martin Čaprnka about what modern IT in a hospital should look like and how to build it with a limited budget.

Many hospitals today are struggling with lack of personnel and desolate buildings. What about their IT in the light of these challenges?

The situation with their IT is very similar. When you see the old and unfit buildings in which they often reside, their communication infrastructure is in a similar condition. It often looks like 20 to 30 years ago. Problems are just plastered over. Staff do not have the time or money to do the overall renovation the communication infrastructure would deserve.

What does IT infrastructure look like in a typical Slovak hospital?

I’ve seen a few them. Some were in a rather woeful state. In one of them, the boiler room was in a better state than the room in which the data and telecommunication equipment was housed. With leaks and mould on the walls, uninterrupted operation could not be guaranteed. Wiring is often undersized for both power and data. I was in one hospital where we would have to turn half of the hospital upside down if we wanted to install another wireless access point.

Let’s say I’m the hospital director and I’m deciding how to best allocate my budget. What’s the benefit of investing in IT infrastructure compared to, for example, training people, renovating the building, and so on?

This can be viewed from several perspectives. Firstly, what do I need to provide for patients and doctors? For instance, I may have a portable X-ray machine and need to send the images somewhere. Or I may need to register patients, store data, and so on. These are the services that hospitals want to provide.

Secondly, how do I keep the technology operating? This is what I have to have in mind when building the whole infrastructure. In the event of a failure, I must be able to keep at least critical systems in operation, the functioning of which may depend on infrastructure: for example, patient monitoring.

And finally, security. Cyberattacks don’t avoid hospitals. The network should therefore be built from the ground up to be secure. Of course, it is more complex than that, and security should be addressed on other tiers as well. However, the more you neglect this aspect, the easier the attacks will be because the communication infrastructure is the foundation of all other systems.

Some hospitals already have Wi-Fi. Is patient data safe?

Some hospitals are more advanced. They have implemented segmentation and use separate secure networks, i.e., one network accessible by visitors or patients and another one not accessible by ordinary people, so that sensitive data is protected.

But of course, sometimes it is the other way around. Several facilities use devices that you can readily buy in supermarkets. I wouldn’t use them even for my home. Such devices are not patched at all, or perhaps are only patched after a year. In this way, they open the door to potential attackers. Not to mention that if Wi-Fi is designed and installed incorrectly, it does not serve its purpose at all. So, it is quite common that there is Wi-Fi in a hospital, but you cannot connect to it because it has not been set up for a large number of users.

Can medical devices run on Wi-Fi?

It is more secure to connect them by cable. However, some devices, such as those that do not monitor patients, can certainly run on a wireless network as well. This includes devices that assist in service tasks, such as an automatic drug dispenser. In this case, a Wi-Fi connection allows the device to monitor the medication the patient takes and prepare it for them. Should this system fail, it is not a critical problem. The system just makes the work for the staff easier.

A typical example of Wi-Fi use is the localization of portable devices such as X-ray machines, sonographs, and so on. It allows staff to quickly find out where each device is and how to get it to where it needs to be as quickly as possible. Again, it saves time.

What common IT problems you see most often?

Undersized network and transmission capacity. In such cases, there is nowhere to connect a new device. The second major problem is security. There is often lack of continuity when the systems are built. If the chief IT expert happens to leave, nobody has a clue how the whole thing is built. Another common problem is lack of redundancies. Critical elements the entire communication depends on often don’t have two power supplies in place, or two physical paths available to prevent the whole system from collapsing in the event of a failure.

Can a hospital on a limited budget significantly improve its IT infrastructure?

In public hospitals this is probably difficult, but in private hospitals this is accounted for. They want to differentiate themselves from past practices and build modern hospitals. IT infrastructure can also be built for reasonable money. We have witnessed it mainly in the private hospitals we have worked with.

If I’m the hospital director who wants it, where should I start?

Start with an audit. First, look at the building. Are the premises suitable? The next thing you should look at is what your hospital provides, i.e., how the departments are structured, how you need them to communicate with each other, what services you provide to patients, and what role the data communication plays. Once the whole hospital has been mapped, a plan of how to build the infrastructure from zero to the final state is designed, and then you can start building it, sort of like with building blocks.

Can it be done part by part?

Definitely. Actually, this is how it’s usually done. It would be ideal to have the whole thing built in one go, but usually hospitals identify critical parts to start with. These investments may sometimes take up to five years, but if you want to get somewhere, you must take the first step. After all, once you fix the problems with unsuitable premises or structured cabling, you benefit from it right away. And you also have the conditions prepared for the future.

Give us an example of a hospital in Slovakia with a good IT infrastructure.

A very good example are the new private hospitals. Since they are filled to the roof with technology, we often have to build an extremely stable and secure network for them. This was also the case of the New Generation Hospital in Michalovce.

However, we can also find good examples in some public hospitals that have made several investments. They have undergone renovations, and some of them have built completely new departments that look like those in the Dr House TV show. And I am happy to say that this is happening all over Slovakia.

STANISLAV SMOLÁR

With commonly used computer network protection tools, organizations are either unable to view encrypted communication or can only achieve the desired visibility with great difficulty and at a disproportionately high cost. A better way is to integrate some new components into the existing essential security technology.

Today data encryption is an integral part of Internet communication, allowing us to safely shop or perform banking transactions online. Without encryption anyone could view the transferred data and easily access, for instance, passwords or personal data. Nowadays, almost all website operators are gradually starting to use security certificates.

Measurements by the Soitron Security Sensor system show that at least 60% of the communication in today’s organizations is encrypted. Typically, however, it is around 80%, which corresponds to the global estimates of 80% of all internet traffic being encrypted in 2019. For the sake of comparison, two years ago only less than half of the Internet was encrypted.

Blinded administrators

With more and more websites and services being encrypted, the encryption methods are also changing and new, improved protocols for protecting the network communication are emerging (e.g., CAA, DANE, TLS 1.3, eSNI, and DoT).

The newer and more modern protocols are designed to protect data against any inspection, even if for legitimate purposes. If we also take into account the significant increase in the network capacity and thus also the volume of data transmitted, we realize that today companies and public organizations face a tsunami of strongly encrypted communication.

Audits also often lead to a significantly compromised encryption quality. For instance, a study entitled “The Security Impact of HTTPS Interception” showed that only one out of twelve devices received a satisfactory rating.

What does it mean for IT departments?

In short, it means new challenges in administration and securing IT against cyber threats. Older security tools that didn’t count with encrypted communication inspection do not provide administrators with the necessary operation visibility, thus opening new possibilities for hackers to spread malicious code or send instructions for already infiltrated malware.

In addition, some (especially mobile) applications reject even legitimate inspections of security certificates in organizations. Attackers now successfully exploit the weakened capabilities of immature security solutions to scrutinize encrypted communication.

According to the cloud service provider Zscaler, last year the number of phishing attacks hidden in encrypted communications increased by 400% year-on-year. In general, in about half of the cyber-attacks encrypted traffic was exploited to spread malware. There is no reason to believe that this proportion would decrease in the future.

An inspection with no reading

The good news is that there are ways to make seemingly invisible and well-encrypted communication at least partially transparent. A number of security technology vendors have come up with solutions based on Encrypted Traffic Analytics (ETA) that is able to identify potential threats concealed in encrypted data with great accuracy and without compromising the user convenience.

They are not trying to crack the encryption and “read” the entire content of the communication; something like that would be technically difficult and not acceptable in terms of privacy protection. The purpose of technologies for gaining visibility into an encrypted environment is to detect any abnormal behaviour based on, for example, behavioural analyses of network communication and alert you to any suspicious communication. An advantage is that this approach also helps to identify unknown threats that have not yet been described. There are no signatures available, and we know nothing about them.

With the share of the encrypted Internet traffic approaching 100% in the next few years, the cracks in existing security architectures will only grow. This does not mean that IT departments have to throw away and replace their existing resources. Rather, sooner or later, they will need to add new tools which are able to identify threats in their data traffic which would otherwise be invisible to the naked eye. The sooner they do this, the fewer threats they expose themselves to.