Do No Harm
Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States
1. Auflage August 2021
400 Seiten, Softcover
Praktikerbuch
ISBN:
978-1-119-79402-8
John Wiley & Sons
Weitere Versionen
Discover the security risks that accompany the widespread adoption of new medical devices and how to mitigate them
In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States, cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm.
You'll learn how the high barriers to entry for innovation in the field of healthcare are impeding necessary change and how innovation accessibility must be balanced against regulatory compliance and privacy to ensure safety.
In this important book, the author describes:
* The increasing expansion of medical devices and the dark side of the high demand for medical devices
* The medical device regulatory landscape and the dilemmas hospitals find themselves in with respect medical devices
* Practical steps that individuals and businesses can take to encourage the adoption of safe and helpful medical devices or mitigate the risk of having insecure medical devices
* How to help individuals determine the difference between protected health information and the information from health devices--and protecting your data
* How to protect your health information from cell phones and applications that may push the boundaries of personal privacy
* Why cybercriminals can act with relative impunity against hospitals and other organizations
Perfect for healthcare professionals, system administrators, and medical device researchers and developers, Do No Harm is an indispensable resource for anyone interested in the intersection of patient privacy, cybersecurity, and the world of Internet of Medical Things.
Preface xviii
Introduction xxi
Part I Defining the Challenge 1
Chapter 1 The Darker Side of High Demand 3
Connected Medical Device Risks 4
Ransomware 4
Risks to Data 7
Escalating Demand 10
Types of Internet-Connected Medical Devices 11
COVID-19 Trending Influences 12
By the Numbers 13
Telehealth 15
Home Healthcare 15
Remote Patient Monitoring 16
The Road to High Risk 16
Innovate or Die 19
In Summary 26
Chapter 2 The Internet of Medical Things in Depth 27
What Are Medical Things? 28
Telemedicine 29
Data Analytics 30
Historical IoMT Challenges 31
IoMT Technology 36
Electronic Boards 36
Operating Systems 37
Software Development 38
Wireless 39
Wired Connections 43
The Cloud 43
Mobile Devices and Applications 46
Clinal Monitors 47
Websites 48
Putting the Pieces Together 48
Current IoMT Challenges 48
In Summary 50
Chapter 3 It is a Data-Centric World 53
The Volume of Health Data 53
Data is That Important 55
This is Data Aggregation? 57
Non-HIPAA Health Data? 59
Data Brokers 60
Big Data 63
Data Mining Automation 68
In Summary 70
Chapter 4 IoMT and Health Regulation 73
Health Regulation Basics 73
FDA to the Rescue? 77
The Veterans Affairs and UL 2900 81
In Summary 83
Chapter 5 Once More into the Breach 85
Grim Statistics 86
Breach Anatomy 89
Phishing, Pharming, Vishing, and Smishing 90
Web Browsing 92
Black-Hat Hacking 93
IoMT Hacking 94
Breach Locations 95
In Summary 95
Chapter 6 Say Nothing of Privacy 97
Why Privacy Matters 98
Privacy History in the United States 101
The 1990s Turning Point 103
HIPAA Privacy Rules 104
HIPAA and Pandemic Privacy 104
Contact Tracing 106
Corporate Temperature Screenings 107
A Step Backward 107
The New Breed of Privacy Regulations 108
California Consumer Privacy Act 108
CCPA, AB-713, and HIPAA 109
New York SHIELD Act 111
Nevada Senate Bill 220 111
Maine: An Act to Protect the Privacy of Online Consumer Information 112
States Striving for Privacy 112
International Privacy Regulations 113
Technical and Operational Privacy Considerations 114
Non-IT Considerations 115
Impact Assessments 115
Privacy, Technology, and Security 115
Privacy Challenges 117
Common Technologies 118
The Manufacturer's Quandary 119
Bad Behavior 121
In Summary 122
Chapter 7 The Short Arm of the Law 123
Legal Issues with Hacking 124
White-Hat Hackers 125
Gray-Hat Hackers 125
Black-Hat Hackers 127
Computer Fraud and Abuse Act 127
The Electronic Communications Privacy Act 128
Cybercrime Enforcement 128
Results of Legal Shortcomings 131
In Summary 132
Chapter 8 Threat Actors and Their Arsenal 135
The Threat Actors 136
Amateur Hackers 136
Insiders 136
Hacktivists 137
Advanced Persistent Threats 138
Organized Crime 138
Nation-States 139
Nation-States' Legal Posture 140
The Deep, Dark Internet 141
Tools of the Trade 143
Types of Malware 144
Malware Evolution 146
Too Many Strains 147
Malware Construction Kits 148
In Summary 148
Part II Contextual Challenges and Solutions 151
Chapter 9 Enter Cybersecurity 153
What is Cybersecurity? 154
Cybersecurity Basics 154
Cybersecurity Evolution 156
Key Disciplines in Cybersecurity 158
Compliance 158
Patching 160
Antivirus 161
Network Architecture 161
Application Architecture 162
Threat and Vulnerability 162
Identity and Access Management 163
Monitoring 164
Incident Response 165
Digital Forensics 166
Configuration Management 166
Training 168
Risk Management 168
In Summary 169
Chapter 10 Network Infrastructure and IoMT 171
In the Beginning 172
Networking Basics: The OSI Model 173
Mistake: The Flat Network 175
Resolving the Flat Network Mistake 177
Alternate Network Defensive Strategies 178
Network Address Translation 178
Virtual Private Networks 179
Network Intrusion Detection Protection Tools 179
Deep Packet Inspection 179
Web Filters 180
Threat Intelligence Gateways 180
Operating System Firewalls 181
Wireless Woes 181
In Summary 182
Chapter 11 Internet Services Challenges 185
Internet Services 186
Network Services 186
Websites 187
IoMT Services 189
Other Operating System Services 189
Open-Source Tools Are Safe, Right? 190
Cloud Services 193
Internet-Related Services Challenges 194
Domain Name Services 195
Deprecated Services 197
Internal Server as an Internet Servers 197
The Evolving Enterprise 198
In Summary 199
Chapter 12 IT Hygiene and Cybersecurity 201
The IoMT Blues 202
IoMT and IT Hygiene 202
Past Their Prime 203
Selecting IoMT 203
IoMT as Workstations 204
Mixing IoMT with IoT 204
The Drudgery of Patching 206
Mature Patching Process 207
IoMT Patching 208
Windows Patching 208
Linux Patching 209
Mobile Device Patching 209
Final Patching Thoughts 210
Antivirus is Enough, Right? 210
Antivirus Evolution 211
Solution Interconnectivity 211
Antivirus in Nooks and Crannies 212
Alternate Solutions 213
IoMT and Antivirus 214
The Future of Antivirus 215
Antivirus Summary 215
Misconfigurations Galore 215
The Process for Making Changes 216
Have a Configuration Strategy 217
IoMT Configurations 218
Windows System Configurations 218
Linux Configurations 219
Application Configurations 219
Firewall Configurations 220
Mobile Device Misconfigurations 220
Database Configurations 221
Configuration Drift 222
Configuration Tools 222
Exception Management 223
Enterprise Considerations 224
In Summary 224
Chapter 13 Identity and Access Management 227
Minimal Identity Practices 228
Local Accounts 229
Domain/Directory Accounts 229
Service Accounts 230
IoMT Accounts 230
Physical Access Accounts 231
Cloud Accounts 231
Consultants, Contractors, and Vendor Accounts 232
Identity Governance 232
Authentication 233
Password Pain 233
Multi-factor Authentication 236
Hard Tokens 236
Soft Tokens 237
Authenticator Applications 238
Short Message Service 238
QR Codes 238
Other Authentication Considerations 239
Dealing with Password Pain 239
MFA Applicability 240
Aging Systems 240
Privileged Access Management 240
Roles 241
Password Rotation 242
MFA Access 242
Adding Network Security 242
Other I&AM Technologies 243
Identity Centralization 243
Identity Management 244
Identity Governance Tools 244
Password Tools 244
In Summary 245
Chapter 14 Threat and Vulnerability 247
Vulnerability Management 248
Traditional Infrastructure Vulnerability Scans 248
Traditional Application Vulnerability Scans 249
IoMT Vulnerability Challenges 249
Rating Vulnerabilities 250
Vulnerability Management Strategies 251
Asset Exposure 251
Importance 252
Compensating Controls 252
Zero-Day Vulnerabilities 252
Less-Documented Vulnerabilities 253
Putting It All Together 253
Additional Vulnerability Management Uses 254
Penetration Testing 254
What Color Box? 255
What Color Team? 255
Penetration Testing Phases 256
Scope 256
Reconnaissance 256
Vulnerability Assessments 257
The Actual Penetration Test 257
Reporting 258
Penetration Testing Strategies 258
Cloud Considerations 258
New Tools of an Old Trade 259
MITRE ATT&CK Framework 259
Breach and Attack Simulation 259
Crowd Source Penetration Testing 260
Calculating Threats 260
In Summary 261
Chapter 15 Data Protection 263
Data Governance 264
Data Governance: Ownership 264
Data Governance: Lifecycle 265
Data Governance: Encryption 265
Data Governance: Data Access 267
Closing Thoughts 268
Data Loss Prevention 268
Fragmented DLP Solutions 269
DLP Challenges 270
Enterprise Encryption 270
File Encryption 271
Encryption Gateways 271
Data Tokenization 272
In Summary 273
Chapter 16 Incident Response and Forensics 275
Defining the Context 276
Logs 277
Alerts 278
SIEM Alternatives 279
Incidents 280
Breaches 281
Incident Response 281
Evidence Handling 282
Forensic Tools 283
Automation 283
EDR and MDR 284
IoMT Challenges 284
Lessons Learned 285
In Summary 285
Chapter 17 A Matter of Life, Death, and Data 287
Organizational Structure 288
Board of Directors 288
Chief Executive Officer 289
Chief Information Officer 289
General Counsel 290
Chief Technology Officer 290
Chief Medical Technology Officer 290
Chief Information Security Officer 291
Chief Compliance Officer 291
Chief Privacy Officer 291
Reporting Structures 292
Committees 293
Risk Management 294
Risk Frameworks 294
Determining Risk 295
Third-Party Risk 296
Risk Register 297
Enterprise Risk Management 297
Final Thoughts on Risk Management 298
Mindset Challenges 298
The Compliance-Only Mindset 298
Cost Centers 299
Us Versus Them 300
The Shiny Object Syndrome 300
Never Disrupt the Business 301
It's Just an IT Problem 301
Tools over People 303
We Are Not a Target 303
The Bottom Line 304
Final Mindset Challenges 304
Decision-Making 304
A Measured View 305
Communication is Key 306
Enterprise Risk Management 307
Writing and Sign-Off 308
Data Protection Considerations 308
In Summary 309
Part III Looking Forward 311
Chapter 18 Seeds of Change 313
The Shifting Legal Landscape 314
Attention on Data Brokers 314
Data Protection Agency 316
IoT Legislation 317
Privacy Legislation 318
A Ray of Legal Light 318
International Agreements 319
Public-Private Partnerships 319
Better National Coordination 320
International Cooperation 322
Technology Innovation 323
Threat Intelligence 323
Machine Learning Revisited 323
Zero Trust 324
Final Technology Thoughts 325
Leadership Shakeups 325
Blended Approaches 326
In Summary 327
Chapter 19 Doing Less Harm 329
What IoMT Manufacturers Can Do 330
Cybersecurity as Differentiator 332
What Covered Entities Can Do 332
Cybersecurity Decision Making 333
Compliance Anyone? 334
The Tangled Web of Privacy 335
Aggregation of Influence 335
Cybersecurity Innovators 337
Industrial Control Systems Overlap 338
What You Can Do 339
Personal Cybersecurity 339
Politics 341
In Summary 342
Chapter 20 Changes We Need 343
International Cooperation 344
Covered Entities 344
Questions a Board Should Ask 345
More IoMT Security Assurances 346
Active Directory Integration 347
Software Development 347
Independent Measures 348
In Summary 348
Glossary 351
Index 367
Introduction xxi
Part I Defining the Challenge 1
Chapter 1 The Darker Side of High Demand 3
Connected Medical Device Risks 4
Ransomware 4
Risks to Data 7
Escalating Demand 10
Types of Internet-Connected Medical Devices 11
COVID-19 Trending Influences 12
By the Numbers 13
Telehealth 15
Home Healthcare 15
Remote Patient Monitoring 16
The Road to High Risk 16
Innovate or Die 19
In Summary 26
Chapter 2 The Internet of Medical Things in Depth 27
What Are Medical Things? 28
Telemedicine 29
Data Analytics 30
Historical IoMT Challenges 31
IoMT Technology 36
Electronic Boards 36
Operating Systems 37
Software Development 38
Wireless 39
Wired Connections 43
The Cloud 43
Mobile Devices and Applications 46
Clinal Monitors 47
Websites 48
Putting the Pieces Together 48
Current IoMT Challenges 48
In Summary 50
Chapter 3 It is a Data-Centric World 53
The Volume of Health Data 53
Data is That Important 55
This is Data Aggregation? 57
Non-HIPAA Health Data? 59
Data Brokers 60
Big Data 63
Data Mining Automation 68
In Summary 70
Chapter 4 IoMT and Health Regulation 73
Health Regulation Basics 73
FDA to the Rescue? 77
The Veterans Affairs and UL 2900 81
In Summary 83
Chapter 5 Once More into the Breach 85
Grim Statistics 86
Breach Anatomy 89
Phishing, Pharming, Vishing, and Smishing 90
Web Browsing 92
Black-Hat Hacking 93
IoMT Hacking 94
Breach Locations 95
In Summary 95
Chapter 6 Say Nothing of Privacy 97
Why Privacy Matters 98
Privacy History in the United States 101
The 1990s Turning Point 103
HIPAA Privacy Rules 104
HIPAA and Pandemic Privacy 104
Contact Tracing 106
Corporate Temperature Screenings 107
A Step Backward 107
The New Breed of Privacy Regulations 108
California Consumer Privacy Act 108
CCPA, AB-713, and HIPAA 109
New York SHIELD Act 111
Nevada Senate Bill 220 111
Maine: An Act to Protect the Privacy of Online Consumer Information 112
States Striving for Privacy 112
International Privacy Regulations 113
Technical and Operational Privacy Considerations 114
Non-IT Considerations 115
Impact Assessments 115
Privacy, Technology, and Security 115
Privacy Challenges 117
Common Technologies 118
The Manufacturer's Quandary 119
Bad Behavior 121
In Summary 122
Chapter 7 The Short Arm of the Law 123
Legal Issues with Hacking 124
White-Hat Hackers 125
Gray-Hat Hackers 125
Black-Hat Hackers 127
Computer Fraud and Abuse Act 127
The Electronic Communications Privacy Act 128
Cybercrime Enforcement 128
Results of Legal Shortcomings 131
In Summary 132
Chapter 8 Threat Actors and Their Arsenal 135
The Threat Actors 136
Amateur Hackers 136
Insiders 136
Hacktivists 137
Advanced Persistent Threats 138
Organized Crime 138
Nation-States 139
Nation-States' Legal Posture 140
The Deep, Dark Internet 141
Tools of the Trade 143
Types of Malware 144
Malware Evolution 146
Too Many Strains 147
Malware Construction Kits 148
In Summary 148
Part II Contextual Challenges and Solutions 151
Chapter 9 Enter Cybersecurity 153
What is Cybersecurity? 154
Cybersecurity Basics 154
Cybersecurity Evolution 156
Key Disciplines in Cybersecurity 158
Compliance 158
Patching 160
Antivirus 161
Network Architecture 161
Application Architecture 162
Threat and Vulnerability 162
Identity and Access Management 163
Monitoring 164
Incident Response 165
Digital Forensics 166
Configuration Management 166
Training 168
Risk Management 168
In Summary 169
Chapter 10 Network Infrastructure and IoMT 171
In the Beginning 172
Networking Basics: The OSI Model 173
Mistake: The Flat Network 175
Resolving the Flat Network Mistake 177
Alternate Network Defensive Strategies 178
Network Address Translation 178
Virtual Private Networks 179
Network Intrusion Detection Protection Tools 179
Deep Packet Inspection 179
Web Filters 180
Threat Intelligence Gateways 180
Operating System Firewalls 181
Wireless Woes 181
In Summary 182
Chapter 11 Internet Services Challenges 185
Internet Services 186
Network Services 186
Websites 187
IoMT Services 189
Other Operating System Services 189
Open-Source Tools Are Safe, Right? 190
Cloud Services 193
Internet-Related Services Challenges 194
Domain Name Services 195
Deprecated Services 197
Internal Server as an Internet Servers 197
The Evolving Enterprise 198
In Summary 199
Chapter 12 IT Hygiene and Cybersecurity 201
The IoMT Blues 202
IoMT and IT Hygiene 202
Past Their Prime 203
Selecting IoMT 203
IoMT as Workstations 204
Mixing IoMT with IoT 204
The Drudgery of Patching 206
Mature Patching Process 207
IoMT Patching 208
Windows Patching 208
Linux Patching 209
Mobile Device Patching 209
Final Patching Thoughts 210
Antivirus is Enough, Right? 210
Antivirus Evolution 211
Solution Interconnectivity 211
Antivirus in Nooks and Crannies 212
Alternate Solutions 213
IoMT and Antivirus 214
The Future of Antivirus 215
Antivirus Summary 215
Misconfigurations Galore 215
The Process for Making Changes 216
Have a Configuration Strategy 217
IoMT Configurations 218
Windows System Configurations 218
Linux Configurations 219
Application Configurations 219
Firewall Configurations 220
Mobile Device Misconfigurations 220
Database Configurations 221
Configuration Drift 222
Configuration Tools 222
Exception Management 223
Enterprise Considerations 224
In Summary 224
Chapter 13 Identity and Access Management 227
Minimal Identity Practices 228
Local Accounts 229
Domain/Directory Accounts 229
Service Accounts 230
IoMT Accounts 230
Physical Access Accounts 231
Cloud Accounts 231
Consultants, Contractors, and Vendor Accounts 232
Identity Governance 232
Authentication 233
Password Pain 233
Multi-factor Authentication 236
Hard Tokens 236
Soft Tokens 237
Authenticator Applications 238
Short Message Service 238
QR Codes 238
Other Authentication Considerations 239
Dealing with Password Pain 239
MFA Applicability 240
Aging Systems 240
Privileged Access Management 240
Roles 241
Password Rotation 242
MFA Access 242
Adding Network Security 242
Other I&AM Technologies 243
Identity Centralization 243
Identity Management 244
Identity Governance Tools 244
Password Tools 244
In Summary 245
Chapter 14 Threat and Vulnerability 247
Vulnerability Management 248
Traditional Infrastructure Vulnerability Scans 248
Traditional Application Vulnerability Scans 249
IoMT Vulnerability Challenges 249
Rating Vulnerabilities 250
Vulnerability Management Strategies 251
Asset Exposure 251
Importance 252
Compensating Controls 252
Zero-Day Vulnerabilities 252
Less-Documented Vulnerabilities 253
Putting It All Together 253
Additional Vulnerability Management Uses 254
Penetration Testing 254
What Color Box? 255
What Color Team? 255
Penetration Testing Phases 256
Scope 256
Reconnaissance 256
Vulnerability Assessments 257
The Actual Penetration Test 257
Reporting 258
Penetration Testing Strategies 258
Cloud Considerations 258
New Tools of an Old Trade 259
MITRE ATT&CK Framework 259
Breach and Attack Simulation 259
Crowd Source Penetration Testing 260
Calculating Threats 260
In Summary 261
Chapter 15 Data Protection 263
Data Governance 264
Data Governance: Ownership 264
Data Governance: Lifecycle 265
Data Governance: Encryption 265
Data Governance: Data Access 267
Closing Thoughts 268
Data Loss Prevention 268
Fragmented DLP Solutions 269
DLP Challenges 270
Enterprise Encryption 270
File Encryption 271
Encryption Gateways 271
Data Tokenization 272
In Summary 273
Chapter 16 Incident Response and Forensics 275
Defining the Context 276
Logs 277
Alerts 278
SIEM Alternatives 279
Incidents 280
Breaches 281
Incident Response 281
Evidence Handling 282
Forensic Tools 283
Automation 283
EDR and MDR 284
IoMT Challenges 284
Lessons Learned 285
In Summary 285
Chapter 17 A Matter of Life, Death, and Data 287
Organizational Structure 288
Board of Directors 288
Chief Executive Officer 289
Chief Information Officer 289
General Counsel 290
Chief Technology Officer 290
Chief Medical Technology Officer 290
Chief Information Security Officer 291
Chief Compliance Officer 291
Chief Privacy Officer 291
Reporting Structures 292
Committees 293
Risk Management 294
Risk Frameworks 294
Determining Risk 295
Third-Party Risk 296
Risk Register 297
Enterprise Risk Management 297
Final Thoughts on Risk Management 298
Mindset Challenges 298
The Compliance-Only Mindset 298
Cost Centers 299
Us Versus Them 300
The Shiny Object Syndrome 300
Never Disrupt the Business 301
It's Just an IT Problem 301
Tools over People 303
We Are Not a Target 303
The Bottom Line 304
Final Mindset Challenges 304
Decision-Making 304
A Measured View 305
Communication is Key 306
Enterprise Risk Management 307
Writing and Sign-Off 308
Data Protection Considerations 308
In Summary 309
Part III Looking Forward 311
Chapter 18 Seeds of Change 313
The Shifting Legal Landscape 314
Attention on Data Brokers 314
Data Protection Agency 316
IoT Legislation 317
Privacy Legislation 318
A Ray of Legal Light 318
International Agreements 319
Public-Private Partnerships 319
Better National Coordination 320
International Cooperation 322
Technology Innovation 323
Threat Intelligence 323
Machine Learning Revisited 323
Zero Trust 324
Final Technology Thoughts 325
Leadership Shakeups 325
Blended Approaches 326
In Summary 327
Chapter 19 Doing Less Harm 329
What IoMT Manufacturers Can Do 330
Cybersecurity as Differentiator 332
What Covered Entities Can Do 332
Cybersecurity Decision Making 333
Compliance Anyone? 334
The Tangled Web of Privacy 335
Aggregation of Influence 335
Cybersecurity Innovators 337
Industrial Control Systems Overlap 338
What You Can Do 339
Personal Cybersecurity 339
Politics 341
In Summary 342
Chapter 20 Changes We Need 343
International Cooperation 344
Covered Entities 344
Questions a Board Should Ask 345
More IoMT Security Assurances 346
Active Directory Integration 347
Software Development 347
Independent Measures 348
In Summary 348
Glossary 351
Index 367
MATTHEW WEBSTER is a Chief Information Security Officer with 25 years of IT and information security experience. During that time, he has worked with many sizes and sectors of organizations including Fortune 100. Matthew has built several security programs from the ground up, significantly reduced risk, and helped companies pass multiple types of security audits.
