
Do No Harm. Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States. Edition No. 1

  • Book

  • 400 Pages
  • August 2021
  • John Wiley and Sons Ltd
  • ID: 5839415

Discover the security risks that accompany the widespread adoption of new medical devices and how to mitigate them

In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States, cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm.

You'll learn how the high barriers to entry for innovation in the field of healthcare are impeding necessary change and how innovation accessibility must be balanced against regulatory compliance and privacy to ensure safety.

In this important book, the author describes:

  • The increasing expansion of medical devices and the dark side of the high demand for medical devices
  • The medical device regulatory landscape and the dilemmas hospitals find themselves in with respect to medical devices
  • Practical steps that individuals and businesses can take to encourage the adoption of safe and helpful medical devices or mitigate the risk of having insecure medical devices
  • How to help individuals determine the difference between protected health information and the information from health devices, and how to protect your data
  • How to protect your health information from cell phones and applications that may push the boundaries of personal privacy
  • Why cybercriminals can act with relative impunity against hospitals and other organizations

Perfect for healthcare professionals, system administrators, and medical device researchers and developers, Do No Harm is an indispensable resource for anyone interested in the intersection of patient privacy, cybersecurity, and the world of Internet of Medical Things.

Table of Contents

Preface xviii

Introduction xxi

Part I Defining the Challenge 1

Chapter 1 The Darker Side of High Demand 3

Connected Medical Device Risks 4

Ransomware 4

Risks to Data 7

Escalating Demand 10

Types of Internet-Connected Medical Devices 11

COVID-19 Trending Influences 12

By the Numbers 13

Telehealth 15

Home Healthcare 15

Remote Patient Monitoring 16

The Road to High Risk 16

Innovate or Die 19

In Summary 26

Chapter 2 The Internet of Medical Things in Depth 27

What Are Medical Things? 28

Telemedicine 29

Data Analytics 30

Historical IoMT Challenges 31

IoMT Technology 36

Electronic Boards 36

Operating Systems 37

Software Development 38

Wireless 39

Wired Connections 43

The Cloud 43

Mobile Devices and Applications 46

Clinical Monitors 47

Websites 48

Putting the Pieces Together 48

Current IoMT Challenges 48

In Summary 50

Chapter 3 It is a Data-Centric World 53

The Volume of Health Data 53

Data is That Important 55

This is Data Aggregation? 57

Non-HIPAA Health Data? 59

Data Brokers 60

Big Data 63

Data Mining Automation 68

In Summary 70

Chapter 4 IoMT and Health Regulation 73

Health Regulation Basics 73

FDA to the Rescue? 77

The Veterans Affairs and UL 2900 81

In Summary 83

Chapter 5 Once More into the Breach 85

Grim Statistics 86

Breach Anatomy 89

Phishing, Pharming, Vishing, and Smishing 90

Web Browsing 92

Black-Hat Hacking 93

IoMT Hacking 94

Breach Locations 95

In Summary 95

Chapter 6 Say Nothing of Privacy 97

Why Privacy Matters 98

Privacy History in the United States 101

The 1990s Turning Point 103

HIPAA Privacy Rules 104

HIPAA and Pandemic Privacy 104

Contact Tracing 106

Corporate Temperature Screenings 107

A Step Backward 107

The New Breed of Privacy Regulations 108

California Consumer Privacy Act 108

CCPA, AB-713, and HIPAA 109

New York SHIELD Act 111

Nevada Senate Bill 220 111

Maine: An Act to Protect the Privacy of Online Consumer Information 112

States Striving for Privacy 112

International Privacy Regulations 113

Technical and Operational Privacy Considerations 114

Non-IT Considerations 115

Impact Assessments 115

Privacy, Technology, and Security 115

Privacy Challenges 117

Common Technologies 118

The Manufacturer’s Quandary 119

Bad Behavior 121

In Summary 122

Chapter 7 The Short Arm of the Law 123

Legal Issues with Hacking 124

White-Hat Hackers 125

Gray-Hat Hackers 125

Black-Hat Hackers 127

Computer Fraud and Abuse Act 127

The Electronic Communications Privacy Act 128

Cybercrime Enforcement 128

Results of Legal Shortcomings 131

In Summary 132

Chapter 8 Threat Actors and Their Arsenal 135

The Threat Actors 136

Amateur Hackers 136

Insiders 136

Hacktivists 137

Advanced Persistent Threats 138

Organized Crime 138

Nation-States 139

Nation-States’ Legal Posture 140

The Deep, Dark Internet 141

Tools of the Trade 143

Types of Malware 144

Malware Evolution 146

Too Many Strains 147

Malware Construction Kits 148

In Summary 148

Part II Contextual Challenges and Solutions 151

Chapter 9 Enter Cybersecurity 153

What is Cybersecurity? 154

Cybersecurity Basics 154

Cybersecurity Evolution 156

Key Disciplines in Cybersecurity 158

Compliance 158

Patching 160

Antivirus 161

Network Architecture 161

Application Architecture 162

Threat and Vulnerability 162

Identity and Access Management 163

Monitoring 164

Incident Response 165

Digital Forensics 166

Configuration Management 166

Training 168

Risk Management 168

In Summary 169

Chapter 10 Network Infrastructure and IoMT 171

In the Beginning 172

Networking Basics: The OSI Model 173

Mistake: The Flat Network 175

Resolving the Flat Network Mistake 177

Alternate Network Defensive Strategies 178

Network Address Translation 178

Virtual Private Networks 179

Network Intrusion Detection Protection Tools 179

Deep Packet Inspection 179

Web Filters 180

Threat Intelligence Gateways 180

Operating System Firewalls 181

Wireless Woes 181

In Summary 182

Chapter 11 Internet Services Challenges 185

Internet Services 186

Network Services 186

Websites 187

IoMT Services 189

Other Operating System Services 189

Open-Source Tools Are Safe, Right? 190

Cloud Services 193

Internet-Related Services Challenges 194

Domain Name Services 195

Deprecated Services 197

Internal Server as an Internet Servers 197

The Evolving Enterprise 198

In Summary 199

Chapter 12 IT Hygiene and Cybersecurity 201

The IoMT Blues 202

IoMT and IT Hygiene 202

Past Their Prime 203

Selecting IoMT 203

IoMT as Workstations 204

Mixing IoMT with IoT 204

The Drudgery of Patching 206

Mature Patching Process 207

IoMT Patching 208

Windows Patching 208

Linux Patching 209

Mobile Device Patching 209

Final Patching Thoughts 210

Antivirus is Enough, Right? 210

Antivirus Evolution 211

Solution Interconnectivity 211

Antivirus in Nooks and Crannies 212

Alternate Solutions 213

IoMT and Antivirus 214

The Future of Antivirus 215

Antivirus Summary 215

Misconfigurations Galore 215

The Process for Making Changes 216

Have a Configuration Strategy 217

IoMT Configurations 218

Windows System Configurations 218

Linux Configurations 219

Application Configurations 219

Firewall Configurations 220

Mobile Device Misconfigurations 220

Database Configurations 221

Configuration Drift 222

Configuration Tools 222

Exception Management 223

Enterprise Considerations 224

In Summary 224

Chapter 13 Identity and Access Management 227

Minimal Identity Practices 228

Local Accounts 229

Domain/Directory Accounts 229

Service Accounts 230

IoMT Accounts 230

Physical Access Accounts 231

Cloud Accounts 231

Consultants, Contractors, and Vendor Accounts 232

Identity Governance 232

Authentication 233

Password Pain 233

Multi-factor Authentication 236

Hard Tokens 236

Soft Tokens 237

Authenticator Applications 238

Short Message Service 238

QR Codes 238

Other Authentication Considerations 239

Dealing with Password Pain 239

MFA Applicability 240

Aging Systems 240

Privileged Access Management 240

Roles 241

Password Rotation 242

MFA Access 242

Adding Network Security 242

Other I&AM Technologies 243

Identity Centralization 243

Identity Management 244

Identity Governance Tools 244

Password Tools 244

In Summary 245

Chapter 14 Threat and Vulnerability 247

Vulnerability Management 248

Traditional Infrastructure Vulnerability Scans 248

Traditional Application Vulnerability Scans 249

IoMT Vulnerability Challenges 249

Rating Vulnerabilities 250

Vulnerability Management Strategies 251

Asset Exposure 251

Importance 252

Compensating Controls 252

Zero-Day Vulnerabilities 252

Less-Documented Vulnerabilities 253

Putting It All Together 253

Additional Vulnerability Management Uses 254

Penetration Testing 254

What Color Box? 255

What Color Team? 255

Penetration Testing Phases 256

Scope 256

Reconnaissance 256

Vulnerability Assessments 257

The Actual Penetration Test 257

Reporting 258

Penetration Testing Strategies 258

Cloud Considerations 258

New Tools of an Old Trade 259

MITRE ATT&CK Framework 259

Breach and Attack Simulation 259

Crowd Source Penetration Testing 260

Calculating Threats 260

In Summary 261

Chapter 15 Data Protection 263

Data Governance 264

Data Governance: Ownership 264

Data Governance: Lifecycle 265

Data Governance: Encryption 265

Data Governance: Data Access 267

Closing Thoughts 268

Data Loss Prevention 268

Fragmented DLP Solutions 269

DLP Challenges 270

Enterprise Encryption 270

File Encryption 271

Encryption Gateways 271

Data Tokenization 272

In Summary 273

Chapter 16 Incident Response and Forensics 275

Defining the Context 276

Logs 277

Alerts 278

SIEM Alternatives 279

Incidents 280

Breaches 281

Incident Response 281

Evidence Handling 282

Forensic Tools 283

Automation 283

EDR and MDR 284

IoMT Challenges 284

Lessons Learned 285

In Summary 285

Chapter 17 A Matter of Life, Death, and Data 287

Organizational Structure 288

Board of Directors 288

Chief Executive Officer 289

Chief Information Officer 289

General Counsel 290

Chief Technology Officer 290

Chief Medical Technology Officer 290

Chief Information Security Officer 291

Chief Compliance Officer 291

Chief Privacy Officer 291

Reporting Structures 292

Committees 293

Risk Management 294

Risk Frameworks 294

Determining Risk 295

Third-Party Risk 296

Risk Register 297

Enterprise Risk Management 297

Final Thoughts on Risk Management 298

Mindset Challenges 298

The Compliance-Only Mindset 298

Cost Centers 299

Us Versus Them 300

The Shiny Object Syndrome 300

Never Disrupt the Business 301

It’s Just an IT Problem 301

Tools over People 303

We Are Not a Target 303

The Bottom Line 304

Final Mindset Challenges 304

Decision-Making 304

A Measured View 305

Communication is Key 306

Enterprise Risk Management 307

Writing and Sign-Off 308

Data Protection Considerations 308

In Summary 309

Part III Looking Forward 311

Chapter 18 Seeds of Change 313

The Shifting Legal Landscape 314

Attention on Data Brokers 314

Data Protection Agency 316

IoT Legislation 317

Privacy Legislation 318

A Ray of Legal Light 318

International Agreements 319

Public-Private Partnerships 319

Better National Coordination 320

International Cooperation 322

Technology Innovation 323

Threat Intelligence 323

Machine Learning Revisited 323

Zero Trust 324

Final Technology Thoughts 325

Leadership Shakeups 325

Blended Approaches 326

In Summary 327

Chapter 19 Doing Less Harm 329

What IoMT Manufacturers Can Do 330

Cybersecurity as Differentiator 332

What Covered Entities Can Do 332

Cybersecurity Decision Making 333

Compliance Anyone? 334

The Tangled Web of Privacy 335

Aggregation of Influence 335

Cybersecurity Innovators 337

Industrial Control Systems Overlap 338

What You Can Do 339

Personal Cybersecurity 339

Politics 341

In Summary 342

Chapter 20 Changes We Need 343

International Cooperation 344

Covered Entities 344

Questions a Board Should Ask 345

More IoMT Security Assurances 346

Active Directory Integration 347

Software Development 347

Independent Measures 348

In Summary 348

Glossary 351

Index 367

Authors

Matthew Webster