AMA Update covers a range of health care topics affecting the lives of physicians, residents, medical students and patients. From private practice and health system
Featured topic and speakers
Top health care cybersecurity issues: Why is health care data so valuable to hackers? When is it OK to reuse a password? Why are hospitals vulnerable to cyber attacks?
Our guest is Charles Aunger, managing director of technology at Health2047 and founder and CEO of HEAL Security. AMA Chief Experience Officer Todd Unger hosts.
Speaker
Charles Aunger, managing director of technology, Health2047; founder and CEO, HEAL Security
Unger: Hello and welcome to the AMA Update video and podcast. Today, we’re checking in on some of the latest cybersecurity trends in health care and what physicians need to know. Our guest today is Charles Aunger, managing director of technology at Health2047 and founder and CEO of HEAL Security in San Francisco. I’m Todd Unger, AMA’s chief experience officer in Chicago. Charles, welcome back.
Aunger: Hey, great to be back, Todd. Thank you very much. Appreciate it.
Unger: Last time we had you in our studio, but by the looks of things in your background, I feel like you’re on the Starship Enterprise. What’s going on back there?
Aunger: Everybody says the Starship Enterprise. It’s HEAL Security. We’re … this is our operations center that we’re going to be building to protect health care against all the bad actors in the world.
Unger: Well, that’s a good segue for people out there who aren’t familiar with HEAL Security. Can you give us the 30 second lowdown on what the organization does?
Aunger: Absolutely. HEAL Security has been built as an organization invested by the AMA Health2047 to actually look at how we enable more intelligence, more security inside the health care industry, specifically on the health care industry, with the only one that actually is building situational threat intelligence for the health care industry.
Unger: Excellent. Well, since the last time that we talked, HEAL Security has published a new cyber pulse report. Why don’t we just start by having you give us an overview of some of the top-line trends that you’ve seen during this period?
Aunger: Absolutely. So we do this cyber pulse report every month now. We bring all of our data together and put this out there. And what we are actually seeing is the following. Incidents are up. Vulnerabilities are up. Across the board, the trend is growing and it’s continually growing on the amount of people that are getting breaches. Health care organizations, we’ve seen a couple of big ones. We’ll talk about maybe in a little bit over the last little while. And that is a continuous graphic move towards the upside.
What we’ve seen on average is thousands of more vulnerabilities being released, just over 1,200 in the last couple of weeks. And the attacks and incidents are growing in severity across the—literally, the last year, side by side. It’s almost up nearly 30%, 40%.
Unger: In fact, I think you said by comparison versus last year, at the same time, the number of breaches is more than double. Is that accurate?
Aunger: Yes. At the moment, the number of breaches is more than doubled in total. So we’re seeing this across the piece. So this time last year, it was about 54 breaches in same month per month and then 93 in the same period this year. So that’s nearly double where we are.
Unger: So a huge and growing problem. Your report highlighted the results of a study on the vulnerabilities of health care networks and medical devices. Tell us more about that.
Aunger: Yes. So what we find across this piece is that firmwares, for instance, the actual software that’s embedded on these devices, keeping them up to date is a big problem. What we’re also seeing is how—what mistakes happen continually across the organizations. So those mistakes tend to be around misconfiguration, standard configuration, user information.
So this is an interesting one. This is about having standard credentials that people forgot to change. So that means that anybody—out-of-the-box default settings, you probably do that at home, Todd, you don’t change your settings.
Unger: I don’t do that. Now I know better.
Aunger: Right? So people log in, they forget to change the default settings. They leave the default passwords. And this allows people to get hacked. Funny enough, this is the same situation we’re finding in the health care industry and devices, default settings.
I’ve just been at a conference for the last week in San Francisco, the RSA Conference, one of the biggest cybersecurity conferences in the world. And that’s being the same scenario that we’re finding, continually misconfiguration of passwords, not keeping the systems up to date, not really understanding what systems are accessing what in the organization and what’s being sent outside.
So that’s a really big problem, continually. Known vulnerabilities that are not being fixed. So as that happens across the board, it’s creating a vulnerability threat landscape that the bad actors can use.
Unger: So just an initial direction. If your password is password, make sure to change that.
Aunger: Password. Or the other one that everybody seems to use is 1234567, or Password1. What the other interesting factor that we found out is, over the many years, we’ve moved from this landscape of people changing passwords every 90 days, 180 days, that’s actually a bad thing because what we found continually is people use Password as—for an example, and then they put a one on the end, and then a two, and then a three, and then a four, is they just change the password.
That actually makes it worse because they know how to do that. They look for those.
Unger: So is there a better way to do that?
Aunger: Yeah. So actually now, using password managers is the better way of doing it. Using a password manager—many out there—and not knowing your password. So using a password manager and having longer passwords, letting it create a password for you that’s variable. And you can use these password managers across smartwatches, smart devices, connect those passwords together, and then it means that you’re not having to create like one that you know.
Definitely do not use the same password across everything. And using that all the time actually gives you a harder landscape and a harder attack surface for the bad people in the world to access.
Lastly, we found that multifactor type authentication, using PIN numbers, the little tools that they give you from your bank, et cetera. If you haven’t got that, you need to enable it. Nobody should be using passwords on their own in any shape or form on any of your products that—where multifactor is available, enable it. It’s a big deal. And I would recommend to everybody today in the banking world, go and enable multifactor on your banking platform. It’s just not good sense to just have a password anymore.
Unger: That’s good advice. Charles, one thing I want to ask you a little bit more about—because we’re talking about breaches into systems, but let’s look at the topic of medical devices because we’re seeing vulnerability there in that arena. What are some of the initial steps that health systems and practices should take to mitigate issues around medical devices?
Aunger: Absolutely. So we’re seeing things like Philips, GE, others, where they’re having medical devices that are being vulnerable—have vulnerabilities on them that are known vulnerabilities. Again, the first thing is you should be contacting your medical vendor. You contact Philips, contact your providers, whichever ones they are, and check if there’s any patches or any fixes for those vulnerabilities that are there.
If you’re—get hold of your IT department. Your IT department should be looking into this, and making sure that the configurations are correct and actually to the recommendations of the vendors inside your security product. We actually have some mitigation steps for those as well. Making sure that the network configuration and protection around your network is correctly set up.
So it seems very strange in the world that I live in, but making sure that small practices have a firewall of some kind, making sure that we know where the data is going outside that firewall. So having an IT professional look at that and making sure there’s no spurious data just leaving your building to the middle of nowhere. It’s amazing what you find.
Even looking at my house, I can see strange data going from different devices I have in my house out into the world. And that’s an important thing. And lastly, make sure that, again, you’ve got the default configurations that have not—have been changed. If it has an administrative password on some of these devices, which tends to have or PIN lock code, make sure they’re enabled.
Unger: Charles, you mentioned firewalls. You mentioned the password issue again. Is there anything else that physicians can do to minimize the chances of something like this happening in their own practices?
Aunger: You know, what we found is people—it tends to be internally created from a lot of ways. So when they’re using email, when they’re using USB sticks—it used to be a big thing. I used to get them sent to me all the time. Free USB stick, put it in your device. Just don’t do it. Just don’t do it. Don’t use freebie USB sticks.
Watch what you’re doing from email. Phishing attacks, people sending data in to you saying, hey, look, click on this. I get them all the time from people like Docusign. I think it’s a Docusign. They’re very, very good. And it says, “Hey, Docusign, there’s a contract you need to update.” People just click on it. That’s—just be aware of what you’re doing.
When you’re using your email, everybody’s really quick to answer emails, just open, answer. Sometimes, that’s not a good thing. If you—you’ve just got to be aware, continually aware of what’s going on. And it’s—that’s the fastest entry point to most people nowadays is via phishing, or sending you devices.
The new one that we’re seeing a lot out there is USB sticks that actually blow up your device. They create a power charge on your device. And so, when you’re—it’s just literally like the movies, when they’ve done what they need to do, they can blow the USB stick up and your motherboard.
Unger: What advantage is there in that?
Aunger: Basically, that is to stop you seeing what they were trying to do on the device. And actually it’s malicious. So if they can’t get what they need to get out of there, they charge the USB stick up. It’s got a capacitor inside and then bounce it into your device to actually blow it up.
People like Chase Bank have had a lot of instances where people have just been walking and plugging them into devices that they see lying around, you know, on desks as they do. Plugging them in, and then as somebody starts messing with it, it actually blows the device up. It’s a pretty malicious attack that people are doing now. So do not use freebie USB sticks that are sent to you.
Unger: So much of what you’re talking about sounds like it’s out of movies. We talked about Star Trek. This sounds like—
Aunger: Absolutely.
Unger: —Mission Impossible here. Charles, one final question. These cyber attacks, they don’t just affect practices. Obviously, they impact patients, too, especially as we talk about medical devices. And we often talk about these issues as tech issues when really we’ve got a patient safety issue at hand. Can you talk a little bit more about that connection?
Aunger: We’ve got a massive patient safety issue, right? So consumer patient safety is a big problem. Having access to information, even blocking people from making phone calls happens, yeah, and getting ahold of people. Spoofing people’s contact details, impersonating people, ringing up—believe it or not, actually, there’s quite a few—you know, you’ve seen a lot of this impersonation happening to defraud people.
And that’s happening more and more now where they’re ringing up and saying, I’m from a bank or I am from something else. The easiest one that you trust, because we trust, right, is if I ring up and say, I’m from a physician’s practice, or I’m from a health care org, you owe a payment x, y, z. They’ve been looking on that consumers—or that patient’s device and see that, and try and defraud people. That’s a big deal.
And what happens—I wrote a Forbes article a couple of years ago where—and so my data had slightly been changed, inaccurately by actually the organization. But what happens if somebody goes and changes the data? So they’re doing that to actually defraud, possibly, looking at scripts and issuing scripts and actually going—getting pharmacies to prescribe the scripts, and actually getting the drugs out for another individual and not you.
So again, a lot of that now is having notifications enabled. So if you get a notification from your health care org—but it’s good common practice if you don’t know about it, and you don’t see something that’s normal, contact the practice. Contact the organization because you’re the number one person that says, hey, look, I don’t think I’ve been to a pharmacy, or I don’t think that payment is real, et cetera.
Fraud is massive. And that’s what these people are trying to do.
Unger: Charles, for anybody that wants more information and to get the pulse report we talked about, where should they go?
Aunger: Contact HEALsecurity.com. It’s up there and you can download a free copy of the pulse report every month. We make it free. We believe in helping the community. And that’s what it’s all about.
Unger: Charles, thanks so much for joining us. We’re going to look forward to seeing you again soon. To learn more—
Aunger: Thanks so much, Todd.
Unger: To learn more about cybersecurity, physicians can check out the resources on the AMA Ed Hub. We’ll include those links in the description of this episode. So take a look. That wraps up today’s episode and we’ll be back soon with another AMA Update. Make sure to subscribe for new episodes and find all our videos and podcasts at ama-assn.org/podcasts. Thanks for joining us today. Please take care.
Disclaimer: The viewpoints expressed in this video are those of the participants and/or do not necessarily reflect the views and policies of the AMA.