Actual (00:00)
Welcome to Status Secure. Today’s briefing is about the disappearing walls of the hospital. We used to protect acute care patients behind locked doors, physical security guards, and enterprise grade firewalls. Today, through hospital at home programs and remote patient monitoring, we are delivering the same care over the exact same residential wifi routers that teenagers use to play video games. So, CISO, when the hospital bed is in the living room, where exactly is our new perimeter?
The CISO (00:28)
Well, remote patient monitoring, right? That’s RPM. That started with COVID, right? Everybody went home. Healthcare had to figure out how to provide healthcare remotely. So you had telehealth. And then now with the cost of healthcare, if you’ve gone to a hospital recently, you’ll notice for any kind of surgery, you’ll notice that they send you home faster, sooner, right? And then the care is provided at home.
Your recovery is at home. So now it’s the dispersed hospital healthcare system, right? They’re shipping clinical tablets, Bluetooth blood pressure cuffs, and configuring glucose monitors in your home. So that way they can free up beds, right? So they can see more patients. So now your threat surface has extended from the regulated hospital network that’s being monitored into the hostile digital environment. It’s unpatched, default passwords everywhere, consumer home network, like you don’t know if it’s protected or not, depends on how well that person understands security. So the reality is that the enterprise firewall does not matter if the data is being intercepted at the source, at the patient’s living room.
Actual (01:42)
So practically speaking, how does an adversary actually exploit a telehealth kit sitting on a patient’s kitchen table? Like, are they trying to steal PHI or is this a back door into the main hospital network? Like, how does that work? What are their goals here?
The CISO (01:57)
Well, patient data is worth a lot of money. We all know that in the dark web. So what they’re doing is they’re doing like, for instance, Trojan horse scenario, right? Where the threat actor scans residential IP ranges for vulnerable, you know, IoT internet of things. I mean, everybody has them in their homes now. Even your refrigerators are IoTs now. Especially if you have like smart cameras.
Those are easy to hack into. So they pivot to the, instead of trying to attack the hospital, now they’re attacking issued telehealth tablets and devices. So that tablet uses a basic, always-on VPN tunnel back to the hospital’s EHR.
The attacker rides that tunnel straight into your core infrastructure. So the man in the middle, data spoofing, it’s not just about stealing data. It’s about data integrity. So now, you know, a lot of data from these devices is sent unencrypted over home wifi. So an attacker can just sit in the middle and attack the data.
It makes it so much easier for them actually to attack individual homes. I don’t know if you’ve heard, but sometimes they just drive through neighborhoods scanning for open ports. It’s easy enough to do. It’s fast. It’s simple. So now the impact is that the hospital dashboard suddenly shows the remote patient is crashing.
The hospital dispatches an ambulance and diverts resources, creating a kinetic disruption. But think about that. If they could do that on a large scale, what kind of chaos could they cause for hospitals to be really mobilizing all their resources out of the hospital? Now what should be a little bit harder target has become a really soft target, and you’ve created chaos.
Actual (03:50)
Yeah. So we’re trusting these, this, clinical decision-making, to data that’s transmitted over a basic router somebody bought at Best Buy or Walmart, and we’re, they’re deploying these kits and we’re not treating the homes or like, what is their process? With that understanding of, hey, this may be an unsecured network. Does it, does it even matter? Do they even think about it?
The CISO (04:10)
It’s hard, right? Because you’re talking about like making decisions about convenience versus security gaps. I mean, there has to be a balance, but it’s hard because you want it to be easy for the patient. So you want them to be able to take something that’s plug and play. But you’re talking about like patients, elderly people, sick people, people who are not in security.
Mostly, like most of the time. So you’re asking non-technical patients to become technical and that’s just not going to happen overnight. You’re going to give them a plug and play, you know, device. The patient’s going to take it home. They’re not going to, they’re not going to look at security settings when they plug it into their, you know, plug it in. And so now it’s, it’s easy. It automatically joins their home wifi and who knows what kind of security is there.
The problem is that IT teams in health and provider space, oftentimes they look at these devices as part of their hospital’s assets. And they assume that, it went through all the reviews, it’s been approved, it’s authorized to be used, so it’s safe. And they’re relying on the vendor to make it safe.
And we talked about that before, like what happened with Triker, right? So, you know, this is a public facing device that, you know, requires really good strong authentication. Otherwise, it’s just another vulnerable, you know, endpoint that you’re not aware of what’s happening there.
Actual (05:47)
Yeah. And, you know, kind of adding to that thinking of the legal side of things. I’m sure there’s plenty of CYA type paperwork that needs to be signed. It’s out of curiosity though. Let’s say a patient receives wrong medication dosage because something was compromised in the chain here. Maybe, maybe their internet was compromised. I don’t know. So what, what is sort of the legal environment around something like that? If it happens.
The CISO (06:11)
Well, I mean, regulators and courts, they’re not going to hold the patient accountable. They’re going to hold that hospital accountable. The hospital issued the device or informed the patient to use it. The hospital should have done their due diligence in reviewing it. You cannot outsource your fiduciary duty.
If you issue the device and you rely on that data and you’re collecting that data and you’re requiring that data, you are responsible for securing that data. So, you know, the hospital is responsible for keeping, you know, for ensuring like when you’re, the patient is in the hospital that the, you know, that the floors are clean, that everything is disinfected, that it’s safe for the patient. Just because now that’s been expanded into a patient’s home doesn’t remove the hospital’s responsibility. So, failing to encrypt the data, to secure the endpoint, is looked at as the same as leaving some biohazard in the patient’s room. So you can’t, as a, you know,
as a healthcare provider, you have to understand that’s still your responsibility. So as executives and C-suite are scaling hospital at home to get more revenue, right? Because the faster you can move people through the hospital, the more revenue you can generate. And to save the cost, to increase revenue and to save the cost of healthcare, because that’s so expensive now, the physical real estate and staffing, they have to understand that legally the money that they’re saving and the money that they’re now profiting from, they need to reinvest that into securing the distributed perimeter that they have just created.
Actual (08:01)
Yeah, so for people maybe on both sides of the fence, let’s start with the person who’s in the patient’s shoes. What would you, what kind of advice could you give them? Like, hey, let’s say you’re in a situation where you’re receiving telehealth, maybe you have something at your house that’s using your network. What can they do to make sure that they’ve kind of covered their bases?
The CISO (08:21)
I mean, if you’re talking about at the patient, what a patient can do, you can learn security now. There’s YouTube videos, there’s AI. You should want to protect your home. You should want to protect your sensitive data. You can go and learn at least the basics of configuring security on your home Wi-Fi. That’s the basics.
You know, just go in there, learn. So as a patient who’s getting devices or who’s, you know, being, you know, sent home for home care, you know, even before then, you should want to do that. But the least is if you’re getting devices and they’re connecting into your home network, you know, learn a little bit about how to secure your network.
Security configurations, like I said, you can learn them on YouTube now. Look up your Wi-Fi, and your device, and it’ll tell you the configurations actually that you need to set and why you need to set them.
Actual (09:15)
Yeah, and I would say too, like, I’ve seen this with people I know, it’s a, you get your, say you move into a house or whatever and then you do a contract with AT&T or Comcast or Spectrum and they come in and they install the device. Many times they just install it with kind of the factory settings or they install it with something very basic. And I would say, at least for me, the best practice in that
situation is go to your, your router. And like you said, look up YouTube or Google, go to your router and log in and change your, change your password, you know, change the, even change the SSID, which is like the name that it shows up when you look at your wifi, you hit wifi and it was like a name. You can change that name. So it’s not so default. It’s not a default setting. And right. Because if I see, if I’m one of those people driving around,
and I’m looking at all the wifi networks and I see all these ones with default names, I’m probably going to assume they come with the default password, which I’m going to, I’m going to know. So then I can just easily get in some, you know, some basic things and change the name of your wifi network, change your password, or add a password if you don’t have one. And then, and then for the, for the healthcare on the other end of it, the healthcare executives listening, what are some, you know, we’re not going to stop the, we’re not going to say, don’t provide devices. Don’t do telehealth. Like, right. And we also can’t just send IT and security people with every device. So what are some things, some action steps that they can take a look at, review, maybe implement, you know, right after they listen to this.
The CISO (10:45)
Yeah, I mean, one of the, definitely, definitely have a third party vendor security management program, right? So really make sure you’re looking at the vendor who’s supplying the device to you. Like what kind of security are they providing? The other thing is you want to stop relying on your patients to provide the security for your hospital. You can get devices that bypass the patient Wi-Fi and where they have dedicated cellular 5G connections. They don’t have to connect to the home Wi-Fi. They’re directly connected online. And so that way you can control the security better.
You can get an iPad that is connected to the internet without having it connected to your home Wi-Fi. I mean, that’s been around for a long time. So make your vendors do the same. The technology’s out there. It’s been here for a long time. Why not utilize it to make sure it’s more secure? Make that a requirement from your vendors. The other is, you know,
make sure that your hospital is treating those remote clinical devices as though they were unknown devices connected to your network. Verify the device, authenticate the session, encrypt the payload, I mean all the things that you should be doing from a security standpoint. Make sure that’s in place.
Actual (12:15)
Got it. Yeah. So the perimeter is not our four walls of the hospital; it’s the living room. It’s the bedside table, the residential router. When we extend patient care into the home, the security mandate is going to have to follow through the front door. So mission success is about patient safety wherever they’re located. So let’s execute to the standard and we’ll see you next week.