Ignore Uncle Sam's 'voluntary' cybersecurity goals for hospitals at your peril

If you are responsible for infosec at an American hospital or other healthcare organization, and you treat the US government's new "voluntary" cybersecurity performance goals (CPGs) as, well, voluntary, you're ignoring the writing on the wall.  Plus, you're going to be in for a world of hurt when new regulations – which will …

  1. Version 1.0 Silver badge

    I've been able to ignore this for years

    I worked with a programmer to create a few technical applications for hospitals about 18 years ago that the American military also found useful. The initial discussions with the military users resulted in an update that totally eliminates all internet access requirements, or even abilities. We find the local network but are completely inaccessible via the internet. I see a ton of outside malware workers trying to hack us and always failing, because our applications completely eliminate internet access, only allowing local network access if the user does it, and we are blocking all external access.

    My attitude is that if you are trying to hack us then stick your finger up your arse to feel better.

    1. Anonymous Coward

      Re: I've been able to ignore this for years

      I presume that neither you, nor the US Military, understand the term 'lateral.' That's when the criminals hack the printer in the office next to you, and then attack you from your local LAN. Or they hack HP, Epson, or Xerox, and let them handle the deployment.

      1. martinusher Silver badge

        Re: I've been able to ignore this for years

        A printer should be a passive device -- it should speak only when spoken to. Unfortunately these days manufacturers desperately need their devices to constantly phone home so they can try to monetize every aspect of their operation. It's this totally unnecessary functionality that opens the door for hacking.

        So if I were desperately worried about security I'd get an old FX-80 (dot matrix printer) or something like that. Not in the slightest bit sexy, but "try hacking that!"

        The same goes for other peripherals. You just don't need to put a full stack in every coffee maker or refrigerator -- they don't need to initiate conversations with other devices and any attempt to do so should be regarded as suspect. Marketing will have conniptions but you'll sleep a lot easier.
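The two comments above describe the same control from opposite sides: a printer compromised as a pivot into the LAN, and a peripheral that should never start a conversation on its own. The following is an added example, not code from any commenter, of how a defender could audit flow records for exactly that: any connection initiated by an inventoried passive device, split into "phone-home" (leaving the LAN) and "lateral" (reaching another local host). The flow-line format, the addresses and the allowed-initiation list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records in a hypothetical "src dst dport proto"
# summary format; real NetFlow/firewall exports need their own parser.
SAMPLE_FLOWS = """\
10.0.5.10 10.0.5.40 9100 tcp
10.0.5.40 52.96.100.10 443 tcp
10.0.5.40 10.0.5.11 445 tcp
10.0.5.12 10.0.5.40 631 tcp
10.0.5.40 10.0.5.2 53 udp
"""

# Devices that should only answer, never initiate (constructed inventory).
PASSIVE_PERIPHERALS = {"10.0.5.40"}  # the office printer
# The only conversations the printer may start itself: DNS to the local
# resolver. Anything else it initiates is treated as suspect.
ALLOWED_INITIATIONS = {("10.0.5.2", 53, "udp")}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    kind: str  # "phone-home" (leaves the LAN) or "lateral" (another local host)


def classify(src: str, dst: str, port: int, proto: str):
    """Return a Finding if a passive device initiated a non-allowed flow."""
    if src not in PASSIVE_PERIPHERALS:
        return None  # inbound to the printer, or unrelated hosts: fine
    if (dst, port, proto) in ALLOWED_INITIATIONS:
        return None
    kind = "lateral" if ipaddress.ip_address(dst) in LOCAL_NET else "phone-home"
    return Finding(src, dst, port, kind)


def audit(flows: str) -> list:
    findings = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        finding = classify(src, dst, int(port), proto)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.kind:10} {f.src} -> {f.dst}:{f.port}")
```

On the sample data this flags the printer's outbound 443 connection as a phone-home and its connection to a workstation's port 445 as lateral, while print jobs sent to the printer and its permitted DNS lookups pass.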

  2. Tron Silver badge

    Governments aren't there to make life easier.

    Medical practitioner use of tech is interesting as they use it throughout their shifts, but sporadically. To do a 2FA login every time they want to check something would be so cumbersome it would impact patient care. Sometimes, best practice is not viable. It is sensible to keep your private stuff entirely disconnected from the public internet - 2 systems on every desk etc. But if the requirements are too much of a problem (functionality, box-ticking or cost), places will have to consider reverting to paper-based systems. It would be safer, cheaper and offer more resilience. Many doctors actually preferred the narrative they used to get in patient records. Modern on-screen records don't do justice to this. Looking at some of the absurd costs of systems such as Birmingham's IT, paper may be a better way to go. It would be interesting to trial it.

    1. usbac

      Re: Governments aren't there to make life easier.

      The solution for 2FA in a medical setting is something like the new Yubikey with NFC. You could have a reader on a keyboard or monitor, and staff only have to pass a key near the scanner.

      There are many ways to fix this. It only takes a commitment to make it happen.

  3. Anonymous Coward

    I currently work in information security. A while back, when I was interviewing for jobs, I interviewed for a small hospital group. I think they had three hospitals in total.

    It became very clear that the person in charge of information security had no clue what to do to protect their infrastructure. I instantly figured out that I didn't want the job, and switched from interviewee to more of a frank discussion about how they are missing the big picture. I have training and certification in Ethical Hacking, and I gave them detailed scenarios of how an attacker would compromise their networks. They weren't even interested in listening to any of it.

    To give an example, they were convinced that by running up to date AV software, they were immune to attack. When I explained to them that someone targeting them for an eight-figure ransom will put together custom malware tailored to their network and infrastructure, that their precious AV will never have seen before, they just laughed. Any competent hacker would own their network in minutes.

    I interviewed at another large local hospital where they had recently hired a new CISO after they were forced to have an external cybersecurity audit conducted. The list had over 240 items that needed to be remediated. Then, I find out that this new CISO was an exec at IBM before being hired there. This was a definite "run like hell..." situation.

  4. ecofeco Silver badge

    Same experience here

    My experience is the same as the other comments: far too many orgs are WAY behind in their entire IT systems in every way. From 10 year old PCs to 10 year old servers and even cabling. Do not get me started on access points, hubs, routers, switches, etc.

    And yeah, updates are going to be costly because they are so far behind.

    1. Dimmer Silver badge

      We are looking in the wrong place to fix the problem

      If your car has a dangerous safety defect, the gov pounces on the manufacturer and requires them to fix it free of charge.

      Microsoft produces software that is hard to secure due to many things that constantly change that the user can't control. At some point, they need to be held accountable. Change my system without my permission, it is on them.

      Sending out a patch is not being held accountable. It is like politicians investigating themselves. Lots of noise, but nothing changes. I can only secure the system if it is under my control.

      1. ITS Retired

        Re: We are looking in the wrong place to fix the problem

        "Microsoft produces software that is hard to secure due to many things that constantly change that the user can't control. At some point, they need to be held accountable. Change my system without my permission, it is on them."

        Especially when quality control rests more on the end user than on the source corporation.

    2. usbac

      Re: Same experience here

      The problem is that almost everything "new" is bloated, insecure crap filled with spyware telemetry. How is "upgrading" an improvement?

      1. Anonymous Coward

        Re: Same experience here

        It's only an improvement if the bugs in the previous version were fixed successfully, and without introducing new ones.

  5. MacGuffin

    Enter Scotus

    “The proof is in the federal rule making process”.

    And all one has to do is sue, bring it before the Supreme Court and SCOTUS will roll out the “Major Questions Doctrine”, say the agency cannot make rules and burn the house down.
