Tuesday, October 25, 2016

I Wonder Just What Effect This Sort Of Disruption To The Global Internet Might Have On E-Health.

It was a bad day for the Global Internet last Friday.
Here is a report:

After massive cyberattack, shoddy smart device security comes back to haunt

Almost everyone affected by the cyberattack had a part to play — from shipping shoddy devices to a consumer apathy towards security.
By Zack Whittaker for Zero Day | October 22, 2016 -- 18:49 GMT (05:49 AEDT) | Topic: Security
Friday morning saw the largest internet blackout in US history. Almost every corner of the web was affected in some way -- streaming services like Spotify, social sites like Twitter and Reddit, and news sites like Wired and Vox appeared offline to vast swathes of the eastern seaboard.
After suffering three separate distributed denial-of-service (DDoS) attacks, Dyn, the domain name system provider for hundreds of major websites, recovered and the web started to spring back to life.
The flooding attack was designed to overload systems and prevent people from accessing the sites they want on a scale never seen before this.
All signs point to a massive botnet utilizing the Internet of Things, powered by malware known as Mirai, which allows the botnet's operator to turn a large number of internet-connected devices -- surveillance cameras, smart home devices, and even baby monitors -- against a single target.
In this case, it was Dyn's servers.
"We're seeing attacks coming from an Internet of Things botnet that we identified called Mirai, also involved in this attack," said Dale Drew, chief security officer at Level 3, in a live stream on Friday, during a time where information about the attack was still scarce.
Level 3 and other firms, including Sophos, said that only a fraction of the half-a-million devices in the botnet were used in the attack, suggesting it could be far more powerful if used again.
Chester Wisniewski, principal research scientist at security firm Sophos, said that this demonstrates "incredible power wielded by just one type of device," and argued that harnessing the power of tens of millions of insecure smart devices "could cause incredible disruptions."
Lots more here:
Almost prophetically we saw this a day or so earlier.

Australian IoT industry told to put security first

The director of the Australian Centre for Cyber Security at UNSW in Canberra has delivered a scathing attack on the IoT industry
Stuart Corner (Computerworld) 18 October, 2016 09:31
Professor Jill Slay, the director of the Australian Centre for Cyber Security at UNSW in Canberra, has delivered a scathing attack on the IoT industry for failing to design in security, on the vendor community for peddling false promises, and bemoaned what she sees as a general lack of leadership in cyber security.
Delivering a speech at the Everything IoT conference in Sydney, Slay opened her presentation by telling the audience: “I am the person who is going to pour cold water on all your enthusiasm.”
Of her role, and that of other security researchers she said: “We have hacked every kind of device you can imagine. We walk a few steps behind you agile people who adopt new things. Then we attack them and tell you why you shouldn’t use them. That is who we are. … Our mantra is: ‘Don’t bolt on the security afterwards, build it in at the beginning.’ Security by design. Hack it to death yourself.”
She called on all involved in IoT in Australia to develop a culture of security as a matter of urgency. “The Internet of things has a bright shiny future, but we are way past the beginning already. We need to build in the security now. I commend you all for your excitement and I trust you will secure everything. Let us develop a culture of security as we develop a culture of agility.”
Meanwhile she accused vendors of making unrealistic promises about their technologies. “I live in Canberra. What I see is the vendor solution to everything. It would appear that we just have to buy the right tool and the right vendor training for the tool and then we will see a system that is secure. If anybody promises you that, it is just not true.”
Lots more here:
There is little doubt this was one of the largest disruptions to the Internet in the US that has been seen in a good while.
Reading about this it seems to me that the classical medical approach of ‘prevention is better than cure’ is even truer than ever! This is an issue that is of rather larger scope than e-Health!
For e-Health clearly the risk in all this is a prolonged inability to access information which is held on the web or in the cloud.
It makes sense that, when planning to use remote services, at least some questions are asked of prospective service providers as to the mechanisms and steps they have in place to mitigate risk from Denial of Service attacks and so on.
It was also really interesting to see just how quickly the attacks became major news. There is a lot of dependency on the net these days!


Anonymous said...

Re: Medicare payments system tender.
There should be some review of the Medicare items, the definitions and payment calculation methods. It may sound easy for a 1 code = 1 payment but (many health workers know) if you have a closer look you see a montage of payment conditions and formulas. Anyone taking the tender must assume that the effort required will be 6x their estimate because of the complexity. Simplifying the payment definitions and calculations would greatly reduce the cost and risks of replacing the current system.

john scott said...

David, the attack(s) raise a number of serious issues for e-health / digital health that need to be placed as priorities for strategic analysis and corrective action.

The first is our reliance on Threat as the starting point for risk identification followed up by management based on Likelihood. The Likelihood aspect resolves to: If it is unlikely then don't spend too much money on it.

The second issue arises naturally from the first. This is the absence too often of a 'Whole of System' perspective. Technology firms and their backers have been touting all the benefits of the Internet-of-Things without, it appears, asking the real questions about implications arising from use of this technology.

E-Health Governance should have been flagging the unacceptability of such Internet-of-Things-based devices in a healthcare setting at least a decade ago. Clearly there has been a failure at the level of governance to connect the two spheres (the physical human sphere of health and the electronic sphere) in regard to basic norms. That is, unless a vendor can provide assurance that the digital device is safe and supports the clinician's Duty of Care, it will not be acceptable for use in our modern health care systems.

We are only just beginning to touch on what needs to change in regard to the relationship between health and digital technology developers and vendors. I suggest that the intent of developers and vendors of digital technology has to change in order for digital technology to enable the health system of the 21st Century.

Bernard Robertson-Dunn said...

Adding to John's astute observations, I'd like to quote from today's SMH in their reports of the census problems:

"While the (ABS) had contracted IBM to defend its sites against attacks, its behaviour after awarding the contract was similar to that of a homeowner who employed a builder but then rarely went on site to check how work was progressing, Mr MacGibbon said."

The Department of Health, as the ultimate owner of the My Health Record, does not have the technical or Information Management skills and experience to oversee such a complex, multi-discipline, multi-objective system.

Over many years the Federal government has been reducing the number of scientists, engineers and Information System and Information Management System experts who can advise the government and make sure that the developers and vendors are delivering what is really needed, not just what has been cobbled together in the business case or RFT.

The government should not rely on external technical expertise and/or vendors most, if not all, of whom have conflicting agenda.

The government may have got what it asked for, but it hasn't got something that delivers better and more efficient health care.

Peter said...

Obama recently commented that IT should take a more medical approach to security rather than the current military approach.
In real terms this means more than just blocking and countering attacks. It means assuming that there WILL be incursions and immune systems need to be built to restrict the scope of damage, automated repair capabilities and resilient systems that can adapt quickly to multiple challenges. Other readers of this blog are more qualified than I to provide insights on what concepts might be helpful.
However, adaptation of the ideas to the realities of computing is something that IT professionals need to be involved in. From my view of eHealth it appears that most of the decision makers have a medical background with some IT experience rather than having any in-depth experience of the capabilities - and constraints - of technology.
Sorry, that is a bit of a sore point, I'll leave it now.

With respect to the attack from IoT, this is something the Security people have been predicting for some time. Embedded code is rarely, if ever, updated and hence security holes are never patched. Even if new devices are created with tighter controls, there is still an enormous installed base that will be dangerous for decades. Few of these are likely to actually be medical devices, CCTV is apparently one of the major sources of the current issue, but health systems need to be designed to withstand both mass attack and subtle intrusion.
At the same time IoT is way too valuable to the medical industry to be disregarded out of hand. The possibility of monitoring an out-patient to the same level as a current ICU could save millions of lives and billions of dollars. Of course it is necessary to make sure the baddies are not able to turn off someone's pacemaker but we need to be careful not to throw out the baby with the bathwater.