Healthcare Data Security
Healthcare Data Security Technology Roadmap
- 2HDS Healthcare Data Security
Roadmap Overview
The context, working principles, and architecture for healthcare data security is shown in the following diagram. Security countermeasures are required to address potentially compromising threats, which are extending beyond privacy concerns for Personal Healthcare Information (PHI) to potential disruption, interference, and attack directed at equipment present in clinical, hospital, and emergency room settings. These devices are referred to as the Internet of Medical Things (IOMT), and also as connected medical devices. <ref>Marr, Bernard. “Why The Internet Of Medical Things (IoMT) Will Start To Transform Healthcare In 2018.” Forbes. Accessed December 3, 2020. https://www.forbes.com/sites/bernardmarr/2018/01/25/why-the-internet-of-medical-things-iomt-will-start-to-transform-healthcare-in-2018</ref>
Health is an essential aspect of life, connected to each individual and to families and our societies, as well as forming an integrated element of the economy. Distributing healthcare to the point of care may improve outcomes, reduce risks, and reduce costs. Patients, healthcare workers, and healthcare organizations require trust in the security of these systems in order to adopt the systems and to avoid losses. Regulation is primarily made at the national level and requires that health privacy and security are effectively achieved. Compliance to HIPAA requirements apply in the United States<ref name="HIPAA">CDC.gov HIPAA description,“Health Insurance Portability and Accountability Act of 1996 (HIPAA) | CDC.”</ref> , and the EU General Data Protection Regulation (GDPR) applies to operations within EU countries, to data about EU residents, and to any organization that interacts with data of citizens of EU countries.<ref name="GDPR">THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION, General Data Protection Regulations (GDPR), 2016.</ref> Healthcare coordination and efficiency may be improved through the use of electronic medical records / electronic health records (EMR / EHR) which may be maintained using on-premises or by using cloud computing services. Over the past decade, increased adoption has focused an attention on the need for systems and technologies to provide for security and privacy while maintaining efficiency and scalability.<ref name="Colicchio_2019">T. K. Colicchio, J. J. Cimino, and G. Del Fiol, “Unintended consequences of nationwide electronic health record adoption: Challenges and opportunities in the post-meaningful use era,” Journal of Medical Internet Research, vol. 21, no. 6. Journal of Medical Internet Research, p. e13313, Jun. 01, 2019, doi: 10.2196/13313.</ref><ref name=Al-Issa_2019>Y. Al-Issa, M. A. Ottom, and A. Tamrawi, “Review Article eHealth Cloud Security Challenges: A Survey”, 2019, doi: 10.1155/2019/7516035.</ref>
This roadmap study focuses on the topic of securing healthcare data, with an emphasis on medical devices that measure and/or interact with patients. Specifically, the technology includes
healthcare data security applied to internet connected medical devices through medical device security technologies. This space includes security measures aimed to mitigate risk associated with 1) malicious threat actors, purposefully attempting to collect data that these individuals should not have access to, as well as 2) accidental data disclosure, with no malicious intent behind the occurrence, and 3) disruption, interference, or attack directed at equipment present in clinical, hospital, and emergency room settings. These devices are referred to as the Internet of Medical Things (IOMT). Examples include vital signs monitoring, medical imaging, IV and infusion systems, and medical instruments. <ref name="Taylor">K. Taylor, M. Steedman, A. Sanghera and M. Thaxter, Medtech and the Internet of Medical Things: How connected medical devices are transforming health care. London: Deloitte Centre for Health Solutions, 2018.</ref> Technologies providing security countermeasures are addressed in detail in this roadmap. The risks articulated below are key drivers for technology improvements as well:
Design Structure Matrix Allocation
The Healthcare Data Security (2HDS) tree that is extracted from the Design Structure Matrix (DSM) above shows 2HDS within the context of a larger Health Delivery Organization IT Environment (HDOITE). Healthcare data security (2HDS) is applied to internet connected medical devices (2ICMD) through Medical device security technologies (3MDS). Intrusion Detection Systems (3IDS) and Intrusion Prevention Systems (3IPS) work to detect and block the proliferation of malicious activity or binaries on a Healthcare Delivery Organization’s (HDO) network, whereas Next Generation Firewalls (3NGFW) blocks activities at the perimeter, provides protection at the application/asset level, and incorporates some of the IPS functionality. <ref>J. Pirc, “The Evolution of Intrusion Detection Prevention Then Now and the Future.” https://www.secureworks.com/blog/the-evolution-of-intrusion-detection-prevention (accessed Nov. 29, 2020).</ref> <ref>"Next-Generation Firewall,” VMware. https://www.vmware.com/topics/glossary/content/next-generation-firewall (accessed Oct. 25, 2020).</ref> Host-based Intrusion Detection Systems (4HIDS), a sub-technology of 3IDS, are agent-based and applied at the endpoint level. Network-Based Intrusion Detection Systems are analyze network behavior instead of endpoint artifacts, and both of these technologies can incorporate prevention capabilities well.<ref name="Khraisat">A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, “Survey of intrusion detection systems: techniques, datasets and challenges,” Cybersecurity, vol. 2, no. 1, p. 20, Jul. 2019, doi: 10.1186/s42400-019-0038-7.</ref> Wireless Intrusion Protection Systems (WIPS) is specifically applied to technologies that communicate over wireless networks, which is true of many internet-connected medical devices.<ref>J. R. Vacca, Managing Information Security. Syngress, 2010.</ref> Denial of Service Protection Mechanisms (4DOSPM), Ransomware/Botnet Protection Mechanisms (4RBPM) and Malware/Antivirus Protection (4MAVP) are all technical capabilities embedded in various flavors of security products including IDS, IPS and NGFWs, and can be enabled or disabled based on end-user preferences.<ref> “CERTIFICATIONS | NetSec OPEN,” NetsecOPEN. https://www.netsecopen.org/certifications (accessed Dec. 01, 2020).</ref> Internet Connected Device Discovery (4ICDD) and Network Access Control (4NAC) support Medical Asset Visibility Mechanisms (3MAVM), a highly pertinent technology for HDOs, which often are not aware of all devices that are internet-facing, resulting in unknown vulnerable medical devices exposed to external threat actors, or threat actors connecting to the network posing as just another medical device on the network.<ref>“Cyber Security Challenges in Healthcare IoT Devices,” The State of Security, Jun. 20, 2019. https://www.tripwire.com/state-of-security/security-data-protection/iot/cyber-security-healthcare-iot/ (accessed Oct. 25, 2020)</ref>
Roadmap Model Using OPM
An OPM model is provided here for the 2HDS roadmap in the figure below. This diagram captures the main object of the roadmap (Healthcare Data Security), its decomposition into subsystems (Human Actors, Data Storage Systems, Communication Processes that interact with the Communication Channel, Securing Processes that interact with the Health Information Technology Environment, Health Organizations including Insurer, Service Provider or Lab, Public Health Agency, and Family/Caregivers), its characterization by Figures of Merit (FOMs) as well as the main processes (Communicating, Storing, Retrieving, Securing, and Managing). The potential Threat Actor is identified with the potential for the damaging process of Exploiting vulnerabilities in the elements of the system.
An Object-Process-Language (OPL) description of the roadmap scope is auto-generated by the OPCLOUD software and is given below. It reflects the same content as the previous figure, in a formal natural language.
Figures of Merit
Healthcare data security as it applies to cyber threat detection and prevention for medical devices in a Healthcare Delivery Organization (HDO) setting (e.g., hospital, clinic) involves a confluence of considerations in order to ensure meaningful Figures of Merit support the Penultimate Frontier’s Technology Roadmap:
| Type | Topic | Details<ref name="Taylor"></ref><ref>Connected Medical Device Security: A Deep Dive into HDO Networks,” Forescout. https://www.forescout.com/connected-medical-device-security-report/ (accessed Nov. 13, 2020).</ref><ref>“The IoT within us: Network-connected medical devices - Synopsys,” Software Integrity Blog, Sep. 14, 2018. https://www.synopsys.com/blogs/software-security/network-connected-medical-devices/ (accessed Nov. 17, 2020).</ref><ref>M. Fagan, K. Megas, K. Scarfone, and M. Smith, “Foundational Cybersecurity Activities for IoT Device Manufacturers,” National Institute of Standards and Technology, NIST Internal or Interagency Report (NISTIR) 8259, May 2020. doi: https://doi.org/10.6028/NIST.IR.8259</ref> |
|---|---|---|
| Healthcare | HDO IT environments versatility | The HDO IT ecosystem have specific types of assets that distinguish it from other environments. They are much more variable in that they include point-of-care medical devices (e.g., insulin pumps, heart monitors) that often connect to the internet, typical IT infrastructure with HIPAA-protected data, and a high number of systems with connectivity to third parties like billing/transaction firms (often subject to PCI regulations) and other HDOs. Privacy considerations are an essential consideration. |
| Internet of Medical Things (IoMT) | Internet-connected medical devices are often easy to deploy and use but difficult to maintain. They are lightweight therefore do not have much processing power, and therefore can be negatively affected by security solutions. They are also often operating on old operating systems no longer supported, and therefore have a high number of vulnerabilities threat actors can exploit. If a medical device is compromised, associated risks can range from a loss of sensitive patient data to patient loss of life. | |
| IT | General cybersecurity threat detection and prevention | This takes into consideration security solutions like intrusion detection and prevention systems, as well as next generation firewall capabilities. Technology solutions that identify, monitor and control which assets are on the network are essential as well. |
| Network and infrastructure limitations | These are factors like processing power and network bandwidth that affect either the security solution (e.g., IDS/IPS) or technology asset (e.g., server) itself. |
Healthcare Data Security Figures of Merit include the following:
| Category | FOM | Units | Description |
|---|---|---|---|
| Healthcare Data Privacy | PHI Data Safety Ratio | Ratio - See Description | A key objective of securing healthcare data should be to avoid sensitive data leakage or theft. This FOM aims to show a proxy measure for how well Protected Healthcare Information (PHI) and unencrypted ePHI (electronic PHI) was protected in the event of a data breach. Specifically, this measure takes the total number of healthcare data breaches involving more than 500 records in the US per year (# of recorded healthcare data breaches), and compares this to the sub-set of incidents that successfully did not include theft or loss of PHI or unencrypted ePHI. This would include but is not exclusive to medical devices that are compromised. This helps to show that the most fundamental aspects of the technology are working, even as the cyber attacks against HDOs as an absolute number are increasing significantly. |
| Accuracy <ref name="Khraisat"></ref> | Detection Rate | % Malicious Attempts Detected | This is the number of true positives divided by the total number of malicious procedural events. An event is defined as a discrete occurrence within the system and is logged with its own code or object. As an example, a type of event could include steps to execute a denial of service or ransomware attack on a hospital. No true negatives or false positives are included in this FOM. Essentially, the FOM answers the question, “For all malicious activity, how much was detected?” with the understanding that no benign activity was part of the scope for this FOM. This is important, because although the presence of false positives are not ideal from an end-user standpoint, the risk associated with a false negative (i.e., an attack is incorrectly categorized as normal activity) is much greater. |
| Classification Rate | % Accurately Detected Events | This is the secondary accuracy FOM to the one above. Classification Rate is the term in industry for overall accuracy, which is defined as (true positives + true negatives)/all events. | |
| Scalability/Performance <ref>J. Arshad, M. Azad, K. Salah, W. Jie, R. Iqbal, and M. Alazab, A Review of Performance, Energy and Privacy of Intrusion Detection Systems for IoT. 2018.</ref><ref name="Ullah">F. Ullah and M. A. Babar, “Architectural Tactics for Big Data Cybersecurity Analytic Systems: A Review,” arXiv:1802.03178 [cs], Feb. 2018, Accessed: Nov. 30, 2020. [Online]. Available: http://arxiv.org/abs/1802.03178.</ref> | First Time to Byte (FTTB) | ms | This FOM measures latency. This is the elapsed time between sending the SYN packet from the client and receiving the first byte of data. |
| Mean Time to Response (MTTR) | ms | Time it takes for the security tool to identify and take action on malicious activity in the aggregate (could be monthly, over a vendor test period, etc.). “Take action” refers to actions such as detection, security event logging, blocking or quarantining. | |
| Minimum Memory Usage Required | Gig RAM | This is the minimum memory allocation required in order for the threat detection/prevention capability for a healthcare security tool to function consistently as intended. A lower number of required Gigs is preferred, especially within the context of lightweight internet-connected medical devices. | |
| Average CPU Usage | % CPU Usage | CPU usage as a percentage of total capacity is the standard unit of measure. This is a measurement of the average required compute needs over a set period of time for the threat mitigation technology. | |
| Compatibility <ref name="Ullah"></ref> | Asset Coverage Potential | Ratio – See Description | Total number of internet-connected medical devices that can be covered by the technology (i.e., is protected) compared against the total number of internet-connected medical devices within a given network. |
| Health Data Security Figure of Merit: PHI Data Safety Ratio |
|---|
| Publicly available data collected by the Office of Civil Rights (OCR) helped the team to create a meaningful PHI Data Safety Ratio as a FOM. The data available includes the total number of discrete healthcare data breaches that involve more than 500 healthcare records from 2009-2019. As a subset of this data, the OCR recorded the number of loss or theft incidents that included PHI or unencrypted ePHI.<ref>“Healthcare Data Breach Statistics,” HIPAA Journal. https://www.hipaajournal.com/healthcare-data-breach-statistics/ (accessed Oct. 01, 2020)</ref> We took the delta between these two data sets to look at the number of incidents that did not include PHI (or unencrypted ePHI), using this as a proxy for safety. This allows the team to plot a lack of sensitive data loss and therefore a success of healthcare data security implementations between 0 and 1 inclusive, with 1 (i.e., no incidents with PHI or unencrypted ePHI) as the goal and theoretical limit. The conceptual stage of technology would be Stagnation. However, this will likely end up interlocking with a new trend-line as both attacks and breaches are applied to different assets, in this case being IoMT. |
Company vs. Competition
Security for the Internet of Medical Things (IoMT) is a relatively new industry with data often kept confidential. Key players in the medical device security space include companies such as CyberMDX, Medigate, Armis (acquired by Insight Partners), and Palo Alto Networks. These vendors have not subjected their tools to broad public assessments yet, nor are the underlying detection or visibility technologies well known. A general sense of relative position in industry based on a Forrester survey released in Q2 2020<ref name ="Forrester"></ref> is as follows:
However, there are many established security vendors that serve HDOs as part of their larger client base as well. Some of these firms, like Palo Alto Networks, have more heavily prioritized IoMT -- the firm recently acquired Zingbox <ref>HealthITSecurity, “KLAS Finds Zingbox, Ordr Lead IoMT Market Considerations,” HealthITSecurity, Oct. 01, 2019. https://healthitsecurity.com/news/klas-finds-zingbox-ordr-lead-iomt-market-considerations (accessed Oct. 25, 2020).</ref>, and IoMT security company. The Penultimate Frontier therefore selected vendors that were either a) also a player in the Medical or general IoT space, or b) has integrations with the medical device detection vendor tools. Minimum required Gig serves as a measure of minimum resource usage (processor requirements were not consistent enough to use), with fewer RAM usage preferred.
Based on where the Penultimate Frontier sits in this space today, the company strategy would be to improve Detection Rate at the expense of required RAM usage if investment dollars were a constraint. This is because Palo Alto Networks, which is even further to the left of the Penultimate Frontier, is considered a successful player in the space, and the resource requirements do not serve as a significant deterrent at this time. Detection rate is a key FOM within the industry and studied in academia, and therefore the firm should prioritize improving this capability as much as possible within this context. Note that the below is specific to the firms' Endpoint Detection and Response (EDR) solution.
Sources: MITRE APT29 Evaluations<ref>ATT&CK® EVALUATIONS.” https://attackevals.mitre-engenuity.org/APT29/results/paloaltonetworks/allresults.html (accessed Oct. 27, 2020)</ref><ref>“ATT&CK® EVALUATIONS.” https://attackevals.mitre-engenuity.org/APT29/results/kaspersky/allresults.html (accessed Oct. 27, 2020)</ref><ref>“ATT&CK® EVALUATIONS.” https://attackevals.mitre-engenuity.org/APT29/results/symantec/ (accessed Oct. 27, 2020)</ref><ref>“ATT&CK® EVALUATIONS.” https://attackevals.mitre-engenuity.org/APT29/results/vmware/ (accessed Oct. 27, 2020)</ref>, a well as company product documentation<ref>“ATT&CK® EVALUATIONS.” https://attackevals.mitre-engenuity.org/APT29/results/vmware/ (accessed Oct. 27, 2020)</ref><ref>]“Kaspersky Endpoint Detection and Response (EDR) | Kaspersky.” https://usa.kaspersky.com/enterprise-security/endpoint-detection-response-edr (accessed Dec. 03, 2020).</ref><ref>“System requirements for Symantec Endpoint Protection.” https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/system-requirements-for-v53308029-d69e1453.html (accessed Oct. 27, 2020).</ref><ref>“VMware Carbon Black Cloud Endpoint Sensor System Requirements | Dell US.” https://www.dell.com/support/article/en-us/sln319296/vmware-carbon-black-cloud-endpoint-sensor-system-requirements?lang=en (accessed Oct. 28, 2020).</ref>
Technical Model: Morphological Matrix and Tradespace
Morphological Matrix<ref>A. Burns, M. Johnson, and P. Honeyman, “A brief chronology of medical device security,” Communications of the ACM, vol. 59, pp. 66–72, Oct. 2016, doi: 10.1145/2890488.</ref><ref>“New Tech: Medical Device Security, Q1 2020.” https://www.forrester.com/report/New+Tech+Medical+Device+Security+Q1+2020/-/E-RES157312?objectid=RES157312 (accessed Oct. 23, 2020).</ref><ref>F. Badrouchi et al., “Cybersecurity Vulnerabilities in Biomedical Devices: A Hierarchical Layered Framework,” in Internet of Things Use Cases for the Healthcare Industry, Springer, 2020, pp. 157–184.</ref><ref>HealthITSecurity, “Cybersecurity in 2020: IoT Medical Devices, Ransomware, Legacy OS,” HealthITSecurity, Dec. 12, 2019. https://healthitsecurity.com/news/cybersecurity-in-2020-iot-medical-devices-ransomware-legacy-os (accessed Oct. 25, 2020).</ref><ref> “Cyber Security Challenges in Healthcare IoT Devices,” The State of Security, Jun. 20, 2019. https://www.tripwire.com/state-of-security/security-data-protection/iot/cyber-security-healthcare-iot/ (accessed Oct. 25, 2020).</ref><ref>O. Media, “1. Internet of Things (IoT) - Scalable Architecture for the Internet of Things.” https://learning.oreilly.com/library/view/scalable-architecture-for/9781492024132/ch01.html (accessed Nov. 17, 2020).</ref><ref>M. F. Elrawy, A. I. Awad, and H. Hamed, “Intrusion detection systems for IoT-based smart environments: a survey,” vol. 7, Dec. 2018, doi: 10.1186/s13677-018-0123-6.</ref>
Part 1
There is a high level of option variability in this space, each with particular cost/benefits. For example, from a solution-type standpoint, network-based tools are highly efficient but often fare poorly for zero-day cyber attacks or new variants. Host-based technologies are the opposite. This has led to the drive towards hybrid solutions. Wireless solutions are more applicable to mobile devices, which includes IoMT. While the general benefits, challenges and interrelationships among FOMs and decision variables are known, specifics are often difficult to find in literature given the apples-and-oranges comparisons and lack of real-to-life underlying assumptions in a test environment. Additionally, private cybersecurity firms do not wish to expose proprietary information regarding how their tools work.
That being said, The Penultimate Frontier leveraged first principles and available data to articulate relationship that would drive technologies progress. By collecting analyzing data via ImageNet algorithm winners<ref>A. Khan, A. Sohail, U. Zahoora, and A. S. Qureshi, “A Survey of the Recent Architectures of Deep Convolutional Neural Networks,” Artif Intell Rev, vol. 53, no. 8, pp. 5455–5516, Dec. 2020, doi: 10.1007/s10462-020-09825-6</ref> <ref>V. Sze, Y.-H. Chen, T.-J. Yang, and J. Emer, “Efficient Processing of Deep Neural Networks: A Tutorial and Survey,” arXiv:1703.09039 [cs], Aug. 2017, Accessed: Oct. 28, 2020. [Online]. Available: http://arxiv.org/abs/1703.09039</ref>a general relationship between the number of parameters, and depth of the algorithm and accuracy is logarithmic:
From here, the Penultimate Frontier estimates that there is also a logarithmic relationship between the percentage of the technical estate that is covered by the detection algorithm and detection accuracy. For example, detection of anomalous behavior within a hospital’s network requires a minimum percentage of visibility in order to be accurate for that hospital, as opposed to in a test setting using a sample dataset. This is the concept behind CrowdStrike’s Endpoint Detection and Response (EDR) technology<ref>“Healthcare Cybersecurity Solutions | CrowdStrike,” crowdstrike.com. https://www.crowdstrike.com/healthcare/ (accessed Oct. 28, 2020).</ref> – greater, personalized accuracy for a network can be acquired via a crowd of endpoints, which for our purposes are medical devices.
From a constraints standpoint, these detection algorithms have computational limits due to processing power<ref>F. Lin, Y. Zhou, X. An, I. You, and K. R. Choo, “Fair Resource Allocation in an Intrusion-Detection System for Edge Computing: Ensuring the Security of Internet of Things Devices,” IEEE Consumer Electronics Magazine, vol. 7, no. 6, pp. 45–50, Nov. 2018, doi: 10.1109/MCE.2018.285172</ref>. As algorithmic complexity via a greater number of parameters and depth increases, so to do the required instructions. Based on the literature and analysis, complexity has a logarithmic relationship with computations as well. We will set the FOM equation variables as follows:
Key FOMs
Part 2
If we then want a proxy for efficiency of a system, these should be looked at in relation to the FOM Average CPU Usage given both are already normalized figures. This leads to the relatively simple relationship of:
| Efficiency Ratio |
|---|
| Efficiency = Classification Rate (%) / 4*Average CPU Usage (%) |
An Efficiency Ratio greater than 1 can be considered meaningfully efficient, whereas less than 1 may indicate inefficient use of compute resources given the quality of the detection tool. Each of these FOMs are naturally bound as a percentage, with Average CPU Usage constrained by security tool efficiency and processing power technology, referenced in the next section.
Part 3
In 2020, the University of New Hampshire’s InterOperability Lab started a service to objectively certify different security solutions<ref>“CERTIFICATIONS | NetSec OPEN,” NetsecOPEN. https://www.netsecopen.org/certifications (accessed Dec. 03, 2020).</ref>. This is significant in that it serves as an objective, standardized assessment across multiple product offerings. We took the FOM First Time to First Byte as a proxy for possible detection speed given its relationship with latency, and viewed that in relation to Detection Rate.
While this shows the relationship with Detection Rate, we can assume broadly the same relationship between speed and the overall Classification Rate already discussed above. Given detection speed F in ms, Classification Rate R and Asset Coverage Potential s, this generates the following relationship:
Theoretical speed can be optimized through the use of Amdahl's law<ref>"Amdahl’s law,” Wikipedia. Dec. 02, 2020, Accessed: Nov. 29, 2020. [Online]. Available: https://en.wikipedia.org/w/index.php?title=Amdahl%27s_law&oldid=991970624</ref> given assumptions about upgrades to processing:
- L is the theoretical speedup of the execution of the task as a whole
- t is the number of parallel processes
- e is the proportion of execution time that the portion benefiting from improvements in resources originally included
The more processors added to the system based on hardware and architecture considerations, the greater the speed potential that could affect the Classification Rate. Hardware optimization is outside the bounds of this analysis.
Financial Model and R&D Projects
Overview
The overall value to a customer to properly secure networked medical devices, or an Internet of Medical Things (IoMT) device, against attacks is to be able to identify and prevent a cyber attack from exploiting the device. While there are several mechanisms to do this (e.g., encryption, vulnerability management, different segregation for network deployments), the value of a distinct intrusion detection and/or prevention solution, at its core, can be summarized here as the ability to detect a true positive cyber attack in near real-time. False positives, while a nuisance to the customer due to potential business disruption, are far less of a risk than a false negative – i.e., behavior on the network or device that is misidentified as benign. Therefore, while ease of use is a factor for why a customer would value a product, it is a secondary consideration.
The drivers of this value to the customer can be broken down in the following ways:
| # | Category | R&D Investment/Tech Infusion | Rationale | Key Dependencies | Target Impact Goal |
|---|---|---|---|---|---|
| 1 | Network Visibility | Hybrid host and network, cloud-based solution (Network Intrusion Detection System for IoMT) | Improved scalability; increasing attack surface | Time and resources to adjust tool architecture | Ability to increase volume of medical devices by 10-20% |
| 2 | Network Visibility | Device protocol security inclusion (POCT01, LIS02, DICOM, proprietary)<ref name="Taylor"/> | Improved coverage; increasing attack surface; highly vulnerable protocols | Ability to work with vendors (GE, Philips) to understand proprietary protocols | 10% increase in coverage potential (average % of IoMT devices compatible with tool /hospital) |
| 3 | Detection/prevention capability | Machine Learning-based detection<ref>J. Asharf, N. Moustafa, H. Khurshid, E. Debie, W. Haider, and A. Wahab, “A Review of Intrusion Detection Systems Using Machine and Deep Learning in Internet of Things: Challenges, Solutions and Future Directions,” Electronics, vol. 9, no. 7, Art. no. 7, Jul. 2020, doi: 10.3390/electronics9071177.</ref> | Greater algorithmic accuracy, particularly for detecting new types of threat techniques | Algorithm training time, data set availability, compute resources | 15% improvement in Detection Rate, 5%+ improvement in Classification Rate |
| 4 | Detection/prevention capability | Incorporation of FPGA (Field-Programmable Gate Array) hardware <ref>“World’s fastest open-source intrusion detection is here.” https://www.cylab.cmu.edu/news/2020/11/05-intrusion.html (accessed Nov. 18, 2020).</ref> | Increased detection speed; low bandwidth and energy usage | High engineering costs | 30%+ increase in detection speed given constant throughput size (ms) |
A key component of the financial model is the projected increase in market demand based on the threat landscape. The attack surface of hospitals will increase by at least 20% within a 5 year period, with expected continual growth. The attack surface increase is driven by moving offline medical devices online, or upgrading from older devices to IoMT. At the same time, the increasing attack surface area and a history of successful exploits will drive up the number of attacks on hospitals. From 2019 to 2020, ransomware attacks were expected to quadruple – COVID-19 and the election have altered these estimates, with hospitals experiencing up to a 75% uptick in ransomware attacks since Q1 2020.<ref>“25+ Healthcare Data Breaches Statistics [2020 Updated],” TechJury, Mar. 21, 2019. https://techjury.net/blog/healthcare-data-breaches-statistics/ (accessed Nov. 17, 2020)</ref><ref>“31 Alarming Healthcare Cybersecurity Statistics For 2020,” PhoenixNAP Global IT Services. https://phoenixnap.com/blog/healthcare-cybersecurity-statistics (accessed Nov. 18, 2020)</ref> These trajectories helped to inform our R&D portfolio prioritization and financial model.
R&D Project Portfolio
The presence or lack of presence of the following R&D projects are incorporated into the subsequent financial model. Note that Projects 1 & 2 are prioritized due to the increase in attack surface area and variability in medical device type. The governing philosophy is as follows: It does not matter how accurate an intrusion detection system is if the asset that is meant to be protecting is not even covered by the solution in the first place. Therefore, focusing on network visibility is the first order priority, followed by enhancing detection capabilities (Projects 3 & 4).
R&D Project #1: Shift from host-based solution → Hybrid host and network, cloud-based solution
Improving scalability: Currently, The Penultimate Frontier’s intrusion detection solution is host-based, meaning this is an agent-based deployment (i.e., on each endpoint, either a medical device or the connected server). This makes it difficult to scale across networks that are increasingly putting medical devices online, especially given compute constraints and issues with latency described in previous sections. In 2020 alone, more than 250 million devices shipped to medical providers [CyberMDX]. The aim would be to move to a cloud-based solution with a more centralized architecture to account for an increase in network visibility coverage needs by medical providers. A hybrid approach would balance the ability to detect zero day attacks with the ability to manage the proliferation of medical devices.
R&D Project #2 – + Increase coverage of device binding ports / protocols specific to medical devices
Improving coverage: A customer, such as a hospital, may want to cover and even deploy intrusion detection solutions across their technology estate, but the efficacy of this effort is reliant on the uniqueness of the various types of medical device first coming online. Even if one device, say an MRI machine, in this hypothetical was kept perfectly secure via an intrusion detection tool, if all of the CT scan machines are connected to the network and not compatible with the existing solution, the hospital will either 1) purchase another solution or, more likely 2) keep the CT scan machines online and exposed. Increasing the protocol coverage type for intrusion detection capabilities would enable a larger percentage of a hospital’s online device to be protected. Note that there are two standards that exist today for the interoperability of medical device connectivity – namely, CEN ISO/IEEE 11073. However, many hospital devices use outdated or insecure protocols. While updated this should be the responsibility of the IT stakeholders within a hospital, a good detection tool would be driven off of the reality that these vulnerable areas will exist within a hospital’s network and require enhanced detection. Some device protocols are also proprietary, so either a one-size-fits-all solution or collaboration with those vendors (GE, Philips etc.) would be necessary.
R&D Project #3 – + Add Machine Learning detection to existing signature and anomaly-based detection methodology
Improving algorithmic accuracy: Machine Learning-based detection is better suited to the dynamic threat landscape than current methodologies. Signature-based detection is precise and accurate, with few false positives from an efficiency standpoint, but zero days and malware variants are a large gap. For example, if a known malicious file is delivered by a threat actor in a new way (zipped two times, for instance), then the signature changes and the threat may go undetected. Anomaly-based detection addresses some of these issues, but ML analyzes large amounts of network or endpoint behavior patterns, and can maintain or improve upon accurate detection even as threat techniques change.
R&D Project Option #4 – + Incorporation of FPGA hardware
Improving detection speed: Field-Programmable Gate Array (FPGA) hardware is a relatively new alternative to CPUs or GPUs that increases speed and processing potential. Carnegie Mellon’s Cylab recently created the fastest and most efficient open source Intrusion Detection System at 100 gbs/s/server that is dependent on FPGA to perform. Since this is a newer technology and takes a large amount of engineering resources to implement at this time, The Penultimate Frontier would prefer to take advantage of this technology after additional technological progress is made in this space. There would be a possibility that minimal R&D would be needed in future-state; instead third party technology infusion could be a possibility.
Financial Model
The financial model we are exploring relates to the investments made for cybersecurity in support of IoMT. A set of 4 technology areas relate to the product and service for Penultimate Frontier’s cybersuite, described above. 3 areas relate to the technology applied to the individual medical devices that are at risk for patient care in hospital settings. One additional technology area is the technology for compute resources needed as the infrastructure to support the deployment of the cybersuite capability at the hospital.
| # | Technology Area | Type | Description | Notes for R&D Investments |
|---|---|---|---|---|
| 1 | Scalability | Product technology | Intrusion detection | Move from agent-based to cloud-based |
| 2 | Device Coverage | Product technology | Coverage of device binding ports / protocols | Increase protocol coverage |
| 3 | Detection Algorithms | Product technology | Algorithms to detect activity and identify accurately | Extend machine learning methods for adaptive response |
| 4 | Compute Resources | Deployment infrastructure | Deployment to newly added medical devices incurs a cost for setup | Automation for reducing cost of setup |
Additional key assumptions were baked into the model:
| # | Model element or parameter | Description | Value | R&D Project Target(s) |
|---|---|---|---|---|
| 1 | Large hospitals (USA) | Number of large hospitals, USA | 6146 | |
| 2 | Forecast range | Years | 2020-2025 | Target timeframe |
| 3 | Devices/hospital | 2020 Number of medical devices per hospital (total) | 7500 | Current group served |
| 4 | % of IOMT devices that operate connected to the network | Networked or smart devices (Internet of Medical Things) | 48%-68% |
(increasing over study period) || Market requirements |
| 5 | Market capture | Percent of IoMT devices served by Penultimate Frontier products | 5%-100% | |
| 6 | Revenue/device | Pricing ASP (Average Sales Price) per unit | $20 | |
| 7 | Cost as % revenue (device revenue) | Cost as % revenue, with declining cost over study period | 20% | Reduced cost as Compute Resource improvements are deployed |
| 8 | Deployment cost/device | Deployment cost (average) for each unit (non-recurring) | $1 | Fixed cost per unit |
| 9 | Discount rate | Discount rate used in evaluating Net Present Value (NPV) to represent opportunity cost and time value of revenues vs investments | 10% | |
| 10 | R&D investment | Proposed budget for R&D projects | $50M NPV |
Demand will vary based on a confluence of drivers. Attack frequency and increasing attack surface were noted above. The below table from NIH highlights the relationship between cybersecurity resources, target cybersecurity capabilities, and successful attacks. The relationship between these factors drive the level of uncertainty baked into the financial model below.
Summary of the NPV for the costs related to Penultimate Frontier Operations, and the effective NPV comparing revenues and costs is as follows: Benchmark data is applied for R&D as percent of sales, and operating expenses as a percent of sales.
Financial model and projections for for revenue and costs related to Penultimate Frontier Operations, and the effective NPV comparing revenues and costs.
Penultimate Frontier R&D Portfolio Investment Allocation by Area. FPGA investment for hardware-based technology is deferred to start in 2022 and is expected to be released in 2024.
A Monte Carlo study using Oracle Crystal Ball is also performed and described in a subsequent section of this page.
Patent & Publication Analysis
Landscape Map Analysis produced by PatSnap analysis, December 1, 2020
link=https://vimeo.com/485808626
Click to Vimeo Viewer Animation of PatSnap Landscape 2007-2020
1. Packet analysis based IoT management <ref>Cheng, Gong, Pui-Chuen Yip, Zhiwei Xiao, Ran Xia, and Mei Wang. Packet analysis based IoT management. United States Patent US10771491B2, filed February 19, 2019, and issued September 8, 2020. https://patents.google.com/patent/US10771491B2/en?oq=US10771491B2</ref>
- Type: Patent (Patent # 10212178; US10771491B2)
- Owner: Palo Alto Networks (Inc.) for their medical device security product offering under ZingBox, Inc.
- Key dates: Filed on February 2019 and application granted September 2020
- Description: This technology is allowing for network packets to be analyzed when going to or from an Internet of Things (IoT) device in the context of preventing attacks against these devices. Through this technology, uncharacteristic behavior deriving from an IoT device can be detected using historical data from the device itself that is collected over time. Packet data can both be inspected and triangulated with what is considered standard behavior based on previously collected event logs and IoT device characteristics, ultimately generating in anomaly detection notification.
- Applicability to roadmap: Zingbox is a major player in the expanding Internet of Medical Things (IoMT) security industry [4]. Our focus on medical device security via threat detection and prevention is highly related to this patent; this technology describes a specific example of how anomalies can be detected on IoT devices that are ultimately indicative of cyber-attacks. It builds upon well-established technologies from the security space (packet capture, event logging, vulnerability identification) and combines this technical capabilities to form a new methodology that may be better suited for identifying anomalous behavior in IoT by crafting device profiles rather than the ‘one size fits all’ approach IT security tools (although the team has not seen implementation data that would demonstrate higher rates of accurate detection or better infrastructure compatibility – this is the assumed benefit/FOM area).
2. Systems and methods for detecting a cyberattack on a device on a computer network <ref>Cherry, Ronald. Systems and methods for detecting a cyberattack on a device on a computer network. United States Patent US20190190952A1, filed December 5, 2018, and issued June 20, 2019. https://patents.google.com/patent/US20190190952A1/en?q=(Systems+and+methods+for+detecting+cyberattack+device+computer+network)&assignee=mercy. </ref>
- Key dates: Provisional application filed on December 2017 and July 2018; publication occurred on June 2019, with the patent still pending
- Owner: Mercy Health
- Description: The technology focuses on detection in the context of a cybersecurity attack, as applicable to medical devices. Data is collected through a honeypot scheme, where attackers are geared towards dummy medical devices set up within the same IP subnet as actual medical devices. This allows for the collection of attack techniques from actual threat actors, which in turn generate Indicators of Compromise (e.g., types of obfuscation techniques, multiple failed attempts to access a device within a set timeframe) that serve as the basis for malicious event detection alerts.
- Applicability to roadmap: This technology relies on medical devices as the dummy infrastructure, and is specific to detection in the context of cybersecurity attacks – this is squarely aligns with medical device cyber threat prevention and detection. This newer incorporation of OT into the targeted assets makes it difficult for existing security products (firewalls, anti-virus, etc.) to effectively detect attacks meant specifically for medical devices rather than IT. The technology scheme relies on the collection of data from real attacks actually occurring on the network to enhance medical device security detection. The team interpreted a baked-in assumption that the risk of setting up a honeypot is outweighed by the benefits of collecting highly applicable and accurate data on threat actor threat techniques (As an aside, this was a very fun technology to discovery – it’s a great idea if the benefits outweigh the risks).
3. Fernandez Maimó et al., “Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments.” <ref name="maimo">Fernandez Maimo, Lorenzo, Alberto Huertas Celdran, Angel L. Perales Gomez, Felix J. Garcia Clemente, James Weimer, and Insup Lee. “Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments.” Sensors 19, no. 5 (2019): 1114. https://doi.org/10.3390/s19051114 </ref>
- Publication Date: 5 March 2019
- Authors: Lorenzo Fernández Maimó, Alberto Huertas Celdrán, Ángel L. Perales Gómez, Félix J. García Clemente, James Weimer, and Insup Lee
- Publication Name and Details: “Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments.” Sensors 19, no. 5 (2019): 1114.
- doi:10.3390/s19051114
- Applicability to roadmap: This paper describes cybersecurity requirements and vulnerabilities for Medical Cyber-Physical Systems (MCPS). Consideration of ransomware attacks as the leading type of attack is reported as 85% of cases, with 70% of attacks involving confirmed data loss. The paper reviews potential technology to address these concerns. The focus is on automating detection of attacks through machine learning (ML) and real-time operations.
4. Markus Willing et al., “Analyzing Medical Device Connectivity and Its Effect on Cyber Security in German Hospitals.” <ref name="willing">Willing, Markus, Christian Dresen, Uwe Haverkamp, and Sebastian Schinzel. “Analyzing Medical Device Connectivity and Its Effect on Cyber Security in German Hospitals.” BMC Medical Informatics and Decision Making 20, no. 1 (September 29, 2020): 246. https://doi.org/10.1186/s12911-020-01259-y </ref>
- Publication Date: 29 September 2020
- Authors: Willing, Markus, Christian Dresen, Uwe Haverkamp, and Sebastian Schinzel.
- Publication Name and Details: “Analyzing Medical Device Connectivity and Its Effect on Cyber Security in German Hospitals.” BMC Medical Informatics and Decision Making 20, no. 1 (September 29, 2020): 246.
- doi: 10.1186/s12911-020-01259-y
- Applicability to roadmap: This paper explores the use of networked devices in hospitals and the risks for cyber attacks. The authors analyze networked medical devices in German hospitals by considering the departments with largest use of devices and their vulnerabilities. In this recent study published this September, the authors report 5000-40000 active medical devices per hospital with an increasing percentage that are networked devices. The largest increases are reported in the departments of Radiology, Intensive Care, Radio-Oncology, and Nuclear Medicine.
Strategic Drivers
| # | Strategic Driver | Alignment with Targets |
|---|---|---|
| #1 | To develop a medical device security tool that utilizes minimum resources and a high rate of detection accuracy for malicious activity, that can attract HDOs as customers to generate $X million in revenue by 2025 | The medical device security roadmap will target intrusion detection capabilities with a threat detection rate of at least 85% and utilizes no more than 4 Gig of RAM to achieve this threat detection rate. |
| #2 | To develop a security tool that focuses on enhancing HDO network visibility based on the specific characteristics of internet-connected medical devices, thereby differentiating the firm in industry and reducing the overall risk profile for healthcare providers | 10% increase in coverage potential (average % of IoMT devices compatible with tool /hospital), and ability to increase volume of medical devices by 10-20% |
Technology Strategy Statement
The objective for the Penultimate Frontier is to provide value to our customers through the ability to identify and/or block all true positive attempted cyber incidents in near-real time. This can be done by developing a solutions that are highly accurate, scalable and use minimal resources. Revenue targets for the firm are ~ 1.0B annually based on strategic investments in new technologies for our IoMT intrusion detection system. Investments in technology driven by revenue and VC investments ($50M) will be completed via a two-stage approach: 1) enhancing visibility of IoMT devices (2020-2022), and 2) improving detection capabilities (2022-2025). The company is strategically prioritizing projects at the forefront of device visibility technology, since this is an area heavily affected by both the uptick in cybersecurity attacks and increase in hospital device conversion to IoMT. Detection capability will be incrementally improved from the current detection rate for true positives (70%) and overall accuracy (classification rate – ~90%) through technological improvements in detection algorithms, and detection speed will increase by incorporating highly efficient processor hardware.
Monte Carlo Analysis using Oracle Crystal Ball
A model for the value of technology in preparing and responding to cybersecurity threats authored by M.S. Jalali and J.P. Kaiser of MIT highlighted the importance of combining technology in addition to dedicated staff resources. The following chart illustrates the need to deploy effective technology in order to mitigate the risk of attack and prevent their consequences.
Source: Mohammad S Jalali and Jessica P Kaiser, "Cybersecurity in Hospitals: A Systematic, Organizational Perspective" Accessed at NIH.gov at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5996174/ <ref>Jalali, Mohammad S, and Jessica P Kaiser. “Cybersecurity in Hospitals: A Systematic, Organizational Perspective.” Journal of Medical Internet Research 20, no. 5 (May 28, 2018). https://doi.org/10.2196/10059 </ref>
An excel spreadsheet is developed based on the outline of these model parameters. An initial (static) analysis provides an overview of relative Net Present Value (NPV) for the 3 product improvement R&D technology development projects, and the compute resource infrastructure R&D development project that is target to reduce the cost of deployment and setup at the hospital and their healthcare IT integration.
We have examined a Monte-Carlo study using the Oracle Crystal Ball tool <ref>“Oracle Crystal Ball” Accessed December 3, 2020. https://www.oracle.com/applications/crystalball/ </ref> for the NPV that compares two model scenarios of the effect of increased cyber activity on the adoption of this technology. In each scenario, the consequence of incident is to increase the adoption rate by up to 50% beyond the current trend. Market studies have shown that the healthcare sector is spending at 3% of operations compared with other industry sectors of 6% of operations. From the report above, organizations learn to deploy technology more effectively in response to their own incidents, or by learning from the experiences of others and taking proactive steps. The captured market starts at a base rate of 5% of the available market (connected medical devices) and increases by a growth rate (10% year over year) that is modified by the learning from incidents by up to 50% more market share response to an incident. The Monte-Carlo study examines the uncertainty of this factor and what effect changes in this investment rate could influence the NPV of the R&D projects. Note that for the log-normal distribution, the tail of the distribution extends beyond 1.0 and may therefore lead to more than 50% growth in market share terms. The total market share is limited to 100% of the total available market. The model does not include estimates of competitors technology investments in response to grow or maintain this territory, which could be added to a future version of the model.
The charts below compare a gaussian distribution of cyber attach incidents, with a log-normal distribution of incidents. As described above, the consequence of significant incidents may cause more rapid adoption. With the log-normal distribution, the likelihood of large-scale incidents is less frequent but has a larger overall effect on investment in security.
Scenario 1 : Gaussian (normal) distribution of cyber activity, centered on small-scale incidents (mean = 0.5, st.dev = 0.15)
Scenario 2 : log-normal distribution of cyber activity (approaching power law where large events are potentially occurring but far less frequently than small incidents) (mean =0.5, st.dev for log = 0.8)
For both scenarios, the NPV for these R&D programs gives an estimated mean for the NPV of approximately $670M. With the log-linear model for incidents, the mode is decreased to $530M while the long tail is increased to $1.B over the range of 1000-run samples. This model is focused on the resulting revenue for the product and reduced operations cost. A benefit to Penultimate Frontier’s clients would be the resulting improvement in security operations. A future study could be to examine the value from the client’s perspective.