I had a chat with Kristen Kozinski. She's an expert on web development security, and she also has a pretty cool website for end user security education called Don't Click on That.
This time, I have a very special interview with Jelena Milosevic. She's a nurse who has made it her mission to educate people about the cybersecurity problems in the medical industry.
Please tell me about what you do.
I work as a nurse, and a few years ago, I got interested in infosec. It started with getting passwords from all my colleagues. I realized what sort of power I have by knowing how to access their accounts and that I can work under their names. That's how I entered the world of infosec.
Wow, that's some lousy password policy.
It didn't exist. I found a lot of usernames and passwords in our office room. I started with passwords, and I hope I can find a way to convince people at work to be more careful about that. It's about building awareness.
If you know how to access user accounts on the medical side, you can harm the patient or even kill really easily.
There is nothing that is safe and secure in healthcare. As a result, I am trying to convince people about the importance of cybersecurity.
When it comes to data, marketing money is what most people in my industry care about, and they do not want privacy. Because of that, the security is bad, too.
Are there not cybersecurity regulations that pertain to the medical field?
There was no policy for anything. But recently, there have been small changes. We cannot download movies or access some links. Websites that have pornography and online games are usually blocked. But not long ago, I could download Tor, but I didn't. I did download the Chrome plugin, though.
Our IT department doesn't have a lot of people responsible for cybersecurity. In US and Dutch hospitals, sometimes there's only one person, and the IT department can't be influenced much. Small healthcare institutions often have no one responsible for cybersecurity.
I'm shocked. Wow. After the password incident, how did you start teaching yourself about security?
As a nurse, I am that one who tells a doctor about everything that happens with the patient. Based on that, he makes diagnostics and then chooses the treatment. So I know what sort of information they need to hear. I also know what I need to pay attention to regarding medical devices, how something needs to work, and how to show proper results. I know how medical devices can start to work improperly, and how bad information can lead to doctors making the wrong decisions.
So I started to ask myself, can that information be manipulated from the outside? Everything I worried about turned out to be true.
In the last three years, I've spoken with a lot of people from the infosec world, and I asked about what's possible, one by one.
When I talked to one journalist, she said, “It can't possibly be that bad.” I sent her a lot of information and documentation that suggests otherwise. I started with simple things, such as URLs of hospitals.
With the help of women in cybersecurity from Holland, I conducted research that was published based on 97 hospitals in Holland. Later, I researched the top 100 American hospitals on my own.
I'm incredibly impressed by your drive. Would you consider leaving medicine for a full time position in infosec in another industry, or would you prefer to have an infosec role in a hospital?
Honestly, that would be nice, but I need to learn a lot more, and there's no position I can fill yet.
So for now, I'm working independently because I want change.
Have you done any public speaking on the importance of security in medicine?
Yes. I was just at FSec 2017 in Varazdin, Croatia. I was also at SHA2017 in Holland, and I will talk at Virus Bulletin.
That's amazing. Can you tell me anything about what you plan to discuss at Virus Bulletin?
I want to show the problems in healthcare and offer some solutions.
Because I'm not from a tech background, it's more of an idea about how people in infosec can build better products and make a better environment for online healthcare. I see myself as an assistant to infosec people as far as helping to reveal the problems in medicine and showing them how to present those problems. A lot of the time, people outside of healthcare talk about problems that aren't a reality for people who actually work in my industry. When they present that to medical people, they laugh knowing that that isn't a danger and forget about security.
Have you considered getting any cybersecurity certifications?
I don't know where I can start the process of getting cyber certifications.
By the way, this is a problem I'd like people to look at. Attackers can take control of IV devices, and a patient can be killed in about a minute.
I'm shocked. Wow. The information you reveal is an important public service. I think the work you do is very impressive.
You know, there are a lot of things I won't say and will never say in public. If I share certain knowledge, it can be abused. Patients can be killed, and no one would know.
A lot of people from the cyber security world including ethical hackers have helped me. I'm grateful for that!
I think Dutch hospitals should be grateful for you. Is there anything else you'd like to add before we go?
Yes. I sent reports to 100 American hospitals. Most of them ignored me or blocked me.
But some reacted or changed their websites from HTTP to HTTPS.
One hospital representative sent me a kind note.
We have made some progress in minor ways, but I'm having to speak to a great many people who aren't necessarily security-minded to help them understand why this stuff is important. I'm hopeful we'll get stuff fixed.
Thanks for the kind words!
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.