Jelena Milosevic: Digital, Connected, but Not Secure

The cybersecurity industry is full of people who took IT classes at community college, or Computer Science courses at a major university. The usual career path in our field is presumed to be a spark of computer genius in childhood or adolescence, technical studies after high school, and then getting hired by a tech company based on specific technical credentials.

But life doesn’t always work out that way, nor do all cybersecurity careers. In my own case, I caught the bug by removing Windows malware in my previous tech support career. But many other people were in seemingly unrelated professional fields until they got swept into infosec.

In the first part of this interview series, I spoke with Jelena Milosevic, who was working as a nurse when she found an alarming security vulnerability in the hospital she was working at. Her altruistic drive to make things better led her to study cybersecurity and travel the world to give talks at security events.

She’s still a nurse, by the way, but now her path mixes medicine with information security. She’s also got a great website for end user security education called Don’t Click on That.

Interview with Jelena Milosevic: Security Vulnerabilities in the Medical Industry

I asked Milosevic:

How did you learn about security vulnerabilities in your nursing career?

I worked as a Calling Nurse in different hospitals. Because I didn’t have my own account, I couldn't work with EPD and at the computers. To work, I had to get accounts and passwords from my colleagues. Or I found them on paper – people left account credentials for people who didn’t have their own account.

That way, I could see the way that accounts were made, but also the way my colleagues made their own passwords. Everything was so easy and uniform.

I realized then that I could work under the name of someone else, and that wasn’t a good feeling. I could (potentially) do all sorts of bad things in the name of that person and damage the patients and my colleagues. I could send emails in their names, change information in patients’ records under their name.

How does that put patients in danger?

I could send malicious links to many employees at the hospital. They would trust me, because the email is coming from a colleague. So, all computers and devices connected to the computers can be infected.

I also have the ability to change patient information. There are many, many ways that can damage patients. You can use patients’ information to make fake documents, credit cards, ask for credit, make invoices for treatment that never took place, and so on.

Changing the medical information can bring medical professionals into action that can damage the patient or medical professional. Infected medical devices can stop working, work differently or have alarms.

At that moment, my greatest concern was that someone could work under the name of another colleague. They could make problems for everyone by changing information, both medical and personal.

Did your hospitals improve after you took action?

I was working in many hospitals and did try to contact more. I wanted to share my findings and concern with them, but no one wanted to talk with me. I got to constantly hear, “We have everything under control and have good security.” I wanted to see who the IT department was.

I found out that there was no-one with a security background, that there was almost no infosec policy, nothing. At the same time, everything was digital, connected, but not secured.

What was your first step to studying and speaking about cybersecurity?

It took me three years to get a complete picture of the situation in healthcare. At the same time, Martijn Grooten from Virus Bulletin invited me to talk more about my findings about the situation in healthcare. I had two great mentors, Thom Langford and Jeanette Jarvis.

What was the first cybersecurity talk you gave, and what did you present?

My first talk was about building awareness in medical professionals. (It was) at BSides London 2017: To Click or Not to Click, or How to Build Awareness About Behavior Online. The second presentation was for Virus Bulletin, Consequences of Bad Security in Health Care.

In twenty-five months, I have given more than thirty presentations across the world. Three in the U.S. (Circle City Con, Skytalks, and at IOActive), and in the rest of Europe, everywhere.

Are there similarities between being a nurse and working in cybersecurity?

Sometimes it looks like it, but there are different kinds of knowledge that you need to have. You have vulnerabilities, you need to find the cause, and see how to fix them. And nurses and security professionals are ones who find them, report them, and help to treat them.

I did send media warnings to all hospitals in Holland. I got good responses back, that they will pay attention. Because of this and more, security professionals need to be consulted for every action that is digital, connected, and online.

Would you encourage hospitals to limit the connected Internet of Things (IoT) technology they use? For example, Internet-connected surgical machines, IV pumps, etc.

Yes - this is why I say, security must be included in every decision. It is not. If there is the way to make something work, then it needs to be safe. Too much money is wasted on all digital products we don’t need and have no need to use, products that make our work more difficult.

Do you think that cyberattacks are going to become a worse problem in medicine as the years go on?

Absolutely, yes. If we look at healthcare, we can’t just overlook security. We need to look at what is really going on. All the time we put pressure on medical professionals, but most of the time in a bad way. Infosecurity people have no idea how the system works. We talk to be heard, but not to listen to another, or listen to their response.

Healthcare professionals get a lot of pressure from everyone. Because of financial pressure from the boards, the pressure to innovate, being digital and online, eHealth EMR and everything, we get products that had no security. No one cared. And we did trust them (the manufacturers), that their products were safe. It is not our job to know how to protect devices, PCs. We assume that PCs, products, devices are secure and safe.

Now it’s a bit hard to put security in everything. But because everyone who has no idea about working in healthcare makes all the decisions, we get a lot over our heads. 40% of medical professionals have burnout, and a lot are depressed and even suicidal.

We put smart insecure products (i.e. connected to the Internet of Things) in hospitals and connect them on the same networks. Not just medical, but other types of IoT devices too. Smart coffee devices look nice for PR. People are making decisions that bring all sorts of danger inside.

Medical professionals are not aware of it and have no idea because they are too busy with their own work. So what I think is that security professionals must be consulted about everything. Do you have any idea how many times people take work home (because) they have no time during the day? And for that, they are not paid.

What do you think the contrasts and intersections between medicine and cybersecurity are?

Cybersecurity is more complex than most people think. It is not just the technical side of the story, it’s more about many different components that need to fit in with each other, like a three-dimensional puzzle.

Looking at healthcare, I found that we need to take a look from different sides and from different perspectives. After three years talking with everyone, medical and security professionals inside of the hospital, vendors, boards, people outside of the hospital that are giving service to the hospital, PR and marketing, I found out that the role of infosecurity professionals is big, and they need to be included in everything.

There are many paths to cybersecurity careers; expect the unexpected! In the second part of this series on inspirational women in cybersecurity, I spoke with Katelyn Bowden, who was working as a bartender when an ex-partner distributed her very private photos without her consent. Bowden founded a non-profit organization called BADASS to help other victims of private photo theft and online harassment.

Read Katelyn's interview now in Part 2.

About Jelena Milosevic

Jelena Milosevic is a pediatrician and ICU nurse with a ton of experience, having worked at many different hospitals in the Netherlands since 1995, and before that having spent 10 years working in the ICU at the University Children's Hospital in Belgrade.

Over the past three years Jelena has been active in the infosec community and has been applying her specialized knowledge to the healthcare world in order to help improve security for both patients and medical staff. Jelena is a member of the I Am The Cavalry group and a part of the Women in Cyber network.