It’s no secret that healthcare organizations are constantly in the crosshairs of cyber criminals. One of the reasons healthcare records are 30 times more valuable than financial records is that they contain full identity profiles, including your Social Security number, which is the gateway to acquiring any and all of your personal information. According to data gathered by the United States Department of Health and Human Services Office for Civil Rights, the number of data breaches in healthcare increased by 63% in 2016, and a look at the news on any given day shows that the trend isn’t slowing down.
In addition to the number of attacks, the survey states that medical device hijacking and ransomware attacks are on the rise. Medical device hijacking involves exploiting back doors in machines such as x-ray and life support devices to plant malware. Once installed, it can move laterally across the network and infect other devices, applications or the entire system. This sort of movement throughout a network requires a sophisticated attacker - and the number of sophisticated attackers will only continue to climb.
Ransomware is a simpler form of attack, which is one of the reasons we see it spreading so quickly. In the world of medicine, there is an almost immediate return on investment when it comes to ransomware because the data that is being ransomed is literally life or death. One example of this type of attack is last month’s WannaCry virus, which had a devastating impact on the United Kingdom’s National Health Service. While not the first attack, it finally showcased the magnitude of the problem.
IT and Security Are Not a Priority
Healthcare organizations are built around the purpose of saving and/or improving lives. Because of that focus, IT and security departments are typically not a high priority when fighting for budget dollars. These departments are typically understaffed and left with legacy equipment that is outdated and unprepared to deal with new cyber-attacks. These teams also typically have proprietary software that is rarely patched and can be easily exposed by patch release cycles, making it an easy target for cyber criminals.
Even worse, the increased digitization of healthcare information between patients, providers and insurance companies has broadened the attack surface. With the Internet of Things growing faster in healthcare than in most industries, there is new concern over device attacks and the threat of an attacker pivoting through an attack chain in your network. All of these issues are difficult to deal with on their own; however, they’re also all subject to strict government and industry regulation. From HIPAA to HITECH and HIMSS, healthcare organizations must make sure to have all of their information recorded and ready for an audit at any time.
When there seem to be attacks coming at you from all sides, how do you fight back? While your challenges as a healthcare provider are unique, they are not unprecedented. The first and most critical thing to do for your organization is to implement up-to-date security measures and create incident response plans to ensure business continuity in the case that something does happen. As mentioned before, your first priority is to save lives. To keep that as your top priority you must make sure that your organization can continue to run no matter what. Here are some ways to do that:
- Start with the Human Factor: Make sure that you are incorporating security practices in your day-to-day operations through strong password rules, forced password resets and required VPN usage.
- Ongoing Training: Requiring security protocols is a great first step but you need to also ensure that your employees are keeping security top of mind. Make sure you are conducting ongoing training to keep your employees up to date on what threats are out there and test them to see how they react to phishing, social engineering, and other cyber-attacks.
- Implement Basic Safeguards: Anti-malware, firewalls, data encryption, separate network backups, self-service password reset and penetration testing should be the foundations on which you build your security posture.
- Include Security in the Purchasing Process: Make sure to include your security team when purchasing new medical equipment or software. This team will raise awareness of and visibility into what vulnerabilities the products may have, and will make sure to work in patch release updates with the supplier to avoid known vulnerabilities.
- Increase the Frequency of Vulnerability Scans and Penetration Tests: In order to gather the most up-to-date information, prioritize vulnerabilities, detect gaps and control failures, and ensure that what you’ve remediated was successful, you need to have a consistent cadence of both scanning and testing.
By following these five best practices, you will be on your way to building a healthy security posture - but don’t stop there! Make sure that you continue to build on these measures by contextualizing them using external threat information. Together with your internal security intelligence, instituting these best practices will make you better equipped to help your organization optimize your operational security to better deter, detect, remediate and validate threats.