What once was only science fiction is now our reality, anything and everything can be hacked. For healthcare providers, ‘anything’ includes not only patient records and claims information, but sentient things like drug pumps and pacemakers. In addition, healthcare has operational functionality that make this space particularly challenging. The mobility challenge is particularly unusual because the workforce is constantly moving in and out of foundations, universities and hospitals. When they do this, they often need to retain the same access to do their jobs or gain completely different access at the same time because they are fulfilling different roles throughout the day. This is an access management nightmare.
In addition, the Internet of Things (IoT) challenge is unusual because providers already have lots of IoT devices embedded in their daily business. These devices are coming and going from your network and being associated with different patients at different times. These ‘things’ carry important Personal Health Information (PHI) which is valuable and constantly attacked by bad actors. However, they also control processes throughout the organization that effect lifesaving measures. Yes, healthcare organizations must remain compliant, but responsible organizations go beyond compliance to make sure a patient’s information and life support systems are respected and secured. The secret is to manage down the threat surface across both the infrastructure and access, to detect when something has been compromised with both speed and efficacy and to give your security practitioners what they need to resolve issues before there is real loss.
Mobile is Mayhem
Devices (your phone, laptop, even the crash carts) can be compromised anywhere, whether at the hospital or in the home, and many of these devices simply don’t have the memory, CPU or OS to impose a monitoring agent on them. In addition to this endpoint device protection, organizations need to be monitoring networks to detect anomalies. Machine learning algorithms can infer a lot from traffic patterns alone. For example, your medical ventilator probably doesn’t have a history of reading CNN.com. If that device starts showing this history, perhaps you want to mark that devices as suspect and augment other machine learning models to see if it’s behaving like it’s compromised. If that’s so, what TTPs (tools, techniques and practices) is it using that might point you to the threat actor or threat actor group – this will help you understand motive so that you can sharpen your defenses appropriately.
And Stop Acting So Vulnerable – it’s not a good look
Your adversaries are always scanning your systems, probably more intently than you are, so you have to be smart about staying in front of them. You need to stay on top of known vulnerabilities, but you will never patch them all because perhaps there is no patch or perhaps you just don’t have the resources to get it done in time. Securing your network is all about prioritization. By using an analytics tool to engage in evidence-based prioritization, you are able to patch the vulnerabilities that it deems most at risk. Staying on top of access is crucial because everything in the cyber community comes down to access to information and processes. You need to understand the access level each person has, whether it’s more than they need, and what needs to happen if they change job functions or move to another hospital. Then, compare the identity to the infrastructure. If an employee has a lot of access and is running on a vulnerable infrastructure, it’s a recipe for disaster. You need to fix the vulnerability infrastructure and/or reassess the access. These two views are usually separated by your security teams, but combining them provides a much better view into what vulnerabilities exist and what data is truly at risk if the vulnerabilities are exploited. The winning formula? Right people. Right access to infrastructure and entitlements. Right time. And then re-check to make sure you have it right.
As Ronald Reagan said to our friends in the old Soviet Union, “Доверяй, но проверяй”. This old Russian proverb is amusingly pronounced Doveryai, no proveryai. This proverb still rings true of our security teams today - Trust, but verify.