Healthcare Cybersecurity: A Life And Death Crisis
Not all doom and gloom, with the right controls in place
– Brian Olliff
Columbia, S.C. – Nov. 19, 2021
It’s no secret that attackers and threat actors view the healthcare industry as a large and lucrative target. According to a recent Trustwave report, individual health records can be valued at up to $250 per record on the black market, and that is in addition to any ransom that may be collected from organizations that elect to pay. HIPAA Journal reports over 640 large healthcare data breaches (500 records or more), with 429 of those attributed to “hacking or an IT incident.” Add on a global pandemic to further stress an overstressed industry and you have a recipe for disaster.
What makes the healthcare industry such an easy target? In hospitals, it is very common to see biomedical devices running older versions of Windows that the vendor does not support patching. This can be due to FDA certification of the device or simply the level of support the vendor provides. In addition, the everyday endpoints that employees use are frequently running out-of-date, under-patched versions of Windows. Couple this with phishing emails and “too quick to click” users, and you have the perfect environment for an incident. On top of this, it’s not unusual to see overworked, understaffed cybersecurity teams in healthcare organizations that are struggling to stay on top of their organization’s needs.
All Hope is Not Lost.
There are several basic steps that security teams in healthcare can take to help mitigate a large range of potential attack vectors:
- Use modern best practices and recommendations. However, some of these may go against what has typically been normal, and may need a bit of salesmanship to get implemented. For example, current NIST recommendations actually advise AGAINST periodic forced password changes unless in the event of a compromise (https://pages.nist.gov/800-63-FAQ/#q-b05).
- Secure MFA (i.e., non-SMS-based) should be used on all external points of access, whether this is an OWA portal, Citrix access, or a VPN. Ideally, an organization can combine ease of use with security by using a solution with a mobile app and push notifications.
- Strict usage controls should be used on all endpoints. There is much to be said about the balance between employee privacy and security controls; however, there is still a need for some control. Basic DLP should be used on workstations, such that USB drive usage is limited. This type of control has multiple benefits: it helps prevent accidental disclosure of PHI, and it helps prevent potentially infected external devices from being introduced to a secure network.
- Security awareness training should be utilized in all organizations. There is a very wide range of options when it comes to training, but the bare minimum doesn’t cut it anymore. Employees should be well educated on spotting (and reporting) suspicious emails and on not clicking links or attachments in emails, and this training should happen more often than once a year. Some companies, including INE, offer this type of comprehensive security awareness training at no cost. The frequency of such training and/or phishing simulations can only be determined by the individual organization, but quarterly training and assessments should be a reasonable goal.
- Alongside this training, there should be repercussions for those who either do not complete this training, or repeatedly fail assessments. Unless employees are held responsible for their actions, those actions will not change.
- System backups should be completely isolated from the rest of the network and restores regularly tested for all critical systems.
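The USB-restriction part of the endpoint-control item above can be enforced on Windows workstations without a full DLP product, using the built-in Group Policy setting “All Removable Storage classes: Deny all access” (Computer Configuration > Administrative Templates > System > Removable Storage Access). The script below is an added example written for this article, not code from the author or from INE. It assumes only the registry key and value that Windows itself uses for that policy; the reporting format and the `-Enforce` switch are this script’s own design. Run it in audit mode across a fleet (for example via `Invoke-Command`) to find machines where the control is missing, and with `-Enforce` to apply it.

```powershell
# Added example (not part of the original article): audit, and optionally enforce,
# the Windows "All Removable Storage classes: Deny all access" policy on a workstation.
# Windows reads this policy from the registry value below; the -Enforce switch and the
# CSV output are assumptions of this script, not part of the policy itself.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Set the policy instead of only reporting on it. Default: audit only.
    [switch]$Enforce
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$PolicyName = 'Deny_All'

function Get-RemovableStorageState {
    # Returns an object describing whether the deny-all policy is present and turned on.
    $current = $null
    if (Test-Path $PolicyKey) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        PolicySet = ($current -eq 1)
        RawValue  = $current
        CheckedAt = (Get-Date).ToString('s')
    }
}

function Set-RemovableStorageDenyAll {
    # Creates the policy key if needed and sets Deny_All = 1 (DWORD), which is what the
    # Group Policy editor writes when the setting is Enabled.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-RemovableStorageState
if ($state.PolicySet) {
    Write-Output "$($state.Computer): removable storage access is denied (policy in place)."
} elseif ($Enforce) {
    Set-RemovableStorageDenyAll
    Write-Output "$($state.Computer): policy was missing; Deny_All has been set. Reconnect a test device to confirm it is blocked."
    # Re-read so the exported evidence reflects the enforced state, not the pre-change one.
    $state = Get-RemovableStorageState
} else {
    Write-Warning "$($state.Computer): removable storage policy NOT set (audit mode; rerun with -Enforce to apply)."
}

# Emit one CSV row (no header) so a fleet-wide run can be concatenated into a single report.
$state | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1
```

Two practical caveats: on a domain-joined machine a domain GPO for the same setting wins over a locally written value at the next policy refresh, so the durable fix is to set it in the domain GPO and use this script only as the audit that proves the GPO actually landed; and because the setting blocks every removable storage class, departments with a legitimate need (imaging workstations, for instance) should get a documented exception via the per-class policies rather than an exemption from the control altogether.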
But what is the end goal here? What are we actually trying to protect? Besides the financial and reputational loss that comes with any type of breach, the healthcare industry has much higher stakes.
If a manufacturing facility is attacked and infected with ransomware, it will certainly affect them financially. Their bottom line will suffer. Consumers may not trust them as much. They may have difficulty fulfilling orders. Healthcare organizations have the same concerns, but with the added risk of people actually dying from a ransomware attack, especially in hospitals. If an EHR (electronic health record) system is taken down, or a prescription ordering system is unavailable, it becomes much harder to track patient care. This can be further complicated if an organization does not have properly implemented and tested downtime charting and ordering procedures. This can be taken a step further though; if an infusion pump is compromised and begins delivering a lethal dose of medication, or a network-connected pacemaker delivers a fatal shock, people die.
The healthcare industry has the same security concerns as any other industry and must take the same steps to protect its network, systems, and data. But security analysts and engineers have that added pressure of patient care always in the back of their heads.
It’s not all doom and gloom though. A few well-placed and moderately easy-to-implement controls, along with a commitment to security awareness training, can make a huge difference in how a hospital or other healthcare organization protects itself against a cyber attack.
– Brian Olliff is a defensive engineering instructor at INE with more than 15 years’ experience in information technology.
Sponsored by INE
INE is revolutionizing the digital learning industry through the implementation of adaptive technologies and a proven method of hands-on training experiences. INE’s portfolio of trainings is built for levels of technical learning specializing in advanced networking technologies, next-generation security and infrastructure programming and development.
INE’s mission is to be your trusted partner in reaching your professional goals. INE has cultivated innovative content and teaching methods, delivered through cutting-edge technology and disseminated by the most esteemed instructors in the world. Over the past 14 years, INE has helped tens of thousands of IT professionals achieve their goals and countless Fortune 500 companies build a world-class technical organization fully prepared for tomorrow’s challenges.