Covered entities and business associates have numerous areas to consider when preparing for potential healthcare ransomware threats. It is not enough to install firewalls and anti-virus software; organizations also need regular employee training to keep their data security program well-rounded.
A failure to do so could be especially crippling for healthcare organizations and their patients.
While ransomware has been around for some time, the latest resurgence within healthcare has been horrifying, said Dell EMC Healthcare Strategist Susmit Pal. Healthcare providers have been moving from paper records to digital, which creates an enormous opportunity to leverage that digital data to improve patient care and even share information across the circle of care.
However, it also creates the potential danger of not being able to properly protect that data.
“As you continue this journey of digitization, the next step is to be able to connect things,” Pal told HealthITSecurity.com. “You're also seeing the drive toward mobility, where clinicians today want to access patient data from any device, anytime, and anywhere. You have to enable that functionality because that is key to reaching the triple aim, which is better outcomes, better patient experience, better health for the population, and reducing costs.”
With healthcare becoming more digitized, organizations could be fully dependent on their applications, whether it’s an EMR system or medical devices.
“These are important systems and you've got to access them in order to deliver patient care,” Pal explained. “And if something like ransomware locks you out of these applications or encrypts the data and you're not able to access it; that has direct implications on the lives of patients. You could lose lives if, all of a sudden, you have to shut down your ER because of a ransomware attack.”
Pal recalled the cases of Hollywood Presbyterian and MedStar Health as examples of how healthcare organizations can be negatively affected by ransomware attacks. Healthcare ransomware goes far beyond losing credit card information and having to replace the card, he said.
Healthcare ransomware is a huge threat that could directly impact patients’ lives.
User training paired with layered security measures
Healthcare data security is difficult because there is no single solution that can be prescribed to a hospital to take care of the ransomware threat, Pal stated. There are multiple threat vectors that hospital IT must prepare for.
Right at the center of networks is patient data, he explained. That is the most important asset organizations are trying to protect and what cyber criminals are also trying to access.
There are numerous layers of data stored throughout the network, and then there are users who are using multiple devices to log on to the network. The users open applications, pull data from the hardware, the server, or the storage center.
“There is vulnerability, there are threats, and there are security controls that you need to put in place across all these layers,” Pal said.
From a threat-surface perspective, users are often referred to as the weakest link in the chain, he said. They are unpredictable, and you never know how a user will react to something like a phishing scam. An email can arrive in an inbox and appear genuine, but when the user clicks on it they have actually downloaded malware.
Spear phishing campaigns are also becoming more difficult to distinguish, Pal added.
User training is one of the more fundamental things that every healthcare customer should be doing, he said. The training must be periodic and include simulated phishing exercises, where tests are run to determine how likely employees are to click on those types of emails.
Pal also underlined the importance of an identity management solution that centralizes the user management function. If an employee – whether it’s a clinician, nurse, or contractor – leaves the healthcare system, their access can be revoked.
“When many of your health applications could be online applications that could be accessed over the public internet, it becomes extremely critical for that change to be applied soon and not have to wait days before it's finally done,” Pal explained, adding that de-provisioning users can be managed through a centralized identity management solution.
Furthermore, one of the ways organizations can make such a strategy work is to ensure that identity, authentication, and authorization are handled in a consistent manner and applied quickly.
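The fast de-provisioning Pal describes is, in practice, a reconciliation between the HR system (the source of truth for who still works for the organization) and every account in every application. The example below is added here to show that reconciliation in working code; it is not code from the article, Dell EMC, or any product Pal mentions. The user IDs, system names, dates, and the one-day SLA are constructed assumptions, and `apply_actions` simply flips a flag on in-memory records where a real deployment would call the directory or identity provider's API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# All records below are constructed sample data; user IDs and systems are hypothetical.


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]


@dataclass
class Account:
    user_id: str
    system: str                      # e.g. "emr", "vpn", "email"
    enabled: bool
    last_login: Optional[date]


Action = Tuple[str, str, str]        # (user_id, system, reason)


def plan_deprovisioning(hr: List[HrRecord], accounts: List[Account], today: date,
                        max_delay_days: int = 1, stale_days: int = 90) -> List[Action]:
    """Compare the HR feed against every enabled account and return the accounts
    that should be disabled, with the reason for each.  Three cases are caught:
    accounts with no HR owner (orphans), accounts of terminated staff (flagged
    as an SLA miss if the termination is older than max_delay_days), and
    dormant accounts that nobody has used for stale_days."""
    hr_by_id: Dict[str, HrRecord] = {r.user_id: r for r in hr}
    actions: List[Action] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this account: a contractor never on-boarded
            # through HR, or an account left behind by an earlier migration.
            actions.append((acct.user_id, acct.system, "orphan: no HR record"))
        elif rec.status == "terminated":
            days_open = (today - rec.termination_date).days if rec.termination_date else None
            reason = "terminated in HR"
            if days_open is not None and days_open > max_delay_days:
                reason += f" ({days_open} days after termination, SLA {max_delay_days}d missed)"
            actions.append((acct.user_id, acct.system, reason))
        elif acct.last_login is not None and (today - acct.last_login).days > stale_days:
            actions.append((acct.user_id, acct.system, f"dormant: no login in {stale_days} days"))
    return actions


def apply_actions(accounts: List[Account], actions: List[Action]) -> int:
    """Disable every account named in actions; returns how many were disabled.
    In a real deployment this is where the directory / IdP API call would go."""
    targets = {(user, system) for user, system, _ in actions}
    disabled = 0
    for acct in accounts:
        if (acct.user_id, acct.system) in targets and acct.enabled:
            acct.enabled = False
            disabled += 1
    return disabled


TODAY = date(2016, 6, 10)

HR_FEED = [
    HrRecord("jdoe", "terminated", date(2016, 6, 6)),    # clinician who left four days ago
    HrRecord("nsmith", "active", None),                  # nurse, still employed
    HrRecord("rlee", "active", None),                    # physician who never uses the VPN
]

ACCOUNTS = [
    Account("jdoe", "emr", True, date(2016, 6, 5)),
    Account("jdoe", "vpn", True, date(2016, 6, 9)),      # still logging in after termination
    Account("nsmith", "emr", True, date(2016, 6, 10)),
    Account("rlee", "vpn", True, date(2016, 1, 15)),     # dormant for months
    Account("contractor7", "emr", True, date(2016, 6, 8)),  # no HR record at all
    Account("old_user", "email", False, None),           # already disabled, ignored
]

if __name__ == "__main__":
    for user, system, reason in plan_deprovisioning(HR_FEED, ACCOUNTS, TODAY):
        print(f"disable {user}@{system}: {reason}")
```

Run on the constructed data, the plan disables both of jdoe's accounts (flagged as an SLA miss, since the termination is four days old), rlee's dormant VPN account, and the orphaned contractor account, while leaving the active nurse alone. The point of keeping the HR feed as the single source of truth is exactly what Pal argues for: one revocation decision propagates to every system instead of waiting on per-application tickets.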
A device management strategy can also benefit healthcare providers, Pal said. More employees are working on a variety of mobile devices, whether issued by the organization or brought in under a BYOD program.
It is important to find the right balance between security and productivity though, as no employee wants to be hindered in providing patient care. At the same time, maintaining PHI security and overall security to the healthcare system is critical.
“More and more we are going to find hospitals take a serious look at how they want to segment their network,” Pal noted. “The segmentation has to be dynamic, otherwise, you run into the productivity issue with users having to log into multiple networks.”
Pal also advised that network virtualization and micro-segmentation are great strategies to implement as more hospitals are trying to decide how they want to segment their network.
“Particularly in the EMR situation, where you have the most critical data repository, you would want to have the best protection around that.”