As healthcare providers work to implement the latest pieces of technology to improve patient care, the healthcare cybersecurity threats will also continue to evolve.
Healthcare ransomware attacks, BYOD security, and healthcare data breaches continue to be top concerns for covered entities and business associates of all sizes. However, there are ways for organizations to stay prepared and learn how to respond to potential cybersecurity breaches.
Preparing for healthcare ransomware attacks
Ransomware is particularly bad for the healthcare industry, IBM Security Senior Threat Researcher John Kuhn told HealthITSecurity.com.
“It's a huge problem for every industry, but healthcare probably a little more significant than that because of what they're doing,” he said.
It can even become dangerous as healthcare organizations are tasked with caring for people. Should certain information become locked up or inaccessible, that care could be affected.
“Always backup, have a backup plan, and have backups of these systems,” Kuhn asserted. “You need to have knowledge of how to restore this system in the amount of time required to not impact someone's health or impact your business at all. And that's where healthcare is struggling a little bit.”
Other industries will not be affected in the same way, he added. For example, if a retail store has its point of sale system locked up, the company might lose millions of dollars in paying a ransom. However, if hackers figure out how to lock up certain medical devices in mass quantities, the results will be far worse.
Citrix Chief Security Strategist Kurt Roemer said that ransomware has been “extremely pervasive” within healthcare, and that it really speaks to the model in which most healthcare providers are operating.
“There's a lot of data that winds up on end points, a lot of data that's very distributed,” he explained. “You have a lot of healthcare professionals that are contractors and other third parties and operate as independents and maybe work for multiple facilities.”
Patient care must also be swift, so sometimes security measures are dialed down or updates are delayed so they do not interfere with patient care. Unfortunately, that sets up a perfect storm for healthcare ransomware, Roemer warned.
"By utilizing virtualization, you're giving them the experience of working with the applications and the data but not actually exposing the data to the security environment of the device.”
“From a healthcare perspective, you oftentimes don't have the backups and the synchronization that you would have in other areas that maybe aren't as concerned about immediate performance,” he stated. “Many healthcare organizations actually need to go ahead and pay the fines to get the data back off that one system that had that only copy of what they needed. And that's why ransomware has really been such a big problem.”
There are quite a few things healthcare providers can do in terms of preparing against potential healthcare ransomware attacks, Roemer added. Having file sync and file share, along with having online and continuous backups through enterprise file sync and share will be beneficial.
Utilizing virtualization can also be extremely helpful, as this will keep the data off the endpoint devices in the first place, Roemer advised. This approach makes even more sense when employees are taking advantage of BYOD options.
“You want them to be able to have the applications, have the rich experience, have all the performance, but not necessarily be able to have the data on their mobile device,” Roemer said. “And by utilizing virtualization, you're giving them the experience of working with the applications and the data but not actually exposing the data to the security environment of the device.”
- How Ransomware Affects Hospital Data Security
- Utilizing Network Security to Prevent Ransomware Attacks
How expanding the network opens up potential attack options
Michael Tweddle, Dell One Identity Senior Director of Outbound Product Management, explained to HealthITSecurity.com that it is important to view the expanding medical network in two ways.
The first thing to consider is the security of a device itself. Then, there is the security of the information that is stored on the device.
“You always really have to look at it from a couple different angles,” Tweddle said. “The first is really securing the device itself, and that’s where a lot of things such as e-biometrics to get into your device and just even having the screen locked come into play. Basic things like that can definitely deter it.”
From securing the information that’s on the device is when you get into some of the BYOD vendors. For example, there are Microsoft, Google, and MobileIron.
“They can actually start to really lock down the contents that are on those devices or even understand if they are compromised be able to remotely wipe them,” Tweddle explained.
While it’s a simplistic way to look at it, it is important to secure the identities around access management into those devices. In addition, any proprietary access that are stored on them need to be managed as well.
“That’s where the BYOD services can really come into play, and you can see sort of the synergy that’s how they complement some of the identity and access management solutions out there,” Tweddle stated.
You have to have visibility into these things to understand if there's a threat there, or if there's a threat coming from [the devices] or a threat heading to them.
Every time a healthcare organization adds another device to its network, it is another potential point of attack, Kuhn stated. The increase in mobile devices has created a “huge swarm” of things connecting into hospitals that they don’t necessarily have great control over, or have great visibility into.
The key is to ensure that as healthcare organizations implement Internet of Things (IoT) options, connected medical devices, or BYOD strategies that they maintain visibility. Essentially, knowing where a gateway is and how it can potentially be accessed is critical for ensuring security.
“You have to have visibility into these things to understand if there's a threat there, or if there's a threat coming from [the devices] or a threat heading to them,” Kuhn said. “And that's where a lot of companies stumble because they don't have that insight.”
Roemer agreed, and said that with all of the expanded devices there is a tremendous amount of additional data. Healthcare providers need to consider how that data is going to be stored and maintained throughout its useful life cycle and how it is going to be protected.
“We know how that enterprise security model works, and that’s how it leads to ransomware issues,” Roemer cautioned. “Move to a virtualization approach, and you’re keeping the data in the center but that also requires an online, constantly connected type of environment.”
Roemer suggested that healthcare organizations also consider carrying sensitive data that needs to be mobilized in a container – a mobile enclave that is secured and protected by the enterprise.
“This mobile container would have all of the apps and data for the organization and for even specific projects, in many cases, and would be maintained, backed up and secured by the enterprise, even on somebody's personal device,” he said.
Healthcare has fallen behind ‘the IT adoption curve’
Susan Biddle, senior director of marketing for healthcare at Fortinet, explained that healthcare does seem to fall behind the IT adoption curve. Like financial services, healthcare is challenged with complexity, risk, and regulations.
The main difference is high-stakes technology purchase decisions are heavily influenced by delivering better health outcomes, she said. It’s a constant struggle as healthcare providers try to determine what they should invest in.
Healthcare also tends to lack the necessary cybersecurity staff, talent, and resources to keep pace with the evolving threats.
“The continuous reported data breaches say it all,” Biddle stated. “But despite the growing importance of security programs, budgets remain relatively flat. So, healthcare needs to figure out how they can do more with less. One way is they can take note of how the other sectors like finance has designed a ‘future-proof’ cybersecurity framework, one that will grow with the organization over time.”
Biddle added that sharing cyber intelligence across all verticals is also essential as hackers do not discriminate. Cyber criminals target all business types and will apply their tactics across all industries.
“Prompt information sharing is essential, and then having the needed, proactive security controls and tools in place to digest threat intelligence and take action will be key for healthcare to move forward and not fall further behind,” she said.
Healthcare records are extremely valuable on the black market, and can be much more damaging to individuals who have their records stolen, Kuhn emphasized. When a credit card is stolen, a person can call the bank and cancel the card. But with healthcare records, not only can credit lines potentially be opened, but medical procedures could be performed. Medications could be obtained under someone else’s name.
“It’s Pandora’s box,” he said. “It’s a gold mine when it comes to identity theft because it has everything about them, including past illnesses, Social Security numbers, all of those things. They’re the gift that keeps on giving when it comes to hackers wanting to steal data.”
Roemer reiterated the danger that once healthcare information is exposed, it is out there forever. Healthcare organizations need to be doing more than financial services and other industries to both balance the optimization of their patient care while also optimizing costs. Furthermore, they must ensure that they are a leader in terms of security.
- Why Blockchain Technology Matters for Healthcare Security
- HIPAA Data Breaches: What Covered Entities Must Know
Other key healthcare privacy and security areas to consider
Ransomware will likely continue to be a high priority for healthcare, Biddle explained. The July and August attacks on healthcare focused on exploiting vulnerabilities found in consumer grade devices, such as D-Link routers.
“Organizations should review their cyber assets and determine if the vendor they’re using has an efficient and effective way of responding to discovered vulnerabilities,” Biddle noted. “Does the vendor invest in product security incident response teams (PSIRT)? If they don’t, this could mean a discovered vulnerability may go unpatched for many months or may never be patched.”
Detection and mitigation tools to protect against unknown threats as firewalls are only as good as their cybersecurity signature library.
Attackers are also continuing to leverage automated tools to identify vulnerable web applications, she said. For example, Shellshock has been a top spot for the past few months.
It will continue to be important for healthcare to design and implement a high performance web application security program.
“Malware authors continue to leverage evasion techniques in an attempt to bypass detection,” Biddle said. “In some cases, the malware may slip through which is why it’s important to consider not only investing in technology and threat intelligence to protect against known threats, but also detection and mitigation tools to protect against unknown threats as firewalls are only as good as their cybersecurity signature library.”
The expansion of patient portals, the expansion of the non-traditional caregiver, and IoT are also key privacy and security areas that healthcare organizations need to consider, Roemer stressed.
With patient portals, there are more patients that have access to their medical records and doctor’s notes – very rich information.
“Those patient portals that are only protected by simple passwords are pretty easy for attackers to get into and, oftentimes, the patient portals allow the caregivers or patients to download their information,” Roemer said. “That could be kept in a lot of insecure sources as well. The patient portals have definitely been a real concern from a security perspective.”
The non-traditional caregiver role could be an individual checking up on his or her parent or other family member. These people are trying to understand what is going on in the patient’s healthcare situation and are likely going to be making decisions in some cases, he said.
“Many hospitals and other organizations have check boxes for whether a patient wants to release information about pregnancy, or about sexually transmitted diseases, or about the severity of a condition as opposed to just the condition,” Roemer explained. “And it's those types of things that are going to need to be greatly expanded so that you can only share appropriate information when necessary.”
In terms of IoT, Roemer said that it is not just relegated to healthcare facilities implementing more devices. Individuals are also carrying a lot of telemetry about their daily lives, habits, health, interests, and activities.
“The expansion of those IoT devices and their capabilities is going to be great for helping all of us better understand our health, but it's also a real boon for attackers and people who are looking to erode our healthcare privacy.”
- The 3 Building Blocks Supporting Patient Engagement Strategies
- How Patient Portals Improve Patient Engagement