3 Key Ways to Bolster Healthcare Cybersecurity with MFA, Training

June 24, 2020 - Throughout the course of the first half of 2020, the FBI, the Department of Homeland Security, and a number of security agencies ramped up cybersecurity alerts -- many of which directed at the healthcare sector -- in an effort to support vulnerable industries responding to the COVID-19 crisis. In response, hackers steadily worked to target the rapid rise in telework and telehealth.

While the number of reported cybersecurity incidents in the healthcare sector are fewer than in previous years, it does not mean the number of attacks have declined. Security researchers and federal agencies have all reported rises in cyberattacks on cloud services, remote platforms, mobile devices, and other endpoints.

For the healthcare sector, already burdened with the Coronavirus response, the expanded threat landscape could lead to some serious issues down the line. Fortunately, the majority of these advisories contain key elements that could allow enterprises to effectively close some of these critical gaps.

Multi-Factor Authentication

A report from Microsoft found that 99.9 percent of all automated cyberattacks can be blocked with multi-factor authentication. And the 0.1 percent of successful attacks are far less common and sophisticated in nature.

In its report, researchers stressed the three most common vulnerabilities across all sectors are password reuse, legacy protocols, and business email compromise, with 73 percent of users duplicating their passwords in both their personal and work accounts.

READ MORE: Can Multi-Factor Authentication Help Healthcare’s Security Posture?

Those shared passwords are leveraged by hackers to gain access to corporate accounts. The rise in remote work and telehealth use amid the pandemic has only increased the need to employ MFA to reduce the risk.

MFA implementation will vary for each organization and the type of system. Some enterprises may opt to provide coding and instructions to the IT team to implement MFA, but others may choose to rely on their EHR vendors to add the tool to the EHR platform.

Overall, a successful MFA implementation will balance the need to secure all access points with the need to be user-friendly with a variety of identification layers.

User Education, Training

This year was the first time external threats outpaced insiders in the healthcare sector, according to the Verizon Data Breach Investigations Report. However, healthcare remains the leading industry for internal bad actors.

Meanwhile, recent Clearwater research showed untrained and untested users were the second largest vulnerability to healthcare endpoints, stressing the need for continuously training staff. The report is supported by earlier research from JAMA that showed that phishing education and training can reduce healthcare’s cyber risk.

Clearwater stressed that training should be a fundamental part of any healthcare organization’s internal security policies. Training must go beyond security policies and procedures, and include any other parties with outside access to enterprise systems and data.

“Employee awareness and training represent an important component of protection against phishing attacks,” JAMA researchers wrote, at the time. “One method of generating awareness and providing training is to send simulated phishing emails to a group of employees and subsequently target educational material to those who inappropriately click or enter their credentials.”

Overall, every smartphone, networked device, and user is a potential risk to the hospital network. Enterprises should routinely educate and train employees to keep threats top-of-mind, while encouraging users to report any suspicious activity to the security team.

Further, combined with MFA and other security tools, the JAMA researchers stressed that employing filters to prevent users from receiving those malicious emails in the first place.

Clearwater also recommended organization employ backup measures for when training fails to stop users from accidentally infecting systems with malware.

Asset Inventory and Patch Management

At any given point in time, many healthcare organizations lack insight into just how many devices are connected to the enterprise network. Added to the rapid deployment of new technologies deployed to respond to COVID-19 and a heavy reliance upon legacy technologies, the healthcare sector is facing some critical challenges.

Hackers are continuously exploiting vulnerabilities to gain footholds into the network of potential victims. For example, the National Security Agency recently warned the Russian hacking group known as Sandworm was actively targeting a flaw in the Exim Mail Transfer Agent (MTA) email software.

Patch management and asset inventories, preferably automated and near-real-time, can help organizations better understand their complete device inventory, while keeping vulnerable devices isolated from the network.

Manual asset inventories only include about 80 to 90 percent of all devices, CyberMDX Vice President of Business Development told HealthITSecurity.com in 2019. Leveraging automated tools to create a comprehensive list of all devices can allow an organization to better defend the devices or secure them when they come online.

Organizations should first craft a plan and then determine what devices are at the highest risk or tof the biggest priority to the enterprise. Then, administrators should move to patch management policies, to create a plan that keeps track of when vendors release software updates to patch known vulnerabilities.

Segmentation can support organizations when patching is not possible in a timely fashion, as well as getting a better understanding of how data flows throughout the hospital and how device connect to the network -- and to each other.

“Often, we’ve found that data flow is not clear to hospitals. They use a lot of open ports or devices, and allow those devices to speak, or use protocols that aren’t allowed,” Oranski said, at the time. “There’s a way to block this with firewalls, for one.”

“What we found in many cases – more than 95 percent of device communication could and should be blocked,” he added. “There are so many things you can do to secure devices simply—even without patching.”