Providers need to maintain healthcare compliance and ensure their data security measures are strong enough to combat ever-evolving threats. However, compliance and security are not interchangeable and entities must focus on both for comprehensive cybersecurity.
Brooklyn, New York-based Interfaith Medical Center works to guarantee both healthcare compliance and healthcare security, utilizing network segmentation and mock malware attacks.
Compliance is the baseline that needs to be achieved, Interfaith Director of IT Infrastructure Christopher Frenz told HealthITSecurity.com.
Compliance should be the end goal, but it is not enough by itself, he explained.
“Shooting for compliance is kind of like shooting for a D grade in the class,” Frenz said. “Yeah, you might pass, but you’re really not doing a good job. Security and compliance are similar and related, but they’re two different things.”
“You can be compliant and still be pretty unsecured,” he continued. “Compliance is a baseline starting point. I’m very big on actually putting security to the test to make sure it is effective.”
Starting in about 2015, Interfaith began to conduct simulated malware outbreaks, Frenz recalled. The hospital used the European Institute for Computer Antivirus Research (EICAR) test file.
“It’s a harmless file, but years ago, all the antivirus manufacturers agreed to treat this particular file as a virus,” Frenz explained. “It provides a great way to actually test antivirus and test certain security controls. Even though it’s harmless, it should be detected by your systems as malicious.”
Interfaith conducted an exercise in which Frenz created a script and “infected” the PCs. The script attempted to connect to all the other PCs in the organization and plant the EICAR test string, the test virus, on those machines.
“It was really interesting to see what machines it impacted and what machines it didn’t,” Frenz said. “We were able to take that information and really use that as lessons learned to both see what worked, what didn’t work, and what we could do to improve our security.”
Network segmentation was highly effective at preventing the spread of the malware, he added. Interfaith did have a segmented network at the time, but given how effective it proved to be, Frenz said they wanted to take network segmentation to the next level.
This is where VMware NSX came into play for network virtualization and micro-segmentation, Frenz explained.
“We started using VMware’s Zero Trust approach to break the network down into the smallest segments as possible in order to further improve security,” he said. “We began acquiring products like VMware’s NSX to do that within the datacenter, and we also did network access control and a few other things to do that within the fiscal network for the PCs and other devices in the hospital.”
Patient safety is one of the long-term benefits that Frenz hopes to achieve with the network security tools. The WannaCry ransomware attack that infiltrated organizations across the globe in 2017 was really a wake-up call for the industry, he said.
“WannaCry resulted in a lot of the medical devices within many hospitals across the US and around the world actually being encrypted,” Frenz stated. “Those devices lost their functional abilities as well, which creates a real patient safety issue.”
“You don’t want to be a patient who’s in the middle of a surgery or a procedure and find out the medical devices you’re attached to are suddenly rendered nonfunctional because of a cyber attack or virus outbreak within the organization.”
Having improved network security will help protect the safety of the patients who come into the hospital, Frenz explained.
Having mock attacks has definitely been a short-term benefit for Interfaith, he pointed out. There has been noticeable improvement in how employees have reacted to simulated attack scenarios.
Increasing connectivity can create increased exposure
Patient portal security is also an increasingly key issue for healthcare organizations, especially as patients want to become more involved in their own personal health care.
“Patient portals have potential for positive clinical benefits because the idea is that the patient can see the records,” Frenz said. “They can become more involved with their own care and that could help improve patient outcomes.”
One of the potential dangers of a patient portal is that it basically provides a publicly-accessible face to a lot of a hospital’s medical record systems, he noted. If not done securely, it’s a potential avenue that could be exploited to gain access to patient data.
“Our network segmentation strategy also does come into play with that,” Frenz explained. “We do try to keep that as segmented as possible. So, if, in the event something was to penetrate our defenses, and actually compromise our patient portal, the damage would be as mitigated as possible in terms of what could be accessed to that portal.”
Working to limit lateral movement within the organization’s network has been a key cybersecurity measure Interfaith has taken over the last few years, Frenz said.
“What commonly happens in a lot of cyber attacks is an employee gets a phishing email,” he stated. “Somebody clicks the link. That results in a computer within the organization being compromised. And that computer is used as a staging ground to start compromising other assets within the organization.”
Interfaith conducts phishing training for employees and utilizes web filtering and similar tools to try and prevent malicious links from being clicked.
“But we also do the network segmentation to the point that with the exception of some PCs in IT, that no PC in the organization can actually see any other PC in the organization,” Frenz explained. “The idea is we want to stop that lateral movement as much as possible. If one of those PCs became compromised, it would be very difficult for malware to begin to spread to other systems within the organization.”
A good approach to healthcare data security is to work on allowing only what needs to happen, rather than allowing everything to happen and trying to block bad actors, Frenz said.
“Many reports and research, such as the Verizon Data Breach Report, typically estimate that between 70 and 90 percent of malware that an organization sees is actually unique to that organization,” he stated. “That really means that trying to block everything that’s bad is pretty much an impossible task.”
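To make the difference between a default-allow network and one that allows only what needs to happen concrete, here is an added example (not Interfaith's code or tooling) that simulates the kind of mock outbreak described above over a constructed hospital network: it lists which hosts a compromised PC could reach by lateral movement under a flat policy versus a default-deny segmentation policy. All host and segment names are hypothetical placeholders.

```python
from collections import deque

# Constructed example network: hospital hosts grouped into segments.
# These names are hypothetical placeholders, not real Interfaith hosts.
HOSTS = {
    "pc-nursing-01": "workstations",
    "pc-nursing-02": "workstations",
    "pc-it-01": "it-admin",
    "portal-web": "dmz",
    "ehr-app": "clinical-apps",
    "ehr-db": "clinical-data",
    "infusion-pump-07": "medical-devices",
}

# Flat network: every host can reach every other host (default allow).
FLAT_POLICY = [("*", "*")]

# Default-deny micro-segmentation, modelled on the article's description:
# only the listed segment-to-segment flows are allowed, workstations cannot
# see each other, and nothing is allowed to reach the medical-device segment.
SEGMENTED_POLICY = [
    ("workstations", "clinical-apps"),
    ("it-admin", "workstations"),
    ("it-admin", "clinical-apps"),
    ("dmz", "clinical-apps"),
    ("clinical-apps", "clinical-data"),
]

def allowed(src, dst, policy):
    """True if the policy permits traffic from host src to host dst."""
    s, d = HOSTS[src], HOSTS[dst]
    return any(ps in ("*", s) and pd in ("*", d) for ps, pd in policy)

def blast_radius(start, policy):
    """Hosts a simulated outbreak starting at `start` could spread to,
    following only flows the policy allows (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(cur, nxt, policy):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9} outbreak from pc-nursing-01 reaches:",
              blast_radius("pc-nursing-01", policy))
```

Running it shows a single compromised workstation reaching every host on the flat network but only the two clinical servers it has a legitimate path to under the segmented policy, with the other workstations and the infusion pump untouched.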