As health IT developers work to create the latest platforms and tools for the industry, it is essential that healthcare cybersecurity measures remain a top priority. Numerous types of healthcare organizations should therefore take note of a guide released earlier this month that could affect how the industry keeps data secure.
The National Institute of Standards and Technology (NIST) recently released its second draft of “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” (SP 800-160).
NIST explained that the document is meant to help developers consider information security needs at every stage of a product's lifecycle, including understanding how to dispose of a system properly while still protecting its data.
In an effort to help organizations across the board better understand the document, the Institute for Critical Infrastructure Technology (ICIT) published a condensed review of SP 800-160. ICIT Co-founder and Senior Fellow James Scott explained that the purpose of the condensed review was to highlight key issues for entities and ensure that they understand how the document applies to them.
With healthcare cybersecurity issues continuing to evolve, it is especially important for covered entities and their business associates to review the guide and see how it may affect their health IT systems.
Why is the NIST guide important for healthcare cybersecurity?
Scott admitted that it is easy to look at the document and get lost in its more than 300 pages, which can read like a technical manual.
However, it should be read as a set of strategies, more of a checklist or starting point that organizations can use to introduce a cyber-hygienic, security-centric culture. It can also help entities establish best practices.
“It kind of covers everything,” Scott maintained. “I think the one part that people are finding confusing is that it's very specific, while simultaneously very vague as far as who should be applying this. Is it manufacturers? Is it hospitals? Is it doctor's offices? And I think the reality is, it’s everybody.”
The key takeaway is that it’s an introduction to cyber hygiene, according to Scott.
“If the reader goes through this, they'll see basically: here's during the acquisition process, here's what you should be looking for, here's what you should expect from your vendor,” he explained. “If you're a vendor, here's what you should be doing for your customer. It talks a lot about lifecycle security of devices and organizations’ PII.”
Scott also recommended that readers review the ICIT summary of SP 800-160 before tackling the full document. The summary gives a general understanding of the different sections, which makes the transition to the full text easier and the details simpler to follow.
“Then, if they read it in order, it is literally from beginning to end checkpoints for the introduction of standards and best practices, cyber hygiene and security-centric within an organization,” he said. “It is a simplified, straightforward, step-by-step checklist.”
Overall, organizations need to create comprehensive, strong cybersecurity practices that do not focus on just one area of security. For example, ransomware is currently a top threat, but it is not the only thing that healthcare organizations should focus on, he explained.
One of the main reasons that hospitals and healthcare organizations are highly sought-after targets is that their attack surfaces are so massive, according to Scott. In many cases, those surfaces are also unprotected.
“The sheer liquidity and capitalization that the adversary has on a successful exploit is also a factor,” he said. “Applying SP 800-160, and having a relationship with the device vendor to secure lifecycle security of that device, can help make sure that cybersecurity was taken into consideration before the planning and manufacturing of that device.”
Another big problem that hospitals will likely encounter when they start to implement this approach is discovering that many of the technologies attached to their networks were never designed to be networked at all, he added.
“They're going to be in for a lot of heavy shock factor when they start to implement these things and they see how vulnerable they are,” Scott cautioned.
In cases of healthcare ransomware specifically, the attackers often do not actually care about the ransom.
“They're coming in on the backend, looking at your network activity, and something is almost guaranteed to be happening,” he said. “Typically, they're experimenting with packet sizes to see what they can exfiltrate as far as sensitive data and go undetected.”
SP 800-160, however, helps organizations set up mechanisms so that this kind of activity can be monitored and thwarted.
How healthcare cybersecurity issues affect organizations
A lack of cyber hygiene in a healthcare organization could put numerous assets at risk, such as an MRI or X-ray machine. The danger arises when devices are attached to systems they were never designed to be attached to.
If organizations are not using proper cyber hygiene to back up their data to a secure place, and then a data security incident occurs, everything from PII exfiltration to patient billing could be affected, Scott explained.
“It could affect them in a lot of ways, and I think that hospitals and insurance companies and public companies, in order to get some of them to move on these standards, they have to really feel the economic punch in the gut.”
Another key aspect of SP 800-160 is informing staff members, he added. Employees at all levels need to follow proper healthcare cybersecurity guidelines; otherwise the entire organization could be put at risk.
If healthcare entities are already adhering to the NIST Cybersecurity Framework, they likely are going to have an in-house information security team. That team would be charged with implementing the checklist standards from the new document.
Endpoint security will also be essential, and Scott added that device manufacturers must conduct penetration tests to ensure that vulnerabilities are found and properly patched before they can be exploited.
“Endpoint security is a really valuable layer of security,” he maintained. “And security does have to be layered. There's no silver bullet even though companies are saying that all the time now.”
Scott also underlined the importance of encryption, both in-transit and at-rest.
“Field encryption with data that is in transit and stationary, least privileged access, endpoint security, user behavior analytics, backing up data in real time to a secure location, these are the basics,” he said.
These general layering strategies are spelled out in more detail in SP 800-160, along with how to audit technologies and networks and find vulnerabilities.
The future of healthcare data security
For the remainder of 2016 and heading into 2017, there will likely continue to be more precise, targeted attacks, according to Scott. More sophisticated actors that use front-end components, such as ransomware or other malware that causes an abnormality on a device or network, will be top threats.
“They're coming up with creative ways to come in on the back end, and once they're in the network, they're coming up with more creative ways to not just exfiltrate information, but to find other vulnerable devices in that IoT space. Then they can post malware for future attacks or a remote-access Trojan type of software.”
An undetected backdoor threat can be especially dangerous when organizations have “Frankensteined” devices and attached them to the network when they weren’t meant to be attached.
However, Scott wanted to reiterate to organizations that it is not all “doom and gloom.” By using the information available on cybersecurity measures, such as the NIST CSF and SP 800-160, they can implement the necessary protections.
“The good news is, there's tons of tools and frameworks out there that can help you minimize the attack surface or threat,” Scott maintained. “I think that's something that from a psychological perspective, might open up individuals’ minds to actually say, ‘Okay, I'm going to try reading this document. I'm at least going to try.’”