- The Department of Health and Human Services released a four-volume set of cybersecurity guidelines for the healthcare sector last month, which was applauded by many for its extensive breakdown of both risks and mitigations.
Drafted in partnership with over 150 cybersecurity healthcare and cybersecurity leaders, the guide effectively breaks down cybersecurity needs by organization size and includes resources for end users.
“It’s a great document; an in-depth read. It’s clear they wanted to make sure they’re putting things first that make sense,” said Suzanne Widup, Senior Consultant of Network and Information Security for Verizon RISK Team. “It’s a great way to point things in the right direction.”
“It should also make security a lot simpler for some of those small providers and give them a place to start,” she continued.
There were many places where the guidance hit the nail on the head. However, some sections didn’t go far enough and there were some topics – like mobile security – that were missing from the guide. Here are some of the guidance’s hits and misses from Widup and Bob Stevens, Vice President of Federal Systems for Lookout, an IT security company.
Hits: Size, Mitigation, Security Metrics, Medical Devices
To Widup, the recommendations around evaluating risk and customizing it to the size of an organization was the ideal way to craft the guidance, as “obviously resources vary by the size of the organization.”
For small organizations struggling with implementing security due to a lack of resources, it provides methods to shore up some of these flaws without necessarily spending a lot of additional funding. Widup explained that the medium and large recommendations are also useful.
“Absent of guidelines, people may not know how to protect against networking attacks: Maybe they know it exists, but what can they do about it?”
The details around mitigations were also a really good primer on how to deal with risks, said Widup. And the security metrics section broke down how and what to measure. At the moment, either organizations don’t measure what’s going on at all, or implement new tools without fully understanding the needs.
“Organizations are flooded with alerts, but it’s not providing something actionable,” said Widup. “The guidance takes a good look at what they should measure.”
“And when trying to justify expense, it’s good to point to those numbers and say, ‘this is how we’re being attacked,’” she added. “It’s takes it out of the realm of someone depending on outside information.”
For Stevens, for the most part, they captured nearly everything needed to deal with the gaps seen in healthcare security, especially around infrastructure.
“Absent of guidelines, people may not know how to protect against networking attacks: Maybe they know it exists, but what can they do about it? From that standpoint it’s really good,” said Stevens. “[Security leaders] can read them and make sure they’ve implemented what they can to protect infrastructure.”
Stephanie Domas, MedSec Vice President of Research and Development told HealthItSecurity.com this month that the addition of medical devices to the guide as its own threat, also showed signs that HHS is taking medical device risk seriously as the industry moves to shore up the threat.
Missed Opportunities: Insider Threats, Mobile Security, Phishing, and Medical Devices
Widup also noted that the guidance around email security was thorough and covered much of what the industry needs to understand about the threat. However, as phishing attacks and malicious insiders continue to plague the sector, the guidance missed an opportunity to dive deeper and better explain the risk employees can pose to healthcare.
“There’s a section where they talk about insider threats, with accidents versus intentional acts,” Widup explained. “It would have been a great opportunity to say they should monitor the activity of insiders and to dive into insider’s malicious activity. But they fell back into using familiar terms.”
“It’s a missed place to talk about a big risk to healthcare: insiders,” she said. “I do see a lot focus on emails causing these problems. But we’d like to see [HHS] make it more obvious that this is what happening and stressing the need to implement individual account use – and encryption.”
Especially with the advice around phishing, Widup explained that they didn’t discuss or explain the need to make it easier for users to tell the security team that they’ve been phished.
“It’s a good way to train users and turn them into sensors for the network, which could give an early warning that the organization is being phished,” she said. “A large portion of people don’t tell security because a lot say it’s not easy to do.”
“If your suggestion is just to make sure you protect devices with emails – than you’ve missed the mark with phishing.”
But for Stevens, the real loss with the guidance was that mobile security was omitted by officials. For example, HHS addressed the continued threat phishing poses to the sector. However, it addressed as an email-related threat to desktops or laptops, but not as it relates to mobile devices.
“If you want to extend it to all endpoints within the network, then you have to address it with more than desktops,” said Stevens. “With mobile, you can be phished in many ways more than email – SMS, messenger, and it can come via web browsing.”
“There are multiple ways that the attempts can come in: If your suggestion is just to make sure you protect devices with emails – than you’ve missed the mark with phishing,” he added.
Mobile devices are mobile by definition, they are taken everywhere by employees – from clinicians to human resources. Stevens explained that it’s much easier for hackers to get onto mobile devices than desktops. Hackers are constantly looking for a way onto a network, and mobile is a prime target.
Hackers are trying “to get credentials, steal two-factor authentication, maybe tap into data, maybe a one-time use situation,” he explained. “It’s surgical, targeted and they want these credentials, so that they now can go in and steal whatever it is that they want.”
When protecting mobile devices, one concern is phishing. Stevens explained that it shouldn’t just say to protect against phishing by just emails.
“Give all of the examples you need to protect devices from phishing,” said Stevens. “For example, network attacks. Mobile devices are trying to connect with every WI-FI they come in contact with, so develop network protections broader than if you’re physically connected to the network.”
“[HHS] should broaden the definition there,” he added. “Those are two good examples, but you also have to worry on mobile devices about applications: Make sure those apps are free of malware.”
Organizations need more capabilities around mobile security, it’s more than anti-virus. Everyone considers security around desktop or laptops, but often don’t consider mobile, he explained.
“In the end, it’s all about protecting the data,” said Stevens.
Bring-your-own-device is another area that needs to be managed differently than a device owned by the health provider. Stevens stressed there are tools on the market that organizations can use to put security on those BYOD devices without having to manage the employee’s device.
“The industry still hasn’t gotten the message that you need to encrypt all data at rest.”
Organizations should also consider visibility into those and potentially cutting off those devices from the network that the security teams doesn’t have permission to access, he explained. “It’s saying, ‘I don’t want you to have access to the systems, until you request it.’”
Widup also added that a lot of large organizations allow for BYOD. And while HHS discussed managing endpoints, they didn’t quite go deep enough around mobile storage devices – and potential exploitation.
“The industry still hasn’t gotten the message that you need to encrypt all data at rest,” she said.
While HHS offered practical advice for managing medical device risks, Widup added that they could have gone deeper, as connected devices pose a real threat to patient safety.
“There have been attacks that can shut down critical monitoring devices during a procedure. It’s concerning,” she said. “Devices should be incorporated into incident response plans”.
The chances are people are doing security around devices, but some don’t know how to recognize when something is wrong – or who to contact when something fails, she explained. But it would also be good to have an outline of detection capabilities around devices.
Organizations need to know “how to detect medical device threats and how to put that into response capabilities,” she explained. “It’s still a big challenge and healthcare is largely unprepared.”
Lastly, Widup explained that some recommendations felt better suited for large organizations, such as single sign-on security.
“It’s not a trivial task, and I’m not sure smaller organizations can do something with it,” she said. “Also, multi-factor authentication mentioned control of remote access points, but not around internet-facing systems.”
“A lot of times these are managed by third-parties. They need MFA, as these points are interfacing out there for everyone to hammer on,” she added. “They need additional controls, so they’re far less likely to be hammered on without anyone noticing.”
HHS stressed that the guidance is voluntary, but it does beg the question: How does the agency intend to use the guide? And will there be a second iteration to enhance it?
“It’s great first step. I don’t want to make it seem that the work they’d did was bad. It just needs phase two, which should include some additional guidance, said Stevens. “Mobile isn’t going away. One could argue that desktops and laptops going away. HHS should focus on where the world is heading.”
For Widup, what comes next depends on how HHS intends to use the guide. For example, if someone is breached and then audited, will HHS look to the guide to drive enforcement? The answer won’t come to light in the near future, but it is something to consider.
“It’s great to put something out for proactive people. And this is a great place to start, if you are in a small organization and want to make an impact or change in your security program,” said Widup.
“Regardless of the size of the organization, this is a good place to start if they haven’t done anything on risk mitigation,” she continued. “Even without the budget, the guide shows places that you can start. For example, get an incident response plan going. How you respond is going to matter most.”