While it’s widely reported that healthcare isn’t necessarily targeted any more than other industries, the complications for the industry are compounded by many things including the COVID-19 crisis, the increase in the dependence on connected medical devices, and the decade-long trend of mergers and acquisitions among healthcare systems. Due to this complexity, it is paramount for information security professionals and chief executive officers alike to pay specific attention to their cybersecurity policies, procedures, and systems.
To better understand the rise in visibility of attacks in healthcare, let us look at some of these key areas of vulnerability:
- COVID-19 The pandemic has served up two main areas of concern. One being the explosive growth in a remote delivery model of telehealth services which increases the opportunity for threat actors to get at patient data. The second being the pandemic itself. Hospitals remain the epicenter for the most critical cases, as well as hotbeds for community spread. These issues have hospital administrators and doctors scrambling to focus on the physical care of their patients, and rightfully so, but leave them exposed if they are not also equally focused on the digital care.
- Connected Devices Decades of efforts to modernize medicine and bring medical devices online for speed, efficiency, and the introduction of artificial intelligence for better medical care and diagnosis, has put hospitals in a radically dependent position. A focus on privacy has long been a point of legislation, protection, and liability but cyber threats don’t simply exist to threaten a release of data, they are now, more than ever, looking for any way to disrupt your business. If it’s connected, it’s vulnerable.
- Mergers and Acquisitions The healthcare industry has become a highly competitive one and over the years we have seen an increase in larger mergers among healthcare systems and facilities. Combining organizations present a lot of common business challenges that have spurred the rise in firms specializing in process improvement and change management, however the complexity of merging technology and legacy systems has largely been left to a handful of IT professionals and departments who sometimes lack the resources and expertise to properly manage the security of these transitions.
Where should healthcare organizations start given the urgency of the problem and appropriate concern and focus on the pandemic? On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory (the Joint Cybersecurity Alert) to warn the healthcare sector that there is “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” In this alert, an outline of Network Best Practices was provided as a helpful place to start.
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication (MFA) where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access restrictions to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
We will only continue to see a rise in the number and severity of attacks. Healthcare organizations need to equally prioritize the physical well being of their patients, the protection of their data, and the cybersecurity posture they impose to defend against cybercriminals and mitigate incidents when they occur.