I won't sugar coat it. Hospitals are on the radar of hackers as "soft" and valuable targets. The modern medical facility is connected to the internet in a multitude of ways. These connections include email clients, multi-location data integration systems, medical devices, and off-premise vendor support; all which leave hospitals and clinical networks extremely vulnerable to attack. To make matters worse, successful attacks are becoming more common, more devastating, and more costly.
In 2017, with more than 28% of total breaches having targeted medical operations, healthcare won the dubious honor of being the year's most breached industry. Based on research from the Identity Theft Research Center, there were more than 374 total reported healthcare breaches and over 5.1 million patient records impacted.
If you're asking why hackers are so keen on tormenting the healthcare industry, the answer is simple: Hospitals process and hold a vast amount of Electronic Protected Health Information (ePHI). The information contained within those virtual files is worth a lot of money. A 2017 study by IBM and Ponemon found that healthcare data breaches cost an average $380 per record — more than 2.5 times the global average across industries.
More and more, hospital administrators are embracing IoT and more and more clinical assets are being connected to the cloud. Yet, these devices are normally not manufactured with robust built-in cyber defenses. In fact, they're normally not protected at all.
When a conscientious IT administrator tries to fill the gap and retrofit the devices with aftermarket security measures, he or she quickly finds that it is very difficult to put an anti-virus or EDR (Endpoint Detection and Response) solution on each device. And so, more often than not, huge healthcare industry cybersecurity gaps remain.
10 Tips from the Experts
The good news? Hospitals can dramatically reduce their threat exposure by enforcing the following 10 best practices. These have been derived and refined over many years of cyber experience as well as extensive research into how hospitals have been breached and what was done to protect those hospitals that succeed in thwarting attacks.
Without further ado, here are our top ten best practices to help you fortify and protect medical networks and the life-saving devices that use them. To make this list as actionable and user-friendly as possible, I've broken these best practices down according immediate, near, and long term tasks:
Immediate Actions —
- Identify your connected medical devices and critical assets. Every hospital needs visibility into which of its devices are IP addressable and how they're interacting with the network. It's important to create a comprehensive and easy-to-update inventory map of all the connected devices deployed across the entire hospital.
- Establish an operational and technical framework for risk assessment. Effective cyber risk management starts with awareness. A concise and actionable risk assessment for every identified medical device enables IT security professionals to prioritize threats.
- Roll out detection mechanisms. Once your medical devices and critical assets have been identified, contextualized, and analyzed for risk factors, healthcare industry cybersecurity professionals need to measure operational baselines in order to capture what "normal" traffic looks like. If the ultimate objective is recognize, predict, prevent, and respond intelligently to malicious traffic, this is non-negotiable. All network traffic should be continuously scanned and processed, and automated alerts should be configured.
- Train and Educate. While the deployment of technology is critical, healthcare providers must also train IT and security personnel, as well as all employees, who have access to critical assets. The importance of proper education and communication across the entire organization — from top down — cannot be overstated. You should initiate staff training and prioritize widespread knowledge transfer about the risks, how to recognize them, and what to do when an incident arises.
Medium Term Interventions —
- Proactively reduce the attack surface. Hospitals have multiple access points, so IT professionals must try and reduce it by building a well-thought out defense architecture. This can be achieved by leveraging existing IT and cyber solutions, segmenting network zones, blocking activities or access ports associated with high risk level vulnerabilities, and constantly reviewing security policies, controls, and procedures.
- Build an automatic, zero-configuration, zero-manual-maintenance security architecture. This dramatically reduces the manual labor required of IT and helps drastically reduce the radius for human error. Hospital IT teams typically struggle to keep up with an overload of work and this type of smart automation is just what the doctor ordered (sorry) to help alleviate high TCO.
- Establish an incident response protocol. CSIR (Cyber Security Incident Response) is essential for effectively handling a coordinated response (both technically and non-technically) to events and incidents. Hospitals must prepare and document response planning, triage and containment strategies, decision making and communication priorities, as well as recovery processes.
Long Term Directives —
- Understand regulations and standards as they pertain to your medical devices and critical assets. Hospitals must gain an in-depth understanding of the wide range of regulations affecting medical devices and their security. From HIPAA and HITECH to ISO and IEC standards, the compliance landscape is a complex one that deals not only with data privacy but also patient safety and business continuity.
- Establish patch management processes. As part of the procurement process, it’s integral that vendors be held responsible to provide automatic security updates and patches for all devices they sell. Make sure that these considerations are reflected in purchasing requirements and vendor/service provider contracts, while taking care to specify expectations within RFI, RFP, bid, and similar documentation.
- Collaborate and work towards an atmosphere of continuous knowledge sharing. Leverage threat intelligence and experience from other hospitals as well as shared and individual experiences. A conscientious administrator should look to collaborate with other industry organizations such as NH-ISAC, MDISS, ECRI, ICS-CERT, NIST and programs such as MD-VIPER and MDRAP.
Sustaining Healthcare Industry Cybersecurity
Hospital IT teams have a lot on their plates and the constant struggle to stay one step ahead of attackers can be grueling. Overwhelmed putting out daily fires, dealing with slow, inefficient processes, and cumbersome firewall and anti-virus management, healthcare IT personnel are in serious need of assistance; which is why mapping out a smart, well-structured plan for protecting your organization's critical assets is so important.
Often the phrase “crawl, walk, run” is used when working towards new normals within large organizations. There is merit to that, but when it comes to healthcare industry cybersecurity, you'd better make sure that the hackers better not be crawling, walking or running faster than you.