In the last several years, data breaches and cyber attacks on healthcare organizations have been in the news with alarming frequency. Contributing to the challenge is the fact that HDOs are an easy target for hackers. Far too many hospitals are still running legacy software that’s no longer receiving updates. Patches aren’t implemented regularly, and since organizations are large and disparate, there are many key users making basic cybersecurity mistakes that leave holes in their existing protection.
Effective digital risk management is a monumental challenge. Limited by budget restrictions and siloed organizational management, it can be difficult to figure out where to begin.
Although the task is daunting and requires smart planning, spending too much time mapping your intervention strategy from beginning to end can choke progress. It's important to get moving quickly. Toward that end, taking an expressly pragmatic and incremental approach is a good way to ensure that you don't get in your own way — making the perfect the enemy of the good.
The goal must be to start moving toward a stronger security posture as quickly and purposely as possible. Even with this approach though, you still have the question of where to begin and where to proceed.
A Smart Prioritization Scheme: A Prerequisite to Success
You can’t fix every issue all at the same time. Beginning in any old place and then moving systematically from one stack to the next leaves you persistently exposed to risk. So while it’s not reasonable to wait to plan the whole thing through before you set out, you’ll still need a basic prioritization plan. You need to know what you’re looking at across every stage and break down your remediations according to the relevant factors.
The trickiest part of cyber-securing your hospital is always going to be systematically capturing and smartly categorizing digital risks. Before you can do this, however, you have to identify exactly what assets (really, liabilities in the context of risk assessment) you're deploying, where they're located, and how they interact with the rest of the network. You need to be able to map the configurations, vulnerabilities, and requirements of every last connected camera, syringe pump, workstation, pneumatic tube system, and even application. Even then, it’s important, however, to note that not all digital risks are the same.
There are 3 basic classifications of risk:
This risk category would apply when an intrusion or anomaly has been detected.
This refers to documented vulnerabilities affecting certain devices, software, configurations, etc. Under adverse circumstances, if proactive measures are not taken, a known risk has the potential to turn into an active risk at any moment.
These are the risks associated with undocumented vulnerabilities that may be latent in your technology deployment. Organizations can take a seek-and-destroy approach to unknown risks — conducting research and penetration testing — or they can take a fortress approach — conducting more vigilant patrols, imposing stricter controls, and strengthening general defenses.
Of course, to intelligently prioritize your efforts, it’s not just important that you know the nature of the risk, but also that you have an idea of the context in which that risk exists. In other words, what are the potential impact dimensions of a given risk?
There are 3 primary impact dimensions to consider:
What would happen if a given endpoint were to be compromised? Would it impact patient safety? How about operational continuity? Revenue?
Suppose an MRI workstation is held hostage in a WannaCry attack. While it would not directly threaten patient safety, it would moderately disrupt operational continuity, and significantly impact your ability to generate revenue.
What are the compliance implications of a given device’s compromise? Supposing that patient safety is not in question, this usually boils down to what type of data the device handles. Does it transmit ePHI? Does it store ePHI? Does it interface with an ePHI database?
Based on the answers to these questions, the risk can be assessed to bear high, medium, or low regulatory impact.
If a given device or device group is breached, what potential does it have to affect other devices and the wider network? Basically, we’re trying to get an idea of the range of possible collateral damage. Of course, this depends as much on the architecture and internal security of your network as it does on the nature of the compromise.
You want to look at the nature of the threat as well as the governance of your network in terms of the device immediately affected, the security group to which it belongs, and all adjacent network segments.
Across all digital risk management categories and impact dimensions, it's also important to factor in "fixability." All other things being equal, if one security risk can be attended to easily and quickly, and another would require considerably more time and effort, the easier risk should take priority. This ensures that your work progresses at an efficient pace and you get the most security bang for your effort buck.
Of course, in real life, all other things are rarely equal, so you'll need to weigh the overall effectiveness of your limited time and resources against each of the different interventions on your docket. Keeping fixability in mind will help push things forward even in the face of inevitable obstacles.
Once you’re armed with a complete view of your infrastructure, a classification of risk levels, and an understanding of the impact dimensions, you’re in a position to prioritize your cybersecurity efforts.
First Active Risks
It should be a given that active risks need to be dealt with first. However, there’s a chance that you’ll face a number of different active risks and need to decide which ones to give attention to first.
Active risks should be prioritized first according to their potential for the greatest direct impact, then according to their compliance impact, and finally according to their network impact potential.
Of course, these guidelines for prioritizing interventions are quite generalized and should not be applied to the exclusion of important context-aware nuance. If, for example, an attacker is moving through your network at a rapid pace, it might make sense to tackle network impact issues before compliance issues to try and slow his advance, get out ahead of the problem, contain it, and prevent knock-on threats that will doubtless affect safety, continuity, and compliance.
This is where things can become complicated and a more sophisticated, context-aware, and dynamic risk scoring rubric might be needed.
Broadly speaking, the idea is to rate all digital risk factors on an even scale (say 1-10) to reflect their applicability and then weigh those ratings based on the comparative importance of each factor. In essence, there is the extent of a risk factor and then the importance of the risk factor. Issues that would very require a great deal of time and energy to resolve should be similarly de-weighted to reflect the diminished marginal returns involved.
Total risk scores should be assessed in this way for each device, device group, network segment, business unit, and the organization as a whole.
When confronted with multiple situations ascribed the same risk scores, you should again prioritize your interventions according to fixability.
Then Known Risks
After active risks are locked down, you should move on to work on known risks. When you’re faced with a number of known risks, you should prioritize them in the same way as active risks — first according to direct impact potential, then ePHI, then network impact. And similarly, risks with the same impact potential should be prioritized according to fixability.
A non-active risk with a high direct impact potential could be a CT workstation that is exposed to the “BlueKeep” vulnerability. Leveraging a BlueKeep exploit, a malicious actor can hijack the workstation’s remote desktop services to circumvent authentication and take full control of the system. At that point, the attacker can reconfigure the CT — opening the door to serious patient safety, say by increasing the level of radiation output or decreasing the instrumentation sensitivity.
A digital risk like this can be relatively easily mitigated (highly fixable) by making sure that applicable security patches are in place and that port 3389 is closed on vulnerable devices. Accordingly, provided that you’ve already attended to active threats, risks like these jump to the front of the line.
If you find it difficult to quantify the impact potential of known risks, you can save a lot of time by simply consulting the relevant CVE’s Common Vulnerability Scoring System (CVSS) grade. The CVSS (v3) is a framework for measuring the severity of a given vulnerability. The formula incorporates a variety of factors — including measures of exploitability, impact, and scope — to grade the risk. It delivers a standardized number so that you can easily compare and prioritize vulnerabilities.
Of course, to make use of CVSS grades, you’ll still need to have a way to identify exactly which known risks are present in your deployment. For this, you’ll need to have a granular digital inventory of the connected devices in your facility — including an accurate accounting of device type, intended use, vendor, hardware, software, connectivity, and governance details.
The other thing to bear in mind is that even though the CVSS does a good job quantifying the severity of risks, it does so in the context of a generic network deployment. The same vulnerability can have vastly different digital risk management implications based on its point(s) of access to your network, your security regime, and your network topology.
Then Preventative Measures
Although unknown risks should technically constitute your lowest priority, they’ll also likely take up the majority of the time you spend hardening your cybersecurity posture. This is because over the long-term, the more general defenses you can put in place to secure your network, the better position you’ll find yourself in to effectively deal with or altogether avoid risks — active, known, and unknown alike.
Accordingly, here too you should strive to instill some appreciation for nuance in your prioritization scheme. Meaning that even while you contend with known risks, it may be worth setting aside some time to also fortify your defenses against unknown risks. In so doing, particular attention should be paid to the following best practices.
Maintain good network hygiene
When your network is "clean", it not only runs more smoothly. It also makes it easier for you to spot and fix problems that could lead to serious breaches, because you won’t be distracted by the minor errors.
Among other things, good network hygiene includes strengthening your network segmentation regime, defining smart context-aware security policies, making sure that enforcement is universal, closing ports that are not needed for intended for a device’s intended operation, reducing “network noise1” and false alerts, fixing native VLAN-endpoint mismatches, and making use of QoS solutions.
Ensure strong password management
Your cybersecurity is only as good as your weakest password. Using a weak password or leaving a device or application configured to the default password makes it easy for hackers to gain a foothold in your network. Properly managing credentials isn't actually very hard and will make a world of difference in the overall strength of your cybersecurity.
Conduct staff-wide cyber training
It only takes one weak link to break your chain of cybersecurity. Which is why it’s so important that management instills a culture of cybersecurity awareness and ensures that everyone on board have at least some basic cyber training.
Connecting BYOD to the internal network and opening suspicious emails are two of the most common ways for breaches to occur. Hospital staff should know to abide by BYOD policies, not to share cyber sensitive information, to use clinical assets only for purpose-specific activities, how to spot a suspicious email, what to do when they come across one, and what type of device performance hiccups might be suggestive of a bigger problem.
Use end-to-end encryption
End-to-end encryption ensures that confidential ePHI remains unreadable when it’s sent internally or externally as well as when it’s sitting in your archives. Strong encryption means that hackers wouldn’t be able to unlock and sell the data even if they succeeded in stealing it.
Carry out proactive device lifecycle management
It’s crucial to keep your software up-to-date by proactively installing patches and approving updates. In addition to newly disclosed vulnerabilities, you might find yourself exposed on account of deprecated endpoints, remote computers, and servers lacking protection against known malicious actors.
Collaborate with other HDOs to stay up-to-date with the latest security news and make sure that you have the necessary security updates and patches. At the same time, you should keep track of the device lifecycle so that you’re prepared with a strategy to replace or restrict devices when vendors stop rolling out support for them.
Continuously monitor network traffic at the packet level
Continuous monitoring is critical so that you can set benchmarks for “normal” traffic and use those to spot anomalies. With deep packet inspection, you’ll be able to scan incoming traffic more completely to detect malicious activity much earlier.
Regular penetration testing helps you to identify third-party software and detect vulnerabilities in your networks. It’s a key step in securing your supply chain as well as your immediate infrastructure. That said, penetration testing should be treated differently in medical environments than in other IT configurations.
There is a chance that scanning the network with a standard scanner might crash old or otherwise deprecated devices that aren’t designed to handle a particular communication protocol or such a level of traffic. Instead a scanner that is more discriminating and aware of the limitations of specific devices should be used.
Enact strong, role-based access controls
The threat of insider attacks is real. In fact, according to Verizon, healthcare is the only industry where insider threats outnumber external threats. And lest you think that this fact wouldn’t apply to your organization, bear in mind that according to Ponemon, 64% of insider threats are inadvertent.
Smart access controls are not just important to protect against insider threats, but in a hospital that is open to the public 24 hours a day 7 days a week, your attack surface would absolutely explode without proper access controls. Bottom line: only people whose normal workflows would require them to access particular devices, systems, or applications should be given access to those devices, systems, and applications.
Healthcare organizations are particularly vulnerable to cyber-attacks, but they aren’t likely in a position to be able to secure their large, disparate, and complex ecosystems in one fell swoop. Going at it randomly is not much of an option either as it risks undue exposure.
Triage is the basic and brutal prioritization strategy responsible for ensuring the best possible outcomes for patient care given limited resources. It's high time that the same concept be applied to hospitals' digital risk management strategies. Following the structured prioritization scheme outlined above, you can be sure that you're investing your efforts in the right place at the right time to avoid becoming the next high-profile cyber-attack headline.
- Generally speaking, this would refer to communication data points that are irrelevant to the network's core functionality and continuity, fail to reflect any interaction of substance, and may even constitute a burden on the network.
This can, for example, be caused by an improperly de-networked device that previously communicated with the network. In such a case, an initiator device may try and send packets to the removed device to open a session. but the destination IP would no longer exist. This would result in "noise".