Guest Column | February 15, 2019

Breaches Are All Over The Place. And, So Is Your Cybersecurity Tech Stack

By Doron Kolton, Fidelis Cybersecurity


Healthcare systems have built out increasingly complex and overlapping technology stacks. For many years, the focus has been on electronic health records (EHR) systems – how to streamline solutions and achieve interoperability. But, in 2019, the industry needs to turn its attention to cybersecurity solutions.

Healthcare systems were late to adopt security technology. This has left many IT teams in healthcare without the experience of other industries – like financial services. Many systems have exacerbated this issue by deploying overloaded security tech stacks. This hampers teams further by requiring they learn many different tools. Then add to this the fact that many smart health devices or IoHT end-points are incompatible with end-point security agents and require more advanced security solutions. Lastly, layer on many open networks required in healthcare to allow collaboration with other clinics, laboratories, universities, and more.

The current situation must change. According to the U.S. Department of Health and Human Services Office for Civil Rights, the organization that tracks healthcare data breaches, there were more than 300 breaches in 2018. This is the highest on record, and they were primarily categorized as "unauthorized access/disclosure" and "hacking/IT incidents."

While some of these challenges are harder to address, like finding a common end-point security solution for connected health devices, there are immediate cost, security and sanity benefits to simplifying the cybersecurity stack and fully utilizing the solutions you keep. Health system IT and technology leaders can begin to rationalize their stacks if they understand how they became "over-stacked" in the first place, and how to get started in culling.

Did You Overdose On IT Security?

Many healthcare organizations have security technology stacks built from solutions from as many as 10-20 different vendors, each with its own maintenance and training requirements. This results in many facilities using as little as 30 percent of the capabilities in each offering. Most could get similar or better security coverage with a compressed and focused security stack.

So, how did we get here? Solutions have been purchased to protect against threats from yesterday in a piecemeal approach, even as technology and services have changed or merged, security threats have rapidly evolved, and we’ve entered into a cross-industry cyber skills gap.

A typical security stack includes the following solutions: firewall, intrusion detection or prevention system (IDS/IPS), malware detection, data loss prevention (DLP), forensics and analytics, and security information and event management (SIEM). It's all too likely that your organization has multiple iterations of each solution, and that several distinct solutions have overlapping capabilities.

Newer security offerings converge tools from traditionally distinct categories. However, most healthcare systems have purchased new solutions without getting rid of previous offerings, increasing overlap. It’s safe to say that if your security tech stack isn’t currently overloaded and under-functioning today, it will be in the near future. It’s time to change how healthcare systems vet and acquire cybersecurity solutions.

Evolving Ailments Require New Meds

Many cybersecurity solutions are purchased as a siloed tool rather than as part of a holistic security platform. For example, many malware solutions claim to be content-aware for DLP, meaning they can "see" and flag content such as sensitive or HIPAA-regulated information hidden in messages or files that are heavily obfuscated and buried many layers deep within the payload. However, malware solutions only run through three or four layers of decoding and inspection and, if nothing is found, assume that the content is safe. A DLP solution needs to dynamically unwrap and decode the entire session in real time, particularly when HIPAA-protected information is on the network.
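The layered-decoding point above, as an added example (not code from the article or from Fidelis): a depth-limited scanner that gives up after three layers beside one that unwraps until nothing decodes further. The SSN-shaped pattern, the gzip/base64 nesting and the sample message are constructed assumptions standing in for HIPAA-regulated content on the wire.

```python
import base64
import binascii
import gzip
import re

# Constructed stand-in for HIPAA-regulated content: an SSN-shaped identifier.
PHI_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MAX_BYTES = 1 << 20  # refuse to inflate beyond this (decompression-bomb guard)

def unwrap_once(data):
    """Peel one layer (gzip or strict base64); return None if none applies."""
    if data[:2] == b"\x1f\x8b":  # gzip magic
        try:
            out = gzip.decompress(data)
            return out if len(out) <= MAX_BYTES else None
        except (OSError, EOFError):
            return None
    try:
        return base64.b64decode(data, validate=True) or None
    except binascii.Error:
        return None  # not base64 either: nothing left to unwrap

def scan(payload, max_depth=None):
    """Return (phi_found, layers_unwrapped). max_depth=None unwraps fully,
    which is what the article says a DLP engine has to do; a small max_depth
    models a malware engine that stops after three or four layers."""
    current, depth = payload, 0
    while True:
        if PHI_PATTERN.search(current):
            return True, depth
        if max_depth is not None and depth >= max_depth:
            return False, depth  # gave up early: the depth-limited blind spot
        nxt = unwrap_once(current)
        if nxt is None:
            return False, depth  # fully unwrapped, nothing sensitive found
        current, depth = nxt, depth + 1

def wrap(plain, layers):
    """Constructed sample builder: alternate base64 and gzip `layers` times."""
    data = plain
    for i in range(layers):
        data = gzip.compress(data, mtime=0) if i % 2 else base64.b64encode(data)
    return data

# Constructed sample: PHI buried six layers deep inside an otherwise bland message.
SAMPLE = wrap(b"Patient: J. Doe, SSN 123-45-6789, dx: pending", 6)
```

Calling `scan(SAMPLE, max_depth=3)` returns `(False, 3)` while `scan(SAMPLE)` returns `(True, 6)`: the same payload passes a three-layer inspection and is caught only by full unwrapping.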

Efforts to find the most affordable options also can lead to purchases of software without proper training or support baked in. Security analysts in healthcare systems are most likely already overwhelmed with the everyday tasks at hand. Too many solutions mean analysts go wide rather than deep, leaving powerful capabilities untapped. They do not have time to learn every product in their stack to the point where they would get the maximum ROI. For example, most users have SIEM solutions to collect log data emitted from every product in the security stack, but important SIEM correlation capabilities go largely unused.

Additionally, while large stacks align with a defense-in-depth strategy in theory, they can slow down holistic analysis. Attackers can take advantage of the fact that security is managed by people or teams who are only experts in a specific solution or category, rather than security orchestrated across the entire system.

Lastly, security contract requirements themselves are often written by these category-specialists, leading to RFPs that are hyper-focused on specific categories to the detriment of end-to-end protection. This is exacerbated as healthcare systems and facilities issue new RFPs using their old template. As cybersecurity categories are beginning to converge, now is the time to refresh how they are purchased. It would be equivalent to an ENT doctor being expected to care for someone’s holistic medical needs. Cybersecurity, like healthcare, requires generalists and specialists working in tandem.

Culling The Stack

What healthcare systems need in cybersecurity is contextual visibility across the entire cyber infrastructure – cloud to network to endpoint. This is only going to become more crucial as IoHT devices dramatically increase the attack surface at healthcare facilities while the limitations on end-point security embedded in medical devices remain. To truly improve security, purchases of new solutions must be made more holistically.

To get there, we need to understand requirements for the system via a full requirement analysis, moving away from the category framework. Next, look at your tech stack and identify overlap and integration needs with a gap and overlap analysis.

Continuous, real-time asset classification also needs to be part of an integrated cybersecurity stack. While IoHT is creating tremendous value for patients and providers, it also means that much more network traffic carries HIPAA-protected information and that there are a greater number of entry points for potential threats.

Next, don’t underestimate the importance of training, both on the solutions in your stack and on general cybersecurity tactics and techniques. Hackers are doing it, so your cyber analysts must too. Product technology training should be included with every acquisition of new technology, in addition to funds and time set aside for ongoing cyber education training and certifications.

A Better Stack

Most healthcare systems have too many tools and platforms in their stack for a typical security team to efficiently know, integrate, maintain or leverage.

If you cull your stack and provide contextual visibility across all layers of your environment – network, endpoint, lateral movement, cloud and IoHT – your security team will be more effective and efficient. You will get better intelligence and gain a holistic view of network threats. The patients in your care will have better protection for their private information. Plus, you reduce the cost and frustration burdens being felt in too many healthcare technology environments.

This might take some time and new thinking in terms of how cybersecurity solutions are bought for health systems – but it's imperative to start thinking bigger. Security is at stake.