Guest Column | July 10, 2017

Healthcare's 5 Most Exploitable Cyberattack Vectors And How To Secure Them


By Jerry Hook, system architect and director of Microsoft platforms, Veristor

Hospitals and healthcare organizations are among the most vulnerable enterprises to security attacks. Why? Not only are they a lucrative target for attackers with critical information on the line and downtime risks dangerously high, they also are home to a unique set of security attack vectors.

Hacker entry points abound in healthcare organizations, from the roaming laptop to IoT devices such as the infusion pumps on IV poles. To secure your most vulnerable attack surfaces, consider these strategies. By locking down these five most exploitable cyberattack vectors, you’ll create a much more secure healthcare enterprise that’s better prepared for the threats that may lie ahead.

  1. The Cloud — The Newest Attack Vector. Hospitals are embracing the cloud to make patient data more accessible and to increase the efficiency and quality of their care. But quite often, when a physician logs into a cloud-based portal, they don’t log out. This can leave sensitive data dangerously exposed. Additionally, with the move to cloud storage, cloud application, and cloud processing, confidential information is kept in offsite data centers, spreading it across multiple locations and increasing its exposure as it travels to multiple sites. This expands the threat surface because data now needs to be protected at rest and in flight, making it harder to defend than if it resided in one central location.

How to Lock It Down:

  • Gain Visibility: Discover which cloud platforms are in use and where the weakest points are. Also, see where your data is going and who is touching it with user activity monitoring and anomaly detection.
  • Employ Data Protection: Close security gaps with Cloud Access Security Broker (CASB) services that function as a “gatekeeper” for data travelling to and from the cloud. These services use data loss prevention (DLP) technology, tokenization and encryption that allow you to hold the keys, so you can rest assured that your information is never exposed to unauthorized users or forced disclosure.
  • Control It: Enforce compliance policies consistently across multiple clouds, ensure data sovereignty and improve the pass rate of compliance audits with pre-built solutions that adhere to HIPAA and PCI regulations.

  2. BYOD — The Most Ubiquitous Attack Vector. IT policies may be in place, but often physicians will opt to use an unapproved, unsecured device to access sensitive data so they can improve their productivity. Further complicating matters, many clinicians are not directly employed by the hospital, making it extremely difficult to enforce best-practice mobile security measures. Left unchecked, user devices can expand a healthcare organization’s threat surface, creating a huge gap in security.

How to Lock It Down:

  • Use Mobile Device Security. Assess all devices on the network and create specific user accounts with granular security and policy controls. The controls can then be extended to all stakeholders who have access to sensitive data — all without restricting their freedom or hindering efficiency.
  • Get Fast, Secure Access To Clinical Applications. Tap-in/tap out with multi-factor authentication lets doctors access laptops in patient rooms without spending time entering passwords and other log-in credentials.

  3. Phishing/Ransomware — The Most Exploitable Attack Vector. Phishing only needs the slightest misstep by an end user to execute and cause large-scale damage, giving attackers a clear path to EHRs, PHI and other valuable data. The ransomware approach has been very lucrative because many healthcare organizations are willing to pay to get their files back. But this is not a long-term or viable solution. Nor is it a guarantee that your files won’t be compromised.

How to Lock It Down.

  • Enable Multi-Layer Protection. Effectively dealing with malware and ransomware requires stopping threats at multiple stages — before they execute. This lends itself to end user education and technologies that provide secure credentials along with two-factor authentication. Deploying email security gateways as well as up-to-date patched browsers is also essential.

  4. Keeping Up With Software Patches — The Obtuse Attack Vector. While enterprises tend to perform updates and patches overnight or on weekends, hospitals and other healthcare institutions operate on a 24/7/365 basis. Because there is essentially no downtime to take advantage of, it’s nearly impossible to keep up with software patches.

How to Lock It Down.

  • Virtual Patching. Patch outdated equipment virtually until you can take it offline to perform the permanent patch. A virtual patch, also called a web application firewall, prevents malicious traffic from reaching the vulnerable application without modifying the application’s source code.
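
To make the virtual patching idea concrete, here is an added example (not from the original column or any vendor product): a small WSGI middleware that enforces an allowlist rule in front of an unmodified application. The path `/legacy/report`, the `patient_id` parameter, and the `legacy_app` stand-in are constructed for illustration, and the rule covers query-string parameters only.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Constructed rule set: path on the unpatched app -> allowlist pattern that
# the single value of each named query parameter must match in full.
VIRTUAL_PATCHES = {
    "/legacy/report": {"patient_id": re.compile(r"[0-9]{1,10}")},
}

def legacy_app(environ, start_response):
    """Stand-in for the unmodified application that cannot be taken offline."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"report body"]

class VirtualPatch:
    """WSGI middleware that rejects rule violations before the app sees them."""

    def __init__(self, app, rules):
        self.app = app
        self.rules = rules
        self.blocked = []  # (path, parameter) pairs, kept for alerting

    def __call__(self, environ, start_response):
        # Collapse trailing slashes and dot segments so they hit the same rule.
        path = posixpath.normpath(environ.get("PATH_INFO") or "/")
        rules = self.rules.get(path, {})
        query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        for name, pattern in rules.items():
            values = query.get(name, [])
            # Missing, repeated, or non-matching values all fail closed.
            if len(values) != 1 or not pattern.fullmatch(values[0]):
                self.blocked.append((path, name))
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"blocked by virtual patch"]
        return self.app(environ, start_response)

def send(app, path, query=""):
    """Drive a WSGI app with a minimal constructed request; return (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body

patched = VirtualPatch(legacy_app, VIRTUAL_PATCHES)
```

The application code is untouched; removing the rule after the permanent patch is a one-line change, and the `blocked` list gives the security team a record of what the rule stopped.
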
  5. Outdated Equipment — The Age-Old Attack Vector. Upgrading certain IT equipment or software in a healthcare facility can involve systems that require FDA approval. Therefore, it’s common to find outdated equipment in use by healthcare organizations. Because the products are typically end-of-lifed by the vendor, they are no longer patched or updated, leaving them vulnerable to modern cyberattacks.

How to Lock It Down.

  • Isolate Vulnerabilities. Understand what hardware, software, and operating systems need to be monitored closely and update them regularly. Often, operating systems such as Windows are not the highest priority. Utilities such as Java or applications such as Adobe can present even greater risks if they aren’t kept up to date.

Reduce Your Threat Surface
With the federal government becoming more aggressive in fining healthcare institutions that are not compliant, and more than $5.6 billion in costs stemming from healthcare breaches last year, now is the time to elevate your security posture. While tightening the security in a healthcare organization is not a simple and absolute solution, there are many strategies and tools that can be employed to correct flaws and better defend the areas that pose the highest risk.

About The Author
Jerry Hook is a healthcare security expert specializing in architecting solutions for threat detection and intelligence. A system architect and director of Microsoft platforms at Veristor, Hook guides healthcare organizations in their security operations, processes and strategies for cybersecurity resilience.