Healthcare systems are consistently a preferred target of cybercriminals. Today, whenever a cyberattack occurs, healthcare networks seem to be right in the crosshairs. There are reasons for this.
Historically, healthcare networks have been reasonably easy to break into. Despite new EHR systems and critical infrastructure for health data exchange, healthcare generally hasn't kept up with other vertical markets on security, leaving "low-hanging fruit" for would-be attackers. These networks also tend to be highly distributed, connecting hospitals, clinics, doctors' offices, labs and billing systems into a collective ecosystem, and such a design is only as secure as the weakest link in it. They also span a wide range of users (medical staff, hospital administrators, personnel at offices and clinics, patients and visitors) and devices, including a vast array of IoT devices such as monitors, pumps or even beds, many of which were never designed with security in mind.
Patient records are also high-value targets, commanding a high price on DarkNet markets because they include names, addresses, other valuable personal data and, often, payment information. Hackers can get up to 10 times the price for medical records that they get for credit card numbers, because records are easier to exploit for identity theft, harder to detect when used for fraud and, unlike a card number, cannot simply be cancelled and reissued. Medical records aren't just a target for organized crime and hackers looking for financial gain. The rich personal information they contain is attractive to nation-states for espionage, and they can bring vast hacking resources to bear against healthcare organizations.
Now, with the recent rise in ransomware, healthcare systems have come under even more focused attack. That's because, unlike most other networks, lives actually depend on the network being up and available. When a system goes down, time is of the essence, and many healthcare operators opt to simply pay the ransom to get their systems back online, which is exactly what cybercriminals are counting on.
The solution isn’t adding more security devices
Unfortunately, this is not a problem that can simply be solved with security technology. The best security device in the world is still only as good as the personnel deploying and managing it, or the network it is trying to defend. Some healthcare networks have grown organically over time into what many security professionals refer to as an “accidental architecture.” Complex, and often archaic, systems are interconnected, combining applications, routines and devices together. The result is notoriously difficult to defend. A simple analogy explains the problem: if you have a boat with 100 leaks, and you manage to plug 99 of them, what happens to the boat?
The first critical step any healthcare security administrator needs to take doesn’t involve buying new security devices. It requires a return to security fundamentals.
Security can be broken down into three simple questions:
1. “What are you trying to do?”
This question not only has to be applied at the highest level of the organization in support of its mission statement and goals, but for every department, team, application and process being deployed across your ecosystem of networks. It drives the development of applications, the selection of devices and the design of the network.
Interestingly, most organizations don’t have a good answer for this question. Of course, they can answer it generically, but it becomes difficult when looking at the individual teams and departments that access the network. This information can also often be siloed, meaning that while individual teams may understand their objectives, there is often no central team that understands the entire business, and not everyone has a unified set of objectives. That can create conflicts and compromises.
2. “What are the risks of doing this?”
Consequence-based engineering involves understanding your key assets, determining which threats your organization is most vulnerable to (remote attackers denying access, corrupted applications or data, key IT or operational assets rendered unavailable) and engineering as much of that risk out by design as possible. This requires a strategy for seeing and tracking every device on your network, understanding which resources each individual, device or application can access, and deciding who and what should have privileges to access those resources.
While individual teams or departments may have some idea of what resources they need, and who should be able to access them, the challenge becomes more complicated as you consider the interaction between departments, applications and services. Can privileges in one area be exploited in another? What happens when sensitive data collected by an application travels to another area of the network, such as a doctor’s personal device?
3. “How can we reduce these risks as much as possible?”
This is where things can get complicated, and the solutions can be as political as they are technical.
- Build a framework
To start, all applications, systems, devices and services running in your network need to be identified and prioritized. Administrators then need to apply appropriate monitoring and maintenance. Data, devices and resources need to be segmented, access needs to be managed and privileges need to be strictly controlled to protect vulnerable resources.
This can all seem very overwhelming, which is why so many organizations fail to be adequately protected. Fortunately, there are a number of publicly available frameworks to guide you through the process. For example, since healthcare is a critical infrastructure sector, start with the NIST Cybersecurity Framework. Building the framework around open standards also allows network and security tools to communicate with each other and correlate intelligence effectively.
Assume that your perimeter security measures are going to be breached. What then? As much as possible, access control, intrusion prevention, DDoS mitigation and secure backup and recovery need to be engineered directly into the infrastructure rather than bolted on as separate security products. At the same time, systems need to be hardened, unused ports closed and the rest monitored, networks segmented, and control and data planes protected.
While novel attacks are a real risk, most breaches actually exploit vulnerabilities and techniques that have been known for weeks, months or sometimes even years. So a formal patching and updating process also needs to be established. Systems that can't be patched should be taken offline or replaced where possible; otherwise, compensating controls need to be put in place: limit the avenues an attacker can take to reach the system, control which applications and traffic are allowed to pass to it, restrict and monitor the protocols it speaks, and remove or harden the services it exposes.
- Detect and Protect
Once you have a secure network framework in place, it can be effectively complemented with the strategic selection of security tools designed to augment and enhance your network. These tools need to identify rogue devices or behavior, recognize sophisticated and modular threats, disable attacks, and correlate data between security and network devices. And in addition to their features and functions, security tools should be chosen based on their ability to be integrated into a cohesive security framework.
As much as possible, your response to any detected threat needs to be automated. Your security framework needs to detect a threat in cyber-relevant time, automatically isolate key assets, stand up new network capacity or infrastructure locally or in the cloud, and then redeploy critical tools and assets from secure storage to get your organization back online as fast as possible. In a clinical environment, the one judgment call that should stay with a human is cutting off a device that may be in use for patient care at that moment.
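As an added example (not code from the original article), here is the allowlist-and-detection logic that the "Build a framework" and "Detect and Protect" sections describe, in Python: a constructed asset inventory with one unpatchable infusion pump, a default-deny zone-to-zone policy, and a triage routine that runs constructed flow records through it, flagging hosts missing from the inventory and cross-zone flows outside the allowlist, and choosing an automated response for each. All hosts, zones, ports and log lines are assumptions made up for this example.

```python
"""Added example: default-deny segmentation policy plus rogue-device detection over
sample flow records. Inventory, zones, policy and log lines are all constructed for
illustration; they are not from the original article or from any real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: IP -> (zone, patchable). The infusion pump runs vendor
# firmware that cannot be patched, so it is the unpatchable-system case from the text.
INVENTORY = {
    "10.10.1.20": ("ehr_app", True),
    "10.10.2.15": ("clinical_db", True),
    "10.20.1.10": ("pump_gateway", True),
    "10.20.5.7": ("infusion_pumps", False),
    "10.30.9.4": ("staff_wifi", True),
}

# Zones as address ranges, so a host missing from the inventory can still be placed.
ZONES = {
    "ehr_app": ip_network("10.10.1.0/24"),
    "clinical_db": ip_network("10.10.2.0/24"),
    "pump_gateway": ip_network("10.20.1.0/24"),
    "infusion_pumps": ip_network("10.20.5.0/24"),
    "staff_wifi": ip_network("10.30.9.0/24"),
}

# Default-deny allowlist between zones: (src_zone, dst_zone) -> {(proto, dport)}.
# Anything not listed is a violation. The pump VLAN gets exactly one path out.
POLICY = {
    ("ehr_app", "clinical_db"): {("tcp", 5432)},
    ("staff_wifi", "ehr_app"): {("tcp", 443)},
    ("infusion_pumps", "pump_gateway"): {("tcp", 11073)},
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Finding:
    kind: str      # "rogue_device" or "segmentation_violation"
    host: str      # host the action applies to
    severity: str  # "medium" or "high"
    action: str    # automated response handed to the enforcement point
    detail: str


def zone_of(ip: str):
    """Return the zone whose range contains ip, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    # Constructed log format: "src=10.10.1.20 dst=10.10.2.15 proto=tcp dport=5432"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def evaluate(flow: Flow) -> list:
    findings = []
    # Rogue device check: any host that is talking but is not in the inventory.
    for host in (flow.src, flow.dst):
        if host not in INVENTORY:
            findings.append(Finding("rogue_device", host, "high", "quarantine",
                                    f"{host} is not in the inventory (zone {zone_of(host)})"))
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return findings  # intra-zone traffic is left to host-level controls here
    if (flow.proto, flow.dport) in POLICY.get((src_zone, dst_zone), set()):
        return findings
    # Cross-zone flow that is not on the allowlist. An unpatchable source leaving its
    # allowed path is the worst case, but it may be in clinical use, so the flow is
    # blocked and a human is paged rather than cutting the device off automatically.
    _, patchable = INVENTORY.get(flow.src, (None, True))
    severity, action = ("medium", "block_flow") if patchable else ("high", "block_flow_and_escalate")
    findings.append(Finding("segmentation_violation", flow.src, severity, action,
                            f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not allowlisted"))
    return findings


def triage(lines) -> list:
    """Run every flow record through the policy and return all findings in order."""
    findings = []
    for line in lines:
        findings.extend(evaluate(parse_flow(line)))
    return findings


# Constructed flow records: one allowed, one lateral move from Wi-Fi to the database,
# one pump reaching for SMB on the staff network, one unknown host, one allowed pump flow.
SAMPLE_LOG = [
    "src=10.10.1.20 dst=10.10.2.15 proto=tcp dport=5432",
    "src=10.30.9.4 dst=10.10.2.15 proto=tcp dport=5432",
    "src=10.20.5.7 dst=10.30.9.4 proto=tcp dport=445",
    "src=10.30.9.77 dst=10.10.1.20 proto=tcp dport=443",
    "src=10.20.5.7 dst=10.20.1.10 proto=tcp dport=11073",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.host} -> {f.action} ({f.detail})")
```

Run as-is, the script reports three findings: the staff Wi-Fi host reaching the database directly (blocked), the pump talking SMB to the staff network (blocked and escalated, because the device is unpatchable and may be in use), and the unknown 10.30.9.77 host (quarantined even though its flow was on the allowlist, since an uninventoried device is the "weakest link" the text warns about). The point of the structure is that the policy is an explicit allowlist the inventory owners can review, rather than a set of exceptions accumulated on the firewall.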
Finally, it is essential that an incident response team be established. Internal confusion about how to respond to an active threat can often delay an adequate response. Incident response team members need to have clearly defined roles and responsibilities, and the authority to make decisions. Lines of communication need to be established that include a clear chain of command. This team also needs to be cross-trained on essential business and communications processes and priorities, which systems can be safely shut down, and how to determine if a live threat will affect critical components of the organization’s infrastructure.
Build a real security practice
The challenge many organizations face is that their approach to security has been tactical rather than strategic. Networks tend to be designed for speed rather than defense, so they rely almost exclusively on separate security devices for protection.
Unfortunately, most existing security devices and platforms were never designed to protect today's distributed and elastic networks. Instead, they were selected and deployed piecemeal and tend to be isolated, unable to share or correlate threat intelligence with other devices or see across different network ecosystems. Most organizations also have dozens of separate security tools and management consoles in place that require tediously poring over log files and hand-correlating data to detect advanced threats. This is why so many attacks manage to breach defenses and, worse still, persist inside networks for weeks or months.
This is why security built on best practices is essential. Of course, building a strong security framework is not a single exercise. Today’s networks are dynamic, and an integrated and adaptive strategy that assesses, analyzes and improves security – including security personnel and general staff, deployed devices and systems, and protocols and processes – needs to be an ongoing effort.