Healthcare organizations and their third-party suppliers are consistently among the most frequently targeted by cyber criminals, and now even nation-states. The criticality of the services provided, combined with the wealth of sensitive information held by medical organizations and the challenges in keeping systems up to date, have made healthcare breaches an all-too-frequent headline.
So, what can healthcare organizations do to defend themselves?
We spoke with Keith Jonah (CISSP, CISM, CRISC), Cyber Management Consulting Practice Leader, ISA Cybersecurity, to get his insights from 38 years of consulting experience, specializing in privacy and security governance and programs. Joining Keith is Priscilla Petgrave, Senior Client Executive, ISA Cybersecurity, who works daily with healthcare organizations helping them improve their cybersecurity posture.
Together, they present the top 10 ways healthcare organizations can defend themselves against today’s pervasive cyber threats:
1) Implement a Security Awareness Program
Your people form the first line of defense against cyber threats. Training staff to know how to protect institutional data is essential. Every team member should be taught to recognize, report, and respond to suspected cyber attacks. Security awareness in healthcare, as with any organization, should be a continuous process. With dynamic threats and healthcare organizations a common target of cyber attackers, staff need to be constantly vigilant. And as healthcare personnel may continue to work remotely even post-pandemic, an awareness program will need to address the unique challenges of working away from the office or clinic too.
“Once-a-year, check-the-box training programs may notionally satisfy audit criteria, but they don’t adequately prepare your teams or illustrate that you are serious about protecting patient and staff data. A great security awareness program will talk about best practices, emerging threats, and tie back to your corporate IT policies, responsible use guidelines, and so on,” says Keith. “The most effective programs I’m seeing lately are integrated with the work, so learning opportunities aren’t disruptive. For example, there are lots of systems that block a bad link in a phishing email. But a smarter system can not only detect a potential issue, it can also notify and coach the user on what’s happening in the moment – this is a really powerful way to provide continuous, relevant learning.”
2) Multi-factor authentication
Multifactor authentication (MFA) is an essential part of a cybersecurity program for healthcare organizations. Balancing ease of use with strong security is particularly important in the medical environment, as inefficient or cumbersome solutions can cause user frustration and put patient care at risk. “I’m seeing a lot of facilities struggle with the decision to move ahead with MFA. Even though leadership realizes it’s the right thing to do, cost, complexity, and continuing administration are creating disincentive to act. This worries me,” Keith says. “Today’s solutions are proven to be reliable, are straightforward to implement, and it’s easier than ever to onboard and train users. MFA is required for cyber insurance coverage and to meet compliance requirements, so it should be on everyone’s radar.”
“I laud healthcare organizations that have implemented MFA, but I remind them that cybersecurity never sleeps,” Priscilla warns. “If you’re still using SMS confirmations as part of your multi-factor experience, look to update. Authentication applications and biometrics are replacing old-style text message confirmations, which aren’t as secure – hackers have developed a number of ways to spoof or steal numbers and intercept texts.
“You’ve gone to the effort of implementing MFA – why would you not make it as secure as possible?”
3) Limit Access to Sensitive Data
Few organizations hold more sensitive data than healthcare facilities. Beyond the obvious, highly personal health details for patients, healthcare facilities have the responsibility of safeguarding financial information, insurance details, and family contact information. A mature data security architecture and effective cybersecurity practices are crucial to help protect these databases. The consequences of data breach and disclosure can be devastating to the victims, and can have a serious impact on the facility as well. In Canada, healthcare data breaches must be reported to the Privacy Commissioner, and many provinces have their own individual standards for protecting personal health information. Protecting health information can be complex, but following the fundamentals of “least privilege” – restricting data access only to when/where/why/who needs the information – is critical.
4) Endpoint Detection and Response (EDR)
Healthcare organizations – particularly hospitals – face significant challenges when it comes to protecting endpoints. Many facilities have diverse user communities, consisting of healthcare practitioners, support staff, volunteers, and others, any of whom could be bringing their own devices into the workplace. The complexity has only increased with the pandemic, as remote work arrangements have introduced more devices into the mix. Add networks, servers, PCs, laptops, and mobile devices to an ever-growing fleet of smart, connected IoMT devices, and the potential threat becomes both clear and seemingly daunting.
“All it takes is one compromised device to allow hackers to gain a foothold on your network. Having visibility and protection for every endpoint on the network is necessity. Fortunately, the days of plain anti-virus protection are long gone – today’s best-of-breed solutions can protect the endpoints and respond to the threat quickly, isolating the device or reversing any malicious changes to a device,” Keith says. “These solutions can now be deployed quickly, and without creating performance issues on Windows computers. It’s a different world than even just a few years ago.”
5) Security Incident and Event Management (SIEM)
“It’s essential for healthcare organizations to have a SIEM in place – it’s that simple,” Keith says. “Healthcare has been targeted relentlessly by bad actors, and a SIEM solution can give your IT staff the early warning signals that a potential attack is underway.” In a cyber incident, seconds count: a SIEM not only identifies problem areas quickly, it can give your team the insights to be able to respond and react more quickly as well. Most cyber insurance policies require the use of a SIEM; many compliance regimes (e.g., PCI compliance) insist on it as well.
“I’m seeing a lot of interest in hosted and managed SIEM solutions in the healthcare area,” Priscilla adds. “The financial outlay and staffing requirements to manage a SIEM make it impractical for healthcare facilities to run their own systems. They are finding better results when using a trusted partner to manage these aspects, particularly as more and more cloud solutions are in use.
6) Threat Monitoring
Threat monitoring is an area of great importance to all organizations, and healthcare is no exception. Today’s threat monitoring tools use a wide range of data sources – called threat intelligence – to constantly monitor and evaluate your systems for indications of attack or compromise. “Threat monitoring can be a lifesaver. Some hackers will penetrate a system and lie in wait before launching an attack. If you can spot them on your network before they strike, you can prevent a more serious incident,” Keith comments. “Threat intelligence is the result of researchers and the victims of cybercrime coming together to share information and help defend against attack.”
7) Asset Management
It may sound obvious, but a key part of your building your defense is knowing what you’re defending. A current, reliable inventory of devices on your network and cloud infrastructure is the starting point for a solid security foundation. “I am often surprised by how many undocumented devices appear when conducting these inventories. It’s a huge security risk – how can you adequately protect and patch your systems if you don’t even know what’s out there,” asks Priscilla.
This inventory must go beyond the usual catalogue of desktop computers and servers: it’s just as important to track mobile and IoMT devices, which are both challenging to manage and increasingly pervasive in healthcare settings.
8) Vulnerability Management
Vulnerability management is an equally vital preventative measure. Once your inventory tracking is sustainable, a vulnerability management system helps you prioritize your updates and keep your critical systems current. Keith explains: “Where threat monitoring looks for traces of an attack that’s already happened, vulnerability management helps you identify and prioritize security fixes as quickly as possible, helping you defend against unknown threats. It’s a great combination.”
With the 24×7 nature of many healthcare facilities, downtime for system upgrades is difficult to coordinate. However, it is essential to keep all elements of the network infrastructure up to date to mitigate the risks of cyber attack. Where uptime demands are at 100%, explore system or device clustering or redundancy to allow patching to occur in a phased approach. Allowing assets to fall behind supported versions puts your infrastructure, patients, and staff at risk.
9) Incident Response Planning
Despite everyone’s best efforts, you may still be victimized by a cyber attack. It is crucial to have an incident response plan in place – one that is customized to your operations, and tested to look for gaps, and reviewed regularly as systems and threats evolve. Fallback procedures like going to paper records should be well-rehearsed and understood by all staff. In a healthcare environment, seconds count, so confusion and lack of preparation in the event of a cyber incident could have serious consequences.
“A well-constructed incident response plan will mesh with your facility’s business continuity planning, and will give everyone peace of mind that they can react appropriately in the face of any kind of crisis,” Keith says. “I think it’s important to frame the conversation as business continuity as opposed to disaster recovery. Frankly, healthcare can’t tolerate the downtime that ‘recovery’ implies – I believe the goal should be operational resilience and continuity.”
10) Backups
“While we’re on the subject of incident response planning, I can’t stress enough how important it is to have reliable, timely, and tested backups,” continues Priscilla. “If a healthcare facility suffers a ransomware attack, you effectively have two options: pay the ransom or go to your backups. No one wants to be in the position of having to pay a ransom – that money goes to fund criminal enterprise when obviously there are better ways to spend that money. And there’s never a guarantee you will get a viable decryption code in any event.”
When determining a backup strategy, there are two main criteria to consider: your recovery time objective (RTO) and your recovery point objective (RPO). RTO refers to how much time it will take to recover your data, while RPO refers to how much data you can tolerate losing by going to a backup. Every system and database has its own specific values: a criticality assessment can help you determine them in your environment.
A criticality assessment is not just a great way to help understand your cybersecurity priorities, but it can help you map out your backup strategy, from frequency to type of archive. Many facilities are moving to virtualized backups to provide restored copies of data in only minutes, since once-a-day tapes are slow and create the potential for current data loss in the event of an attack.
“But no matter how you’re taking backups, make sure they are secured and kept separate from your production systems. If you don’t create separation, the same malware infection that takes out your primary systems could affect your archives too,” warns Keith.
Learn With a Trusted Partner
A data breach at a healthcare organization can have devastating, long-lasting consequences through operational disruptions, patient identity theft, privacy breaches, and other financial, reputational, and legal impacts. These 10 cybersecurity basics are only part of the picture, but will help reduce the risk and protect your patients and staff alike.
Keith, Priscilla, and the team at ISA Cybersecurity have helped numerous Canadian healthcare providers improve their security posture and defend against cyber threats: contact us today to learn how we can help you too. You’ll discover how we provide cyber services and people you can trust.