Barnabas Health Chief Information Security Officer Hussein Syed says his organization has seen tremendous cybersecurity benefits from microsegmentation.
For healthcare organizations, cyberthreats can take many forms, including malware, ransomware and compromised devices.
Securing organizations against such threats, particularly as they grow and evolve, was the primary topic of discussion among cybersecurity and IT experts during an interactive educational session Tuesday at the Healthcare Information and Management Systems Society’s 2017 conference in Orlando, Fla.
In particular, Ladi Adefala, a senior security strategist for Fortinet, shared insights about his work and the threats he sees cropping up in the industry. Adefala talked about a breed of ransomware he discovered called Stampado, which boasts a feature dubbed “Russian Roulette” that not only deletes one file every six hours (to try to motivate victims to pay), but deletes full portfolios of stolen files after 96 hours.
“Imagine if those were health records being deleted,” Adefala said. “I’m telling you, your [disaster recovery] plan better be rock solid. Rock solid, tested, re-tested and validated.”
A Larger Attack Surface
Adefala believes hackers continue to stay ahead of the cybersecurity curve in healthcare for one main reason in particular: a larger attack surface.
He divided that surface into three segments: traditional, which includes laptops, email and servers; medical information centers, which includes electronic health records and devices such as CT scanners; and transformed care, which includes wearables, mobile applications and remote health monitoring tools.
“The larger the attack surface, the higher the probability that the bad guys can get in, one way or another,” Adefala said.
Hussein Syed, CISO at New Jersey-based Barnabas Health, expressed a similar sentiment, citing estimates that as many as 646 million Internet of Things devices will be used in healthcare by 2020.
“There is a huge explosion in IoT,” Syed said. Cybersecurity incidents can happen anywhere, he added. “They all take due diligence.”
E-Cigarettes a Cyberthreat?
According to Adefala, the two most prominent methods of delivery for cyberattackers are email and the web.
Regarding the former, he said, “there’s a whole motley crew of users.” The latter, he said, involves users going to legitimate websites that are vulnerable to attacks such as clickjacking. “As you go further down the kill chain, if the attack is more successful, your risk shoots through the roof and the cost to the business skyrockets,” Adefala said.
But email and the web aren’t the only threats. As one session attendee shared, his organization had been compromised following the use of a thumb drive. Another said his organization was compromised after a user tried to charge an e-cigarette on a computer.
“There’s not just one vector, there’s multiple vectors,” Adefala said. “The reason this becomes even more challenging to mitigate risk from delivery is because the practical implementation of that model is not exactly easy.”
In the past, organizations used to have boundaries where security specialists could easily say “we have it locked down tight,” Adefala said. Now, though, those lines are blurred.
To that end, he suggested microsegmentation: breaking organizational networks into smaller networks to detect and contain threats in specific segments.
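Read as a policy, the segmentation Adefala describes is a default deny between segments with a short allowlist of the cross-segment flows that clinical workflows actually need, so a compromised device in one segment cannot quietly reach another. The script below is an added example, not code from the article, Fortinet or Barnabas Health; its address ranges, ports and flow records are constructed to illustrate the three segments named above, and it shows how a segmentation policy can be checked against observed flows to surface the cross-segment traffic worth investigating.

```python
import ipaddress

# Segments follow the three-way split described above. The CIDRs are constructed
# sample ranges, not any real organization's addressing.
SEGMENTS = {
    "traditional": ipaddress.ip_network("10.1.0.0/16"),  # laptops, email, servers
    "medical": ipaddress.ip_network("10.2.0.0/16"),      # EHR, CT scanners, PACS
    "care": ipaddress.ip_network("10.3.0.0/16"),         # wearables, remote monitoring
}

# Allowed cross-segment flows as (src_segment, dst_segment, dst_port); everything
# else between segments is denied. Ports are assumptions for illustration.
ALLOWED = {
    ("traditional", "medical", 443),   # clinician workstations to the EHR web tier
    ("care", "medical", 8443),         # remote-monitoring gateway to the ingest API
}

def segment_of(ip):
    """Map an address to its segment name, or None if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate_flow(src, dst, port):
    """Return 'allow', 'deny' or 'unknown' for a single flow under the policy."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "unknown"          # not covered by the segment map; handle separately
    if s == d:
        return "allow"            # intra-segment traffic is out of scope here
    return "allow" if (s, d, port) in ALLOWED else "deny"

def find_violations(log_lines):
    """Parse 'src dst port' flow records and return the denied cross-segment flows."""
    violations = []
    for line in log_lines:
        src, dst, port = line.split()
        if evaluate_flow(src, dst, int(port)) == "deny":
            violations.append((src, segment_of(src), dst, segment_of(dst), int(port)))
    return violations

# Constructed flow records: two expected flows, one intra-segment flow, and two
# cross-segment flows the policy does not permit (a monitoring gateway reaching a
# CT scanner over SMB, and a scanner opening SSH to a corporate server).
SAMPLE_FLOWS = [
    "10.1.5.20 10.2.0.10 443",
    "10.3.7.4 10.2.0.10 8443",
    "10.1.5.20 10.1.5.21 445",
    "10.3.7.4 10.2.0.50 445",
    "10.2.0.50 10.1.9.9 22",
]
```

Running `find_violations(SAMPLE_FLOWS)` returns the last two records with their source and destination segments, which is the list a SOC would review and the rule set a segment firewall would enforce.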
Adefala and Syed both acknowledged challenges with segmentation, such as the creation of additional networks that require monitoring. However, Syed said such an approach improved patient satisfaction at his organization by 70 percent and saved money, which enabled Barnabas to get funding approved for additional cybersecurity initiatives.
“As we all know, patient satisfaction surveys account for a lot in healthcare,” Syed said. “We saw our patient satisfaction surveys going from unsatisfactory to extremely satisfied just because we offered them the ability to get their internet and conduct business. For some of the specialty services, family members come with the patients, and if they’re not able to conduct their business, they’re basically rendered useless for that period of time. We’re able to offer them the remote access they need.”