With the wealth of personal health information housed by healthcare organizations, it’s no wonder that they can be a top target for hackers. In fact, a recent study by security firm Cylance has found that the healthcare sector accounted for more than half of all cyberattacks in 2017.
“Cybercriminals are adept at modifying their malware and methods to stay ahead of traditional protections that organisations deploy, as seen by the rise in infections and sophistication of attacks in 2017,” Rahul Kashyap, worldwide chief technology officer at Cylance, said in a press release. “It's critical that companies are aware of the threats, keep up-to-date with patches, and use defences that protect against constantly evolving malware.”
This statistic matters even more because, as CDW’s Cybersecurity Insight Report points out, healthcare organizations face large fines or legal consequences if they fail to meet regulations such as the Health Insurance Portability and Accountability Act of 1996 or the more recent Health Information Technology for Economic and Clinical Health Act of 2009.
“Cybercriminals are still exploiting aged and unstable infrastructure in the healthcare sector to extract data, extort networks for ransom, leech off of network elements for financial gain and more,” says Sonia E. Arista, national healthcare practice director at Fortinet, which recently released research on the current threat landscape for healthcare organizations.
Arista notes that as cybercrime is evolving and hackers are adopting new and varied ways of attacking networks, “from reconnaissance and weaponization, to post-attack command and control,” it is difficult for healthcare organizations to keep up.
“This means healthcare organizations need adaptive technology and agile security programs to maintain strong security postures against an ever-evolving attack surface and growing cybercrime economy,” says Arista.
But successfully protecting against a constantly evolving threat landscape is no easy feat, and it often means not only making use of security tools and policies, but also understanding which threat vectors providers face.
In Fortinet’s Quarterly Threat Landscape Report for Q1 of 2018, two key threat vectors for healthcare organizations emerged.
IoT Offers the Potential for New Provider Cyberthreats
The use of Internet of Things devices in healthcare continues to grow, but IoT security is challenging for providers on a number of levels.
“When you have devices of all types in your portfolio that you are trying to manage in a health system, it’s very hard to keep up with regular patching and consistent communication with your employees regarding security concerns. The large number of solutions also makes it hard to budget for the management costs,” explains Anthony Giandomenico, senior security strategist and researcher for Fortinet.
IoT threats are evolving fairly quickly, in large part due to the leak of the Mirai malware source code.
“[IoT threats] are becoming more resilient by creating decentralized C2, meaning they communicate via peer-to-peer, making it harder to take down,” Giandomenico explains. “In addition, many of the IoT botnets have the ability to target multiple vulnerabilities cross-platform, resulting in much faster spreading.”
These vulnerabilities also open devices up to cryptojacking (malicious cryptomining), distributed denial-of-service attacks and other threats.
To protect IoT devices from these new threats, Fortinet recommends a “learn, segment, protect” approach.
This starts with establishing secure access controls and inventory systems to learn more about devices connected to networks, how they’re configured and how they authenticate. Once complete visibility is achieved, organizations can then dynamically segment IoT devices into secured network zones with customized policies. These segments can then be linked together by an integrated, intelligent and protective fabric across the network — especially at access points, cross-segment network traffic locations, and even into multicloud environments.
Mobility Makes Healthcare Networks Vulnerable
As mobility takes off, many hospitals and healthcare systems are adopting secure messaging solutions and integrating security into mobility strategies. But for many healthcare organizations — and, more importantly, the users on their networks — mobile security is still a mystery.
“Many users don’t think that their phones are as vulnerable as their laptops and PCs, which, in turn, lowers their guard when determining if, for example, an email is legitimate or not,” explains Giandomenico.
What can providers do to better spot mobility attacks? One simple option, according to Giandomenico, is to make sure the healthcare system incorporates mobile attacks into user-awareness training programs. This will ensure “the users understand that attackers are targeting mobile devices more and more, and can identify how to spot various attacks such as phishing or SMS attacks.”
Since many employees connect to their networks via their private devices, Giandomenico suggests that providers offer some basic protection steps to hospital staff in trainings, including:
- Encouraging users to regularly check for updates and make sure they are installed
- Ensuring devices carry malware protection
- Checking device settings often, as some can help prevent installation of apps from untrusted sources
- Disabling Wi-Fi auto-connect, so devices are only connecting to known or trusted Wi-Fi networks
Encryption, Evaluation and Training Can Keep Care Networks Safe
With new and old threats brewing in healthcare, it can be tough to know where to start. Arista has three recommendations:
1. Encrypt where possible: In recent years, cryptographic science has advanced significantly, Arista notes, and encryption no longer immediately introduces latency into a system. “Think hard about potential consolidation within the software portfolio and narrowing the breadth of varying endpoint images, configuration and operating systems in infrastructure,” she says.
2. Evaluate new tools: “Evaluate the environment through the lens of identified threat vectors, business (and potential clinical) risk and the overall operational cost of effectively managing security outside the boundaries of your environment,” Arista says. For example, artificial intelligence and machine learning-based technologies could offer tremendous new capabilities to inject visibility and awareness into network activity and better identify any unusual new activity without having to defend against a specific threat.
3. Train staff on cybersecurity: “Don’t overlook the most important and effective method of prevention: the human factor,” Arista says. “Training, consistent messaging and cyberawareness campaigns have tremendous return in mitigating and avoiding incidents.”