Jan 27 2021

Risk-Based Vulnerability Management Pays Off in Healthcare

In a dynamic threat landscape, organizations need ongoing risk management assessment and response.

A rapidly shifting threat landscape and multiplying points of exposure, coupled with the devastating effects a security breach can have, require healthcare organizations to rethink their vulnerability management strategy.

That means moving away from reactive strategies toward a comprehensive, risk-based approach that continuously identifies, evaluates and maps potential threats using data analytics and, in response, proposes remediation or mitigation techniques.

Jeff Aboud, director of marketing at cybersecurity company Tenable, says that security teams today are buried with more vulnerabilities than they can handle, and they’re discovering more every day — to the extent that they can’t keep up.

“By using risk-based vulnerability management, they’re able to back up and understand vulnerability in the context of business risk, including the criticality of assets, and use that data to prioritize what’s most likely to hurt them,” Aboud says. “They can focus on the vulnerabilities and assets that matter most, instead of wasting that valuable time on vulnerabilities that have a low likelihood of being exploited.”

Healthcare Innovations Add Value While Increasing Security Risks

The healthcare industry in particular, he notes, faces numerous threat challenges because of the high-value patient data providers need to maintain a high standard of care.

“Adversaries have figured that out too,” he says. “Ransomware is the biggest thing they’re facing, because they know you need it so badly that if they have it and lock it up, you’re willing to pay exorbitant amounts to get it back.”

That vulnerability, coupled with new technology innovations in healthcare — such as self-service health portals for patients, video-based remote appointments and continuous monitoring units — challenges organizations to secure an expanded threat landscape with multiple potential breach points that exist outside on-premises IT infrastructure.

“You have multiple endpoints, everything is connected, and all of these relatively new methods of consumer access, like patient portals, are now providing opportunities for adversaries to punch holes and get in,” says Aboud.

For healthcare organizations to take a risk-based vulnerability management approach, they need to go beyond the artificial borders of traditional IT environments.

“That includes analyzing vulnerability data, including the criticality of assets and the current attack activity, and continuously updating it, instead of scanning just once a month,” Aboud says.

He recommends conducting these types of security scans two or three times a week — and automating the process — as a better defense for the dynamic threat landscape.

“Once you’ve done that analysis, you need to take the appropriate action: remediate, mitigate, accept,” he says. “If it’s a supercritical component that can’t be taken down, or you don’t have ownership of it, or the risk of patching it is greater than having the infection and dealing with it, you may just choose to accept it.”

Holistic Risk Assessment Supports a Proactive Strategy in Healthcare

In healthcare, critical business services extend from electronic health records and scheduling systems to patient telemetry systems and portable IV pumps.

“All of those things are web-connected, including heart monitors that may have to go across town,” he says. “Healthcare organizations have to be able to do vulnerability management for all those things.”

Off-premises assets that are hosted in the cloud or in containerized environments are often a blind spot, he says, especially if a healthcare organization is using legacy vulnerability management that scans only on-premises IT environments.

Aboud stresses that recognizing asset criticality is a major piece of the puzzle, and it’s an area that organizations can easily overlook.

As an example, he says, suppose an organization uses a vulnerability scoring index that goes from 1 to 10. “I could have a vulnerability that scored a 10, and it’s critical, but it’s a lab system, so the criticality of that asset might be a 4,” he says. “On the other hand, I might have a vulnerability that’s only a 6 out of 10, but it’s on an asset that’s considered a 10 — tied directly to an EHR or a patient, perhaps — you need to fix that one first.”

It’s also important to pair measurement of vulnerability management with effective communication of security progress.

“It comes down to robust reporting,” Aboud says. “You have to really measure your KPIs, and those reporting and analytics tools are important on many levels, because you want to maintain management’s confidence in your capabilities.”

In the complex ecosystem of a healthcare organization, nonmedical departments, such as legal and finance, care about security reports too, he points out. Anyone with responsibility for risk management needs to know that the amount of risk is going down.

“Having tools in place that can analyze and effectively report the vulnerability management program is super important,” he says.

Mobile devices present an additional factor that’s important to fold into any vulnerability management strategy, especially for healthcare organizations with BYOD policies. Here, organizations must assess the firewall or VPN protections that such devices have, as well as where and how they connect to the network and what segments of the network they touch.

“If you don’t understand that a device is critical and needs to be locked down, you might deprioritize some of the vulnerabilities,” says Aboud. “Those things are really important, because if you’re a physician with a vulnerable device looking at a patient’s health record, you’re creating an opportunity for adversaries to get in.”
