Healthcare Innovations Add Value While Increasing Security Risks
The healthcare industry in particular, he notes, faces numerous threats because of the high-value patient data that providers need in order to maintain a high standard of care.
“Adversaries have figured that out too,” he says. “Ransomware is the biggest thing they’re facing, because they know you need it so badly that if they have it and lock it up, you’re willing to pay exorbitant amounts to get it back.”
That vulnerability, coupled with new technology innovations in healthcare — such as self-service health portals for patients, video-based remote appointments and continuous monitoring units — challenges organizations to secure an expanded threat landscape with multiple potential breach points that exist outside on-premises IT infrastructure.
“You have multiple endpoints, everything is connected, and all of these relatively new methods of consumer access, like patient portals, are now providing opportunities for adversaries to punch holes and get in,” says Aboud.
For healthcare organizations to take a risk-based vulnerability management approach, they need to go beyond the artificial borders of traditional IT environments.
“That includes analyzing vulnerability data, including the criticality of assets and the current attack activity, and continuously updating it, instead of scanning just once a month,” Aboud says.
He recommends conducting these types of security scans two or three times a week — and automating the process — as a better defense for the dynamic threat landscape.
“Once you’ve done that analysis, you need to take the appropriate action: remediate, mitigate, accept,” he says. “If it’s a supercritical component that can’t be taken down, or you don’t have ownership of it, or the risk of patching it is greater than having the infection and dealing with it, you may just choose to accept it.”
Holistic Risk Assessment Supports a Proactive Strategy in Healthcare
In healthcare, critical business services extend from electronic health records and scheduling systems to patient telemetry systems and portable IV pumps.
“All of those things are web-connected, including heart monitors that may have to go across town,” he says. “Healthcare organizations have to be able to do vulnerability management for all those things.”
Off-premises assets that are hosted in the cloud or in containerized environments are often a blind spot, he says, especially if a healthcare organization is using legacy vulnerability management that scans only on-premises IT environments.
Aboud stresses that recognizing asset criticality is a major piece of the puzzle, and it’s an area that organizations can easily overlook.
As an example, he says, suppose an organization uses a vulnerability scoring index that goes from 1 to 10. “I could have a vulnerability that scored a 10, and it’s critical, but it’s a lab system, so the criticality of that asset might be a 4,” he says. “On the other hand, I might have a vulnerability that’s only a 6 out of 10, but it’s on an asset that’s considered a 10 — tied directly to an EHR or a patient, perhaps — you need to fix that one first.”
It’s also important to pair measurement of vulnerability management with effective communication of security progress.
“It comes down to robust reporting,” Aboud says. “You have to really measure your KPIs, and those reporting and analytics tools are important on many levels, because you want to maintain management’s confidence in your capabilities.”
In the complex ecosystem of a healthcare organization, nonmedical departments, such as legal and finance, care about security reports too, he points out. Anyone with responsibility for risk management needs to know that the amount of risk is going down.
“Having tools in place that can analyze and effectively report the vulnerability management program is super important,” he says.
Mobile devices present an additional factor that’s important to fold into any vulnerability management strategy, especially for healthcare organizations with BYOD policies. Here, organizations must assess the firewall or VPN protections that such devices have, as well as where and how they connect to the network and what segments of the network they touch.
“If you don’t understand that a device is critical and needs to be locked down, you might deprioritize some of the vulnerabilities,” says Aboud. “Those things are really important, because if you’re a physician with a vulnerable device looking at a patient’s health record, you’re creating an opportunity for adversaries to get in.”