“Security requires multiple layers because it’s that overlap that will probably save you,” says Jon Booth, IT director of Bear Valley Community Healthcare District in Big Bear Lake, Calif.

Oct 15 2021

Layered Security Is Essential to Healthcare Systems' Incident Response Planning

In an environment bristling with cyberthreats, healthcare organizations need to deploy tiers of security technologies and procedures as part of the instrumentation phase of incident response.

Healthcare systems across the U.S. face a daunting cybersecurity landscape. Some 34 percent of healthcare organizations were targets of ransomware attacks in 2020, according to a Sophos report.

But ransomware is just one of the constantly evolving cyberthreats looming over his hospital and clinics, says IT Director Jon Booth of the Bear Valley Community Healthcare District, which serves the resort area around Big Bear Lake, Calif., east of Los Angeles.

“The threats are increasing exponentially for us,” Booth says. “Health records are prime targets for malicious actors. If they go after credit cards, they just get financial information. With health records, they get everything. It’s about the most integrated record anyone can get access to.”

To protect those records, the rest of its data and all its systems, BVCHD deploys both targeted and overlapping defenses, Booth says, an approach to cybersecurity that healthcare organizations are relying on in the face of expected attacks.

“No one technology is perfect. There will always be something that gets through or around it,” he says. “Security requires multiple layers because it’s that overlap that will probably save you.”


A Full Cybersecurity Toolbox for Healthcare

When healthcare services were almost exclusively provided on-premises, IT could focus on securing the perimeter with tools such as firewalls and intrusion monitoring, says Frank Dickson, program vice president at IDC. That task has been complicated by network-connected medical equipment and the widespread use of personal mobile devices.

The COVID-19 pandemic also forced a number of workers offsite and spurred the accelerated adoption of virtual care, breaking down hardened perimeter defenses.

“As people, data and apps move off-premises, protecting the perimeter isn’t enough,” Dickson says. “What tools should healthcare organizations use to defend their assets? All of them.”

Cybersecurity most effectively focuses on four control points, Dickson says. The endpoints of the network require a variety of responses; protecting a nursing station computer is different from defending a simple network-attached sensor.


Identity management, usually in the form of least-privilege access policies and multifactor authentication, controls who is on the network. From there, organizations need to add the strata of tools to safeguard applications and data, Dickson says.

To fend off or mitigate ransomware and other cyberattacks, an organization must identify critical and vulnerable assets, Dickson says. IT teams should then deploy technologies and processes to protect those assets, such as intrusion detection tools.

Finally, a response plan to defuse the threat should flow into a recovery plan to restore data and systems.

“Some people think that having good backup keeps you safe, but you need a whole plan that you’re ready to execute quickly,” Dickson says. “When malware interrupts any business, it loses money, but in healthcare, people can lose their lives.”

Security Alerts at the Ready

Round-the-clock attention to emerging threats and the technologies that can block them is the foundation of effective cybersecurity, Booth says. “Complacency is the biggest enemy. You always have to think about what’s next,” he adds.

To get the clearest picture of threats on the horizon and how to deal with them, it’s important to hire trained and experienced security professionals, Booth says. In the current threat environment, “you need people on your team with specific security expertise.”

As its frontline weapon against ransomware, BVCHD relies on Sophos Intercept X, which detects ransomware and other malware attacks and isolates the contaminated messages from the healthcare organization’s network.

BVCHD tackles the special problems presented by network-attached medical equipment with Palo Alto Networks IoT Security. The technology identifies, profiles and continuously monitors traffic on network devices, detects anomalies and sequesters affected equipment from the network.

The last bastion of defense from a cyberattack is backup, Booth says. Backups should be frequent and encrypted, and backup systems should be air-gapped from the main network, he adds.

“Many organizations design their backup systems so they can be easily accessed, but that’s a huge mistake,” Booth says. “Recovery speed is important, but if achieving that means you make it possible for the backup also to be breached, you have a catastrophe instead of a recovery.”


Centering Coordination for Healthcare Security

Layers of technology and processes are necessary but not enough to protect today’s expanded cyberattack surface. All those defenses have to work together, says Sanjeev Sah, CISO of Centura Health, a network of 17 hospitals, numerous hospital affiliates and other healthcare facilities in Colorado and Kansas.

“Our security posture relies on many tools and many people, and we are continually trying to enhance that posture,” Sah says. “For security to work, an organization needs tools, processes, talented people and clear insights into threats and the environment. You have to coordinate the tools and continually work to optimize the security posture. You have to have all the elements, and all the elements need to work together.”

To cope with the demands of the expanded cybersecurity battlefield, Centura Health has adopted a zero-trust security model along with its coordinated ranks of protective technologies, Sah says. Zero trust emphasizes strict user access controls, network segmentation with restricted communication among the segments and enhanced application-level monitoring.


“We have a very good understanding of the assets in our core environment and how to protect them — but, for example, we worry about the devices and users you don’t know about,” Sah says. “We have many partners, such as physicians, who come into our environment for perfectly legitimate reasons, but we have to have the tools to authenticate them and their devices. So, we keep striving toward zero trust.”

As security tools and strategies continue to multiply, basic cyber hygiene, such as prompt patching, password changes and frequent backups, remains central to protecting the organization and its assets, Sah says. “These are the activities we should all be taking care of as the most basic component of good defense,” he says.

Stay Guarded to Defend Against Cyberthreats

Ransomware, denial of service attacks and poorly protected personal devices are all real concerns for Tim Thompson, CIO of BayCare Health System, which operates 15 hospitals and numerous outpatient facilities in the Tampa Bay area. However, his concerns lie in the unknown.

“The thing that worries me the most is the unknown,” Thompson says. “It’s a constantly changing environment. There are threats popping up weekly, if not more often.”

As healthcare adopts newer technologies to improve patient care, vulnerabilities multiply along with varieties of malware. Network-attached medical equipment is a major focus for BayCare, which uses several technologies to monitor the devices and evaluate potential risks, Thompson says.

Bring-your-own-device policies present the challenge of keeping critical assets safe and separate from the portions of the network open to infected devices or even potential bad actors. And now, remote work triggered by the pandemic has created a mirror-image security headache, Thompson says.


“We’re used to worrying about devices on our network that aren’t ours,” he says. “Now, our devices are in everyone’s homes and on home networks that might not be so well protected. We’ve added technology to cover that new set of vulnerabilities as well.”

BayCare had been offering virtual care services for several years before the pandemic, with telemedicine sessions protected by network isolation along with monitoring and threat mitigation tools.

A multitiered and multivendor approach is the heart of BayCare’s cyber defense.

“For us, security means not relying on one product or one vendor,” Thompson says. “We are constantly looking at new tools. One of the reasons we’ve chosen to partner with some vendors is that their teams are incredible at identifying and blocking new threats.”

To fund and execute a complex cybersecurity strategy, support from upper management has been critical, he adds.

“You have to make sure leadership understands the importance of security,” Thompson says.


Photography by Matthew Furman