How Healthcare Organizations Can Reduce Their Security Risk

HEALTHTECH: Why is cybersecurity such an important issue in healthcare?

STAFFORD: If we go back 10 years, I’d say it wasn’t a big issue because we weren’t electronic. Now, every healthcare system across the U.S. has become very electronic, and clinicians are reliant on the electronic healthcare record.

The biggest thing cyberattackers do in healthcare is ransomware attacks. We hear about those across the nation, and we’re seeing more of them. Imagine going to work one day and not being able to get to your email. That’s what happens to a clinician when they work out of these EHR systems. They can’t do their job or access information that they’re normally able to access.

DISCOVER: What you need to know about ransomware crisis planning in healthcare.

They still can provide care, and they do, but it does disrupt care and cause slowness. It may cause hospitals to divert patients elsewhere, affecting patient care. Then the other side of the coin is that if you’re breached, that breached data may affect patients in adverse ways that we want to avoid. When I was a CIO, I was emphatic and passionate about protecting patient information because as soon as that patient came through our doors, we were the stewards of their data and we had to protect it.

DEFORD: The one thing that we talk about all the time now is how difficult it is to do sustainable digital health innovation without cybersecurity transformation. We are motivated, especially through the pandemic, to do a lot more projects involving digital health innovation, from telemedicine to improving patient engagement programs. Protecting the infrastructure created by all our efforts and all that deeper integration of technology into the delivery of modern health care becomes a critical component of healthcare today.

HEALTHTECH: How has the security landscape changed for healthcare in recent years?

DEFORD: Adversaries really have become bolder, faster and more sophisticated, but the most concerning part is how they collaborate with each other now. CrowdStrike refers to it as an “eCrime ecosystem” because those cybercriminal companies are just as sophisticated as our healthcare organizations in many ways. They’re more sophisticated than our healthcare organizations when it comes to cybersecurity.

There are companies that act as brokers. They focus on figuring out how to break into your network and very quietly find credentials. Then they sell those on the dark web to other parts of the eCrime ecosystem, to companies that specialize in using those credentials to explore your network, discover vulnerabilities, unpatch systems and even see if they can elevate those login credentials to gain higher levels of access to more important systems on your network. Then they take that nice little portfolio of information and sell it on the dark web to ransomware criminals who quietly come back into your network. They exfiltrate important data and set off the ransomware attack, which often is the endgame.

We know that by the time we’re called in to help an organization that is in deep trouble with ransomware, the emissary has often been in the organization’s network for, sometimes, hundreds of days. Cybercriminals are good at building this sense of urgency. They’re top-notch negotiators; they’re experts in cryptocurrency and crypto exchange. They have partners that are also part of this ecosystem who don’t just write encryption and decryption software, but also, for example, chatbots, because they want to make sure their victims, who they call clients, have an easy path to pay that ransom.

READ MORE: Find out why layered security is essential to incident response planning.

If you were really good, and you decided that you had air gap backups and you were going to restore and not pay the ransom, if they’ve exfiltrated your data, you’re now a target of a second level of extortion. They could ask you to pay them to delete that data, or they’ll sell it in a secondary data leak market.

Again, that data includes information that nobody wants to have exposed such as a patient’s name, Social Security information, insurance company, health information, etc. All of that is part of this sophisticated eCrime ecosystem that we’re dealing with now. It’s not just one adversary, it’s a whole conglomerate of adversaries that work together.

STAFFORD: And boy, have they taken advantage of it during the pandemic. We sent the workforce home; we were entering the cloud more, and everybody was nervous. They took advantage of that. We’ve had five or six advisories this year, and prior to the pandemic, I think there was one ever. So, it’s a tough time.

Click the banner below for more HealthTech content on security and incident response planning.

HEALTHTECH: How are healthcare organizations working to address the changes you just described in the threat landscape?

DEFORD: Part of this is understanding what an attack looks like. There’s a lot of great research on how the cyber kill chain works and how adversaries progress through that kill chain. Every attack has witness marks, these telltale signs that different adversaries leave that give us some indication of who the attacker is. Like us, cybercriminals have habits and patterns of behavior. Those things are important to understand, and they help us figure out how they gain access, elevate credentials and move laterally.

Once the adversary breaks out of that first machine and has a lateral movement to another machine, containment and control of that event becomes significantly more complicated. The time when the endpoint is initially compromised is critical.

LEARN MORE: Find out why partnerships are important to healthcare security and incident response.

In healthcare, when we talk about trauma centers and emergency rooms, the first hour is the golden hour. If you can get to a patient in the first hour, from the point of the injury or the time they start to demonstrate symptoms, then you’re way more likely to be able to save them. It turns out the same thing is true in healthcare cybersecurity. Our research shows that it takes about an hour and a half for an adversary to break out of that first device and move laterally.

You’ve got to have the tools and the capabilities that let you resolve the issue in less than an hour. At CrowdStrike, we talk about 1-10-60 as a standard, where you can detect an attack on an endpoint in a minute, you can triage it in 10 minutes, and you can eradicate the attack within 60 minutes. If you can do that 24 hours a day, then it’s likely that you won’t fall victim to these kinds of cybercriminals.

STAFFORD: It’s still a struggle for hospitals to do this because they’re challenged by resources and they have competing priorities. What’s been the most valuable for our healthcare customers is focusing on existing threats, because you don’t have endless resources.

HEALTHTECH: What are some best practices that IT professionals should know to reduce the security risks they’re facing?

STAFFORD: You need to have executive involvement. You want to start having discussions with your board early because you don’t want to get executive involvement during a cyber incident. You already want this stuff understood because it’s only a matter of time before the hackers attack you. Discussions with executives about how you’re protecting the organization also helps you get more resources to focus on today’s threats.

It’s also important to follow the threats and create deterrent chains. Hackers only have so much time and so many resources. If they try to attack you and they can’t get in, they’re going to go off and attack someone else. The next thing is to know your landscape. That’s probably one of the first commandments a cybersecurity expert must follow. You need to know your devices, including all your endpoints in your server and your infrastructure environment.

DEFORD: I’m a retired Air Force officer, and I’ve spent a fair amount of time in combat zones. There’s a concept we use called preparing the battle space. It’s the reality that, of course, it would be best if we could avoid the fight altogether, but assuming we can’t, we want to make sure we take the fight on our terms. We want to use our tools and tactics to give us the advantage in the fight whenever possible. A lot of this stuff Tom is talking about is really preparing the battle space and preparing your own network better than anybody else.

That means you need to patch and train end users. And if, for some reason, you have to make exceptions through your cybersecurity protocols and processes, have a good way to keep track of those exceptions so that you can come back and fix them. The pandemic was a perfect example of that. We bought equipment from people we weren’t used to buying equipment from. We were getting it on the network as quickly as possible because patients and families needed it. We did work from anywhere, we attached to new vendors because we were trying to buy personal protective equipment that we couldn’t get access to in any other way, we were doing telehealth, etc. We made a lot of exceptions to our rules, and that’s left us with some holes that the bad guys are exploiting.

Anytime you have to make an exception, pandemic or not, you have to go back and figure out how you’re going to fix it and how you’re going to protect it effectively in the meantime.

STAFFORD: Hackers don’t attack during the day, they attack after hours, on weekends or on three-day weekends. If you’re not doing a managed stock, at least have some level of threat protection that comes in from different organizations. That will help because a lot of these organizations that provide these services, they’re seeing all the threats as they happen across the nation or across the globe, and they can see when cyberthreats are coming at you. That happened to me once. On a Friday at 4:54 p.m., there was a credential hashing attack in one of my hospitals. We were able to thwart it within four minutes thanks to a service provided by one of our cybersecurity manufacturers. They called us and said, “Hey, you’re part of this campaign.” That alerted my security engineers to go in and figure out what was going on and prevent the attack from happening. Don’t be afraid to get help, and make sure your internal security team has the proper certifications.

Overprepare and test. Do tabletop exercises. Everyone should do a ransomware tabletop exercise. You need to have the executive team in a room and say, “Hypothetically, we just got hacked.” You need to focus on it because when that meeting really happens, it’s probably going to happen at 2 a.m. on a Saturday morning and you don’t want to do it for the first time then.

Today, the best deterrent is the end user. Current attacks are coming from email. People are clicking on attachments or links, or they’re going to an adverse website. I would suggest everyone spend time training your physicians, clinicians and entire staff about cybersecurity.

HEALTHTECH: How can ethical hacking services, such as penetration testing, help healthcare organizations improve their security posture?

STAFFORD: I think it’s the best money ever spent in cybersecurity because it’s black and white. It’s not an audit where you’re discussing the grayness of how a procedure is written. You bring these folks in, who are white hats, not black hats, and they test everything. It’s amazing the ways they try to get in. If they do get in, you actually see exactly how it happened and then you have a prescriptive way to solve that. Another benefit of ethical hacking and pen testing is that it really exercises your security incident response team. When I used to do this, the only folks that knew that the ethical hackers were coming were me and one other person on the audit team. You’ll get to see how strong you are. The best thing about that is you learn from it, and you build on it.

MORE ON SECURITY: Learn 3 benefits of boosting your security program with purple teaming.

DEFORD: The only other thing I would add to that is make sure that when you’re making your agreement with the outside company that will act as the red team, part of the agreement includes not just that they will tell you about their ability to compromise a portion of your network and what they got to, but also a full-blown, end-to-end, in the weeds discussion about how they did it, what tools they used and what they found. They need to give you advice and coaching on what you can do to solve the problem after it’s been revealed.

We hear people talk about red, blue and purple teams. The purple team part of this isn’t really an actual group. It’s more of a function. That is making sure that the red team and blue team work closely to make sure the result of the penetration test is that the blue team gets better and better. You don’t want them to be left in the dark or feel ashamed because they were breached. Failure is how you learn. That’s why we do these pen tests.