
Sep 12 2024
Security

Q&A: SonicWall Threat Expert on Effective Strategies for Healthcare Cyber Resilience

Executive Director of Threat Research Douglas McKee discusses the current state of healthcare cyber resilience and best practices to move the industry forward.

Cyber resilience is crucial for healthcare organizations, which are constantly under the threat of cyberattacks. To effectively bounce back from successful attacks, healthcare organizations must be prepared with the right people, processes and technology to mitigate downtime and its impact on patient care.

However, according to recent research from CDW, only 47% of health IT leaders surveyed say that they are very confident they have sufficient visibility into their organizations’ cybersecurity landscapes.

Many healthcare organizations aren’t effectively using best practices to mitigate attacks, according to Douglas McKee, executive director of threat research for SonicWall. In a conversation with HealthTech, he discussed what the threat landscape looks like today for healthcare organizations, the current state of healthcare cyber resilience and how organizations can improve their own.


HEALTHTECH: What are the biggest cyberthreats facing healthcare organizations today?

MCKEE: Ransomware is still one of the biggest threats to healthcare. We’ll soon be publishing a report specific to healthcare in 2024, and to give you a sneak peek of some of those stats, we’re seeing that 91% of data breaches in the healthcare sector result in a ransomware attack. Ransomware is still a huge problem when we’re talking about healthcare.

Something that’s unique to the industry is medical device vulnerabilities. The number of connected devices continues to increase in the medical space, and what’s interesting about that is a lot of these medical devices were unfortunately never architected or designed to be connected to an active network. This means that a lot of the appropriate security controls were not included, which is not the fault of the developers because it was never part of the original threat model for them to consider. There’s a lot of low-hanging fruit for attackers, or easy things for them to exploit.

The third threat, in conjunction with medical device vulnerabilities, is supply chain attacks, which can come in many forms. We often forget that a vulnerability in a dependency, or a security issue in a library that’s used by a larger piece of software or hardware, is considered a supply chain attack.

One of the biggest examples of this in recent times is Log4j, which is still a very big problem across the world. In fact, we reported last year that 43% of the widespread attacks that we’re seeing are still leveraging Log4j. The reason that’s relevant to the healthcare industry is that there are connected medical devices, typically with older libraries that are more susceptible to software-based supply chain attacks due to the difficulty of updating and patching these devices.


HEALTHTECH: What is the current state of cyber resilience in healthcare?

MCKEE: I want to preface this by saying it’s very different across the board depending on the healthcare organization. I’ll approach this question in two ways: the good and the bad that we’re seeing related to healthcare resilience capabilities.

From a positive perspective, over the past five years, we’ve seen a huge improvement in awareness of just how important cybersecurity is in the healthcare industry. Organizations are realizing that cybersecurity is actually connected to patient safety. When talking to CISOs and executives in the healthcare industry, we’re hearing a lot more awareness and understanding that this is a problem. They know it needs to be a priority, and that’s a very positive thing. We can’t see change in security if there’s no awareness of it. We’re also seeing more awareness on the ground: When talking to doctors, practitioners and nurses, there’s an increasing awareness that cybersecurity is a growing issue. I think that’s a positive.

Another thing the healthcare industry is starting to improve on is adopting more advanced technologies. This is going to be a slow process due to the nature of the regulatory requirements placed on healthcare, but we’re starting to see things like complete encryption. While it sounds basic, complete encryption was not seen in healthcare for the longest time. There were all kinds of protocols going over the network that were just completely unencrypted.

We’re also starting to see device manufacturers ensure that end-to-end encryption is implemented within medical devices. Now, whether those devices are adopted in healthcare is a different conversation and struggle, but at least we’re seeing more secure technologies being used in medical devices. That’s trending in the right direction.


On the flip side of things, where healthcare organizations are struggling relates to resources and having the right people or technology in place to provide the right protections. Healthcare has one of the biggest struggles in any industry, and that’s because it’s hard to do anything when you have two No. 1 priorities: human life, which is the most critical thing, and cybersecurity. Organizations have to consider the fact that cybersecurity is connected to human life, and it needs to be one of their most critical priorities. Rectifying those two things is difficult. When an organization has limited resources, how does it compete for time, dollars, etc.? That continues to be a struggle in healthcare.

Last, as a result of having two major priorities, the healthcare industry is extremely focused on regulatory compliance. However, those compliance focuses often aren’t cybersecurity focused. They haven’t taken into account cybersecurity related to patient safety. Regulation is always a slow thing. I think it’s improving, but it’s still an area of struggle for healthcare organizations.

HEALTHTECH: What are some strategies and solutions healthcare organizations can implement to improve their cyber resilience?

MCKEE: People are often surprised by my answer to this question because it’s actually nothing technology-related. Most of the things that healthcare organizations can implement to improve cyber resilience are often process-based, believe it or not. A healthcare organization is never going to have enough resources, whether that’s people or technology, which means that prioritization is extremely important.

Prioritization and baselining are probably the two most important things that can improve an organization’s cyber resilience. Healthcare organizations shouldn’t rely on generalizations and say, “The attackers are coming for everything.” That might be true, but it’s not going to allow them to align their resources appropriately with what needs to be protected.

Instead, healthcare organizations should focus on what truly is mission-critical to their business. A good example of that is electronic health record solutions. Are we making sure that the security of an EHR, if that’s our business-critical system, is priority No. 1 when it comes to cybersecurity? If that means we have to pay less attention and time to some other things, then that’s OK, because we know that this is the crown jewel. Organizations have to prioritize the limited resources they have.


In conjunction with that is baselining, or the understanding of what is normal for a network and for an organization. If we don’t understand normal, we can’t identify abnormal, and it’s a losing battle at that point. I often find that organizations skip the baselining. They have all of these alerts in place and they’re trying to detect bad things, but then they’re just spinning their wheels trying to understand if that alert is good or bad. Is that a false positive or false negative? That process becomes a lot easier if you first know what’s normal on your network.

Baselining is having visibility into what’s running on our networks, which is one of the most important things. When you have that visibility, you can implement adaptive controls. You can have the training required to work on the appropriate protocols or technologies.

I want to quote a coworker of mine, Michael Crean, who is the executive vice president of managed services at SonicWall. He often talks about people, process and technology, in that order. The order is important. You must have the right people in place to implement the right processes to use the technology.

We often put technology first on that list, and that’s setting us up for failure. Technology is important, but we need the right people to leverage that technology. While the technology provides us visibility, if it’s not set up properly and we don’t have a process around it, then it’s just going to create alert fatigue. We might have all this technology in place, but if we don’t have the right training for the people to use that technology, then it’s not going to be effective.
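As an added illustration of the baselining idea McKee describes (example code written for this page, not SonicWall's or the interviewee's own tooling), the script below learns which destinations and ports each device normally talks to from a learning window of flow log lines, then flags flows in a later window that fall outside that baseline, so an alert on a medical device reaching a new peer can be judged against "normal" rather than in isolation. Device names, hosts, the log format and every log line are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed flow log lines (not real traffic): the learning window ...
BASELINE_LOG = """\
src=infusion-pump-01 dst=ehr-gateway dport=443
src=infusion-pump-01 dst=ntp-server dport=123
src=infusion-pump-02 dst=ehr-gateway dport=443
src=infusion-pump-02 dst=ntp-server dport=123
src=imaging-ws-01 dst=pacs-server dport=104
src=imaging-ws-01 dst=ehr-gateway dport=443
"""
# ... and a later window to review; 203.0.113.7 is a documentation (TEST-NET-3) address.
DETECTION_LOG = """\
src=infusion-pump-01 dst=ehr-gateway dport=443
src=infusion-pump-02 dst=imaging-ws-01 dport=445
src=imaging-ws-01 dst=pacs-server dport=104
src=infusion-pump-01 dst=203.0.113.7 dport=443
"""
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_flows(log):
    """Yield (src, dst, dport) from each matching line; non-matching lines are skipped."""
    for line in log.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def build_baseline(flows):
    """Map each source to the set of (dst, dport) pairs it used during the learning window."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return dict(baseline)

def find_deviations(baseline, flows):
    """Return flows the baseline does not cover, each tagged with the reason."""
    deviations = []
    for src, dst, port in flows:
        known = baseline.get(src)
        if known is None:
            deviations.append((src, dst, port, "source never seen during baselining"))
        elif (dst, port) not in known:
            deviations.append((src, dst, port, "new destination/port for this source"))
    return deviations

def run_example():
    # Baseline on the learning window, then review the later window against it.
    return find_deviations(build_baseline(parse_flows(BASELINE_LOG)),
                           parse_flows(DETECTION_LOG))
```

In the constructed data only the two flows that break the learned pattern are reported: a pump reaching an imaging workstation on port 445 and a pump reaching an address outside the baseline; the other flows match normal and produce no alert.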


HEALTHTECH: What best practices should healthcare organizations follow to bolster their security environments?

MCKEE: The obvious answer: Use them. Use best practices. You’d be amazed how many times you walk into an organization and they’re not using industry best practices. And that extends beyond healthcare. So, the first piece of advice is to make sure you’re using industry best practices, because they are extremely important to ensure that you’re implementing security properly for your organization.

Microsoft recently reported that only 38% of Entra ID monthly active users use multifactor authentication. If that’s the level of adoption of an industry best practice, then we’re always going to continue to struggle in those areas.

Another industry best practice that’s important specifically to healthcare is network segmentation, which ties into zero trust. The reason that’s important is because we have network-connected medical devices that were never intended to be network-connected. They are more exposed to supply chain attacks, and we need to ensure that they are segmented off from other critical systems as much as possible. It’s important for organizations to mitigate the risk to the best of their ability.

It’s important that an organization be more difficult to attack than the next one, because if its IT team just raises the bar by using industry best practices such as network segmentation and multifactor authentication, then a hacker will likely look for an easier target. So, if you can implement those things, follow those guidelines and be more secure than the next organization, you’re going to be putting yourself in a better situation.


HEALTHTECH: How can partnerships help healthcare organizations improve their cyber resilience?

MCKEE: Partnerships are critical for any organization, and healthcare is no exception. We can define partnerships in many ways, but how I think about it is leveraging industry intelligence or publicly available information specific to the healthcare industry. You can even get region-specific with that intelligence to drive your mitigation and defensive strategies as an organization.

For example, we put out two threat reports a year. We just released our SonicWall 2024 Mid-Year Cyber Threat Report, and we’re coming out with a healthcare-specific threat brief soon. Simply reading that information and understanding what attackers are doing in your industry is extremely important for how you frame your prioritization and which defensive strategies you put in place.

If attackers aren’t leveraging a certain type of what we call TTP (or tactics, techniques and procedures), then it’s a waste of your limited resources to put time and effort into building up mitigations for that tactic. Leveraging partnerships and industry intelligence is critical to appropriately prioritizing and using your limited resources.

I also encourage collaboration with other cybersecurity companies as well as other healthcare providers that might be seeing certain types of cyberattacks. All of that is going to be good for any healthcare organization.
