The WannaCry outbreak, which reportedly racked up US$1B in damage costs and, among other things, forced doctors to cancel scheduled appointments, brought on warranted concern over pervasive ransomware attacks that could stem from oft-overlooked components of healthcare networks: exposed medical cyber assets and third-party partners.
It’s a well-known fact that advances in medical technology and information systems are key reasons for the rise in life expectancy worldwide. Integrated modern diagnostic, monitoring, and treatment systems that allow information to quickly and efficiently flow through are enabling cooperative patient care. What some may not know, however, is that the hospital information system is the backbone of this data flow. It caters to aspects of hospital operations beyond medical services—administrative, financial, record keeping, and even legal processes. And as we have learned time and again, any sufficiently complex system that combines or builds on individual systems is bound to introduce weaknesses and broaden the attack surface.
Our latest joint research with HITRUST, Securing Connected Hospitals, highlights two crucial aspects of the healthcare ecosystem that IT teams need to consider as part of their overall security strategy—exposed devices and third-party partners.
We may think hospitals would be extremely sensitive to device exposure on the internet because of the fines that the Healthcare Insurance Portability and Accountability Act (HIPAA) and similar regulations impose for data exposure violations. But when we looked for healthcare-related cyber assets using Shodan, we were surprised to find a large number of exposed hospital systems.
Aside from the risks brought on by unsecured medical devices and systems online, healthcare organizations also run the risk of compromise via weaknesses in the supply chain. Exposure stemming from security gaps in the supply chain could put connected hospitals at risk of threats such as device firmware attacks, mHealth mobile app compromise, and source code compromise during manufacturing, among others.
Healthcare organizations are beginning to understand the risk of suffering a cyberattack that affects hospital operations (staff schedule database, hospital paging, building controls, and other systems), data privacy (patient and employee personally identifiable information [PII], patient diagnosis and treatment data, insurance and financial information, etc.), and patient health (diagnoses, treatments, and monitoring data of patients). Operational risks from cyberattacks are the new norm. Threat actors can abuse exposed medical devices and supply chain weaknesses to steal data such as PII, intellectual property, and research findings, and then monetize the stolen data in various ways (identity theft, privacy violation, financial fraud, among others). Even more menacing is the exponential growth of digital extortion attacks affecting hospitals, which results in operational downtime that puts patient life and safety at risk and causes financial losses, including penalties, reputation damage, and legal troubles.
It’s true that healthcare IT teams have competing priorities, which makes it critical to use risk-based strategies. The HITRUST Alliance’s Common Security Framework (CSF) does exactly this. It provides a risk-based approach that is prescriptive rather than descriptive, and it harmonizes and cross-references standards from the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI), and HIPAA. HITRUST even offers a free assessment tool, MyCSF.
Adopting frameworks such as the CSF is just a start toward keeping hospital systems up and running to deliver life-preserving services and securing those systems from malicious actors. But we can’t stress the importance of evaluating risks enough, as threats can interrupt operations and cause financial damage. So we recommend starting with a sound security architecture and, as a baseline, using technical solutions such as network segmentation, breach detection, next-generation firewalls/Unified Threat Management (UTM) gateways, and dynamic threat intelligence, among others.
To address the also-critical human aspect, healthcare IT teams should conduct regular social engineering drills and provide training for all employees and relevant third-party partners. An incident response protocol and team, consisting of people from different hospital departments, should be established. This team should be ready to act at a moment’s notice when a breach is discovered.
To address supply-chain-specific threats, we recommend, among other measures, that healthcare IT teams perform vulnerability assessments of new medical devices and require authentication via Network Access Control (NAC) before granting network access under bring your own device (BYOD) programs.
As highlighted in our latest joint research with HITRUST, Securing Connected Hospitals, healthcare organizations, to stay secure while remaining connected, need to address two aspects of their networks as part of their overall security strategy—exposed devices and third-party partners.