Digital transformation is powering advances in holistic healthcare, yet it also exposes a larger attack surface to malicious actors.

The dark web facilitates the sale of stolen patient data for profit now, and the healthcare sector has some catching up to do. In a recent global survey of 20 healthcare CISOs, the most confident organizations could only rate their cybersecurity standing at a dismal C.

Medical records contain sensitive data that can be used for identity fraud, prescription forgery, or insurance and tax fraud. Generally, information contained in medical records is more ‘permanent’ than financial information like credit card numbers – so this type of information fetches higher payouts on the dark web.

However, aside from the profit motive, hackers also engage in cyber terrorism, espionage and sabotage when attacking hospitals. More than 80% of surveyed organizations noted an increase in cyber attacks over the past year, while two-thirds cited increased sophistication in attacks, including ransomware incidents.

“Healthcare data is itself a highly lucrative target for attackers,” said Dave Sheppard, vice president for Asia Pacific and Japan, Bitglass. “On the other hand, healthcare organizations have also become a popular target for ransomware attacks. With patient care potentially at risk if there are any delays in accessing data, these organizations are often likely to pay a ransom.”

With strict personal data protection laws such as Europe’s General Data Protection Regulation (GDPR) in force, we are seeing stronger efforts at the government policy level to mandate tighter security measures in the healthcare sector, especially since the global waves of digital disruption are necessitating the integration of digital transformation drives across the medical, financial and government sectors.

Securing the way forward

Leonard Kleinman, chief cybersecurity advisor, APJ at RSA, noted that “the bitter truth is that there is no easy fix, but having better visibility into the enterprise IT environment is a fundamental first step. Ultimately, it’s going to take a concerted, ongoing effort by hospitals, healthcare practitioners, contractors, legislators and even patients themselves, to ensure that the future of healthcare data is a secure one.”

“Organizations must adopt solutions that can respond to any threat from anywhere,” added Dave Sheppard. On the preemptive side of the security stance, healthcare organizations need to beef up on threat-hunting. In the global healthcare CISO survey, only one-third of respondents currently have such a practice.

Survey analysts state that it is no longer realistic to base security strategy on reactive defense alone. “The inevitability of breach puts pressure on organizations to start proactively detecting and neutralizing attack vectors by improving visibility, hunting threats and developing effective measures to combat counter incident response.”

In recent surveys around the globe, the vast majority of CISOs reported that threat hunting significantly improved their overall security posture. Threat hunting is also no longer an activity reserved for the security elite. Modern and easy-to-use threat hunting software is helping businesses of all sizes gain visibility across their businesses.

From the survey results and the trends discerned, the report has distilled a set of five recommendations for the healthcare industry:

  • Increase endpoint visibility: All connected assets must be seen as a potential target.
  • Harden the entire system against emerging attacks: With the potential attack surface growing and evolving quickly, leverage a variety of technologies from whitelisting to streaming analytics to behavioral prevention.
  • Run automated compliance and vulnerability testing: With the risk of island hopping ever present, audit systems regularly and establish remediation steps across the security infrastructure.
  • Work with healthcare-focused managed detection-and-response vendors if necessary: When manpower and skilled resources are short, these vendors can quickly improve your security posture.
  • Mandate best practices for data backup and recovery: Employ best practices for data backup to ensure your data is never at risk from destructive attacks, including ransomware.

Prevention is better than cure

As is often said by security leaders, “compliance does not equal security”. Too many healthcare organizations that were “compliant” ended up becoming breach victims. It is notable that “compliance” was the biggest concern among healthcare CISOs surveyed.

Together with prevention, compliance is part of the prescription for a cure. This can be achieved through regular education of all levels of employees about modern threats. The work of threat hunting teams to deter and detect attacks also becomes easier when staff offer their fullest cooperation due to their willing compliance with sometimes-cumbersome processes.

The survey analysts noted that, in raising compliance standards, security programmes should be built to meet the specific needs of each organisation rather than follow some dogmatic blueprint for effective security. A holistic and circumspect approach towards prevention and crisis management is key, especially since the volume and frequency of healthcare-sector attacks will not be abating anytime soon.