Healthcare organizations must establish a boundless defense-in-depth approach that they can depend on when providing safe, reliable and uninterrupted patient care.
Patient care is shifting from treating acute medical problems to a new model: fostering ongoing wellness and quality of life. This transition is significantly transforming healthcare operational norms: today, there are many digital health innovations helping make patient-provider engagements more interactive, personalized and flexible throughout the patient-care continuum.
The Indian healthcare sector is one of the fastest-growing sectors in the country and is estimated to reach a market size of USD 320 Million by end of 2022. Along with supportive government policies, accelerated technology adoption and the use of emerging tech innovations across the country are among the key drivers of growth for the sector. From robotics and AI to ML, IoT, nanotech and 3D printing, Indian health tech is fast progressing toward becoming a world leader. The pandemic has further accelerated digital adoption across smaller, non-urban health service providers, making it accessible to the masses.
Because of the unique nature of healthcare’s critical infrastructure, the diverse roles of its personnel, and the demand for anytime, anywhere access to medical records, protecting data and computer systems is a complex mission. So, when security risks increase in every threat category, healthcare organizations must establish a boundless defense-in-depth approach that they can depend on when providing safe, reliable and uninterrupted patient care. This approach should map to healthcare cybersecurity’s three fundamental care-critical missions, guided by the Confidentiality, Integrity, and Availability (CIA) Triad security model as the standard for:
1. Safeguarding the confidentiality and privacy of personal health information (PHI) against misuse.
2. Protecting the integrity of electronic health records (EHR) for patient safety.
3. Ensuring the availability of critical infrastructure and business operations with a defense-in-depth security approach.
How healthcare hacks occur
Hacking incidents involving network servers and email remain the leading attack vectors, making up more than 80% of the total count.
Each patient profile contains rich demographic and health information, consisting of eighteen identifiers as defined under the HIPAA Privacy Rule. The 18 identifiers include:
1. Name
2. Addresses
3. All dates, including the individual’s birthdate, admission date, discharge date, date of death, etc.
4. Telephone numbers
5. Fax number
6. Email address
7. Social Security Number (SSN)
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate or license number
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URL
15. Internet Protocol (IP) address
16. Biometric identifiers, such as finger or voice print
17. Full-face photo
18. Any other characteristic that could uniquely identify the individual
Threat actors favor electronic health records (EHR) or personal health records (PHR) because they’re useful in a wide array of criminal applications, such as identity theft, insurance fraud, extortion and more. Because there are so many ways this data can be used fraudulently, cybercriminals are able to fetch a higher price for it on the dark web. Meanwhile, these illegal actions cause long-term financial and mental stress for those whose information has been stolen.
Even though we have well-funded, fully equipped anti-hacking agencies across international jurisdictions, cybercriminals can still act with impunity and without fear of getting caught. With hacking tactics, techniques and procedures (TTP) evolving and getting better at evading detection, healthcare facilities can no longer risk having inadequate or unprepared defensive capabilities.
Besides the risks that data breaches pose to healthcare delivery organizations (HDOs), they can also dramatically affect facilities’ ability to provide lifesaving care. In a recent Ponemon Institute report, 36 percent of surveyed healthcare organizations said they saw more complications from medical procedures and 22 percent said they experienced increased death rates due to ransomware attacks.
Why healthcare needs a boundless connected cybersecurity approach
The increase in sophistication and frequency of cyberattacks continues to be a material risk. The security challenges HDOs collectively face are multi-dimensional. Threats come in many different forms and are used by various threat actors who wish to do harm without regard for patient wellness. Whether socially, economically or politically motivated, the results of these attacks are the same: the loss of something of considerable value, such as PHI data or operational continuity, that puts patient lives at risk and providers out of business.
The expansion of critical infrastructures and the proliferation of IoMT, mobile, wireless and cloud applications enlarge the attack surface with boundless exposure points. Threat actors can deliver ransomware using multiple attack vectors and hack your organization through any vehicle, traffic, network or device.
As cyber-defenses are a challenge at every enforcement point, from the endpoint to the network and the cloud, there has been a trend toward the proliferation of security tools pieced together to stop these threats. The resulting security tool sprawl is a big concern with regard to management, efficiency and cost. In addition, security teams with rigid lines of responsibilities and controls create security silos, making it nearly impossible to work as a unified team. The less these units communicate with one another, the more threat intelligence is isolated.
The danger behind unconnected security is that it creates a security system in which each independent enforcement point is only as strong as the weakest enforcement point in the collective defense. An integrated security system can aggregate information on threats and provide a more complete perspective on threat actors’ Tactics, Techniques and Procedures (TTP), thus strengthening the overall security posture. A security system that is not interconnected can allow an attacker to succeed with multi-vector campaigns. To combat these attacks, healthcare organizations need a boundless, connected approach.
Zero-Trust is reshaping access security for safer anytime/everywhere care
The digital transformation journey for healthcare had already gained tremendous momentum when COVID-19 threatened the wellness of the entire human race. Overnight, the pandemic began reshaping the future of healthcare services, expanding the front lines of healthcare at scale and flexibly connecting providers with patients outside of traditional care facilities.
Advances in medical technologies, medical devices, electronic health informatics, cloud data exchange, and mobile and virtual communication enable this new “anytime/everywhere” care approach. Unfortunately, although these new capabilities improve the quality of care and patient satisfaction, they also raise significant privacy and security risks for healthcare organizations.
Healthcare personnel, such as doctors and nurses, often move from hospitals to other care facilities, workstation to workstation, and device to device with varying privileges to access patient health information. The addition of remote and mobile care workers accessing these same computer systems and digital records from virtually anywhere using unmanaged personal devices also adds to healthcare cybersecurity’s growing challenges and complexities. In this environment, continuing with the outdated security model of “trust first and then verify” increases susceptibility to human error and data misuse, resulting in compliance violations, fines and class-action lawsuits.
Healthcare organizations adopt a new zero-trust (ZT) and least-privilege security model to protect the integrity and privacy of patient health information. The foundation of this ZT security concept is the belief that organizations must always assume that attackers can be anywhere, inside or outside the perimeter. Therefore, without exception, no persons, machines or locations (even within the corporate network) should be inherently trusted; instead, verify every employee and device before granting access to care-critical resources.
Assuming all endpoints are risk vectors is the safest policy
Healthcare professionals typically roam around, accessing various endpoint devices such as tablets, laptops and workstations to record medical notes and access health data during care engagements. If not managed, patched and protected with modern security, these endpoints are often open targets for threat actors to easily exploit and orchestrate an attack.
The consequences of a network or data breach are too dangerous to bear for both patients and providers, so treating all endpoints as risk vectors that must be tracked and monitored actively and constantly is the safest policy. The management and security of endpoints are more mission-critical now than ever in protecting healthcare data and systems and, ultimately, patient safety. Healthcare must employ next-generation endpoint security that can stop all threat forms and methods of attack.
Reduce the human risk factor
The growing adoption of cloud office applications like Microsoft 365 gives employees many different channels to access and share healthcare data that IT never intended to allow. Data exchanges — deliberate or accidental — between employees, partners and customers via emails, attachments and file sharing/collaboration platforms are not just customary but prevalent in today’s remote workforces and cooperative business partnerships.
The sources and mechanics of data leaks are endless. Although employees pose the highest risk, account compromise, application vulnerabilities, social engineering and configuration errors are still the top root causes that companies must address.
Keep phishing messages out of the Inbox
Phishing attacks are a top concern cited in healthcare despite the increase in security education provided to workers. Medical staff are focused on clinical analyses and treatment decisions for many patients, making healthcare systems highly vulnerable to phishing attacks that prey on distracted workers. Even the most trained and security-conscious users can be tricked by phishing emails that are crafted to look genuine and are sent from stolen or fake but known identities.
Boundless Cybersecurity solutions should be scalable with cyber-defense architecture that can cater to healthcare IT needs. They should be flexible, easy-to-deploy tools to strengthen healthcare cybersecurity, making patient care delivery more efficient, resilient and secure. An integrated, centrally managed security stack will then protect all assets and workers and ensure care continuity, patient safety and data confidentiality. Whether it is ransomware, targeted phishing, or a vulnerability in healthcare systems, a Boundless Cybersecurity approach enables healthcare to counter all threat forms, attack vectors and exposure points with the highest security efficacy and performance.
- The author is Vice President, Regional Sales APJ at SonicWall Inc.