No quick fix for healthcare security
From test results and lab equipment to monitoring equipment and patient records, the healthcare industry is increasingly reliant on digital solutions.
However, an ever-growing skills shortage and a lack of financial resources to implement the right security measures means there’s a constant battle raging to stay ahead of a shifting threat landscape, says Tristan Liverpool, senior director of systems engineering, F5 Networks.
New dimensions of risk
The stakes are high. Healthcare organisations have significant humanitarian and ethical dimensions to consider.
Unsurprisingly, healthcare organisations are subject to strict regulations. In the UK, the National Health Service (NHS) has its own security policies; in the US, the Health Insurance Portability and Accountability Act (HIPAA) applies. Patient data should be accessible only on a need-to-know basis, and patients must have control over how their data is used and what is kept on file.
While that is all well and good, it is hardly a deterrent to determined hackers.
A recent study by Vanderbilt University’s Owen Graduate School of Management found that, at healthcare facilities hit by a data breach or ransomware, it takes an extra 2.7 minutes to respond to a patient with a suspected heart attack. That could translate into as many as 36 additional deaths per 10,000 heart attacks each year.
Then there is the WannaCry ransomware cryptoworm, which hit the NHS hard in 2017. Microsoft had patched the SMB flaw it exploited two months earlier, and the appropriate security patches had been pushed out, but a patch that is installed and not followed by a reboot leaves the old, vulnerable code running, so many machines remained exposed. The clean-up cost? Around £92 million (€105 million).
Establishing a secure culture
One of the weakest links in the cybersecurity chain is human error. Phishing remains a favourite to catch people out. Based on analysis from the past year, F5 Labs believes phishing is now the most prominent attack method used to breach data, with the healthcare sector one of the most at risk.
Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, or rappelling down an elevator shaft with a set of lockpicks in their teeth. The hardest part is crafting a convincing email that people will click on.
Phishing and spear-phishing attacks are no longer easy to spot. A key recurring trend is that phishers continue to push for deceptive credibility, with as many as 71% of phishing sites using HTTPS to appear more legitimate. F5 Labs also found that 85% of analysed phishing sites using digital certificates are signed by a trusted Certificate Authority (CA). A browser-valid certificate proves only that whoever set up the site controls the domain name it was issued for; it says nothing about whether that name belongs to the organisation being imitated, so "look for the padlock" is no longer useful advice to give staff.
Organised crime
Organised cybercrime groups and nation-states expend significant effort to understand their victims and take advantage of social engineering techniques, such as targeting victims when they are busy and overwhelmed.
This is exactly why healthcare organisations need to ensure all employees understand the importance of securing the business’s IT infrastructure and the consequences of not doing so. Recommended technical controls include multifactor authentication (MFA), which limits what an attacker can do with a phished password (one-time codes can themselves be phished and relayed in real time, so hardware-backed, phishing-resistant methods hold up better), and web filtering that inspects encrypted traffic for malware and stops users from inadvertently reaching phishing sites. At the same time, there is no room to skimp on culture. Mandatory compliance sessions and best-practice courses help, and they should include a simple, low-friction way for users to report suspected phishing.
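Two of the points above, that a valid certificate is not a signal of legitimacy and that a web filter should stop users reaching impersonation sites, can be shown with a small lookalike-domain check. This is an added example, not code from the article or from any F5 product: the trusted-domain list and the sample URLs are constructed, and the confusables map is a tiny subset of the Unicode table. The verdict deliberately ignores whether the URL is HTTPS.

```python
"""Lookalike-domain check for a web filter or mail gateway.

Added example; not code from the article or from any F5 product. The
trusted-domain list and sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: names the organisation legitimately uses.
TRUSTED_DOMAINS = ("nhs.uk", "example-hospital.org")

# A small subset of the Unicode confusables table: characters and pairs
# attackers substitute for look-alike ASCII letters.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}


def skeleton(host):
    """Reduce a hostname to a comparison form that survives common tricks:
    punycode (IDN) decoding, accent stripping, digit/letter confusables and
    dashes used where a dot would be."""
    host = host.lower()
    try:
        host = host.encode("ascii").decode("idna")   # xn--... labels -> Unicode
    except UnicodeError:
        pass                                         # already non-ASCII, or malformed
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))  # é -> e
    for pair, letter in CONFUSABLE_PAIRS.items():
        host = host.replace(pair, letter)
    host = "".join(CONFUSABLE_CHARS.get(c, c) for c in host)
    return host.replace("-", ".")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a URL a user is about to visit.

    The scheme is deliberately ignored: a browser-valid certificate on
    https:// proves control of the name, not who is behind it."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    # 1. Exact match or a genuine subdomain of a trusted name: allow.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "allow", "trusted domain " + t
    sk = skeleton(host)
    for t in trusted:
        tk = skeleton(t)
        # 2. The trusted name appears inside a name we did not allow above
        #    (nhs.uk.verify-account.net, nhs-uk-login.com, examp1e-hospital.org).
        if ("." + tk + ".") in ("." + sk + "."):
            return "block", "impersonates " + t
        # 3. Near-miss spelling after normalisation (examplehospital.org).
        if edit_distance(sk, tk) <= max(1, len(tk) // 8):
            return "block", "lookalike of " + t
    return "unknown", "not on the allow-list; defer to reputation/category filtering"


if __name__ == "__main__":
    # Constructed sample URLs; every one of them could carry a valid certificate.
    for u in ("https://portal.example-hospital.org/records",
              "https://examp1e-hospital.org/login",
              "https://nhs.uk.verify-account.net/",
              "https://nhs-uk-login.com/",
              "https://examplé-hospital.org/login",
              "https://login.microsoftonline.com/"):
        print(u, "->", classify_url(u))
```

The "unknown" verdict is intentional: an allow-list cannot vouch for every legitimate site, so names that match nothing are handed to the filter's normal reputation and category checks rather than blocked outright. The edit-distance threshold scales with the length of the trusted name and should be tuned against the organisation's own traffic; short names such as nhs.uk are the most prone to false positives.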
Implementing new technologies responsibly
IT teams across the healthcare industry need to learn from mistakes and oversights of the past, working closely with all end-users of the technology to create processes that ensure patches are carried out regularly.
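The WannaCry lesson above, that a patch is not protection until the machine has rebooted, is something a patching process can check mechanically. Here is an added example, not code from the article or from F5, that runs over an inventory export and separates hosts that are genuinely protected from those that are unpatched or patched but still awaiting a reboot. The inventory rows, the patch identifier and its release date are constructed placeholders; real values come from the organisation's patch-management export and the vendor advisory.

```python
"""Find hosts where a required patch is missing or installed but not yet in effect.

Added example; not code from the article or from F5. Inventory rows, the
patch identifier and the release date are constructed placeholders.
"""
from datetime import datetime, timedelta

REQUIRED_PATCH = "PATCH-PLACEHOLDER"      # hypothetical identifier, substitute the real one
PATCH_RELEASED = datetime(2017, 3, 14)    # constructed release date
PATCH_SLA = timedelta(days=14)            # time allowed before an unpatched host is "overdue"

# Constructed inventory snapshot. "patches" maps identifier -> install time (ISO 8601).
INVENTORY = [
    {"host": "ward3-pc01", "last_boot": "2017-04-05T07:30:00",
     "patches": {"PATCH-PLACEHOLDER": "2017-04-02T10:15:00"}},
    {"host": "mri-console", "last_boot": "2017-02-11T06:00:00",
     "patches": {"PATCH-PLACEHOLDER": "2017-04-02T10:20:00"}},   # patched, never rebooted since
    {"host": "lab-analyser-2", "last_boot": "2017-03-30T08:00:00",
     "patches": {}},                                            # never patched
    {"host": "reception-kiosk", "last_boot": "2017-05-12T17:05:00",
     "patches": {"PATCH-PLACEHOLDER": "2017-05-12T16:40:00"}},
]


def assess(record, now_iso, patch=REQUIRED_PATCH, released=PATCH_RELEASED, sla=PATCH_SLA):
    """Classify one host. A patch that needs a reboot counts as 'protected'
    only once the last boot is later than the install time."""
    now = datetime.fromisoformat(now_iso)
    installed = record["patches"].get(patch)
    if installed is None:
        return "unpatched-overdue" if now - released > sla else "unpatched"
    if datetime.fromisoformat(record["last_boot"]) < datetime.fromisoformat(installed):
        return "reboot-pending"
    return "protected"


def report(inventory, now_iso):
    """Status of every host, keyed by host name."""
    return {r["host"]: assess(r, now_iso) for r in inventory}


def needs_action(inventory, now_iso):
    """Hosts that are still exposed, with the reason, sorted by host name."""
    return sorted((host, status) for host, status in report(inventory, now_iso).items()
                  if status != "protected")


if __name__ == "__main__":
    for host, status in needs_action(INVENTORY, "2017-05-12T18:00:00"):
        print(f"{host:16} {status}")
```

The point of the "reboot-pending" state is that a patch-compliance dashboard built only on install records would show the MRI console as patched. Comparing install time with last boot time is what exposes it, and it is the hosts that are hardest to reboot (imaging consoles, lab analysers) that most often end up in that state.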
Healthcare organisations also need to invest in technology that maintains data security as it extends across the entire network. For example, a web application security layer that tokenises sensitive data, replacing patient identifiers with surrogate values that are useless outside the system holding the mapping, can shrink the scope of regulatory audits and give providers control over where real data flows, while maintaining confidentiality requirements.
In an ideal world, the healthcare sector will become more agile, adaptable and attuned to the application economy. That means moving from traditional reliability models to a service-based approach built on application-level service provisioning, automation and orchestration, so that services can be created, deployed and modified quickly as the variables affecting the security, reliability and performance of applications and networks change.
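To make the tokenisation point concrete, here is an added example, not code from the article or from any F5 product, of a small token vault and a function that tokenises patient records before they are passed to downstream systems. The vault is an in-memory dictionary, the records and identifiers are made up, and the role policy for detokenisation is assumed; a deployment would keep the mapping in a separately secured store with its own audit log.

```python
"""Tokenising patient identifiers before records leave the system of record.

Added example; not code from the article or from any F5 product. The vault
is an in-memory dictionary, the records are constructed and the role policy
is assumed.
"""
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("nhs_number", "date_of_birth")
DETOKENIZE_ROLES = {"clinician", "records_officer"}   # assumed authorisation policy


class TokenVault:
    """Maps sensitive values to random surrogate tokens and back.

    Tokens are random, not a hash or encryption of the value, so a downstream
    system that holds only tokens holds no patient identifiers. A keyed HMAC
    index keeps tokenisation deterministic (same value -> same token, so
    joins across records still work) without storing a plain hash that could
    be brute-forced from the small space of real identifiers."""

    def __init__(self, index_key):
        self._index_key = index_key
        self._token_by_index = {}
        self._value_by_token = {}

    def _index(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value):
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(12)   # random, unrelated to the value
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token, role):
        """Only authorised roles may recover the original value."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._value_by_token[token]


def tokenize_record(record, vault, fields=SENSITIVE_FIELDS):
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = vault.tokenize(str(out[field]))
    return out


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed patient records; the identifiers are made up.
    records = [
        {"nhs_number": "000 000 0001", "date_of_birth": "1970-01-01", "test": "HbA1c", "result": 48},
        {"nhs_number": "000 000 0001", "date_of_birth": "1970-01-01", "test": "eGFR", "result": 72},
        {"nhs_number": "000 000 0002", "date_of_birth": "1982-06-30", "test": "HbA1c", "result": 41},
    ]
    for r in records:
        print(tokenize_record(r, vault))
```

The audit benefit follows from where the mapping lives: the analytics platform, the reporting tool and the third-party integration each receive only tokens, so they hold no patient identifiers and fall outside the scope of controls that apply to the vault itself. The index key must be managed as a secret, since anyone holding it can test a guessed identifier against the index.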
Securing board-level buy-in
Unfortunately, too many boards still overlook the importance of security.
Disconnects are prevalent. Studies among US and UK C-level executives by the domain registry Nominet found that 78% admitted to gaps in their knowledge about malware, 68% conceded gaps about phishing, and 66% said they needed to learn more about ransomware.
One obvious tactic to deal with this is to elevate the importance of the Chief Information Security Officer (CISO).
If the board doesn’t take security seriously, nobody will. All too often, the board sees cybersecurity as a bolt-on insurance policy rather than a fundamental element of both IT and business strategy. That can no longer be the case if healthcare organisations want to adequately and continuously protect staff and patients.
The author is Tristan Liverpool, senior director of systems engineering, F5 Networks.
Comment on this article below or via Twitter @IoTGN