If there’s one key lesson to take away from 2016 it’s that, in a relatively short period of time, the healthcare sector has become one the most highly-targeted industries by cyber-criminals seeking to get hold of sensitive and personal data. As the year progressed we saw a raft of ransomware attacks on the NHS and medical practices across the globe, with some hospitals forced to cancel appointments and operations as a result of their files and information being locked down.
It also became clear that the healthcare sector has serious security problems, with hospitals often relying on outdated systems and unpatched software/devices, leaving them open to attack. However, what separates the medical sector from say, the financial industry, is that a data breach for a hospital can mean much more than financial repercussions or embarrassment; when the delivery of patient care is affected, it really can be the difference between life and death.
There’s no escaping the fact that healthcare faces a challenging 2017 in terms of improving its security, and that there are serious issues that need to be addressed to ensure we don’t see a repeat of the breaches of 2016.
Secure access solutions firm Bomgar has a history of supporting NHS groups in securing their networks, and I recently spoke with William Culbert, the company’s director of solutions engineering, to get his insight on the topic, learn how healthcare can fight back and ask him where he sees things going in the future.
Why has the healthcare sector developed into one of the most at risk institutions when it comes to cyber-threats, and why did we not see this coming?
The easiest way to make money as a cyber-criminal is to obtain personal records and data and sell them on the dark web, and which is one of the industries with the largest collection of data? Healthcare. Not only this, but NHS and healthcare trusts are perhaps one of the most data rich institutions, with the smallest budget allocated to cybersecurity. Lastly, with healthcare employees working hard to care for patients, especially in stressful and time-sensitive environments, it’s no surprise that cybersecurity isn’t at the top of their agenda. It has been found in healthcare especially that employees use a lot of workarounds to bypass security measures (i.e. sharing access credentials) if it makes delivering care to a patient easier and quicker.
The increased adoption of connected devices into medical services and processes is one reason why cyber-threats have crept up on healthcare. IoT is streamlining and improving the manner in which medicine can be tracked, developed, sourced and distributed. On call/off site medical staff are also able to access information and source medicine on site, improving service levels and productivity. However, the exponential advantages of integrating connected devices into this industry, of which many have been rushed to market without security considered at the design stage, can potentially open up points of vulnerability which have increased security fears for decision makers. This coupled with employees who are not aware and do not prioritize cybersecurity could lead to a rise in insider threats.
We have seen ransomware have a huge impact on the healthcare sector this year, but why has that particular threat vector proved to be such a big problem?
The biggest threat to any organization is understanding who actually has access to information and at what levels within the network. For the healthcare industry, access can come in many forms, from an off-site doctor accessing medical history and prescription requirements, to ambulance and emergency staff needing to log cases. Therefore they must ensure that the right person is accessing the network or device, each time a request takes place with the correct level of attributed trust.
However, even when an authorized access has been made to a network, there is no guarantee that a hacker hasn’t ‘piggy backed’ the connection or placed ransomware on the device through rogue emails or remote access trojans. These are the methods hackers can utilize the open connection to the network to gain the same level of access as the member of staff.
The healthcare sector is particularly susceptible to ransomware attacks because losing access to patient records can cripple the ability to provide services to patients, putting the health of consumers at risk. Hackers know this risk and won’t hesitate to target organizations with inadequate security controls in place.
For the healthcare industry, employing access controls could be vital in eliminating the wide spread impact of hacks and ransomware, containing the threat to only the specified areas the target could access and identifying any large scale data extractions, inevitably stopping them at the source.
How can healthcare organizations be more diligent regarding their processes and protocols?
Managing the access to customer data and sensitive network resources is the number one thing healthcare organizations can do to quickly reduce risk and increase security. A strong firewall perimeter is important, but like a physical wall, it has doors. How many doors allow people in? By limiting access to ‘least privilege necessary’, businesses can not only reduce the number of doors, but also make it a lot harder to get in the ones that remain. Technology such as privileged access management monitors who’s going in and out of those doors, and password vaults keep the keys needed for those doors more secure.
What are some best practices that healthcare providers can learn from other sectors (such as the finance industry) as they try to strengthen their security?
Healthcare providers are going to be desirable targets for hackers for similar reasons as companies in the financial sector as they collect large amounts of sensitive personal data about thousands or even millions of people. Financial companies with strong security practices utilize not only technology to reduce risk, but also focus on the education of employees across the organization on things they can do in their everyday jobs to ensure the security of company data and assets. We are seeing healthcare draw on these best practices in some aspects, such as the launch of the CareCERT portal for NHS staff to learn more about cybersecurity, but healthcare still has a way to go before it has employed the state of the art technology that the financial sector is utilizing, including biometrics and other anti-fraud measures.
What can we expect to see five to 10 years from now?
In five to 10 years cybersecurity professionals will find themselves struggling to prevent massive attacks on critical infrastructure, driverless vehicles, smart buildings and connected medical systems and devices. The challenge we face today with the explosion of connected devices (IoT) is comparable to what we saw when the private sector realized they could monetize the internet. It was so exciting that manufacturers and developers pushed the boundaries as quickly as they could, without much thought or even realization that security might be important. Fast forward 20 years to today, and companies are at least being more thoughtful about how their cybersecurity decisions will affect us tomorrow, but my guess is that in five and 10 years from now, there will be a general feeling that businesses weren’t thoughtful enough.