Overcoming Healthcare’s Cybersecurity Challenges

Recent cyber-attacks against COVID-19 vaccine development facilities highlight a broader issue with healthcare security globally. In July 2020, an espionage group known as APT29 targeted several healthcare organizations which are involved in COVID-19 vaccine development in Great Britain, Canada and the United States. It is believed that the hacker group aimed to steal information related to vaccines and treatments for the coronavirus.

However, the issue is not limited to COVID-19. A recent study in the JAMA Network estimated that, on average, it takes nine years and nearly $1bn to bring a new drug to market – clearly a tempting target for cyber-criminals and nation-state hacking groups. It’s not just drug formulas, either: the confidential personal data stored by healthcare organizations is also of significant value. What’s more, a breach can cause significant disruption. It’s estimated that the cost of a healthcare breach amounts to $6.4m.

The challenge is that the industry is often an easier target than it should be. Certainly, big pharma companies have the resources to put up a strong defense, but hospitals, research labs, clinics and doctors’ offices often lag behind in their cybersecurity. Security flaws can range from outdated software to employees’ lack of basic cybersecurity knowledge.

This situation is further exacerbated by fragmented care delivery and the segregation of financial systems, which make comprehensive reforms extremely difficult. Failure can mean the exposure of patients’ personal information or risks to connected lifesaving devices.

Indeed, the COVID-19 pandemic has expanded the risk profile of healthcare organizations, with a greater threat surface exposed due to the rise of remote transmission of data through telehealth technologies. The current pandemic has accelerated the use of video technology between healthcare professionals and patients: for meetings, education, therapy sessions and doctor’s visits.

Six Recommendations for Improving Cybersecurity

In this rush online, healthcare organizations have done well to support patients during lockdowns, but now, leaders of these organizations need to step back for a moment and decide how to create a highly adaptive security ecosystem. Here are six tips for achieving that goal.

1. Create a Robust Infrastructure and Hardening Guidelines

Companies should quickly create standardized processes to ensure that security updates are immediately installed. This also applies to remote connected devices, which should be replaced if sufficiently outdated. If replacing or upgrading those systems is not possible, firms need to build new security controls to compensate.

2. Embrace a Zero-Trust Model

Existing systems should be augmented using zero-trust principles, which assume nothing and verify everything. To prevent unauthorized access, firms need to implement 100% multi-factor authentication rather than requiring employees to connect to the corporate network. With this approach, only certain remote access applications are exposed and all users are verified. This can be accomplished through secure web gateways instead of traditional VPNs. To prevent the spread of malware and limit an attacker’s access, hospitals should use network segmentation to segregate life support systems from the less critical ones. To reduce the attack surface, companies need to manage identity access by implementing the principle of least privilege. This way, only those users, processes or programs that have legitimate rights to access certain information will be able to get the job done.

3. Have Laser Focus on Data Security

Organizations should automate processes such as data identification, classification, encryption and masking. To monitor data loss in real time, companies should use data loss prevention systems for email, network and endpoints. Firms can also conduct periodic reviews to ensure only authorized users gain access to each system.

4. Build Security into System Design

Security must become a part of all programs and be thought through across the entire business: applications, infrastructure, cloud and data. It is crucial to create end-to-end visibility of security metrics, which can be leveraged to continuously enhance security. Secure coding guidelines, using DevSecOps, will help to design code faster and more cheaply. Also, companies should improve cybersecurity literacy among employees through awareness campaigns, mandatory quizzes and certifications.

5. Create Compliance and Risk Management Programs to Evaluate Partners

Organizations should use risk-based partner segmentation to ensure third parties have the appropriate level of access. The use of zero-trust principles, along with questionnaires and industry-standard security posture assessments, will help evaluate each partner’s access. It is also necessary to establish an integrated governance and escalation framework with clear ownership and integrated workflows.

6. Use Managed Detection and Response Tools

These tools help quickly identify and remediate risks by using endpoint detection and response solutions. The use of artificial intelligence and automation reduces false positives and allows organizations to hunt threats. To reduce costs, increase visibility and protect against data breaches, healthcare organizations can hire managed detection and response services providers. Not everything must be done in-house.

Cybersecurity risks are increasing due to digitalization, remote work and telemedicine. Healthcare providers need to prioritize security before it is too late. Now it’s time to design an integrated approach to cyber-defense that will be in line with a company’s goals and priorities.
