No quick fix for healthcare security


Share

From test results and lab equipment to monitoring equipment and patient records, the healthcare industry is increasingly reliant on digital solutions.

However, an ever-growing skills shortage and a lack of financial resources to implement the right security measures means there’s a constant battle raging to stay ahead of a rapidly shifting threat landscape.

New dimensions of risk

The stakes are high. Healthcare organisations face entirely different dangers to the average business, with significant humanitarian and ethical dimensions to consider.

A recent study by Vanderbilt University’s Owen Graduate School of Management found that it takes healthcare facilities hit by a data breach or ransomware an extra 2.7 minutes to respond to a patient with a suspected heart attack. This could result in as many as 36 additional deaths per 10,000 heart attacks that occur each year. The study also found that at least 10% of the more than 3,000 Medicare-certified hospitals of the on the US’ Department of Health and Human Services (HHS) list were hit by a cyberattack.

Then there’s the WannaCry ransomware cryptoworm, which hit the NHS hard in 2017. Appropriate security patches had previously been pushed out but remained ineffective without machine reboots. The clean-up cost? Around £92m.

Establishing a secure culture

One of the weakest links in the cybersecurity chain is human error. The IT team can’t cope alone, and every employee needs to buy into a security-first culture.  

Phishing remains an enduring favourite to catch people out.  Based on analysis from the past year, F5 Labs believes phishing is now the most prominent attack method used to breach data, with the healthcare industry one of the most at risk (rubbing shoulders with other prone sectors like finance and education).

Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth. The hardest part is coming up with a good trick email pitch to get people to click on, and a fake site to land on.

Meanwhile, phishing and spear-phishing attacks are evolving and no longer crude and easy to spot. A key recurring trend is that phishers continue to push for deceptive credibility, with as many as 71% of phishing sites using HTTPS to appear more legitimate. F5 Labs also found that 85% of analysed phishing sites that make use of digital certificates have them signed by a trusted Certificate Authority (CA).

Organised cybercrime groups and nation-states expend significant effort to understand their victims and take advantage of social engineering techniques, such as targeting victims when they are busy and overwhelmed (which, as most healthcare professionals will attest, is not an uncommon situation).

This exactly why Healthcare organisations need to ensure all employees understand the importance of securing the business’s IT infrastructure and the consequences of not doing so.

Recommended technical security controls include Multifactor authentication (MFA) and implementing web filtering solutions to prevent users from inadvertently visiting phishing sites. It is also essential to inspect encrypted traffic for malware.

Implementing new technologies responsibly

Healthcare organisations need to invest in technology that maintains data security that can expand across the entire network. For example, a web application security solution could simplify regulatory audits by tokenizing sensitive data and help providers control the flow of data, while maintaining the highest confidentiality standards and increasing the quality of care.

Securing board-level buy-in

Unfortunately, too many boards still overlook the importance of security.

Disconnects are prevalent. Studies among US and UK C-level executives by domain registry Nominet found that 78% admitted to gaps in their knowledge about malware. 68% concede to knowledge gaps about phishing. 66% need to learn more about ransomware.

Budgets are also sometimes assigned without context and overall performance suffers accordingly. Today, the voices of security experts should be heard loud and proud at the top table. There are many ways this could happen, but one obvious tactic is to elevate the importance of the Chief Information and Security Officer (CISO).

If the board doesn’t take security seriously, nobody will. If they don’t know what’s going on, everyone is at risk.  All too often, the board sees cybersecurity as a bolt-on insurance policy rather than a fundamental element of both IT and business strategy. That can no longer be the case if healthcare organisations want to adequately and continuously protect staff and patients.


Leave a reply