A perspective on what healthcare organizations should be thinking about during cybersecurity month.
October is dubbed National Cybersecurity Awareness Month (NCSAM). This means we can expect to see story after story touting the latest and greatest cyber defense tool or tactic – we can expect to hear about the ‘newest, shiniest’ thing we can’t (shouldn’t) live without. But when I look at the state of cybersecurity in healthcare, I am struck by the fact that many of these new tools are really the icing on a cake that isn’t fully baked yet.
Sure, they are cool solutions and innovative mechanisms to protect the organization from critical threats and an absolutely valuable layer in a healthcare delivery organization’s (HDOs) defense in depth strategy, but they are the cherry on top of the sundae. Most HDOs are still missing the elementary, ‘vanilla’ components that are required before they can start to think about any of the extras. Most still need to cover the basics.
If healthcare organizations don’t have a solid foundation for their cybersecurity, they will find themselves in a perennial loop of fighting fire after fire, with no ability to get to the root of a problem and fix it once and for all. We see evidence of this daily, as breaches in 2019 within the healthcare sector have skyrocketed, with most going on for an extended period of time.
This is because the cybersecurity of many healthcare organizations lack elementary elements. In general, they lack the visibility and basic controls needed to quickly identify and remediate breaches. To start to protect the privacy of their data and the safety of their operations, hospitals need, at minimum, the following:
HDOs need to know what’s in their network. They need to know what’s connecting at any given time and what it’s doing – what other devices it’s connecting to, how much it’s being used, what types of risks it introduces, etc. Given that more and more medical and Internet of Things (IoT) devices are connecting every day to help make operations more efficient and improve the delivery of patient care, it has never been more difficult and critical to see exactly what’s active in the environment.
Visibility needs to provide:
A real-time detailed device inventory, including current information on each and every connected device in the environment, including insights into its manufacturer, make, model, operating systems, embedded software, and protocols, as well as its location and utilization.
This information can improve maintenance, patching and overall security, allowing HDOs to identify and appropriately address issues, based on the device type and function. For example, when a software vulnerability is announced, if an organization has visibility into the embedded software in all their devices, they can quickly and easily identify impacted systems and prioritize patching or take steps to keep the most critical devices secure (isolate them, restrict access, etc.).
An ongoing assessment of device risks, that delivers a real-time understanding of the potential vulnerabilities and threat levels that different medical and IoT devices introduce to the environment. This enables organizations to effectively prioritize security measures and activities and ensure they are aligned with organizational objectives.
HDOs can use relevant and established frameworks, such as the ones from the Association for the Advancement of Medical Instrumentation (AAMI) and U.S. Department of Health and Human Services (HHS) or the National Institute of Standards and Technology (NIST), to understand where they may be vulnerable and identify potentially risky configurations. They should also try to correlate common vulnerabilities and exposures (CVEs) as soon as they are released to their granular device profiles to identify the extent of the risk within their environment.
Effective Firewall Controls
Firewalls are a tried and true layer of defense, providing basic controls for critical network entry and exit points. Surprisingly, many healthcare organizations are not using their firewalls effectively to help them mitigate risks. I’m not talking about internal firewalls or the more granular controls that can be deployed to protect against lateral attack movement, I’m referring to basic perimeter firewalls that control north-south traffic. These firewalls need to:
Be cleaned up and strengthened, to ensure policy enforcement is effective. Unfortunately, it is not uncommon for a hospital’s firewall policy to look more like a sieve than a control point. The reality is most firewalls don’t recognize many of the protocols used by medical devices, so hospitals have had to default to either blocking or allowing almost everything, severely diminishing its effectiveness.
If the organization has visibility into what devices are in their environment, they can translate that insight into better firewall policies. For example, they can create rules to ensure that a medical device can talk to its manufacturer, but no one else. There are legitimate reasons why an MRI might need to communicate with the manufacturer’s external servers (to get updates, perform system analysis, etc.), but there is no reason for an MRI machine to be connecting to a general server on the Internet.
Include IoT devices, in firewall policies. With the explosion of IoT in HDOs – Accenture expects IoT in healthcare to be a $163 billion market by 2020 – it is important they are included in all cybersecurity practices.
Once organizations have visibility into the IoT devices in their environment, they can create firewall policies to stop these devices from communicating externally to protect against data leakage and theft. A security camera may need to send data to a cloud service for analysis and storage, but there is no reason it should be communicating with anything else.
With effective firewall policies, HDOs can start to establish some control over the traffic in and out of their environment to make it that much more difficult for an attacker to infiltrate the network.
Basic Internal Segmentation
With visibility into the network and more effective perimeter (firewall) controls, HDOs can start to implement basic segmentation policies that better protect hospital resources and assets and help contain the impact and proliferation of successful attacks. Again, I am not talking about super sophisticated internal controls; I am talking about starting with the basics:
Device type segmentation. Most hospitals today segment based on geographic location – the first floor, a specific office, or wing of a building. This isn’t really effective. It’s not narrowing down the risks to particularly critical assets or preventing attackers from gaining access to a wide swath of devices.
With visibility into all the medical and IoT devices in the network, HDOs can start to apply basic segmentation policies, based on groups of devices. For example, they can segment IV pumps or MRIs into their own distinct VLANs. This starts to mitigate the risks that different device types pose.
(Later on, the HDO can start to apply even more granular segmentation (micro-segmentation) and clinically-based policies to ensure only devices that should be talking to one another can, with everything else blocked.)
If HDOs go back to the basics and put foundational security elements in place – visibility and basic controls – it will go a long way towards advancing their overall ability to quickly detect, respond and recover from attacks when they occur. Of course, I would be remiss, if I didn’t say that we can and are helping a number of HDOs get the visibility and control they need, putting them on a path to stronger, more efficient and effective security. If you would like to know more, please request a demo.