The healthcare industry has experienced an onslaught of cyber-attacks over the last year, primarily driven by the fact that patient records are highly prized assets among cyber criminals.
Protected health information sells for 30 times more than financial information on the dark web, since it contains a full identity profile including social security numbers. Being in the crosshairs of motivated cyber gangs is forcing the healthcare industry to address some stiff cyber risk management challenges. Let’s look at what steps the industry can take to reduce the likelihood of data breaches.
According to data provided by the United States Department of Health and Human Services, Office of Civil Rights (HHS OCR), the number of data breaches in the healthcare sector increased by 63 percent in 2016. In addition, the survey exposed two new trends: the acceleration of medical device hijacking and an increase in ransomware attacks.
In the case of medical device hijacking, cyber-attackers are exploiting backdoors in hardware devices such as X-ray machines and life-support equipment to plant malware. Once installed, the malware can be used to move laterally across the network to access and exfiltrate health information.
While medical device hijacking requires sophistication, ransomware attacks are easier to conduct and show immediate return on investment. That’s why the industry has seen a wave of these attacks. The criticality of operations makes healthcare providers an easy target. Since lives are often at stake, it is essential for healthcare providers to ensure business continuity. The recent WannaCry ransomware attack had devastating impacts on the United Kingdom’s National Health Service, illustrating the severity of cyber security threats in the healthcare industry.
Traditionally, healthcare providers’ mission is to save lives. As a result, IT security departments are typically not a top priority when it comes to budget dollars and are often chronically understaffed. This explains why many healthcare IT environments are outdated and consequently woefully unprepared to deal with these new types of cyber-attacks.
Another contributing factor is that many medical systems use older operating systems and proprietary software. Thus, they are often not being actively patched or are exposed by lengthy patch release cycles, making them a welcome target for cyber criminals.
To complicate matters, the increased digitalization and exchange of healthcare information between service providers has dramatically broadened the industry’s attack surface. This is placing healthcare providers in an even more defensive position. The Internet of Things, which is targeting the healthcare market as one of its prime beneficiaries, will only make things harder. At the same time, healthcare organizations face strict standards and regulations (e.g., HIPAA, HITECH, HIMSS) relative to privacy and security.
Improving the Odds
The increased focus of cyber criminals on the healthcare industry makes it critical for providers to implement up-to-date security measures and prepare incident response plans to assure business continuity. The following best practices provide a solid foundation for reducing the threat of falling victim to cyber-attacks:
• Drive cultural change in the organization to incorporate security practices into day-to-day operations and secure the financial resources required to implement them.
• Frequently train employees to minimize the risk of phishing attacks and social engineering.
• Adopt basic safeguards such as data back-up, anti-malware tools, firewalls, and data encryption.
• Include IT security staff members in the buying decision process for medical systems and devices in order to raise transparency and awareness, and negotiate proper patch release cycle policies with suppliers.
• Increase the frequency of vulnerability scans to gather more timely security intelligence, which can help detect security gaps and control failures and verify whether remediation actions were effective.
• Supplement vulnerability assessments with penetration testing to determine whether a specific vulnerability is actually exploitable.
By implementing these measures, while correlating and contextualizing external threat data with internal security intelligence and business criticality, healthcare organizations can operationalize their cyber security practices to shorten time-to-detection and, ultimately, time-to-remediation of cyber threats.