Plan for sophisticated threats and evaluate IT tools on the horizon to be as ready as possible for what’s ahead.
Hospital information security teams and IT shops are in a precarious spot: They have to not only protect information cybercriminals increasingly see as more valuable than other types but they also have to safeguard against the next big threat when it’s impossible to know what it will be or when it might strike.
New types of attacks and security incidents are emerging just about every month, too. It’s not merely WannaCry and the Petya-NotPetya debacles either.
Ransomware was found percolating in a factory’s coffee machine in Europe over the summer, Outlook calendar invites can now carry malware, U.S. CERT and the Ukraine have separately reported that groups are plotting attacks against critical infrastructure, to name just three potential nightmares.
And there’s reason to believe that even nasty cyberthreats not originally targeting hospitals or insurance companies specifically can still be teaching sessions for cybercriminals and nefarious nation-states from which they gain new sophisticated tactics and techniques.
That backdrop explains why cybersecurity is top of mind for nearly all healthcare organizations — and paints a picture of just how difficult it is to protect health information today while planning for the future.
The art of cyberwarfare: Understand your enemies
While ransomware and malware are commonly used to serve some productive aim for the criminals -- receive ransom money, acquire info they can use to steal identities -- a new and worrisome trend is the use of these tool for simple, destructive aims.
“NotPetya really is the first time someone has weaponized malware in a way that did not care about gaining some ransom or getting into someone’s data,” said John Houston, vice president of information security and privacy and associate counsel at the University of Pittsburgh Medical Center. “It was the first malware that’s sole purpose was to destroy.”
This past summer's NotPetya attack changed everything. Expect more weaponized malware in the years ahead and know that it will be worse than ransomware. We are in a new era now and that makes it more important for hospitals to not just craft cybersecurity strategies inside their own minds and four walls but, instead, to understand the Dark Web and to educate themselves about the why and how, the factors driving the mindset of hackers, organized cybercrime and nation-states.
“We need to learn what it’s like to be a hacker,” said Michael Figueroa, executive director of the Advanced Cyber Security Center.
Figueroa recommended also translating that understanding into language that your end users can grasp and think about working with them to create protocols that succeed.
“Instead of best practices I like to say ‘effective practices,’” Figueroa added. “What’s working today might not work tomorrow.”
Know thyself: The state of healthcare security
Over the last two years, the industry has been in the crosshairs of hackers, who have hit hospitals and insurance companies alike with a barrage of attacks ranging from massive phishing campaigns to ransomware.
On any given day, in fact, an IT or infosec team can face anywhere from 50 to 100,000 security events, according to a Ponemon Institute report. So far this year alone, insider threats and hacking have breached more than 4 million patient records, security firm Protenus estimated.
The number of attacks and the wide range of methods cyberattackers employ, when taken together, create a dilemma for security teams hoping to institute frameworks, protocols, technologies and practices that will last three, five or even more years into the future.
Infosec and IT departments, to that end, must regularly assess their own needs and evaluate the tools being offered by vendors. Some should even consider hiring an outside security firm to provide an unbiased audit that can also pull from threats experienced by other organizations.
Because the threats landscape is ever-evolving and hackers have shown no signs of letting up anytime soon, if hospitals have any hope against cyberthreats, they must constantly improve.
Case study: Inside Elliot Health System and UPMC's security shops
Let’s take a look at what two proactive organizations are doing to prepare for the years ahead.
A substantive part of the challenge is that healthcare entities have an even greater need for security, due to regulations, HIPAA, server protection, mobile devices and the like, according to New Hampshire-based Elliot Health System Chief Information Security Officer Andrew Seward.
Such a broad threat vector can place a lot of stress on an organization, Seward said.
“All these things were not designed with security in mind,” Seward said. “They were designed to make valves open and close, and things like that.”
Without security baked in the threat is real for software systems as well as medical and internet of things devices. The worst approach is denial or thinking an attack cannot happen to you.
“It’s almost become shellshock. So how do you futureproof?” Seward said. “You have to know the environment you’re in and come up with a plan.”
For Elliot Health, that means focusing on its firewall and other tools, like intrusion detection, in order to defend the hospital network.
The basic blocking and tackling of any infosec strategy is generally a good place to start. On top of that infrastructure, Elliot focuses on three main components: compliance, security tools and capabilities, and people.
The health system performed a compliance security risk assessment and an analysis of the results. Seward explained that this helped his organization begin to take action on the areas that need improvement through a managed corrective action plan. A checklist of these things can put into motion a process with the organization’s support team.
“You have to do it. But even if you do everything according to the book, it’s not enough,” Seward said. “Organizations can’t just focus on compliance, or they won’t be able to see what’s happening on firewalls or user devices.”
Tech security and cyber operations are Elliot’s next area of focus. The right security tools are faster than humans and can not only detect what is currently going on within the system, but also prevent something bad from happening.
“You can buy a bunch of cool tools and put them into place, based on the needs of the organization,” said Seward. “But the right tools are able to detect what’s going on, predict what’s going to happen and prevent something bad from occurring. And then if something does happen, it will be able to respond and react.”
Security software, however, is never of the set-it-and-forget-it ilk. Instead, the tools must be regularly evaluated to ensure they’re still applicable to your organization’s needs, UPMC’s Houston said.
“I’m lucky to find a security tool that I implement a year ago that is still doing what it needs to do,” Houston added. “That’s not an indictment of the tools we select, but the threats are changing so quickly that what’s a great tool today and gives us great results can be outdated soon.”
So UPMC is constantly on guard for new technologies to keep the organization up-to-date. Houston’s team can’t just find the perfect tools, get everything in place, and decide it’s done.
For example, an endpoint protection product used today might do everything UPMC wants at that point in time. While the tech still may be functional, there may be another product out there doing a better job dealing with current threats — even if that vendor is working to keep pace.
“The evolution is ongoing,” Houston said.
Which brings us back to Seward’s third element for planning cybersecurity strategy of the future: the human element.
“You should spend a lot of time educating and making your people aware. It’s the right thing to do for your business, because it makes the security relevant to them,” Seward said. “I tell everyone ‘You need a healthy skepticism around these phishing emails.’ Teach your staff how to detect a phishing email.”
Keeping infosec skillsets current
Cyberattackers are always picking up new tricks, trying out new tools and, as such, hospital security teams must do everything they can to stay fresh, if not a step ahead.
Houston and Seward agreed that there are no tools a hospital can simply implement and consider its security work complete and the same, naturally, goes for infosec professionals and the skills they acquire.
Seward said Elliot needed an IT team with special skill sets, focused on a particular area. So they hired a security engineer, for instance, who is also an ethical hacker and a Certified Information Security Systems Professional, aka CISSP, with a background from the tech industry.
“You can set the conditions for success,” Seward advised. “You can’t know everything, but you can never go wrong with hiring the right people and building a condition of trust.”
For Houston, that means addressing strategic security plans about every three months to make sure the team — UPMC’s comprises about 60 very specialized professionals — is focused on the right things. Further, they make sure there are no gaps in capabilities.
UPMC’s security team is also segmented and narrowly focused on specific areas such as incident response and security, among others.
Another significant challenge is that security, much like IT, is often considered a cost center by C-suite executives.
Seward explained that hospitals leaders need to recognize the goal of bolstering a security budget is to ensure it doesn’t lose continuity of business, intellectual property and the like.
“It takes forward-thinking individuals who can see the risk and determine security is a business risk,” Seward said. “When you’re doing futureproofing, you have to determine how much is enough to manage security, and then how much security is enough.”
Cyberinsurance, BAAs and aligning with business needs
As indispensable as technology and crack security teams are to a long-term cyber strategy, so too are a fistful of other steps hospitals can take now.
Much like they do for other parts of the business, hospitals should at the very least evaluate the pros and cons of taking out a cyber insurance policy.
“These hacks are happening — it happens to all of us,” Seward said. “This is the world we live in: You just have to accept that as a condition, an environmental condition.”
To that end, healthcare entities also need to look at their interactions with any vendor that has access to or directly touches protected health information and personally-identifiable information and verify which are trustworthy. Hence, business associate agreements are key because, if done properly, they provide prospective partners or IT vendors with questions to verify security measures.
To Seward, if an organization can impact these areas as it is setting the expectations for the business, that equates to laying the bricks of a foundation that can last into the future.
Emerging infosec tools: AI, analytics, machine learning
There are bound to be those in healthcare tempted to think artificial intelligence and machine learning will at some point come to the rescue, ferret out any would-be-attackers and then promptly and autonomously end the incident. Don’t fall into that trap but do understand the potential emerging technologies bring.
Security vendors are working on AI and machine learning technologies and, in fact, even they are realistic about the possibilities.
“Today, machine learning is the focus but it’s difficult to determine when we are successful,” said Axel Wirth, Distinguished Technical Architect at Symantec. “AI is real, it’s here, we’re using it, but the bad actors are using it a well.”
Wirth said that hospitals and other industries need AI and machine learning but added that the industry needs to make sure those systems don’t get hijacked or used against us.
Along with AI and machine learning as emerging options, add advanced analytics. Stewart Bradley, Vice President of the Cybersecurity Business Unit at SAS, pointed to three anomalies that security analytics should be able to detect: data exfiltration, adversary reconnaissance work and an adversary making lateral movements within your network.
“We need to detect the things that are most important to detect,” Bradley said.
If AI, security analytics and machine learning are making information security teams think that these new tools coming down the pike are just one more thing to manage in an already overflowing network, Richard Staynings, Cybersecurity Healthcare Life Sciences Leader at Cisco Systems, said what hospitals really need is to consolidate to a smaller toolbox so they can work smarter, not harder.
“Security is an industry we’re constantly developing new solutions without understanding the problem we’re trying to fix,” Staynings said. “We need to get away from that.”
Strategies don’t last forever
Technology changes, risk changes, cyberthreats get more sophisticated, even regulations are adjusted. Nothing stays the same for very long and, instead, the one constant is change itself and that only gets more furious.
“The time horizon continues to get shorter and shorter and shorter,” UPMC’s Houston said. “We need to get more aggressive with how we’re structured and the types of tools we have.”
Hospitals cannot just throw products at the security problem, added Stephen Nardone, Practice Director of Security and Mobility at Connection. “People, process and technology all have to work in a symbiotic way.”
Elliot Health’s Seward suggested gazing into the future to gauge how you might look back on the current state of security and, in turn, set conditions for success down the road.
“Part of this has to do with the business needs,” Seward said. “Organizations need to see what changes have to be done. The security should follow the business.”
Healthcare IT News Editor-in-Chief Tom Sullivan contributed to this report.