Healthcare IT – Far Beyond HIPAA Compliance

Horizon3.ai  |  August 19, 2022  |  Whitepapers


Despite being on the cutting edge of technology in some areas, healthcare has traditionally lagged behind with cybersecurity.

Legacy systems, IoT devices, and over-burdened staff make for a uniquely challenging environment for the IT professionals charged with guarding hospitals and other healthcare entities from cyberattacks.

Additionally, there are differing opinions in the industry about what constitutes sufficient cybersecurity. Organizations often focus on protecting protected health information (PHI) in order to remain compliant with HIPAA (the Health Insurance Portability and Accountability Act of 1996), and feel that once that box has been ticked the work is done – when in fact healthcare is a lucrative target for bad actors who are not only after PHI.

Perhaps counterintuitively, given the healthcare industry’s reliance on bleeding-edge technology to provide patient care, the industry still has an anachronistic reliance on fax technology. A recent survey of senior IT and business decision makers in the UK and Europe by eFax found some interesting numbers: while 62% of respondents from healthcare organizations said that security is critical when deciding to move to cloud-based fax systems, only 21% said their technology was “extremely” secure. The survey found that 21% of the respondents still use at least some traditional (non-cloud) faxing, and 17% are still using a traditional fax machine. Less than half (42%) send and receive confidential documents through password-protected emails, and a quarter use email encryption software.

“As someone who has experience working to secure hospitals from cyberattacks, the healthcare industry is extremely behind, which is why they continue to be one of the most lucrative targets for adversaries,” says Taylor Ellis, customer threat analyst with Horizon3.ai.

That the industry is still relying on fax isn’t surprising, she says.

“Hospitals are such a boon for exposing PHI and they suffer from ransomware attacks almost more than any other industry.”

Taylor Ellis, Customer Threat Analyst

“Unfortunately, sensitive documents are also often sent over via email, and despite the fact this method is a big no-no in security, healthcare administrators believe the information is safe because the emails are encrypted.”

The frequency with which healthcare organizations are breached and hit with ransomware is a strong indicator of how ineffective these practices are. According to a recent report from the U.S. Department of Health and Human Services (HHS), the number of data breaches at healthcare organizations nearly doubled in the first five months of 2022 compared with the same period of the previous year. From January 1 to May 31, there were 244 electronic data breaches of healthcare organizations affecting at least 500 individuals, compared with 137 such incidents in 2021.

These numbers make the reliance on older, less secure technology all the more problematic for the industry.

“Are we forgetting that the last time somebody felt it was absolutely necessary to send a fax, Bill Clinton was still president? Why are we moving backwards?” says Ellis. “Security requires continual advancement.”

Any knowledgeable professional in the IT sphere knows there’s no such thing as 100% safe, but, Ellis says, the industry is always improving and moving ahead to cope with the fact that there’s no way to ensure data is completely protected.

“Other industries have started to accept the reality of security and the challenges of progress that come with it, but the healthcare industry is certainly lagging in comparison to others,” she says.

“Surprisingly, there are numerous people across the board (including doctors, HR, medical vendors, legal practitioners, etc.) who argue against improved security,” says Ellis. “One of the main reasons for the pushback on such procedures is not wanting to sacrifice patient health for the ‘limitations’ of hospital functions.”

Additional security can, admittedly, add some inconvenience or hassle to the workday for healthcare professionals, but it’s not an excuse to return to the past, says Ellis. Other, better options exist.

“An encrypted Dropbox link sent directly to the patient or user would be more appropriate. It’s easy to use, it’s more private, and most importantly, it is more acceptable for the time,” she says.

Any method used to share patient information needs to be secure.

Regular autonomous pentesting can show where your lines of communication are vulnerable – weak passwords, unencrypted data, and more.

With attacks against healthcare organizations being a constant looming threat, now is not the time to go backward. These organizations need to look for new, innovative ways to improve overall cybersecurity posture. They must not only ensure that patient information is safe and compliance checkboxes are marked, but that they’re continuously striving to strengthen their cyber resilience. Find vulnerabilities, fix them, and then verify your fixes worked with NodeZero to make sure the chain of custody for your data is now secure.

“It’s critical for the healthcare industry overall to focus on ways they can strengthen their cybersecurity posture – and that starts with identifying potential weaknesses in their processes,” says Ellis. “The more these organizations understand their risks, the more actionable insight their network and security teams will have to better harden their systems.”

Understanding which risks need to be addressed immediately is also necessary. NodeZero rates the criticality of its findings, so organizations know which vulnerabilities need their attention right now and which findings are false positives or low-risk issues that do not deserve cycles better spent elsewhere.

Following HIPAA Does Not Guarantee Security

For many IT professionals in healthcare, it’s a struggle to get buy-in for security that goes beyond simply complying with HIPAA. A refresher: HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It sets a floor for handling PHI; it does not certify that a product or network is secure.

“Medical vendors who are trying to sell medical devices and new applications to hospitals will often smudge how ‘secure’ they really are and will say that they are HIPAA compliant, trying to pass their device or app off as 100% foolproof,” says Ellis. “Often, we see that they actually have multiple security flaws, sometimes using DES (old data encryption standard) or an outdated version of SHA (Secure Hash Algorithm), or even no encryption at all! When examining their SOC 2 reports the truth is only apparent, never when talking to the salesperson.”
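The three failure modes named in the quote above (DES, an outdated SHA, and no encryption at all) are all visible in a product’s TLS cipher-suite list, which is what a SOC 2 report or a vendor’s configuration guide usually discloses. The following script, an added example that is not Horizon3.ai or NodeZero code, parses IANA cipher-suite names and flags those weaknesses plus the absence of forward secrecy; VENDOR_CLAIMED_SUITES is a constructed list standing in for a vendor’s claimed configuration, and the naming of the helper functions is our own.

```python
"""Triage a vendor's claimed TLS cipher-suite list for DES, outdated SHA
HMACs, NULL (no) encryption and static key exchange.

Added example, not Horizon3.ai or NodeZero code. VENDOR_CLAIMED_SUITES is
a constructed sample, not data from any real vendor.

IANA cipher-suite names have a fixed shape, so no per-suite lookup table is needed:
    TLS 1.2 and earlier:  TLS_<key exchange>_WITH_<cipher>_<hash>
    TLS 1.3:              TLS_<cipher>_<hash>   (key exchange is always ephemeral)
"""
from dataclasses import dataclass, field

# Bulk ciphers that fail a modern review, keyed by the first token of the cipher field.
WEAK_CIPHERS = {
    "NULL": "no encryption at all (NULL cipher)",
    "DES": "single DES (56-bit key)",
    "DES40": "export-grade DES (40-bit key)",
    "3DES": "3DES (64-bit block size, Sweet32)",
    "RC4": "RC4 (biased keystream)",
    "RC2": "RC2 (export-era cipher)",
    "IDEA": "IDEA (legacy cipher)",
    "SEED": "SEED (legacy cipher)",
}
# In AEAD suites the trailing hash token names the PRF, not an HMAC, so SHA256/SHA384 is fine there.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
# Outdated HMAC hashes, only relevant when the suite is not AEAD.
WEAK_MACS = {"MD5": "MD5 HMAC (broken hash)", "SHA": "SHA-1 HMAC (outdated hash)"}
FORWARD_SECRET_KEX = ("ECDHE", "DHE")


@dataclass
class SuiteReport:
    name: str
    kex: str
    cipher: str
    hash: str
    findings: list[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.findings


def parse_suite(name: str) -> tuple[str, str, str]:
    """Return (key exchange, cipher, hash) for an IANA cipher-suite name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS cipher-suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kex, rest = body.split("_WITH_", 1)
    else:                       # TLS 1.3 names carry no key-exchange field
        kex, rest = "TLS13", body
    cipher, sep, hash_ = rest.rpartition("_")
    if not sep:
        raise ValueError(f"cannot split cipher and hash in: {name}")
    return kex, cipher, hash_


def assess_suite(name: str) -> SuiteReport:
    """Apply the review rules to one suite and collect the findings."""
    kex, cipher, hash_ = parse_suite(name)
    report = SuiteReport(name, kex, cipher, hash_)
    algorithm = cipher.split("_", 1)[0]           # e.g. "3DES" from "3DES_EDE_CBC"
    if algorithm in WEAK_CIPHERS:
        report.findings.append(WEAK_CIPHERS[algorithm])
    if "EXPORT" in kex:
        report.findings.append("export-grade key exchange")
    if kex != "TLS13" and not kex.startswith(FORWARD_SECRET_KEX):
        report.findings.append("no forward secrecy (static key exchange)")
    is_aead = any(marker in cipher for marker in AEAD_MARKERS)
    if not is_aead and hash_ in WEAK_MACS:
        report.findings.append(WEAK_MACS[hash_])
    return report


def assess_suites(names: list[str]) -> tuple[list[SuiteReport], list[SuiteReport]]:
    """Split a claimed suite list into (acceptable, rejected) reports."""
    reports = [assess_suite(n) for n in names]
    return [r for r in reports if r.acceptable], [r for r in reports if not r.acceptable]


# Constructed sample: what a vendor might list as its "HIPAA-compliant, encrypted" transport.
VENDOR_CLAIMED_SUITES = [
    "TLS_RSA_WITH_NULL_SHA",                  # "encrypted" in name only
    "TLS_RSA_WITH_DES_CBC_SHA",               # the DES case from the quote
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # modern cipher, but SHA-1 MAC and no forward secrecy
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3
]

if __name__ == "__main__":
    ok, bad = assess_suites(VENDOR_CLAIMED_SUITES)
    for r in bad:
        print(f"REJECT {r.name}: " + "; ".join(r.findings))
    for r in ok:
        print(f"ACCEPT {r.name}")
```

Run against the sample, four of the six claimed suites are rejected and only the ECDHE AES-GCM suite and the TLS 1.3 suite survive. A real review would take the list from the vendor’s report rather than from a literal, but the point stands: “uses TLS” and “HIPAA compliant” say nothing about which of these suites is actually negotiated.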

This mindset has carried over to doctors and healthcare practitioners who want to rush the implementation of unsecured medical devices or apps for the benefit of the patient, Ellis explains.

Bottom line: the same old defense strategies are not working, while attacker tactics are. Professionals and practitioners alike are starting to echo “If you can’t beat them, join them” – that is, test your own environment the way an attacker would.

IT and Patient Care Need to Work Together

Industrial control systems security: a SCADA (supervisory control and data acquisition) system is a combination of hardware and software that automates industrial processes by capturing Operational Technology (OT) data. SCADA connects the sensors that monitor equipment such as motors, pumps, and valves to an onsite or remote server, which is why a compromised SCADA system is a realistic scenario for the incident response exercise described below.

“The industry needs more incident response exercises with healthcare professionals (doctors, nurses, etc.) working hand in hand with security and IT operations to solve a problem,” says Ellis. “Some of the reasons for pushback against advanced security procedures is a fear that progress of security will get in the way of progress for the patient, limiting hospital functions. That’s the biggest challenge, as is for any other industry.”

Healthcare and security are two groups that rarely communicate with one another, Ellis says. But for the sake of protecting patient data, it is necessary that they become more familiar with each other’s jobs and areas of expertise.

“When a breach occurs, multiple teams from different departments must work together to arrive at the solution and achieve a viable result of mitigating the compromise,” she explains. “The security team cannot fix problems without the information provided by healthcare professionals on site, and healthcare professionals need security to be the guiding force in dealing with a breach.”

“One of the best ways to create synergy between medical and security teams is to test their collaboration skills in an incident response exercise.”

Taylor Ellis

“This can be accomplished by organizing meetings between the two groups once every few months of the year, assigning a problem (Ex: a medical SCADA system has been corrupted), and allowing the two groups to walk through the steps of incident response together,” she says. “In order to obtain the best results of synergy between the groups, communication should be as open and free as possible to personnel of all levels. All ideas should be heard equally, and the discussion of ‘what to do next’ guided by a security monitor who may specialize in (or be very talented at) security awareness training.”

After working through the response exercise, security and medical teams will benefit equally from their effective cooperation and teamwork.

“Hopefully, such exercises will strengthen the relationship between medical science and the concepts of healthcare that security is trying to protect,” says Ellis.

How Can Autonomous Pentesting Help?

Healthcare organizations often focus narrowly on the industry’s annual compliance requirements. The ability to run penetration tests at will, then find, fix, and quickly verify that the issues found have actually been addressed, takes a weight off the shoulders of both healthcare IT professionals and the providers they are trying to protect from cyberattacks.

With NodeZero, organizations get feedback on how critical each risk or vulnerability is. Healthcare organizations are well aware that there are legacy devices running on older, less secure operating systems; they also know that because of this, these systems are siloed from the internet for their own protection.

Under traditional pentesting, such devices show up as vulnerabilities that need to be addressed. NodeZero is able to identify what vulnerabilities are actually actionable by attackers so you can focus your limited resources on addressing the risks that leave the organization most vulnerable. As the industry focuses so much on protecting PHI, it’s also important to remember that it’s not just patient information attackers are after.

Any cyberattack can cause reputational harm, and an attack that degrades a hospital’s ability to treat patients is pivotal to address even if it never puts patient data into the hands of bad actors.

NodeZero takes the attacker’s perspective, looking at every option for getting past your defenses, and chains attacks just like a hacker would in order to exploit vulnerabilities and cause havoc to your network.

Whether the issue is shadow IT or unapproved devices on the network, gaps in securing legacy devices, poor password management, or unpatched vulnerabilities, the autonomous pentesting capabilities of NodeZero can find the cracks in a healthcare organization’s cyber defenses. That goes far beyond protecting private patient information: it is about preventing reputational and financial harm.

For more information on NodeZero, schedule a demo today.
