How to improve defenses against health data security threats
Healthcare institutions are trusted with our most valuable information. Within their networks they store highly sensitive data such as medical records, treatment plans, financial records, contact information and more. This data is essential for healthcare providers to effectively communicate with patients and provide the best care possible.
However, having this information is also what makes them so attractive to cyber criminals. This is just the sort of information that cyber criminals seek to steal in order to sell or commit fraud.
Additionally, healthcare institutions are also preferred targets due to their status as a critical infrastructure. Beyond traditional attacks such as ransomware seeking monetary payout or the theft of PII, they are also targeted by hacktivists and nation-state groups seeking to disrupt critical operations at a national level.
As is the case in many industries, digitization has significantly expanded the potential attack surface of most healthcare institutions. Through the adoption of Internet of Medical Things (IoMT) devices and applications, the movement of workloads into the cloud, support for digital consulting with remote healthcare providers, and an increasingly mobile and online medical staff, new potential network entryways have been created for cybercriminals to exploit.
As such, IT teams need to maintain constant visibility into and across the network to understand what devices are connected, what level of security those devices have, and what portions of the network they can access. This is especially challenging because many connected devices are neither owned by the hospital nor one of their providers. For example, if patients connect their phones or tablets to the network, IT teams have no way of ensuring that the operating system and each app loaded on the devices are up to date or include all necessary patches.
This expansion of the attack surface is compounded by increasingly sophisticated threats. Cybercriminals are constantly devising new ways to enter health networks – to the point that it is no longer a question of if an organization will be hacked, but when. In fact, data breaches in healthcare are reported at a rate of more than one per day.
The best defense, then, is knowing what to expect and preparing to minimize the efficacy of an attack the moment it is detected, if not before, in order to reduce patient and financial risk and ensure regulatory compliance.
Our most recent Threat Landscape Report not only looked at attack trends seen in Q4 of 2018, but also reviewed 2018 as a whole, in order to help healthcare IT teams understand where they should be focusing their security efforts.
During the last quarter, and over the year at large, there were three threat trends that stand out as especially threatening to the healthcare space.
Internet of Things: Connected Internet of Things (IoT) devices were the top targets for cybercriminals seeking to infiltrate networks in 2018. In fact, half of the top 12 global exploits specifically targeted IoT devices. This is especially noteworthy for healthcare providers that are increasingly deploying connected devices in their facilities, whether connected medical devices essential to life-saving care, or headless smart devices deployed to increase energy efficiency or ensure physical security, etc.
Another trend that health IT teams must be wary of is advancements in IoT botnets to incorporate destructive tendencies. For example, VPNFilter, an IoT malware, was able to not only steal credentials, monitor traffic, and inject malicious code back into the network session, but it could also flip a “kill switch” to destroy a targeted IoT device. This is an example of an IoT-focused threat that could be catastrophic if deployed on a medical device.
Agile Malware: Our Threat Landscape Report also revealed the increasingly agile nature of malware. Cybercriminals have become more adept at developing malware that evades detection, while releasing new iterations of threats on a faster, more regular schedule. One example of this is the GandCrab ransomware. A notable feature of GandCrab is that it also operates using a Ransomware as a Service model. Ransomware has caused trouble in the healthcare space in the past, locking down electronic health records and impacting care. But with RaaS, the number of potential attackers who now have the ability to engage in these sorts of attacks has significantly expanded. With agile Ransomware as a Service available, health IT teams must ensure they are backing up data, storing it off-network in a compliant way, and implementing the necessary security controls to stay ahead of morphing malware.
Zero Day Exploits: In Q4 of 2018 there were 8,309 unique exploits detected and 15 zero-day exploits discovered by FortiGuard Labs. Zero-day threats such as Meltdown and Spectre were able to successfully infiltrate so many networks at the beginning of the year because organizations did not know to expect them, nor did they have any advance warning to administer patches and updates. This points to the need for healthcare IT teams to rely on regularly updated threat intelligence to protect networks and sensitive data. This is especially true as networks become more distributed and thus more vulnerable to zero days.
There are many steps that healthcare IT teams can take to secure their networks against these and evolving threats.
First, establish a security-oriented culture. Ensure that employees are aware of common cyber risks, encourage them to update devices regularly, and educate them on avoiding opening links and attachments from unknown senders. The fact is that over 90% of network compromises begin with some employee clicking on a malicious link delivered to them by email or SMS. Teaching employees how to spot and avoid phishing, spearphishing, and smishing attacks can significantly contribute to reducing vulnerabilities in the network and decreasing the risk of things like a successful ransomware attack.
When it comes to securing IoMT devices, IT teams need to take a learn, segment, protect approach. This begins by implementing network access control tools that can provide visibility into every device connected to the network. Once a device is identified, it needs to be granted access to a segmented network divided into security zones, so that devices only have access to the essential data that has been isolated for that purpose. Such segmentation should also be policy- and role-based, so that a patient’s device or the finance team is not able to reach all of the same network resources as a senior physician. Once segmented, each device must then be continuously monitored for anomalous activity, and if strange behavior is detected, the device must be automatically isolated and quarantined.
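To make the learn, segment, protect sequence concrete, here is an added example (not code from the original post or from Fortinet) that models it as a small policy engine: device roles learned from a NAC inventory are mapped to zones, a zone-to-zone allow list stands in for the segmentation policy, and a monitor quarantines a device on its first denied flow or when it contacts more distinct hosts than a baseline permits. The device records, zone networks, role names and flows are all constructed for illustration; the threshold and the role-to-zone table are assumptions, not settings of any real product.

```python
"""Learn / segment / protect as a policy model (added example, not Fortinet code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    role: str  # role learned by NAC profiling or 802.1X identity (constructed roles)


# Step 1 (learn): a role maps to a zone; an unrecognised role lands in quarantine
# rather than being admitted to whatever segment it plugged into. (assumed table)
ROLE_TO_ZONE: Dict[str, str] = {
    "infusion_pump": "iomt",
    "imaging": "iomt",
    "physician_workstation": "clinical",
    "finance_workstation": "corporate",
    "patient_byod": "guest",
}

# Step 2 (segment): which destination zones each source zone may reach.
# Anything not listed is denied, so a guest device can never reach the EHR zone.
ZONE_POLICY: Dict[str, Set[str]] = {
    "iomt": {"ehr"},
    "clinical": {"ehr", "iomt", "internet"},
    "corporate": {"corporate_apps", "internet"},
    "guest": {"internet"},
    "quarantine": set(),
}

# Constructed zone address ranges; any address outside them counts as internet.
ZONE_NETWORKS = [
    ("ehr", ip_network("10.10.0.0/16")),
    ("iomt", ip_network("10.20.0.0/16")),
    ("clinical", ip_network("10.30.0.0/16")),
    ("corporate_apps", ip_network("10.40.0.0/16")),
    ("corporate", ip_network("10.50.0.0/16")),
    ("guest", ip_network("10.60.0.0/16")),
]

MAX_DISTINCT_DESTINATIONS = 5  # assumed per-device baseline for scan-like behaviour


def assign_zone(device: Device) -> str:
    return ROLE_TO_ZONE.get(device.role, "quarantine")


def zone_of_ip(ip: str) -> str:
    addr = ip_address(ip)
    for zone, net in ZONE_NETWORKS:
        if addr in net:
            return zone
    return "internet"


def is_flow_allowed(device: Device, dst_ip: str) -> bool:
    return zone_of_ip(dst_ip) in ZONE_POLICY.get(assign_zone(device), set())


def monitor(devices: List[Device], flows: List[Tuple[str, str]]):
    """Step 3 (protect): evaluate (src_ip, dst_ip) flows against the policy.

    Returns (denied flows as (mac, src, dst), {mac: quarantine reason}).
    """
    by_ip = {d.ip: d for d in devices}
    seen: Dict[str, Set[str]] = {}
    denied: List[Tuple[str, str, str]] = []
    quarantined: Dict[str, str] = {}
    for src, dst in flows:
        dev = by_ip.get(src)
        if dev is None:  # not in the NAC inventory at all
            denied.append(("unknown", src, dst))
            quarantined[f"unknown:{src}"] = "device not in NAC inventory"
            continue
        if dev.mac in quarantined:
            continue  # already isolated; later flows are dropped
        if not is_flow_allowed(dev, dst):
            denied.append((dev.mac, src, dst))
            quarantined[dev.mac] = f"denied flow to {zone_of_ip(dst)} zone ({dst})"
            continue
        seen.setdefault(dev.mac, set()).add(dst)
        if len(seen[dev.mac]) > MAX_DISTINCT_DESTINATIONS:
            quarantined[dev.mac] = "contacted more distinct hosts than baseline permits"
    return denied, quarantined


# Constructed inventory and traffic sample.
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "10.20.0.11", "infusion_pump"),
    Device("00:11:22:33:44:02", "10.30.0.5", "physician_workstation"),
    Device("00:11:22:33:44:03", "10.50.0.7", "finance_workstation"),
    Device("00:11:22:33:44:04", "10.60.0.9", "patient_byod"),
    Device("00:11:22:33:44:05", "10.20.0.99", "thermostat"),  # unknown role
]
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.10.0.20"),  # pump -> EHR: allowed
    ("10.20.0.11", "10.50.0.7"),   # pump -> finance PC: denied, pump quarantined
    ("10.30.0.5", "10.20.0.11"),   # physician -> pump: allowed
    ("10.50.0.7", "10.10.0.20"),   # finance -> EHR: denied
    ("10.60.0.9", "8.8.8.8"),      # patient BYOD -> internet: allowed
    ("10.60.0.9", "10.10.0.20"),   # patient BYOD -> EHR: denied
    ("10.20.0.99", "10.10.0.20"),  # unrecognised role: denied
    ("10.70.0.1", "10.10.0.20"),   # address not in inventory
] + [("10.30.0.5", f"10.20.0.{i}") for i in range(1, 7)]  # physician sweeping IoMT


def run_demo():
    return monitor(SAMPLE_DEVICES, SAMPLE_FLOWS)


if __name__ == "__main__":
    denied, quarantined = run_demo()
    for entry in denied:
        print("DENIED", entry)
    for mac, reason in quarantined.items():
        print("QUARANTINE", mac, reason)
```

The design choice worth noting is the default: a device whose role the NAC cannot profile goes to the quarantine zone, whose allow list is empty, so the unknown thermostat-like device in the sample never reaches the EHR segment even though it sits on the IoMT subnet. The physician workstation is quarantined for a different reason: every individual flow was permitted, but the count of distinct IoMT hosts it touched exceeded the baseline, which is the kind of anomaly the post's "continuously monitored" step is meant to catch.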
Next, to stay ahead of the speed and sophistication of modern attacks, be sure to incorporate automation, machine learning, and threat intelligence into your security strategy. Due to the increasingly agile nature of malware, it is essential that IT healthcare security controls can adapt to new iterations of malicious code, and respond to threats the moment they are detected. Automation is the only way to keep pace with modern attacks.
Finally, all threat prevention and detection activities need to be enhanced through the use of reliable and comprehensive threat intelligence. Intelligence feeds provide IT teams with an understanding of the types of attacks currently in circulation that they need to be prepared for, as well as the entryways that cybercriminals will try to exploit to deliver those attack components. With this information in place, IT teams can make the necessary adjustments to network defenses to minimize risk and ensure they will not be caught off guard by an attack, as many were by Spectre and Meltdown.
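The practical step that turns a threat intelligence feed into "adjustments to network defenses" is matching its indicators against what the network actually saw. The following added example (not code from the original post or from Fortinet) parses a small indicator feed, undoes the defanging conventions feeds use, and runs the indicators over DNS, proxy and firewall log lines, with a confidence floor so low-confidence indicators can be tuned out. The feed format, the log format, and every indicator and log line are constructed for illustration and use only documentation address ranges; no real feed or product emits exactly this layout.

```python
"""Threat-intel indicator matching over log lines (added example, not Fortinet code)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain", "ipv4" (host or CIDR) or "url"
    value: str       # normalised form used for matching
    confidence: int  # 0-100 as supplied by the feed
    note: str


def refang(value: str) -> str:
    """Undo the defanging used in feeds so indicators compare to live log values."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("(.)", "."))


def normalize_domain(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def parse_feed(text: str) -> List[Indicator]:
    """Parse a constructed CSV feed: kind,value,confidence,note (note may hold commas)."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, confidence, note = [p.strip() for p in line.split(",", 3)]
        value = refang(value)
        if kind == "domain":
            value = normalize_domain(value)
        elif kind == "ipv4":
            value = str(ip_network(value, strict=False))  # single host becomes /32
        elif kind != "url":
            continue  # unsupported indicator type in this example
        indicators.append(Indicator(kind, value, int(confidence), note))
    return indicators


KV = re.compile(r"(\w+)=(\S+)")


def indicator_matches(ind: Indicator, fields: Dict[str, str]) -> Optional[str]:
    """Return the log field that matched the indicator, or None."""
    if ind.kind == "domain":
        for key in ("query", "host"):
            seen = normalize_domain(fields.get(key, ""))
            if seen and (seen == ind.value or seen.endswith("." + ind.value)):
                return key
    elif ind.kind == "ipv4":
        net = ip_network(ind.value)
        for key in ("src", "dst", "client"):
            try:
                if ip_address(fields[key]) in net:
                    return key
            except (KeyError, ValueError):
                continue
    elif ind.kind == "url":
        if fields.get("url") == ind.value:
            return "url"
    return None


def match_logs(indicators: List[Indicator], lines: List[str],
               min_confidence: int = 0) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, kind, indicator, note, matched field) for every hit."""
    hits = []
    for line in lines:
        timestamp = line.split(" ", 1)[0]
        fields = dict(KV.findall(line))
        for ind in indicators:
            if ind.confidence < min_confidence:
                continue
            field = indicator_matches(ind, fields)
            if field:
                hits.append((timestamp, ind.kind, ind.value, ind.note, field))
    return hits


# Constructed feed; values use documentation ranges and a reserved TLD.
SAMPLE_FEED = """\
# kind,value,confidence,note
domain,Evil-Updates[.]example,90,constructed malware C2
ipv4,203.0.113.0/24,70,constructed scanning range
ipv4,198.51.100.23,95,constructed exploit host
url,hxxp://bad.example/login,80,constructed phishing page
"""

# Constructed log lines in a key=value layout.
SAMPLE_LOGS = [
    "2019-02-01T10:00:01Z dns client=10.30.0.5 query=evil-updates.example. type=A",
    "2019-02-01T10:00:02Z proxy client=10.50.0.7 url=http://bad.example/login status=200",
    "2019-02-01T10:00:03Z fw src=203.0.113.77 dst=10.20.0.11 dport=445 action=deny",
    "2019-02-01T10:00:04Z dns client=10.60.0.9 query=www.example.org. type=A",
    "2019-02-01T10:00:05Z fw src=198.51.100.23 dst=10.10.0.20 dport=443 action=allow",
]


if __name__ == "__main__":
    for hit in match_logs(parse_feed(SAMPLE_FEED), SAMPLE_LOGS, min_confidence=80):
        print(hit)
```

Two details matter more than the matching loop itself. Refanging and normalising on ingest (case, trailing dot, host-to-/32) is what makes a feed usable at all; without it the C2 domain above would never match the DNS query as logged. And the confidence floor turns the feed into something tunable: at `min_confidence=80` the noisy scanning range drops out while the C2 domain, the phishing URL and the exploit host still fire, and an analyst can pair the firewall `action=` field with each hit to decide whether it describes a blocked probe or an allowed session that needs follow-up.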
The healthcare attack surface is expanding at the same time that attacks are becoming more sophisticated. That is why it is essential that healthcare IT teams regularly consult threat intelligence sources like Fortinet’s quarterly Threat Landscape Report, not only to remain aware of key trends, but also to adapt their security processes, controls, and strategies accordingly.