During the recent global WannaCry malware outbreak, one of the largest healthcare security threats on record, services at up to 40 hospital trusts across the U.K. were affected. Surgery operations and appointments were cancelled, and ambulances were diverted away — not because of a shortage of doctors, beds or parking bays, but because they were under cyberattack.
CIA keeps malware away
Malware is the collective term used to refer to a variety of hostile or intrusive software actors, including viruses, worms, Trojans, ransomware, spyware, adware, scareware and other intentionally malicious programs. Malware, at its core, aims to disrupt the CIA triad of information security:
- Confidentiality means ensuring only those with appropriate rights are able to access information, and that information is not lost or leaked.
- Integrity is ensuring that information is not altered or tampered with.
- Availability is ensuring that information is available when required in a timely fashion.
To examine these three dimensions within the context of healthcare information, let’s assume that the data in question is a patient’s health record, which could include sensitive medical data, personally identifiable information (PII) and even credit card information. The rising usage of mobile computing and growing bring-your-own-device (BYOD) culture increase the likelihood that this data will be breached.
An attack against medical information integrity could literally kill people. A more benign attack might aim to alter someone’s address to reroute his or her formal correspondence. But what happens when a threat actor changes a patient’s drug dosage, prescription or blood type? Such a breach could be catastrophic — even fatal.
Other healthcare security threats seek to compromise the availability of critical information. For example, an injection attack aims to disrupt or take down a system. This is often done to either halt the availability of a service, lock the information it hosts or access the underlying operating system or environment. With this additional information, an adversary would be well-armed to mount a more advanced attack against assets.
Cryptomalware such as the WannaCry family is designed to render information unavailable through the process of encryption. This ransomware attack is a direct attempt to quickly monetize the inherent value of the information you hold.
Patching is not enough
Many guidelines urge healthcare security professionals to ensure that all systems are patched, both at an operating system and application level, to thwart malware. This is sound advice, but in reality, sometimes machines cannot be patched, either due to mission criticality or software incompatibility.
In the healthcare industry, software often runs on old and outdated operating systems or application stack platforms — or, in the case of Internet of Things (IoT) devices, on old embedded operating systems. Some platforms have aged out of vendor support and thus cannot be patched. Other systems are so critical that halting them temporarily might mean compromising the entire environment.
Healthcare organisations require a defense-in-depth approach, and patching is only one method. Organisations need to consider implementing alternative and complimentary controls, as well as following risk-based evaluation and management best practices. Examples of complimentary or compensating controls include separated or dedicated network access, enhanced intrusion detection system (IDS) or intrusion prevention system (IPS) capabilities, or changes to business and human processes to reduce the residual risk to organisations and the threat to the CIA of information they hold.
Get back to basics
To securely manage information, a healthcare organisation’s most valuable asset, it is essential to build your cybersecurity strategy and operations around three key domains of competency:
- Prevent. Know what information you hold, where it is stored, how it is managed and accessed, and the threats to the CIA of these assets. Then, use a defense-in-depth approach to ensure that the information is protected, patch systems and endpoints, perform encryption and establish the least permissive controls over information access.
- Detect. Identify both regular and irregular access at an enterprise-wide level, and understand the behaviour and fingerprinting of information access. This means knowing nonfunctional characteristics such as the type of device being accessed, tracking the access method and the permissions used, and identifying patterns and changes in user behaviour.
- Respond. One of the biggest cost savers during a data breach is a battle-tested cybersecurity response plan. A lack of coordination can make it difficult to react quickly and contain the costs of an incident. Additionally, after a security event, health care organizations must be able to reflect on the incident and return to regular business operations. They must also be able to measure the effectiveness of controls and response activities, including communication across the business.
Curing healthcare security threats
Healthcare organisations need a holistic enterprise approach to addressing risks to the confidentiality, integrity and availability of sensitive information. It’s critical to build a security strategy that balances risks to data while embracing disruptive healthcare technologies such as bedside entertainment systems, IoT-enabled medical devices and more. While these capabilities can certainly enhance the patient experience, they all pose entry points for malware that did not exist in decades past.
A security immune system provides an ecosystem of capabilities, underpinned by services and products that allow organisations to create a safer online environment. This strategy can be mapped specifically to the healthcare sector to help IT professionals manage the risks and threats to valuable medical information — and prevent their facilities from going on bypass.
