Imagine that your health care organization just went on bypass due to a cyberattack. For those unfamiliar with the term, bypass is when a health care facility is unable to provide services for one reason or another. When an emergency room parking bay area is literally full of ambulances, for example, the hospital may go on bypass to ensure that any additional emergencies are routed to the nearest available facility.

During the recent global WannaCry malware outbreak, one of the largest health care security threats on record, services at up to 40 hospital trusts across the U.K. were affected. Surgical operations and appointments were canceled, and ambulances were diverted away — not because of a shortage of doctors, beds or parking bays, but because the trusts were under cyberattack.

CIA Keeps Malware Away

Malware is the collective term used to refer to a variety of hostile or intrusive software actors, including viruses, worms, Trojans, ransomware, spyware, adware, scareware and other intentionally malicious programs. Malware, at its core, aims to disrupt the CIA triad of information security:

  • Confidentiality means ensuring only those with appropriate rights are able to access information, and that information is not lost or leaked.
  • Integrity is ensuring that information is not altered or tampered with.
  • Availability is ensuring that information is available when required in a timely fashion.

To examine these three dimensions within the context of health care information, let’s assume that the data in question is a patient’s health record, which could include sensitive medical data, personally identifiable information (PII) and even credit card information. The rising usage of mobile computing and growing bring-your-own-device (BYOD) culture increase the likelihood that this data will be breached.

An attack against medical information integrity could literally kill people. A more benign attack might aim to alter someone’s address to reroute his or her formal correspondence. But what happens when a threat actor changes a patient’s drug dosage, prescription or blood type? Such a breach could be catastrophic — even fatal.

Other health care security threats seek to compromise the availability of critical information. For example, an injection attack aims to disrupt or take down a system. This is often done to halt the availability of a service, lock the information it hosts, or gain access to the underlying operating system or environment. With the information gained from that access, an adversary would be well-armed to mount a more advanced attack against assets.

Cryptomalware such as the WannaCry family is designed to render information unavailable through the process of encryption. This ransomware attack is a direct attempt to quickly monetize the inherent value of the information you hold.

Patching Is Not Enough

Many guidelines urge health care security professionals to ensure that all systems are patched, both at an operating system and application level, to thwart malware. This is sound advice, but in reality, sometimes machines cannot be patched, either due to mission criticality or software incompatibility.

In the health care industry, software often runs on old and outdated operating systems or application stack platforms — or, in the case of Internet of Things (IoT) devices, on old embedded operating systems. Some platforms have aged out of vendor support and thus cannot be patched. Other systems are so critical that halting them temporarily might mean compromising the entire environment.

Health care organizations require a defense-in-depth approach, and patching is only one method. Organizations need to consider implementing alternative and complementary controls, as well as following risk-based evaluation and management best practices. Examples of complementary or compensating controls include separated or dedicated network access, enhanced intrusion detection system (IDS) or intrusion prevention system (IPS) capabilities, or changes to business and human processes to reduce the residual risk to organizations and the threat to the CIA of information they hold.

Get Back to Basics

To securely manage information, a health care organization’s most valuable asset, it is essential to build your cybersecurity strategy and operations around three key domains of competency:

  • Prevent. Know what information you hold, where it is stored, how it is managed and accessed, and the threats to the CIA of these assets. Then, use a defense-in-depth approach to ensure that the information is protected, patch systems and endpoints, perform encryption and establish the least permissive controls over information access.
  • Detect. Identify both regular and irregular access at an enterprisewide level, and understand the behavior and fingerprinting of information access. This means knowing nonfunctional characteristics such as the type of device being accessed, tracking the access method and the permissions used, and identifying patterns and changes in user behavior.
  • Respond. One of the biggest cost savers during a data breach is a battle-tested cybersecurity response plan. A lack of coordination can make it difficult to react quickly and contain the costs of an incident. Additionally, after a security event, health care organizations must be able to reflect on the incident and return to regular business operations. They must also be able to measure the effectiveness of controls and response activities, including communication across the business.

Curing Health Care Security Threats

Health care organizations need a holistic enterprise approach to addressing risks to the confidentiality, integrity and availability of sensitive information. It’s critical to build a security strategy that balances risks to data while embracing disruptive health care technologies such as bedside entertainment systems, IoT-enabled medical devices and more. While these capabilities can certainly enhance the patient experience, they all pose entry points for malware that did not exist in decades past.

A security immune system provides an ecosystem of capabilities, underpinned by services and products that allow organizations to create a safer online environment. This strategy can be mapped specifically to the health care sector to help IT professionals manage the risks and threats to valuable medical information — and prevent their facilities from going on bypass.
