Imagine that your health care organization just went on bypass due to a cyberattack. For those unfamiliar with the term, bypass is when a health care facility is unable to provide services for one reason or another. When an emergency room parking bay area is literally full of ambulances, for example, the hospital may go on bypass to ensure that any additional emergencies are routed to the nearest available facility.

During the recent global WannaCry malware outbreak, one of the largest health care security threats on record, services at up to 40 hospital trusts across the U.K. were affected. Surgery operations and appointments were canceled, and ambulances were diverted away — not because of a shortage of doctors, beds or parking bays, but because they were under cyberattack.

CIA Keeps Malware Away

Malware is the collective term used to refer to a variety of hostile or intrusive software actors, including viruses, worms, Trojans, ransomware, spyware, adware, scareware and other intentionally malicious programs. Malware, at its core, aims to disrupt the CIA triad of information security:

  • Confidentiality means ensuring only those with appropriate rights are able to access information, and that information is not lost or leaked.
  • Integrity is ensuring that information is not altered or tampered with.
  • Availability is ensuring that information is available when required in a timely fashion.

To examine these three dimensions within the context of health care information, let’s assume that the data in question is a patient’s health record, which could include sensitive medical data, personally identifiable information (PII) and even credit card information. The rising usage of mobile computing and growing bring-your-own-device (BYOD) culture increase the likelihood that this data will be breached.

An attack against medical information integrity could literally kill people. A more benign attack might aim to alter someone’s address to reroute his or her formal correspondence. But what happens when a threat actor changes a patient’s drug dosage, prescription or blood type? Such a breach could be catastrophic — even fatal.

Other health care security threats seek to compromise the availability of critical information. For example, an injection attack aims to disrupt or take down a system. This is often done to either halt the availability of a service, lock the information it hosts or access the underlying operating system or environment. With this additional information, an adversary would be well-armed to mount a more advanced attack against assets.

Cryptomalware such as the WannaCry family is designed to render information unavailable through the process of encryption. This ransomware attack is a direct attempt to quickly monetize the inherent value of the information you hold.

Patching Is Not Enough

Many guidelines urge health care security professionals to ensure that all systems are patched, both at an operating system and application level, to thwart malware. This is sound advice, but in reality, sometimes machines cannot be patched, either due to mission criticality or software incompatibility.

In the health care industry, software often runs on old and outdated operating systems or application stack platforms — or, in the case of Internet of Things (IoT) devices, on old embedded operating systems. Some platforms have aged out of vendor support and thus cannot be patched. Other systems are so critical that halting them temporarily might mean compromising the entire environment.

Health care organizations require a defense-in-depth approach, and patching is only one method. Organizations need to consider implementing alternative and complementary controls, as well as following risk-based evaluation and management best practices. Examples of complementary or compensating controls include separated or dedicated network access, enhanced intrusion detection system (IDS) or intrusion prevention system (IPS) capabilities, or changes to business and human processes to reduce the residual risk to organizations and the threat to the CIA of information they hold.

Get Back to Basics

To securely manage information, a health care organization’s most valuable asset, it is essential to build your cybersecurity strategy and operations around three key domains of competency:

  • Prevent. Know what information you hold, where it is stored, how it is managed and accessed, and the threats to the CIA of these assets. Then, use a defense-in-depth approach to ensure that the information is protected, patch systems and endpoints, perform encryption and establish the least permissive controls over information access.
  • Detect. Identify both regular and irregular access at an enterprisewide level, and understand the behavior and fingerprinting of information access. This means knowing nonfunctional characteristics such as the type of device being accessed, tracking the access method and the permissions used, and identifying patterns and changes in user behavior.
  • Respond. One of the biggest cost savers during a data breach is a battle-tested cybersecurity response plan. A lack of coordination can make it difficult to react quickly and contain the costs of an incident. Additionally, after a security event, health care organizations must be able to reflect on the incident and return to regular business operations. They must also be able to measure the effectiveness of controls and response activities, including communication across the business.
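
The access fingerprinting described under Detect can be sketched as follows. This is an added example, not part of the original article: the event fields, user names, device labels and the volume threshold are all assumptions, and the log records are constructed.

```python
from collections import defaultdict

# Constructed sample events: (user, device_type, access_method, permission, record_id)
BASELINE = [
    ("nurse_a", "ward-workstation", "ehr-ui", "read", "P100"),
    ("nurse_a", "ward-workstation", "ehr-ui", "read", "P101"),
    ("nurse_a", "ward-workstation", "ehr-ui", "write", "P100"),
    ("dr_b", "clinic-tablet", "ehr-ui", "read", "P200"),
    ("dr_b", "clinic-tablet", "ehr-ui", "write", "P200"),
]
TODAY = [
    ("nurse_a", "ward-workstation", "ehr-ui", "read", "P102"),
    ("nurse_a", "personal-phone", "api", "read", "P103"),  # unseen device and method
    ("dr_b", "clinic-tablet", "ehr-ui", "read", "P201"),
    ("dr_b", "clinic-tablet", "ehr-ui", "read", "P202"),
    ("dr_b", "clinic-tablet", "ehr-ui", "read", "P203"),
    ("dr_b", "clinic-tablet", "ehr-ui", "read", "P204"),
    ("dr_b", "clinic-tablet", "ehr-ui", "read", "P205"),
]

def build_profile(events):
    """Per user: the (device, method, permission) fingerprints and distinct records seen."""
    profile = defaultdict(lambda: {"fingerprints": set(), "records": set()})
    for user, device, method, perm, record in events:
        profile[user]["fingerprints"].add((device, method, perm))
        profile[user]["records"].add(record)
    return profile

def detect(baseline_events, new_events, volume_factor=3):
    """Return sorted alerts; volume_factor is an assumed threshold to tune per site."""
    base = build_profile(baseline_events)
    new = build_profile(new_events)
    alerts = set()
    for user, seen in new.items():
        known = base.get(user)
        if known is None:  # user never observed during the baseline period
            alerts.add((user, "no-baseline", ""))
            continue
        for fp in seen["fingerprints"] - known["fingerprints"]:
            alerts.add((user, "new-fingerprint", "/".join(fp)))
        if len(seen["records"]) > volume_factor * len(known["records"]):
            alerts.add((user, "volume-spike", str(len(seen["records"]))))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(BASELINE, TODAY):
        print(alert)
```

In practice the baseline would cover weeks of access logs rather than a handful of events, and alerts would feed the response plan described under Respond.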

Curing Health Care Security Threats

Health care organizations need a holistic enterprise approach to addressing risks to the confidentiality, integrity and availability of sensitive information. It’s critical to build a security strategy that balances risks to data while embracing disruptive health care technologies such as bedside entertainment systems, IoT-enabled medical devices and more. While these capabilities can certainly enhance the patient experience, they all pose entry points for malware that did not exist in decades past.

A security immune system provides an ecosystem of capabilities, underpinned by services and products that allow organizations to create a safer online environment. This strategy can be mapped specifically to the health care sector to help IT professionals manage the risks and threats to valuable medical information — and prevent their facilities from going on bypass.
