Maintaining CIA to Keep Health Care Security Threats at Bay

Imagine that your health care organization just went on bypass due to a cyberattack. For those unfamiliar with the term, bypass is when a health care facility is unable to provide services for one reason or another. When an emergency room parking bay area is literally full of ambulances, for example, the hospital may go on bypass to ensure that any additional emergencies are routed to the nearest available facility.

During the recent global WannaCry malware outbreak, one of the largest health care security threats on record, services at up to 40 hospital trusts across the U.K. were affected. Surgery operations and appointments were canceled, and ambulances were diverted away — not because of a shortage of doctors, beds or parking bays, but because they were under cyberattack.

CIA Keeps Malware Away

Malware is the collective term used to refer to a variety of hostile or intrusive software actors, including viruses, worms, Trojans, ransomware, spyware, adware, scareware and other intentionally malicious programs. Malware, at its core, aims to disrupt the CIA triad of information security:

  • Confidentiality means ensuring only those with appropriate rights are able to access information, and that information is not lost or leaked.
  • Integrity is ensuring that information is not altered or tampered with.
  • Availability is ensuring that information is available when required in a timely fashion.

To examine these three dimensions within the context of health care information, let’s assume that the data in question is a patient’s health record, which could include sensitive medical data, personally identifiable information (PII) and even credit card information. The rising usage of mobile computing and growing bring-your-own-device (BYOD) culture increase the likelihood that this data will be breached.

An attack against medical information integrity could literally kill people. A more benign attack might aim to alter someone’s address to reroute his or her formal correspondence. But what happens when a threat actor changes a patient’s drug dosage, prescription or blood type? Such a breach could be catastrophic — even fatal.


Other health care security threats seek to compromise the availability of critical information. For example, an injection attack aims to disrupt or take down a system. This is often done to either halt the availability of a service, lock the information it hosts or access the underlying operating system or environment. With this additional information, an adversary would be well-armed to mount a more advanced attack against assets.

Cryptomalware such as the WannaCry family is designed to render information unavailable through the process of encryption. This ransomware attack is a direct attempt to quickly monetize the inherent value of the information you hold.

Patching Is Not Enough

Many guidelines urge health care security professionals to ensure that all systems are patched, both at an operating system and application level, to thwart malware. This is sound advice, but in reality, sometimes machines cannot be patched, either due to mission criticality or software incompatibility.

In the health care industry, software often runs on old and outdated operating systems or application stack platforms — or, in the case of Internet of Things (IoT) devices, on old embedded operating systems. Some platforms have aged out of vendor support and thus cannot be patched. Other systems are so critical that halting them temporarily might mean compromising the entire environment.

Health care organizations require a defense-in-depth approach, and patching is only one method. Organizations need to consider implementing alternative and complementary controls, as well as following risk-based evaluation and management best practices. Examples of complementary or compensating controls include separated or dedicated network access, enhanced intrusion detection system (IDS) or intrusion prevention system (IPS) capabilities, or changes to business and human processes to reduce the residual risk to organizations and the threat to the CIA of information they hold.

Get Back to Basics

To securely manage information, a health care organization’s most valuable asset, it is essential to build your cybersecurity strategy and operations around three key domains of competency:

  • Prevent. Know what information you hold, where it is stored, how it is managed and accessed, and the threats to the CIA of these assets. Then, use a defense-in-depth approach to ensure that the information is protected, patch systems and endpoints, perform encryption and establish the least permissive controls over information access.
  • Detect. Identify both regular and irregular access at an enterprisewide level, and understand the behavior and fingerprinting of information access. This means knowing nonfunctional characteristics such as the type of device being accessed, tracking the access method and the permissions used, and identifying patterns and changes in user behavior.
  • Respond. One of the biggest cost savers during a data breach is a battle-tested cybersecurity response plan. A lack of coordination can make it difficult to react quickly and contain the costs of an incident. Additionally, after a security event, health care organizations must be able to reflect on the incident and return to regular business operations. They must also be able to measure the effectiveness of controls and response activities, including communication across the business.
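The Detect competency above calls for baselining regular access and flagging changes in device type, access method, permissions and timing. The following is an added example, not code from the article or from IBM, that learns a user's access fingerprint from earlier audit records and flags later accesses that deviate from it; the log format, field names and sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample EHR audit lines (not real data), one access per line:
# timestamp,user,device,access_method,permission,record_id
SAMPLE_LOG = """\
2017-05-10T09:12:00,nurse_a,ward_workstation,ehr_ui,read,pt-1001
2017-05-10T09:40:00,nurse_a,ward_workstation,ehr_ui,read,pt-1002
2017-05-10T10:05:00,nurse_a,ward_workstation,ehr_ui,read,pt-1003
2017-05-11T08:55:00,nurse_a,ward_workstation,ehr_ui,read,pt-1004
2017-05-11T14:20:00,nurse_a,ward_workstation,ehr_ui,read,pt-1005
2017-05-12T02:17:00,nurse_a,personal_phone,rest_api,write,pt-1006
"""

def parse(log):
    """Split each CSV audit line into a dict; the hour is kept for time-of-day checks."""
    rows = []
    for line in log.strip().splitlines():
        ts, user, device, method, perm, record = line.split(",")
        rows.append({"ts": ts, "hour": int(ts[11:13]), "user": user, "device": device,
                     "method": method, "perm": perm, "record": record})
    return rows

def build_baseline(rows):
    """Per-user fingerprint of regular access: devices, methods, permissions
    and the range of hours in which the user has been seen working."""
    base = defaultdict(lambda: {"device": set(), "method": set(), "perm": set(), "hours": []})
    for r in rows:
        for k in ("device", "method", "perm"):
            base[r["user"]][k].add(r[k])
        base[r["user"]]["hours"].append(r["hour"])
    return base

def deviations(row, baseline):
    """List the fingerprint attributes of one access that fall outside the user's baseline."""
    b = baseline.get(row["user"])
    if b is None:
        return ["unknown_user"]  # no history at all: always worth a look
    flags = [k for k in ("device", "method", "perm") if row[k] not in b[k]]
    if not (min(b["hours"]) <= row["hour"] <= max(b["hours"])):
        flags.append("hour")
    return flags

def find_anomalies(log, train_lines):
    """Learn the baseline from the first train_lines accesses, then flag later ones."""
    rows = parse(log)
    baseline = build_baseline(rows[:train_lines])
    findings = {}
    for r in rows[train_lines:]:
        flags = deviations(r, baseline)
        if flags:
            findings[r["record"]] = flags
    return findings
```

In the sample, the sixth access (a write from a personal phone over an API at 02:17) is flagged on every attribute, which is the kind of fingerprint change an IDS or SIEM rule would escalate for review.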

Curing Health Care Security Threats

Health care organizations need a holistic enterprise approach to addressing risks to the confidentiality, integrity and availability of sensitive information. It’s critical to build a security strategy that balances risks to data while embracing disruptive health care technologies such as bedside entertainment systems, IoT-enabled medical devices and more. While these capabilities can certainly enhance the patient experience, they all pose entry points for malware that did not exist in decades past.

A security immune system provides an ecosystem of capabilities, underpinned by services and products that allow organizations to create a safer online environment. This strategy can be mapped specifically to the health care sector to help IT professionals manage the risks and threats to valuable medical information — and prevent their facilities from going on bypass.

Stephen Burmester

Industry Security Advisor, IBM Australia

Stephen is IBM's Industry Security Leader. Having been a CISO himself prior to joining IBM, he is a security subject matter expert across a number of industry verticals. Stephen's responsibility is to ensure security strategy and messaging input into all industry-led solutions. He is also responsible for liaising with the various IBM industry teams and keeping them enabled and updated on the latest security market trends and solutions. Prior to joining IBM, Stephen was the Chief Information Security Officer (CISO) for the National eHealth Transition Authority (NEHTA), where he had responsibility for all information security and cyber activities for the national entity, as well as leading and managing the NEHTA Security practice. Stephen led the design team for establishing the Personally Controlled Electronic Healthcare Record for all Australians, as well as national identifier and authentication systems for the healthcare sector. Stephen's passion for digital identity and his technology skills were also put to the test in leading the design for Australia's first smartcard driver's licence (Queensland), bringing together smartcard, PKI and facial biometric technologies for the transport sector. Stephen is a senior ICT professional and manager with over 20 years of cross-industry experience in large and complex environments. He has also been an advisor to many CIOs across state and Commonwealth governments as well as the private sector. Stephen is an ISC2 Certified Information Systems Security Professional (CISSP), and is about to complete his ISC2 Certified Cloud Systems Professional (CCSP).