In 2019, we saw a record number of information security breaches. According to the IBM X-Force Threat Intelligence Index 2020, a total of 8.5 billion records were compromised — three times the number from 2018.
The healthcare industry saw its fair share of attacks and was the 10th-most targeted industry, accounting for 3 percent of all attacks last year. The industry was particularly plagued by Ryuk ransomware, which, in one case, demanded a $14 million ransom payment to decrypt files and allow nursing homes in the U.S. to restore their operations.
Interestingly, the 2019 Cost of a Data Breach Report found that 24 percent of reported data breaches globally were due to negligent employees or third parties. Employees, despite being a company’s greatest asset in many respects, continue to be one of the weakest links in the security chain. Although organizations are now investing more in security awareness and training for employees, attackers continue to find more creative ways of breaching organizations.
Emerging Threats and Medical Technologies Will Challenge Current Security Models
In addition to new threats, the last few years have brought about a number of technological breakthroughs within the healthcare industry, and with further advancements in these emerging technologies, the next decade will certainly challenge the industry’s current security operating models and the trust assumptions within them.
Some prominent emerging technologies that will scale in the next decade include:
- The internet of medical things (IoMT) — IoMT devices have obvious benefits for both patients and healthcare organizations and are still in their infancy compared to their potential in transforming services for patients. For example, in 2018, the National Health Service (NHS) of the U.K. announced a smart continuous glucose monitoring (CGM) device that allows patients with Type 1 diabetes to monitor their blood glucose levels on their own. At the moment, the device stores the information locally, but in the future, the collected information will be available for viewing in third-party mobile apps and will also be monitored by remote workers to allow them to intervene if needed. The increase in these devices will only expand the attack surface to be defended by security professionals who will need to catalog and track all IoMT devices connecting to the network and accessing, storing and processing information.
- Robotic helpers — Robo helpers have been tipped as the next big wave in healthcare. The daVinci system has already proven its use in surgery; however, the future will see an expansion of robots in other aspects of healthcare, including patient care. In 2018, the Nagoya University Hospital in Japan trialed the use of robots to deliver drugs and test samples. These robots were 125 cm tall and capable of traveling at speeds of up to 3.6 kph carrying up to 30 kilograms. The use of such robots will have interesting implications for the future, as security professionals will have to apply the same identity and access controls to robots that they currently apply to humans.
- Augmented reality (AR) — AR is currently being trialed in areas such as patient and doctor education, surgical visualization and disease simulation to enhance patient treatments and outcomes. For example, one AR application “maps a patient’s body, showing the exact location of veins so medical staff can hit the mark the first time when drawing blood or administering an IV prior to surgery.” Manipulation of such information by hackers could have life-threatening consequences for patients, not to mention the reputational damage for the healthcare organization.
- Advanced persistent threats (APTs) — Healthcare will see an increase in attacks from APT groups trying to obtain intellectual property. APTs will require healthcare organizations to have heightened awareness of sophisticated tactics, techniques and procedures, including custom malware tailored for state interests.
Given the interconnected nature of the future with IoMT devices, augmented reality, robot helpers and more, it is clear that the current perimeter-based security model that most healthcare organizations use will no longer be effective. To stay ahead of these trends, healthcare organizations must continue to invest in the basics while making a fundamental shift from the castle-and-moat approach to a Zero Trust model. Security professionals in this area must:
- Ensure a strong foundation — Focus on the basics: Maintain up-to-date policies and procedures, good cyber and data hygiene, strong identity and access management (IAM), asset management, data classification and protection, cyber incident response, and security training and awareness.
- Continuously assess and prioritize risk — Implement a threat- and risk-driven security strategy: continuously perform risk assessments to identify key risks, and adjust security priorities accordingly by performing risk quantification.
- Invest in cloud security — The future will drive an increased use of software-as-a-service (SaaS) tools and other cloud-based applications. Securing cloud-based workloads as well as how data is accessed and stored in the cloud will determine how successful healthcare organizations are in their digital transformation journeys.
- Innovate and automate — While IT has made quite a few strides when it comes to automation, security is still catching up. Healthcare organizations must use automation and artificial intelligence (AI) to their advantage when it comes to improving breach identification and incident response times. Possible applications for AI in security include orchestration and automation of incident response, user behavior analytics (UBA), threat hunting, deception technologies and unified endpoint management (UEM).
- Embrace a Zero Trust model — Move the perimeter from the edge of the network to individual users and devices. Access must no longer be provided solely on the basis of a user’s credentials but based on a point-in-time security risk evaluation that considers attributes such as a user’s location, device and the information they are trying to access.
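The point-in-time evaluation described in the last item can be sketched as a small policy decision function. This is an added example, not code from the original article; the attribute names, risk weights, classification labels and the "step_up" outcome are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed classification scheme: higher rank means more sensitive data.
SENSITIVITY = {"public": 0, "internal": 1, "phi": 2}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    credential_valid: bool   # password/MFA already verified
    location: str            # "hospital-lan", "home-vpn", anything else is unknown
    device_managed: bool     # enrolled in endpoint management
    device_patched: bool     # meets the patch baseline
    resource_class: str      # classification label that travels with the data

def risk_score(req):
    """Point-in-time risk from context attributes (weights are illustrative)."""
    score = {"hospital-lan": 0, "home-vpn": 1}.get(req.location, 3)
    score += 0 if req.device_managed else 2
    score += 0 if req.device_patched else 1
    return score

def decide(req):
    """Return 'allow', 'step_up' (re-authenticate) or 'deny' for one request."""
    # Valid credentials are necessary but not sufficient; unknown labels fail closed.
    if not req.credential_valid or req.resource_class not in SENSITIVITY:
        return "deny"
    # The more sensitive the data, the less risk is tolerated (4, 2, 0).
    budget = 4 - 2 * SENSITIVITY[req.resource_class]
    score = risk_score(req)
    if score <= budget:
        return "allow"
    return "step_up" if score <= budget + 1 else "deny"

# Constructed requests: same user and valid credentials, different context.
ON_SITE = AccessRequest("nurse01", True, "hospital-lan", True, True, "phi")
REMOTE = AccessRequest("nurse01", True, "home-vpn", True, True, "phi")
UNMANAGED = AccessRequest("nurse01", True, "cafe-wifi", False, True, "phi")

if __name__ == "__main__":
    for r in (ON_SITE, REMOTE, UNMANAGED):
        print(r.location, r.resource_class, risk_score(r), decide(r))
```

The three sample requests carry identical credentials and differ only in context, which is what separates this decision from a credential-only check.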
The Benefits of a Zero Trust Approach to Healthcare Security
A Zero Trust model can help healthcare organizations provision access in a more effective manner by focusing on data, workloads and identity.
In a Zero Trust model, security is intrinsically linked with the data and travels with it across locations and devices, be they in-house or third-party. Data classification schemes and associated controls can no longer be bound by the perimeter of a corporate network and must apply to the data wherever it resides.
In a Zero Trust model, the perimeter is the workload itself. Security policies are applied granularly at the workload level, thereby creating microsegments that not only ensure tightly controlled access but also contain any potential compromise to the workload. This prevents any lateral movement of unauthorized traffic. While the implementation of microsegmentation was previously restricted to organizations that could afford costly hardware such as next-generation firewalls, organizations today can achieve this without major hardware changes using software-based microsegmentation technologies.
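A workload-level policy of this kind reduces to a default-deny allow-list of flows, which can also be used to compute how far a compromise could spread over permitted paths. This is an added example, not code from the original article; the workload names, ports and flow records are constructed.

```python
# Workload-level allow-list: (source workload, destination workload, port).
# Anything not listed is denied, so each workload is its own segment.
# Workload names and ports are hypothetical.
POLICY = {
    ("ehr-web", "ehr-app", 8443),
    ("ehr-app", "ehr-db", 5432),
    ("infusion-pump-gw", "ehr-app", 8443),
}

# Constructed flow records: (src workload, dst workload, dst port).
FLOWS = [
    ("ehr-web", "ehr-app", 8443),
    ("ehr-app", "ehr-db", 5432),
    ("ehr-web", "ehr-db", 5432),           # web tier skipping the app tier
    ("infusion-pump-gw", "ehr-db", 5432),  # device gateway reaching the database
    ("ehr-app", "ehr-db", 22),             # permitted pair, unpermitted port
]

def evaluate(flows, policy):
    """Split observed flows into allowed and denied under default-deny."""
    allowed, denied = [], []
    for flow in flows:
        (allowed if flow in policy else denied).append(flow)
    return allowed, denied

def reachable(start, policy):
    """Workloads reachable from `start` by chaining allowed flows.

    This is the containment boundary: the set a defender must assume is
    exposed if `start` is compromised.
    """
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for src, dst, _port in policy:
            if src == node and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

if __name__ == "__main__":
    allowed, denied = evaluate(FLOWS, POLICY)
    print("denied:", denied)
    print("exposure from infusion-pump-gw:", sorted(reachable("infusion-pump-gw", POLICY)))
```

Denied flows are the candidates for lateral-movement alerts, and an empty `reachable` result for a workload means a compromise there has no permitted onward path.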
Along with a data-centric and workload-first approach, a Zero Trust model requires the ability to identify all users and devices on the network at all times. In order to achieve this, organizations can utilize a combination of existing endpoint security controls as well as network access control (NAC) solutions.
It’s Underpinned by Visibility and Analytics
You cannot secure what you cannot see. In a Zero Trust model, security professionals must have visibility into all applications and data flows to ensure they can apply the right access controls. Security staff must use tools for network analysis and visibility (NAV) and security information management (SIM) together in order to comprehend what is happening on the network.
It Reinforces Security Orchestration and Automation
A Zero Trust model recommends orchestrating key security workflows and rules to eliminate the grunt work from security incident response and reduce incident resolution times.
To help combat evolving cyberattacks and address challenges associated with emerging technologies, healthcare organizations should adopt a data-centric, workload-first and identity-aware model that is underpinned by visibility, analytics, and security orchestration and automation. When it comes to safeguarding critical hospital operations and patient health, Zero Trust is the best way forward.
Senior Managing Consultant, IBM
Aaditya is a Senior Managing Consultant with IBM's Security Transformation Practice in the UK & Ireland. He is passionate about Cyber and has over 10 years expe...