Days away from HIMSS 2016, the year's largest healthcare IT conference in the United States, the spotlight has never been brighter on healthcare organizations trying to fend off cyber crime.
A recent survey of U.S.-based health care executives paints a harrowing picture. When executives were asked how many times they tracked attempted cyber incursions into their networks, 44 percent said between one and 50, 38 percent said between 50 and 350, and 13 percent said more than 350. The top information security worries included malware infecting their systems, compromising patient data privacy, and incurring HIPAA violations.
IBM called 2015 “the year of the healthcare security breach” – and 2016 is already shaping up to be no different. The news about a hospital in California paying ransom to hackers who infiltrated and disabled its computer network is a worst-case scenario many in the healthcare industry want to avoid at all costs.
There is no magic vaccine to cure this. The reality is that healthcare organizations will need to continue investing in cybersecurity to keep up with these online attacks that are increasingly able to exploit their networks.
Where should you start? If you’re like most healthcare organizations, your network infrastructure and support technology are disjointed and out of date. Multiple infrastructure technologies may be layered upon one another, as it’s uncommon (and costly) to rebuild a network from the ground up every time business requirements change.
Digging deeper, let’s take a look at the two major categories of infrastructure that healthcare organizations – particularly medium-to-large ones – possess:
- Business network: This includes systems related to personnel management, general IT systems and servers, business and partner related systems, billing, patient record systems, voice systems, and many others used to operate the organization from day to day.
- Clinical network: This includes point-of-care systems and the servers used for configuring and controlling those systems.
In a perfect world, you would have security that’s segmented to specifically address your various networks to keep cyber attacks at bay. However, most healthcare organizations operate entirely flat networks, using switch technologies such as virtual local area networks (VLANs) to attempt to provide some traffic segmentation. The problem is that VLANs alone offer few security controls that can be assigned to specific segments of your network and systems. The workaround is an intricate patchwork of firewall and routing rules that attempts to bolt on security.
Attackers know this, which is why they target IT systems and infrastructure directly rather than waiting for employees to lose data. Phishing, social engineering, and web/database attacks (such as SQL injection) are currently the most common ways large healthcare organizations are breached.
If an attacker manages to gain a foothold in a healthcare organization that is poorly segmented and controlled, personal health information as well as all the critical care devices running on the same flat network are at risk of damage or attack. In addition, most healthcare organizations have connections to many outside partners and vendors that essentially become extensions of their own internal networks. Attackers can compromise a connected organization and use that foothold to move into other critical parts of the organization’s network.
So, how do healthcare organizations protect themselves? A good start is shoring up process, technology, and people.
- Process: Instill policies relating to data classification and handling, IT governance, regulatory compliance, and comprehensive user education.
- Technology: Properly configure technology to address the security needs of different points throughout the network. Endpoint technologies should include malware detection and execution prevention, full hard disk encryption, and centralized asset control. Network technologies should include security and event monitoring with monitoring in each network segment or area, centralized logging, firewalls controlling the separation of critical network segments, and encrypted communication links.
- People: Train employees to run your information security program, and the program will train employees to correctly operate on your network. All the latest technology in the world cannot mitigate the risk of cyber attack if employees aren’t trained properly.
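As an added illustration of the segmentation point above (example code, not from the original post or from US Cyber Vault), the following Python script models business, clinical and partner segments with constructed address ranges and audits a firewall rule set against the intended segment-level policy. It shows how a flat "allow everything" rule base lets a vendor host reach clinical systems, while narrow default-deny rules between segments do not; every address, rule and probe is constructed for illustration.

```python
import ipaddress

# Constructed segments for the two network categories in the article plus the
# partner/vendor links it warns about (all addresses are illustrative).
SEGMENTS = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "clinical": ipaddress.ip_network("10.20.0.0/16"),
    "partner": ipaddress.ip_network("172.16.0.0/16"),
}
# Intended segment-level policy: (source, destination) pairs that may talk at all.
POLICY = {("business", "business"), ("clinical", "clinical"),
          ("partner", "business"), ("business", "clinical")}

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in SEGMENTS.items() if ip in net), "unknown")

def first_match(rules, src, dst, port):
    """Rules are (action, src_cidr, dst_cidr, port or None). First match wins, default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sc, dc, p in rules:
        if (s in ipaddress.ip_network(sc) and d in ipaddress.ip_network(dc)
                and (p is None or p == port)):
            return action
    return "deny"

def audit(rules, probes):
    """Return probes the rule set allows although the segment policy forbids them."""
    violations = []
    for src, dst, port in probes:
        if (first_match(rules, src, dst, port) == "allow"
                and (segment_of(src), segment_of(dst)) not in POLICY):
            violations.append((src, dst, port))
    return violations

# Flat network: VLANs exist, but the rule base permits everything (constructed).
FLAT_RULES = [("allow", "0.0.0.0/0", "0.0.0.0/0", None)]
# Segmented network: narrow allow rules between segments, default deny (constructed).
SEGMENTED_RULES = [
    ("allow", "10.10.5.0/24", "10.20.0.0/16", 22),     # admin subnet -> clinical, SSH only
    ("allow", "172.16.0.0/16", "10.10.40.0/24", 443),  # partners -> billing gateway only
    ("allow", "10.10.0.0/16", "10.10.0.0/16", None),   # business intra-segment
    ("allow", "10.20.0.0/16", "10.20.0.0/16", None),   # clinical intra-segment
]
# Constructed connection attempts to evaluate against both rule sets.
PROBES = [
    ("172.16.3.7", "10.20.8.15", 445),   # vendor host -> clinical server
    ("10.10.5.9", "10.20.8.15", 22),     # admin workstation -> clinical server
    ("10.20.8.15", "10.10.3.3", 80),     # clinical device reaching into business
]
```

Running `audit(FLAT_RULES, PROBES)` reports the vendor-to-clinical and clinical-to-business probes as policy violations, while `audit(SEGMENTED_RULES, PROBES)` reports none.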
Does this give you a headache? Download our free healthcare study to learn how you can mitigate your risk for a data breach. If you are going to be at the HIMSS conference from February 29 through March 4, visit our booth at #9908-9. I look forward to helping you work through these complex problems pervading the healthcare industry today.
Written by Rob LaMear, CEO, US Cyber Vault