The Health Care IT Security Challenge
A data breach impacting personal identifiable information (PII) can ruin someone's life, but an attack on critical health infrastructure can actually end it. Find out how the health care industry can guard against cyberattack.
Given the significant rise of cyberattacks against leading government and industrial entities last year, the world has become painfully aware of how vulnerable its critical IT infrastructure has become. But while most breaches tend to focus on the theft of financial records and other forms of personally identifiable information (PII), a growing number of incidents are starting to target medical providers.
This represents a serious escalation in the security wars, given that malicious code or even something as common as ransomware has the potential to put patients’ lives at risk if they targeted critical medical infrastructure. To date, no deaths have been directly attributed to a cyberattack, but it is certainly not in the industry’s best interests to wait until the unthinkable happens before taking action. (To learn more about attacks in this area, see The Growing Cybersecurity War on the Health Care Industry.)
Perhaps the most serious attacks in the past year were the WannaCry virus that infected multiple thousands of computers around the world, including some at the U.K. National Health Service, followed shortly by the NotPetya attack that shut down leading organizations like Merck and Nuance, with some systems not coming back on line for several weeks. As Mac McMillan, CEO of cybersecurity firm Cynergistek pointed out to Modern Healthcare, these attacks showed that “threat actors” are now willing to risk patient safety in order to commit their crimes.
One of the key vulnerabilities for these kinds of attacks is email. Trojan horse programs often penetrate IT firewalls by tricking email recipients to open false weblinks. Once inside, they can roam freely within a data network, stealing data or rewriting code to shut down critical systems at a given time or with a given prompt. Many organizations, in fact, have implemented new employee training protocols designed to help identify fraudulent emails.
But a potentially more serious threat lies in the fact that the health care industry is under tremendous pressure to deploy cutting-edge technology as a means to improve patient outcomes and control costs. Unfortunately, this leads many organizations to add new capabilities before their security vulnerabilities can be fully vetted, leaving providers open to attack vectors they may not be aware of. (New technology always gives rise to new threats. For more, see Cybersecurity: How New Advances Bring New Threats - And Vice Versa.)
A case in point is the emerging internet of things (IoT), which is already flooding hospitals and other providers with a plethora of connected life-saving devices. According to tech writer Zehra Ali, health-related IoT is sure to improve patient care, data analysis and cost control, but it is also susceptible to malicious intrusions that can compromise patient data or even interfere with a device’s ability to communicate. To counter this, providers will need to take extra care to confirm and authorize access to networked systems and implement advanced data encryption on IoT traffic flows.
Another effective tool to help boost health care security is automation, says HIT Infrastructure’s Elizabeth O’Dowd. When it comes to protecting critical health systems, closing the breach after the damage has been done is not an option. Providers will have to adopt a more proactive defensive posture that can only be accomplished through deep visibility and high-speed data analysis to track and isolate anomalies before they reach critical stages. A key area for automation to flourish is in network verification, which can continuously ascertain that all entities interacting with the health care network are cleared to do so.
At the same time, artificial intelligence (AI) and machine learning (ML) can significantly improve the ability to adapt security postures in the face of evolving threats and to identify hidden vulnerabilities that may otherwise have gone undetected. Although the idea of a fully autonomous security environment is still a little far-fetched, it is reasonable to expect vastly improved security at less cost and with less human involvement in the relatively near future.
Technology alone cannot protect critical systems, however. The healthcare industry should adopt a broad range of best practices to reduce both the risk of a breach and the potential damage it can cause. Groups like the HiTrust Alliance, the U.S.Computer Emergency Readiness Team (US-CERT) and even the FBI all provide resources to help health care groups and other organizations maintain cyber-readiness, says Campus Safety Magazine’s Zach Winn. But perhaps the most detailed program comes from the American Health Information Management Association (AHIMA), which offers guidance on risk analysis, record retention, mobile device management and a host of other factors. The important thing to remember is that no organization is alone in this fight – the more engaged you are in maintaining communications with your peers, professional organizations and law enforcement, the better off you’ll be.
It should be evident by now that cybercrime is a fact of life for the modern enterprise, and even the most forward-leaning security posture has a limited shelf-life. The same basic technologies that can be used to defend an enterprise can be used to attack it, and the speed at which advanced capabilities, even quantum computing, enter the public sphere means IT executives must remain on their guard – not just to prevent today’s potential threat, but tomorrow’s as well.
Credit, identities – even someone’s life savings – can all be restored. When health-related systems are taken down, the loss may be irreplaceable.