Former FBI agent, CISO share tips for planning endpoint security to ward off hackers
Given the widely recognized near-inevitability of cyber breaches, it's crucial that hospitals and other healthcare organizations adequately allocate resources to put a crimp in the efforts of potential hackers.
The challenge, then, is picking and choosing which elements to home in on when allocating security resources.
That starts with the budgeting process, of course, which should encompass endpoint security technologies, talent acquisition and retention, risk management and business continuity plans.
Mapping IT topology
Chris Tarbell, a former FBI special agent who infiltrated Anonymous and Silk Road and is now director of cybersecurity and investigations at Berkeley Research Group, said tamping down the efforts of intruders requires organizations to formulate a security plan that accounts for the systems they have in place and where those systems sit, with a deep understanding of what they need to protect and how to manage that.
To help identify those variables, Tarbell recommended that clients provide a topology map to reflect what their network looks like, and maintain it to keep a handle on all the various endpoints.
Cambridge Health Alliance chief information security officer Arthur Ream said that a critical part of the plan — and the budget — is risk management.
"You accept certain risks then invest in technology that guards you best," Ream said.
Managing risk and implementing appropriate technologies are critical as CISOs and hospital executives are up against an evolving threat landscape. Healthcare information, in fact, has become more valuable to hackers than credit card data because it carries billing information, birth dates and policy numbers, which can be resold in large quantities to file false claims.
"You need staff and technology in place to monitor your network's security on a second by second basis," he said.
Watching each other
Endpoint security technology – which helps safeguard networks and remotely connected wireless devices by following patterns to make spotting aberrations easier – is one area that deserves close attention.
While "you're watching them, someone else is watching" too, said Ream. Consequently, "you're regularly trying to watch for anomalies based on your baseline patterns."
Take phishing campaigns, for instance.
"These guys are pumping out as many as 500,000 to one million emails a day," Ream said.
That means if only one percent of those phishing emails make it past the gateway, healthcare organizations still have a significant number to grapple with.
"When your IT people see that an endpoint's going out to financial servers – which it's never done before – and a lot of data is being downloaded, you immediately get an alert on that endpoint and shut it down," Ream continued.
On another front, organizations should also protect their infrastructure against constant hits by having security in place right at their company website, he added.
"You have policies that say, 'This is how we're going to protect the assets,' and you wrap your technology around that," Ream said.
While Cambridge Health Alliance also uses educational initiatives directed at threats such as phishing campaigns, the message doesn't always stick.
"You can keep educating people and hope they don't, but someone's going to click on something," said Ream. "If you don't understand the human nature aspect of people who work for you, that's a vulnerability you failed to address. You're remising your security structure."
Never quite enough
Even organizations that seemingly cover all the bases struggle with gaining enough money, time and talent.
"If you talk to the IT guys, there's never enough resources," said Tarbell. "The boards and CEOs – and especially the CFOs – never want to pay for anything."
And Tarbell explained that CFOs should never be the ones making ultimate security decisions.
"It should come down to the general counsel, because it's a business risk," he explained. "You need business continuity – you can't just pull the plug on networks."
Nor can healthcare organizations simply buy themselves out of trouble. It takes a plan with elements of business continuity, endpoint security and risk management, as well as appropriate prioritization.
"You don't have to spend $1 million [on endpoint tools] in order to have a secure network," Tarbell said. "You just have to spend it correctly."