From prevention to mitigation: How to identify, understand and manage IT security risk
What keeps CIOs and CISOs up at night? What’s their biggest security concern?
It is every executive’s nightmare: These well-publicized breaches involving patient information that lead to an inability to function, particularly those that cause actual physical harm to a patient.
Healthcare has a wealth of valuable data that makes it attractive to theft: Social Security numbers, credit cards and bank routing data ― and even information that could be used for extortion purposes. This is compounded by the fact that healthcare networks typically have such a wide variety of systems that it is difficult to track and secure them all. This makes them particularly vulnerable to ransomware software that can lock out their data until a payment is made. Such an attack is not only costly, but also could result in tangible harm to patients as the inability to access health records, such as charting, could result in a delayed or mistaken medical decision.
Unfortunately, these concerns aren’t going away anytime soon. As technology and IT environments continue to evolve at a rapid pace, security risks will evolve right alongside them.
What are some best practices for healthcare organizations to deploy to strengthen their cybersecurity program?
Since healthcare is so vulnerable to cybercriminals, the biggest shift in thinking needs to be away from prevention and toward mitigation. It is practically a given that an incident will eventually happen. Every organization needs to be able to limit the scope of a breach and understand exactly which systems and data are affected. To achieve this, it is essential to combine a good data classiﬁcation and handling system with continual testing of security controls.
Ongoing risk management is absolutely critical to preserve the health of both patients and the organization. Every new technology is going to bring new risks, so any strong security program is going to involve continuous evaluation and continuous improvement. Yes, it requires the time and attention of multiple subject-matter experts, both internal and external, to understand the risks an organization faces. But if you cannot adequately identify your risks, you cannot plan for them ― either in prevention or mitigation.
How can healthcare organizations protect and manage the data coming into their IT systems from IoT devices and apps?
The two biggest ways to manage the risk from IoT devices are to effectively manage the vulnerabilities on these devices and implement segmentation.
Many healthcare organizations have more online systems than they can accurately track in an inventory, let alone keep secure. Comprehensive risk assessments through network scanning and active asset management software can help with identifying these devices.
At CDW, we’ve found that a number of operations are crucial in this assessment, including
• discovery of the breadth of IT assets, including previously unknown assets or networks;
• in-depth penetration testing to analyze multiple paths to compromise;
• a complete vulnerability scan of internal and external systems, as well as a credentialed scan of a sampling of internal systems; and
• scanning and assessment of websites and applications.
Once the devices have been identiﬁed, segmentation is the best approach to limiting risk. This is normally thought of in terms of network segmentation: limiting these devices from talking to devices other than those that are absolutely necessary for functionality. The other way to think about this is in terms of segmentation of privileges, such as not using administrator passwords that are used by other devices and ensuring that all default and “back door” accounts have been secured. Either way, medical device segmentation provides assurance that, in the event of a hacker successfully compromising one portion of an organization, devices on other networks will remain safe. Given healthcare’s expanding device landscape and the evolution of digital threats, I believe this is a strategy more providers need to pursue.
What steps should healthcare organizations take when they have experienced a data breach?
If you have a breach, the most important thing is to be organized. Immediately identify one or more individuals to start performing triage activities ― in other words: Decide what steps need to be taken, how important these steps are, and who will perform them. A simple spreadsheet that tracks an ID, criticality, issue and assigned resource is often adequate.
A triage list usually begins on the ﬁrst day, with steps that help to preserve evidence, communicate with internal and external stakeholders, identify the scope of the breach, identify other security weaknesses, and begin remediating known holes by updating devices and conﬁgurations. With HIPAA regulations, the clock starts “ticking” as soon as the breach is ﬁrst discovered so it’s critical to plan for a breach ahead of time.
“Since healthcare is so vulnerable to cybercriminals, the biggest shift in thinking needs to be away from prevention and toward mitigation.”
-MARK LACHNIET, CDW
CDW Healthcare is a leading provider of technology solutions focused exclusively on serving the healthcare marketplace. Working closely with healthcare organizations nationwide, its customers range from small rural providers to large integrated delivery networks. The dedicated healthcare team leverages the expertise of CDW technology specialists and engineers to deliver best-in-class solutions from data center infrastructure through the point of patient care. For more information, visit CDW.com/healthcare.