Providers, payers and pharma must work together to thwart cyber criminals
When it comes to building cybersecurity defenses against bad actors in healthcare, each provider organization, payer or pharmaceutical company generally relies on its own self-developed strategies and self-selected technologies.
But what if there were a more concerted effort by all of these players to work together to thwart hackers and other cyber criminals? That would be a better way of going about cybersecurity, argues Greg Conti, senior security strategist at IronNet Cybersecurity.
Beefing up your own security is not enough
“At first glance, it may seem that hardening only your own organization and standing alone makes sense as a cost-efficient security and business strategy,” Conti said. “For sure, hardening your own systems and people is necessary, but it is not sufficient. First, I believe that a tenacious state actor can successfully breach even the best-resourced companies given sufficient time, resources and motivation.”
Second, the healthcare industry is a complex and interconnected ecosystem; an ecosystem that all member organizations depend upon to thrive, he said.
“No organization truly functions in isolation,” he explained. “Smaller, less-resourced and more vulnerable organizations are part of this system, too. Attackers will probe the perimeter of this system looking for vulnerabilities, and they will find them. Whether the attacker finds an exploitable vulnerability in their target directly, or compromises someone else and moves laterally to a better-defended target, the end result is the same – a successful attack.”
Conti said he thinks of the healthcare industry not as an isolated listing of organizations, but as a graph where each organization resides and interconnects with many other organizations.
The attack surface of the entire industry
“But even the word ‘organization’ does not capture the complexity,” he remarked. “Every employee, hardware device, network connection, endpoint, server, database and customer is a component. This represents the attack surface of the industry and includes all physical and virtual entities and the analog and digital interconnectivities that bind them.”
The complexity is off the scale, he said. And this is where the attacker explores and finds paths to their target and the means to achieve their goals.
“We have to understand this and defend the ecosystem as a whole, while also defending ourselves individually,” he argued. “This will increase the work factor of attackers and improve our ability to detect and mitigate attacks quickly. No military fights a battle as individual soldiers or tanks, a team is far stronger.”
A disruption in one area of healthcare can cause cascading effects for many others.
“As an example, ransomware attacks against hospitals have caused patients to be turned away,” Conti noted. “This would cause patients to seek treatment elsewhere or delay their procedures. Drugs they might have purchased would be delayed, insurance claims would not be filed, doctors would not be paid for the procedures, patients may become more ill, possibly even dying, emergency rooms in other hospitals might become overcrowded.”
A chilling effect on the whole industry
Another example is the Tylenol murders of 1982, Conti pointed out. Tainted Tylenol made consumers question the safety of all over-the-counter medications, creating a chilling effect on the market.
“Congress, and later the FTC, were forced to take action, putting in place legislation making it a federal offense to tamper with consumer products and mandating tamper-resistant packaging, respectively,” Conti recalled. “The effects of the Tylenol scare reverberated for many years until consumer confidence was regained.”
Attacks on the healthcare industry can cause many different types of effects: delaying the delivery of needed medicines, degrading trust in healthcare companies, deceiving individuals as to the safety of medical procedures and vaccines, destroying shared medical databases, or corrupting patient data.
“It is easy to see that any of these effects impact not just an isolated organization, but many: patients, medical staff, device manufacturers, pharmacies and numerous others,” Conti said. “The key idea is that it is all interconnected and many people and systems will be affected. Some effects are obvious and expected, some effects we will not discover until the event unfolds due to hidden interdependencies.”
Even if an event is relatively isolated, social media can cause the spread of disinformation to far outpace true information, particularly early in a crisis, he added.
The potential of cascading effects
“It is not easy to negate the potential of cascading effects, I tend to think more in terms of minimization, but I believe hardening one’s organization and creating a collective defense for the industry as a whole are essential strategies,” he contended.
“Detecting and mitigating attacks early in the kill chain can stop attacks before we feel the effects. Sharing of threat information and creating visibility and situational awareness for not just an individual company but the healthcare industry as a whole will allow you to see attacker activity in advance and take appropriate measures.”
Automated detection and response systems also are important as they increase the speed at which healthcare organizations can react, he added.
So what are a couple of the first steps healthcare provider organization CIOs and CISOs can take to start achieving this goal of a holistic, all-industry approach to cybersecurity? Conti has some thoughts.
“As a starting point, I believe in H-ISAC membership,” he said. “The efficacy of ISACs varies by industry, but I believe in the vision and their utility will grow over time. The H-ISAC is forward-leaning and innovative. I like the idea of supporting industry, and even sub-industry, level SOCs as they emerge.
“At work,” he added, “I’ve put a lot of energy into developing collective defense technologies and believe they offer great promise both now and in the future as they mature and exploit the network effect of many participants.”
A culture of mutual protection
Industry leaders also can create a sense of urgency around security and facilitate a culture that supports mutual protection and collective defense across many organizations, Conti continued.
“Companies should participate in training and exercises that bring together multiple companies and ideally law enforcement and government agencies,” he advised. “The government possesses a monopoly on the use of force and has many tools to make an attack stop, be it economic sanctions, legal indictments, demarches, cyber operations, even military force.”
A healthcare organization probably does not want its first interaction with the government to be during a crisis, he added.
“Companies should also carefully analyze their interdependencies, particularly their physical and virtual interfaces with other organizations, again thinking holistically, and then develop most likely and most dangerous scenarios to prioritize defensive efforts,” Conti suggested.
“Additionally, we can learn from the energy sector and think more in terms of mutual support agreements,” he said. “When a hurricane hits Florida, repair crews from neighboring states rally to the cause. Can we do the same with technical talent in healthcare?”