Is your hospital hacker bait? Here's how to change that
Ransomware hits slowed during the first quarter of 2017, and that’s good, right? Wrong. This indicates hackers are retooling, rapidly improving delivery techniques and, in fact, looking for the next stage of profitable malware.
With a new report from PhishMe finding that, in reaction to ransomware slowing at least recently, cybercriminals are upping the ante, healthcare CIOs and CISOs need to be implementing cybersecurity best practices to not only thwart attacks and protect data today but in lockstep to transform themselves into less appealing targets.
Information security experts David Nickelson of Sapient Health and Kate Kuehn of the BT Group shared a variety of best practices, including a few that are sometimes overlooked.
Nickelson, Sapients’ director of strategy and behavior, said three tactics can help hospital security teams stay one step ahead of cyberattackers.
“First, build device cybersecurity into the procurement process and assess the risk on par with clinical efficacy,” Nickelson said.
That involves talking to vendors and setting expectations about vulnerabilities, taking ISO’s 2014 guidelines into account and preparing for the new ones due in 2019, as well as incorporating those into your own policies and procedures.
Second, Nickelson stressed the need to make basic cyber-hygiene a requirement.
“With the growing popularity of bring-your-own-device, hospital policies and procedures for these devices should be on par with those of a hospital’s own network devices,” he said.
Citing a HIMSS survey from 2016 that found only 56 percent of hospitals actively deploy protocols for medical device management, Nickelson said that “IT managers must think like care providers: Preventing an infection is better than treating one.”
And Nickelson’s third cybersecurity best practice is to assess risk and patch vulnerabilities. In late 2016, he pointed out, the FDA provided specific direction about how to address an identified cybersecurity risk across the entire health IT ecosystem without alarming patients and providers or tipping off would-be hackers interested in exploiting a known vulnerability.
“The most significant guideline is the FDA’s statement that manufacturers can reach back and fix security issues without having to resubmit a device for recertification,” he said. “Prior to this explicit guidance, many manufacturers were reluctant to make changes that could be seen as fundamental alteration, which could trigger the need for recertification.”
Kate Kuehn, BT's vice president of security in the Americas, suggested best practices like keeping firewalls up to date, training employees not to click on suspicious emails, and making sure to protect the right resources.
“The first thing we recommend is an in-depth understanding of your assets; while that seems obvious, what we find is more than half of the companies we work with actually are protecting the wrong things,” Kuehn said. “Organizations need a deep understanding of where they sit in the threat arena, which includes hacktivism, terrorism, nation-state and criminal.”
Every organization has some kind of experience with cybersecurity, but an organization needs to figure out what is most interesting about itself in these threat vectors, she said.
“It’s important to really understand where your organization would be appealing in the threat perspective,” she added. “Then, if you can understand your assets and get them right, you’ll know where to invest.”
That includes being very aware of your perimeter in order to have an all-around defense, Kuehn said.
“From a borderless standpoint, what is a device on the network, what connects in, what about supply chain IT, what are you doing with mobile devices – have a really deep understanding and doing an annual assessment of what is connecting to see where that shadow IT is,” she said. “Printers now carry a lot of personal data. Cameras are being used for attacks. How do your employees use mobile devices? Mobile devices can be taken over in less than a second.”
While many hospitals security teams think they have a handle on this, when they actually conduct an assessment Kuehn said they find more shadow IT and backdoors into the network than expected.
Kuehn’s final tip? Do not overlook shadow IT.
“Security at its heart is a math problem. You have risk plus your probability equals your security stance,” she said. “There really is not a threat that cannot be narrowed down to that equation. All of the things we are talking about concern a disciplined security practice. And especially in healthcare, whenever you can take the offensive rather than the defensive, you become less appealing to attackers.”