[BreachExchange] Breaches Are All Over The Place. And, So Is Your Cybersecurity Tech Stack
Destry Winant
destry at riskbasedsecurity.com
Tue Feb 19 01:27:56 EST 2019
https://www.healthitoutcomes.com/doc/breaches-are-all-over-the-place-and-so-is-your-cybersecurity-tech-stack-0001
Healthcare systems have built out increasingly complex and overlapping
technology stacks. For many years, the focus has been on electronic
health records (EHR) systems – how to streamline solutions and achieve
interoperability. But, in 2019, the industry needs to turn its
attention to cybersecurity solutions.
Healthcare systems were late to adopt security technology. This has
left many IT teams in healthcare without the experience of other
industries – like financial services. Many systems have exacerbated
this issue by deploying overloaded security tech stacks. This hampers
teams further by requiring they learn many different tools. Then add
to this the fact that many smart health devices or IoHT end-points are
incompatible with end-point security agents and require more advanced
security solutions. Lastly, layer on many open networks required in
healthcare to allow collaboration with other clinics, laboratories,
universities, and more.
The current situation must change. According to the U.S. Health and
Human Services Office for Civil Rights, the organization tracking
healthcare data breaches, there were more than 300 breaches in 2018.
This is the highest on record, and they were primarily categorized as
"unauthorized access/disclosure" and "hacking/IT incidents.”
While some of these challenges are harder to address, like finding a
common end-point security solution for connected health devices, there
are immediate cost, security and sanity benefits to simplifying the
cybersecurity stack, and fully utilizing the solutions you keep.
Health system IT and technology leaders can begin to rationalize their
stacks if they understand how they “over” stacked in the first place,
and how to get started in culling.
Did You Overdose On IT Security?
Many healthcare organizations have security technology stacks built
from solutions from as many as 10-20 different vendors, each with its
own maintenance and training requirements. This results in many
facilities using a little as 30 percent of the capabilities in each
offering. Most could get similar or better security coverage with a
compressed and focused security stack.
So, how did we get here? Solutions have been purchased to protect
against threats from yesterday in a piecemeal approach, even as
technology and services have changed or merged, security threats have
rapidly evolved, and we’ve entered into a cross-industry cyber skills
gap.
A typical security stack includes the following solutions: firewall,
intrusion detection or prevention system (IDS/IPS), malware detection,
data loss prevention (DLP), forensics and analytics, and security
information and event management (SIEM). It’s all to likely that your
organization has multiple iterations of each solution, and that
several distinct solutions have overlapping capabilities.
Newer security offerings converge tools from traditionally distinct
categories. However, most healthcare systems have purchased new
solutions without getting rid of previous offerings, increasing
overlap. It’s safe to say that if your security tech stack isn’t
currently overloaded and under-functioning today, it will be in the
near future. It’s time to change how healthcare systems vet and
acquire cybersecurity solutions.
Evolving Aliments Require New Meds
Many cybersecurity solutions are purchased as a siloed tool versus
part of a holistic security platform. For example, many malware
solutions claim to be content-aware for DLP, meaning they can “see”
and flag content such as sensitive or HIPPA-regulated information
hidden in messages or files that are heavily obfuscated and buried
many layers within the payload, etc. However, malware solutions only
run through three or four layers of decoding and inspecting and if
nothing is found, assume that the content is safe. A DLP solution
needs to dynamically unwrap and decode the entire session in
real-time, particularly when HIPPA-protected information is on the
network.
Efforts to find the most affordable options also can lead to purchases
of software without proper training or support baked-in. Security
analysts in healthcare systems are mostly likely already overwhelmed
with the everyday tasks at hand. Too many solutions means analysts go
wide versus deep, leaving powerful capabilities untapped. They do not
have time to learn every product in their stack to the point they
would get the maximum ROI. For example, most users have SIEM solutions
to collect log data emitted from every product in the security stack,
but important SIEM correlation capabilities go largely unused.
Additionally, while large stacks align to a defense-in-depth strategy
in theory, they can slow down holistic analysis. Attacks can take
advantage of the fact that security is managed by people or teams who
are only experts in a specific solution or category, versus security
orchestrated across the entire system.
Lastly, security contract requirements themselves are often written by
these category-specialists, leading to RFPs that are hyper-focused on
specific categories to the detriment of end-to-end protection. This is
exacerbated as healthcare systems and facilities issue new RFPs using
their old template. As cybersecurity categories are beginning to
converge, now is the time to refresh how they are purchased. It would
be equivalent to an ENT doctor being expected to care for someone’s
holistic medical needs. Cybersecurity, like healthcare, requires
generalists and specialists working in tandem.
Culling The Stack
What healthcare systems need in cybersecurity is contextual visibility
across the entire cyber infrastructure – cloud to network to endpoint.
This is only going to be more crucial as IoHT devices dramatically
increase the attack surface at healthcare facilities, and limitations
on end-point security embedded in medical devices remains. To truly
improve security, purchases of new solutions must be made more
holistically.
To get there, we need to understand requirements for the system via a
full requirement analysis, moving away from the category framework.
Next, look at your tech stack and identify overlap and integration
needs with a gap and overlap analysis.
Continuous, real-time asset classification also needs to be part of an
integrated cybersecurity stack. While IoHT is creating tremendous
value for patients and providers, it also means a lot more network
traffic is HIPPA-protected information and there are a greater number
of entry points for potential threats.
Next, don’t underestimate the importance of training, both on the
solutions in your stack and on general cybersecurity tactics and
techniques. Hackers are doing it, so your cyber analysts must too.
Product technology training should be included with every acquisition
of new technology, in addition to funds and time set aside for ongoing
cyber education training and certifications.
A Better Stack
Most healthcare systems have too many tools and platforms in their
stack for a typical security team to efficiently know, integrate,
maintain or leverage.
If you cull your stack and provide contextual visibility across all
layers of your environment –network, endpoint, lateral movement, cloud
and IoHT – your security team will be more effective and efficient.
You will get better intelligence and gain a holistic view of network
threats. The patients in your care will have better protection for
their private information. Plus, you reduce the cost and frustration
burdens being felt in too many healthcare technology environments.
This might take some time and new thinking in terms how cybersecurity
solutions are bought for health systems – but it’s imperative to start
thinking bigger. Security is at stake.
More information about the BreachExchange
mailing list