[BreachExchange] How healthcare CIOs can keep their organisations secure
Destry Winant
destry at riskbasedsecurity.com
Mon Feb 24 10:13:50 EST 2020
https://www.information-age.com/healthcare-cios-keep-organisations-secure-123487822/
For healthcare organisations, the risks and responsibilities
associated with cyber security are greater than ever, as patient
health data is some of the most valuable on the black market. For
CIOs, losing this information to thieves, carelessness or natural
disasters is unthinkable in healthcare — and in many cases punishable
by a fine.
The following is a look at five of the most important responsibilities
for CIOs when it comes to keeping modern healthcare organisations, and
their customers, secure.
1. Have a Plan in Place
The June 2017 cyberattack known as NotPetya was one of the largest
attacks of its kind ever conducted. It brought digital systems to a
standstill throughout the world, including those used by healthcare
organisations and medical transcription services.
Some of these organisations, like Sutter Health, found themselves at a
caregiving standstill after their transcription company, Nuance, fell
victim to NotPetya.
NotPetya crippled entire companies, ports and government agencies. But
Sutter Health learned two things from the experience. The first is
that having a plan paid off — they were able to migrate their systems
and data off the affected services in very short order. They were
still left with a transcription backlog, but they survived — and so
did their data.
Having a plan in place to answer and recover from healthcare security
issues, including attacks, looks different to different organisations.
Many of the fundamentals are the same, however. We’ll mention other
points as we go, including having encrypted, up-to-date backups
available in case of data loss or theft.
2. See Artificial Intelligence as a Credible Ally
The second thing Sutter Health learned was that good technology is the
only thing that can fight malign technology. For Sutter Health, that
meant using artificial intelligence.
AI provided a warning just in time to conduct damage control during
the NotPetya incident. The company faced some 87 billion cyberattacks
in 2018, meaning no human could detect and prioritise them all. AI is
a real ally here, both for a company that serves three million
patients and for the many smaller healthcare organisations throughout
the world.
After artificial intelligence has identified a potential issue, it
flags engineers and coders so they can implement patches, update
blocklists and perform other preventive or ameliorative actions.
There’s still a huge human element involved, but AI automates the most
difficult parts of the defensive process.
3. Know the Risks of Ransomware and Defend Against It
For healthcare environments, ransomware poses one of the scariest
types of threats in the entire cyber security arena.
Physicians-in-training get a taste of the potential reality during
routine training exercises at Maricopa Medical Center.
As trainees attempt to use diagnostic equipment, like CT scanners, in
resuscitating “patient” dummies, they’re greeted with ransomware
lockout messages onscreen demanding Bitcoin payments before the
equipment can be used again. They must rely on their intuition to
treat the patient instead of the correct equipment. The price for this
can be serious brain damage (again, for a dummy patient).
The Internet of Things (IoT) unlocks huge potential for organisations,
including healthcare entities. But this dependence on
internet-connected infrastructure also poses a risk. Avoiding
ransomware attacks in healthcare requires a multifaceted approach,
including:
• Sending test emails regularly to see if employees are likely to
respond to typical phishing attempts that arrive by email.
• Backing up and securing all data regularly so that you can restore
access even if a third party attempts to lock you out and extort
payment.
The Department of Health and Human Services recommends that healthcare
organisations refuse to pay the ransom, as this only encourages
similar attacks in the future.
4. Use Compliant and Secure Communication Methods
The Health Insurance Portability and Accountability Act (HIPAA) was an
important step forward for healthcare security and organisations as
well as patients. It laid the groundwork for secure, digital, mobile
and persistent digital patient records. These records improve
coordination between physicians and facilities and “follow” patients
no matter their provider or employer.
HIPAA and its five “Titles” help ensure this functionality doesn’t
come at the expense of patient security and safety. Title II describes
the security measures that healthcare organisations must implement
prior to transmitting healthcare data or messages electronically.
Healthcare technology providers typically find that Title II is the
most frequently violated of the five Titles.
It can be difficult to adapt some legacy equipment, including fax
machines, to fit HIPAA’s requirements for handling secure
communications and the transmission of PHI (protected health
information). It’s more likely that healthcare organisations will have
to invest in an e-fax system if they can’t pivot entirely to digital
communications.
5. Don’t Forget About Insider Data Breaches
Recent research from Verizon found that the healthcare industry ranked
last when it came to stopping insider data breaches. Unfortunately,
this is one source of cyber security risk that a lot of CIOs and
companies don’t prioritise. There are several types of insider data
breaches to know about and plan for:
• Malicious insiders
• Accidental insiders
• Third parties
A malicious insider is someone like an employee who uses their
legitimate credentials and access to privileged information to steal
it.
An accidental insider could be someone like the Heathrow Airport
employee who caused a data breach by leaving behind a USB stick with
sensitive information on it. It could also be an employee who hasn’t
received coaching about avoiding phishing campaigns in emails.
Third parties are individuals like contractors or others who exploit
their access to premises or infrastructure for personal gain.
The most important preventive measures are to focus on training and
culture and to implement strong access control protocols. All
sensitive information should be identified as such and siloed
accordingly, with access granted only to trusted individuals with a
need to access it. High-tech solutions include data loss prevention
(DLP) software, which automatically monitors networks for unusual and
unauthorised activity, including data exfiltration.
As for training and culture, amazingly, nearly one-third of healthcare
workers have received no cybersecurity training whatsoever.
New Responsibilities for Healthcare CIOs
Given the responsibilities and the risks, healthcare security has
nearly become a full-time job for CIOs. With the right mixture of
planning and prevention, and building a culture with security as a top
priority, healthcare organisations can prevent themselves from
becoming a statistic.