[BreachExchange] Minimising security risks when handling sensitive patient data with cloud services

Destry Winant destry at riskbasedsecurity.com
Fri Oct 16 10:32:36 EDT 2020


https://www.itproportal.com/features/minimising-security-risks-when-handling-sensitive-patient-data-with-cloud-services/

According to recent market research by Meticulous Research, the healthcare
cybersecurity market is estimated to be worth $26.1 billion by 2027. Demand
for advanced cybersecurity is being driven mainly by large-scale cloud
adoption combined with increasingly complex cyber threats.

Because they handle highly sensitive patient data, healthcare organizations
must balance the business benefits of cloud adoption, which can transform how
healthcare services are delivered and accessed, against the organizational,
reputational and legal consequences of a breach or data leak.

Perhaps the highest-profile incident in the UK healthcare sector was the
WannaCry ransomware outbreak of May 2017, which ravaged the National Health
Service. Although it was not targeted at the NHS specifically, WannaCry
exposed how little many NHS trusts had invested in their IT infrastructure.

The attack did not simply highlight a lack of the right cybersecurity tools
or controls; it exposed the fact that a large number of NHS entities were
running outdated or completely unsupported operating systems, Windows XP
being the prime example. Many of the systems that were still in support were
not being patched in a timely manner, if at all: the SMBv1 vulnerability that
WannaCry exploited (MS17-010) had been fixed by Microsoft in March 2017, two
months before the outbreak.

The key thing after any major breach is to understand what happened and make
the changes and improvements needed to minimize the risk of the same or
similar happening again. In this instance, we can use the lessons from the
NHS's failures to secure and improve our own cloud and IT infrastructure.

Patch – and check compliance

Worm-like malware spreads across an estate by exploiting a vulnerability in
the operating system or in third-party software installed on networked
hosts; a missing patch is what gives it a foothold on each machine it
reaches.

If you outsource patch management to an external Managed Service Provider
(MSP), ensure your IT director, CISO or equivalent understands how patches
are applied, what is patched (operating systems only, or third-party software
as well, and which products) and how often.

Use an independent party to test patch compliance. If patching is outsourced
to an MSP, have your internal team or an external IT security consultancy
run authenticated (credentialed) vulnerability scans, which see missing
patches that an unauthenticated scan cannot, so that you do not fall victim
to a provider that claims to be patching but is not actually delivering.

Vulnerability scanning can be automated with software or SaaS tools such as
Nessus or OpenVAS. It is advisable to work with security specialists to
interpret the results and close the issues found, but these tools will
identify missing patches and check hosts against databases of known
vulnerabilities (CVEs).
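One practical way to verify a patching claim is to scan before and after the MSP's stated patch window and diff the two exports, as in the added example below. This is example code, not part of the original article or of any scanner vendor's tooling; the CSV column layout follows the Nessus CSV export headings (Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name), the plugin IDs, hosts and finding names are constructed for the example, and an OpenVAS/Greenbone report would need its columns mapped onto the same names.

```python
"""Verify an MSP's patching claims by diffing two vulnerability-scanner
exports: one taken before the claimed patch window and one after.

The CSV layout follows the column names of a Nessus CSV export
(Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name); an OpenVAS/Greenbone
report can be mapped onto the same columns. Both samples below are
constructed for this example and are not real scan output."""
import csv
import io
from collections import defaultdict

RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Constructed "before" export: two hosts missing MS17-010, one also running an
# outdated third-party component, one low-severity SSH configuration issue.
BEFORE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
100001,CVE-2017-0144,9.3,Critical,10.10.1.5,tcp,445,MS17-010: SMBv1 remote code execution (constructed entry)
100001,CVE-2017-0144,9.3,Critical,10.10.1.6,tcp,445,MS17-010: SMBv1 remote code execution (constructed entry)
100002,,7.5,High,10.10.1.6,tcp,443,Third-party reporting component out of date (constructed entry)
100003,,2.6,Low,10.10.1.5,tcp,22,SSH weak MAC algorithms enabled (constructed entry)
"""

# Constructed "after" export: 10.10.1.5 was patched, 10.10.1.6 was not, and a
# new host 10.10.1.7 has appeared with a missing OS update.
AFTER_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
100001,CVE-2017-0144,9.3,Critical,10.10.1.6,tcp,445,MS17-010: SMBv1 remote code execution (constructed entry)
100002,,7.5,High,10.10.1.6,tcp,443,Third-party reporting component out of date (constructed entry)
100003,,2.6,Low,10.10.1.5,tcp,22,SSH weak MAC algorithms enabled (constructed entry)
100004,,7.2,High,10.10.1.7,tcp,3389,Missing cumulative OS update (constructed entry)
"""


def load_findings(csv_text, min_risk="High"):
    """Return {(host, plugin_id, port): row} for findings at or above min_risk."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if RISK_ORDER.get(row["Risk"], 0) < RISK_ORDER[min_risk]:
            continue
        findings[(row["Host"], row["Plugin ID"], row["Port"])] = row
    return findings


def patch_compliance(before_csv, after_csv, min_risk="High"):
    """Classify each serious finding as remediated, persisting or new."""
    before = load_findings(before_csv, min_risk)
    after = load_findings(after_csv, min_risk)
    return {
        "remediated": sorted(set(before) - set(after)),
        "persisting": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }


def non_compliant_hosts(report):
    """Hosts that still carry (or newly carry) serious findings after the patch window."""
    hosts = defaultdict(list)
    for host, plugin_id, _port in report["persisting"] + report["new"]:
        hosts[host].append(plugin_id)
    return dict(hosts)


if __name__ == "__main__":
    report = patch_compliance(BEFORE_CSV, AFTER_CSV)
    for category, keys in report.items():
        print(f"{category}: {len(keys)}")
    for host, plugins in non_compliant_hosts(report).items():
        print(f"  {host}: plugins {', '.join(plugins)}")
```

Keying on (host, plugin, port) rather than on CVE means a finding that moves to a different port shows up as "new" rather than silently matching; that is the conservative choice when the question is whether the MSP delivered.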

Ensure your patching and patch management extend to every part of the
network and to your cloud services. Do not forget Azure, AWS or similar
platforms: under the shared-responsibility model the provider patches the
underlying hypervisor and managed services, but the guest operating systems
and software inside your virtual machines and containers remain yours to
patch.

Patching and closing security vulnerabilities is harder with fully managed
SaaS offerings, as you typically have no access to, or control over, the
software or the underlying infrastructure. You can still check for
vulnerabilities or run scheduled penetration tests against these services.
Work with your SaaS vendor to arrange the required access and written
authorization (testing a vendor's shared infrastructure without it may
breach their terms of service), but use your own security consultants to run
the penetration test. Do not let vendors "mark their own homework".

Seal your leaky buckets

Over the past decade huge amounts of personal data have been leaked to the
internet via misconfigured cloud object stores (known as buckets in Amazon
Web Services (AWS) terminology; Azure and Google Cloud have equivalents).

Simple configuration mistakes, such as an access control list or bucket
policy that grants read access to everyone, have let researchers and
attackers stumble across databases of private data that should never have
been accessible to anyone outside the organization.

If your IT team is working with AWS, Microsoft Azure, Google Cloud or other
public cloud providers, ensure that you have the in-house skills to secure
these cloud instances and to test that they are secure. Enable the
provider's account-wide guard rails as well, such as S3 Block Public Access
in AWS, so that a single mistaken bucket policy cannot expose data.

If you do not, or are not confident, then outsource a security audit
to a professional security firm who specialize in the cloud platform
you have chosen to work with.
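As an added example (not from the original article and not AWS tooling), the following check shows what "testing the security" of a bucket looks like in practice: it inspects an S3 bucket's ACL, its bucket policy and its Block Public Access settings for public exposure. The input dictionaries follow the shape of the boto3 `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` responses so the functions can be fed live data; the leaky and hardened buckets, the account ID and the role name below are constructed for the example.

```python
"""Check an S3 bucket's ACL, bucket policy and Block Public Access settings
for public exposure. The input dictionaries follow the shape of the boto3
responses (get_bucket_acl, get_bucket_policy, get_public_access_block), so
the functions can be pointed at live responses; the data below is
constructed for this example and is not a real account's configuration."""
import json

# Pre-defined S3 groups that mean "anyone" when they appear in an ACL grant.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous or any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def acl_public_grants(acl):
    """(group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def policy_public_statements(policy_json):
    """Allow statements whose principal is everyone. A Deny to "*" is fine and is skipped."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        hits.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return hits


def block_public_access_complete(pab):
    return all(pab.get(key) is True for key in PAB_KEYS)


def assess_bucket(acl, policy_json, pab):
    """Return human-readable findings; an empty list means no public exposure found."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for sid, actions, conditioned in policy_public_statements(policy_json):
        note = " (has a Condition; review whether it really limits who can reach it)" if conditioned else ""
        findings.append(f"policy statement {sid} allows {', '.join(actions)} to everyone{note}")
    if not block_public_access_complete(pab):
        findings.append("S3 Block Public Access is not fully enabled")
    return findings


# Constructed leaky bucket: public-read ACL, public-read policy, guard rails half on.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-imaging-archive/*"}]})
LEAKY_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed hardened bucket: owner-only ACL, access limited to one role, TLS enforced.
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PacsWriterOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/pacs-writer"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-imaging-archive/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-imaging-archive", "arn:aws:s3:::example-imaging-archive/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
HARDENED_PAB = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    for name, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(name, assess_bucket(*args) or ["no public exposure found"])
```

The Block Public Access check is the one that matters most: with all four settings on, public ACLs are ignored and public policies are rejected, so the ACL and policy checks become an independent confirmation rather than the only line of defence. A public Allow that carries a Condition is reported rather than ignored, because conditions such as `aws:SourceIp` may genuinely restrict access or may be too broad; a reviewer has to look.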

Restrict your cloud and SaaS access

While cloud-based systems can be accessed from anywhere, that does not mean
that they should be.

A healthcare environment has clearly defined data-access requirements and
controls, and these should be replicated in the cloud systems you use. They
should extend from physical and network access to the systems down to
access to individual patient records.

For example, the ability to write medical imaging data into a PACS (picture
archiving and communication system) should be restricted to the specific
devices (the imaging modalities) and locations that need it, not left open
to the entire network.

Auditing all your key systems is a good place to start. Look at what
data is stored, how classified it is, who needs access, and where they
need access from. Then work with your IT team and SaaS vendors to
mirror your requirements on the firewalls, access control lists and
user permissions.

Once the audit is complete and the controls are in place, ensure you have a
proper change-control process for requests for new users, permission
uplifts, changes and removals, and the other odd cases that require a
temporary or permanent change to your permission structure.

Schedule a regular audit process to pick up outliers or non-compliant
users or devices and investigate why they have been given incorrect
permissions.
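The PACS example above and the audit process that follows it can be expressed as two small checks, shown here as an added example (not from the original article, and not any PACS vendor's code): a default-deny evaluation that only lets a role perform an action from the networks that role is meant to use, and an audit that compares the grants actually configured against the expected access matrix and lists the outliers to investigate. The roles, action names, user names and RFC 1918 address ranges are constructed placeholders.

```python
"""Default-deny access evaluation for a PACS, plus an audit of configured
grants against the expected access matrix. Roles, actions, users and address
ranges are constructed placeholders for this example."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "role actions networks")

# Constructed access matrix: who may do what, and from where.
PACS_RULES = [
    Rule("modality", {"pacs:write_study"}, ["10.20.0.0/24"]),                   # scanner VLAN only
    Rule("radiologist", {"pacs:read_study", "pacs:write_report"},
         ["10.30.0.0/24", "10.99.0.0/16"]),                                      # reporting rooms + VPN
    Rule("ward_clinician", {"pacs:read_study"}, ["10.40.0.0/16"]),              # ward workstations
]


def is_allowed(role, action, source_ip):
    """Default deny: allow only if some rule grants this action to this role from this network."""
    ip = ipaddress.ip_address(source_ip)
    for rule in PACS_RULES:
        if rule.role == role and action in rule.actions:
            if any(ip in ipaddress.ip_network(net) for net in rule.networks):
                return True
    return False


def audit_grants(configured_grants, expected_roles):
    """configured_grants: (user, role, source_cidr) tuples exported from the live system.
    expected_roles: user -> set of roles the access review says they should hold.
    Returns (user, role, source, reason) for every grant that needs investigating."""
    policy_networks = {r.role: [ipaddress.ip_network(n) for n in r.networks] for r in PACS_RULES}
    outliers = []
    for user, role, source in configured_grants:
        if role not in expected_roles.get(user, set()):
            outliers.append((user, role, source, "role not in expected access matrix"))
            continue
        granted = ipaddress.ip_network(source)
        allowed = policy_networks.get(role, [])
        if not any(granted.subnet_of(net) for net in allowed):
            outliers.append((user, role, source, "source network wider than policy allows"))
    return outliers


# Constructed export of what is actually configured on the PACS and firewall.
CONFIGURED = [
    ("ct-scanner-01", "modality", "10.20.0.15/32"),
    ("dr.khan", "radiologist", "10.30.0.0/24"),
    ("vendor-engineer", "modality", "0.0.0.0/0"),      # write access from anywhere: outlier
    ("j.smith", "ward_clinician", "10.40.5.0/24"),
    ("j.smith", "radiologist", "10.30.0.0/24"),        # role never approved: outlier
]
EXPECTED = {
    "ct-scanner-01": {"modality"},
    "dr.khan": {"radiologist"},
    "vendor-engineer": {"modality"},
    "j.smith": {"ward_clinician"},
}

if __name__ == "__main__":
    print(is_allowed("modality", "pacs:write_study", "10.20.0.15"))   # scanner on its own VLAN
    print(is_allowed("modality", "pacs:write_study", "10.99.3.4"))    # same role over the VPN: denied
    for outlier in audit_grants(CONFIGURED, EXPECTED):
        print(outlier)
```

The audit deliberately checks two different things: a role nobody approved (the second `j.smith` grant) and an approved role whose source range is wider than the policy permits (the vendor engineer's `0.0.0.0/0`). Running it on every scheduled review, rather than only at go-live, is what catches the drift the section describes.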

Use the security provided

Many SaaS vendors offer a range of security settings and tools within their
products, and many of them are not enabled out of the box.

Make sure you are using features such as multi-factor authentication (MFA or
2FA), password strength requirements and conditional access based on
location or device profile to establish a solid security baseline. Enforce
MFA for every account, including administrator and vendor support accounts,
not just for ordinary users.

Gather the logs at minimum, actively monitor at best

All SaaS applications and physical systems produce logs, and most major SaaS
applications can export them to a security information and event management
(SIEM) platform, which centralizes log and event storage and, more
importantly, correlates events and raises alerts on them.

Depending on the size of your organization, you may have a security
operations center (SOC) either in-house or outsourced. If you do, then
they will have a SIEM platform that they will want you to feed into,
so ensure you keep them involved and informed of new SaaS systems you
are planning to implement. If you do not currently work with a SOC,
you should consider doing so. Having security logs in place and not
monitoring them means you are always reactive to security threats, if
you are even aware of them at all.

If your size or budget does not warrant a SOC, then at minimum gather and
retain the logs, with retention long enough to cover the time it typically
takes to discover a breach, so that forensic investigators have something to
work from if the worst happens. Keep clocks synchronized across systems and
store the logs somewhere an attacker who compromises the source system
cannot alter or delete them.
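To make concrete what "actively monitoring" centralized logs means, here are two detections run over a constructed audit-log sample, as an added example that is not part of the original article and not any SIEM vendor's rule set: one account viewing an unusual number of distinct patient records in a short window (the classic insider snooping or bulk-export pattern), and a successful login that follows a burst of failures from the same source address. The JSON-lines format, field names, thresholds, user names and addresses are assumptions for this example; a real deployment would map the SaaS vendor's export onto them.

```python
"""Two detections over a constructed audit-log sample: bulk patient-record
access by one account, and a login success after a burst of failures. The
JSON-lines format and field names are assumptions for this example."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_sample_log():
    """Build a small, clearly artificial log: a normal clinician, a snooping
    account, and a password-guessing attempt from a TEST-NET-3 address."""
    base = datetime(2020, 10, 16, 9, 0, 0)
    lines = []
    for i in range(3):  # dr.khan looks at three of their own patients
        lines.append(json.dumps({"ts": (base + timedelta(minutes=i)).isoformat(), "event": "record.view",
                                 "user": "dr.khan", "src_ip": "10.30.0.5", "patient_id": f"P{i:04d}"}))
    for i in range(25):  # helpdesk account pages through 25 records in four minutes
        lines.append(json.dumps({"ts": (base + timedelta(seconds=10 * i)).isoformat(), "event": "record.view",
                                 "user": "helpdesk2", "src_ip": "10.50.0.9", "patient_id": f"P{1000 + i}"}))
    for i in range(6):  # six failed logins, then a success, from 203.0.113.7
        lines.append(json.dumps({"ts": (base + timedelta(seconds=30 * i)).isoformat(),
                                 "event": "auth.failure", "user": "admin", "src_ip": "203.0.113.7"}))
    lines.append(json.dumps({"ts": (base + timedelta(minutes=4)).isoformat(),
                             "event": "auth.success", "user": "admin", "src_ip": "203.0.113.7"}))
    return "\n".join(lines)


def parse_events(log_text):
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])  # the detectors below assume time order


def detect_bulk_record_access(events, threshold=20, window=timedelta(minutes=10)):
    """Alert once per user when distinct patients viewed within `window` reaches `threshold`."""
    recent = defaultdict(deque)  # user -> deque of (ts, patient_id) inside the window
    alerted, alerts = set(), []
    for event in events:
        if event["event"] != "record.view":
            continue
        queue = recent[event["user"]]
        queue.append((event["ts"], event["patient_id"]))
        while queue and event["ts"] - queue[0][0] > window:
            queue.popleft()
        distinct = len({patient for _, patient in queue})
        if distinct >= threshold and event["user"] not in alerted:
            alerted.add(event["user"])
            alerts.append({"rule": "bulk_record_access", "user": event["user"],
                           "distinct_patients": distinct, "at": event["ts"].isoformat()})
    return alerts


def detect_success_after_failures(events, min_failures=5, window=timedelta(minutes=5)):
    """Alert when a login succeeds after >= min_failures failures from the same (user, src_ip)."""
    failures = defaultdict(deque)  # (user, src_ip) -> timestamps of recent failures
    alerts = []
    for event in events:
        if event["event"] not in ("auth.failure", "auth.success"):
            continue
        key = (event["user"], event["src_ip"])
        queue = failures[key]
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()
        if event["event"] == "auth.failure":
            queue.append(event["ts"])
        elif len(queue) >= min_failures:
            alerts.append({"rule": "success_after_failures", "user": event["user"], "src_ip": event["src_ip"],
                           "failures": len(queue), "at": event["ts"].isoformat()})
            queue.clear()
    return alerts


if __name__ == "__main__":
    events = parse_events(constructed_sample_log())
    for alert in detect_bulk_record_access(events) + detect_success_after_failures(events):
        print(alert)
```

Both rules are sliding-window counts keyed on an identity, which is how most SIEM correlation rules for these patterns are built; the thresholds are the part that needs tuning against each organization's normal clinical workload (a ward round legitimately touches many records, a help-desk account should not).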

