[BreachExchange] How to Mitigate Data Breaches In Health IT

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 11 19:38:26 EDT 2016


http://www.information-management.com/news/security/
how-to-mitigate-data-breaches-in-health-it-10029944-1.html

What once was only science fiction is now our reality: anything and
everything can be hacked.

For healthcare providers, ‘anything’ includes not only patient records and
claims information, but networked medical devices like drug pumps and
pacemakers. In addition, healthcare has operational demands that make this
space particularly challenging.

The mobility challenge is particularly unusual because the workforce is
constantly moving in and out of foundations, universities and hospitals.
When they do this, they often need to retain the same access to do their
jobs or gain completely different access at the same time because they are
fulfilling different roles throughout the day. This is an access management
nightmare.

In addition, the Internet of Things (IoT) challenge is unusual because
providers already have lots of IoT devices embedded in their daily
business. These devices are coming and going from your network and being
associated with different patients at different times.

These ‘things’ carry Protected Health Information (PHI), which is valuable
and constantly attacked by bad actors. They also control processes
throughout the organization that affect lifesaving measures.

Yes, healthcare organizations must remain compliant, but responsible
organizations go beyond compliance to make sure a patient’s information and
life support systems are respected and secured. The secret is to manage
down the attack surface across both the infrastructure and access, to
detect when something has been compromised with both speed and efficacy, and
to give your security practitioners what they need to resolve issues before
there is real loss.

Mobile is Mayhem

Devices (your phone, laptop, even the crash carts) can be compromised
anywhere, whether at the hospital or in the home, and many of these devices
simply don’t have the memory, CPU or OS to run a monitoring agent. So in
addition to whatever endpoint protection is possible, organizations need to
monitor the network itself to detect anomalies.

Machine learning algorithms can infer a lot from traffic patterns alone.
For example, your medical ventilator probably doesn’t have a history of
reading CNN.com. If that device starts hitting CNN, perhaps you want to
mark it as suspect and spin up other machine learning models to determine
if it is truly compromised. If so, what TTPs (tactics, techniques and
procedures) is it using that might point you to the threat actor or threat
actor group? This will help you understand motive so that you can sharpen
your defenses appropriately.

Stop Acting So Vulnerable – it’s not a good look
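The "ventilator reading CNN.com" idea reduces to a per-device baseline of egress destinations and an alert on anything outside it. The following is an added example, not code from the article: the device names, hostnames and log lines are constructed for illustration, and the log format (timestamp, device, destination) is an assumption standing in for whatever your proxy or DNS logs actually emit. It also covers one edge case the text glosses over: a device that never appeared in the baseline window at all.

```python
"""
Baseline-and-deviation detector for device egress (added example).
All records below are constructed; the "<timestamp> <device> <destination>"
layout is an assumed normalisation of proxy/DNS logs, not a real format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed learning-window records: what each device normally talks to.
BASELINE_LOG = """\
2016-10-03T08:00:12 vent-07 telemetry.vendor.example
2016-10-03T08:05:40 vent-07 ntp.hospital.example
2016-10-03T09:12:01 vent-07 telemetry.vendor.example
2016-10-04T07:58:33 vent-07 telemetry.vendor.example
2016-10-03T08:01:02 crashcart-02 ehr.hospital.example
2016-10-03T12:30:00 crashcart-02 ntp.hospital.example
"""

# Constructed live records to score against the baseline.
LIVE_LOG = """\
2016-10-11T10:00:05 vent-07 telemetry.vendor.example
2016-10-11T10:01:44 vent-07 www.cnn.com
2016-10-11T10:02:10 vent-07 cdn.unknown-host.example
2016-10-11T10:05:00 crashcart-02 ehr.hospital.example
"""


def parse(log):
    """Yield (timestamp, device, destination) from the assumed log layout."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, dst = line.split()
        # Parsing the timestamp validates the line even though the
        # baseline below is destination-only.
        yield datetime.fromisoformat(ts), device, dst.lower()


def learn_baseline(log):
    """Map each device to the set of destinations seen in the learning window."""
    baseline = defaultdict(set)
    for _, device, dst in parse(log):
        baseline[device].add(dst)
    return dict(baseline)


def find_suspects(baseline, live_log, min_new=1):
    """
    Return {device: sorted never-before-seen destinations} for devices that
    contacted at least `min_new` destinations absent from their baseline.
    A device with no baseline at all is treated as entirely new: every
    destination it contacts is reported, since there is nothing to compare
    against and an unknown device on a clinical network deserves a look.
    """
    new_dsts = defaultdict(set)
    for _, device, dst in parse(live_log):
        known = baseline.get(device)
        if known is None or dst not in known:
            new_dsts[device].add(dst)
    return {d: sorted(s) for d, s in new_dsts.items() if len(s) >= min_new}


if __name__ == "__main__":
    suspects = find_suspects(learn_baseline(BASELINE_LOG), LIVE_LOG)
    for device, dsts in suspects.items():
        print(f"SUSPECT {device}: new destinations {dsts}")
```

The output of this stage is a "suspect" label plus the evidence (the unseen destinations), which is exactly the hand-off point the article describes: it is cheap enough to run on every device, and the expensive models or a human analyst only look at what it flags. In practice the baseline window must be long enough to cover periodic traffic (update checks, weekly vendor telemetry) or the detector will page on every Monday morning.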

Your adversaries are always scanning your systems, probably more intently
than you are, so you have to be smart about staying in front of them.

You need to stay on top of known vulnerabilities, but you will never patch
them all because perhaps there is no patch or perhaps you just don’t have
the resources to get it done in time. Securing your network is all about
prioritization. By using an analytics tool to engage in evidence-based
prioritization, you are able to patch the vulnerabilities that it deems
most at risk.

Staying on top of access is crucial because nearly every incident comes
down to access to information and processes. You need to understand the
access level each person has, whether it’s more than they need, and what
needs to happen if they change job functions or move to another hospital.
Then, compare the identity to the infrastructure. If an employee has a lot
of access and is running on a vulnerable infrastructure, it’s a recipe for
disaster.

You need to fix the vulnerable infrastructure and/or reassess the access.
These two views are usually kept separate by your security teams, but
combining them provides a much better view into what vulnerabilities exist
and what data is truly at risk if the vulnerabilities are exploited.
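The two preceding sections make one practical point: patch priority should come from the vulnerability evidence joined with the access sitting on the host, not from a CVSS score alone. The following added example (not the article's code, and not any vendor's analytics tool) shows that join on constructed data. The vulnerability records, account entitlements and the scoring weights are all assumptions chosen to illustrate the ranking; the same public exploit on two hosts is deliberately included so the identity view is what separates them.

```python
"""
Evidence-based patch prioritisation that joins the vulnerability view with
the identity/access view (added example). All inventory data below is
constructed; "VULN-A" etc. are placeholder identifiers, not real CVEs, and
the weights are illustrative assumptions rather than a standard.
"""

# Constructed vulnerability view: host -> findings from a scanner.
VULNS = {
    "ehr-db-01": [{"id": "VULN-A", "cvss": 9.8, "exploit_public": True,
                   "patch_available": True}],
    "kiosk-14": [{"id": "VULN-A", "cvss": 9.8, "exploit_public": True,
                  "patch_available": True}],
    "vent-07": [{"id": "VULN-C", "cvss": 7.5, "exploit_public": False,
                 "patch_available": False}],
}

# Constructed identity view: host -> accounts that log on there and what
# those accounts are entitled to (admin rights, PHI access).
ACCESS = {
    "ehr-db-01": [{"user": "dba1", "admin": True, "phi": True},
                  {"user": "svc-backup", "admin": True, "phi": True}],
    "kiosk-14": [{"user": "kiosk", "admin": False, "phi": False}],
    "vent-07": [{"user": "biomed", "admin": True, "phi": False}],
}


def vuln_weight(v):
    """Likelihood side: base severity, doubled when a public exploit exists."""
    w = v["cvss"] / 10.0
    if v["exploit_public"]:
        w *= 2.0
    return w


def exposure_weight(accounts):
    """Impact side: 1 plus illustrative weights per privileged/PHI account."""
    return 1.0 + sum((2.0 if a["admin"] else 0.0) + (3.0 if a["phi"] else 0.0)
                     for a in accounts)


def rank_hosts(vulns, access):
    """
    Score each host by its worst finding times the access exposed on it and
    return rows sorted most-urgent first. Where no patch exists the
    recommended action shifts to the access side, as the text suggests.
    """
    rows = []
    for host, findings in vulns.items():
        worst = max(findings, key=vuln_weight)
        risk = vuln_weight(worst) * exposure_weight(access.get(host, []))
        if worst["patch_available"]:
            action = "patch " + worst["id"]
        else:
            action = "no patch for %s: reduce entitlements / isolate" % worst["id"]
        rows.append({"host": host, "risk": round(risk, 2),
                     "vuln": worst["id"], "action": action})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in rank_hosts(VULNS, ACCESS):
        print("%-10s risk=%6.2f  %s" % (row["host"], row["risk"], row["action"]))
```

On this data the EHR database ranks far above the kiosk even though both carry the identical finding, and the ventilator, with a lower score and no patch, still outranks the kiosk because of the admin account on it; its action line points at the access review rather than at a patch that does not exist. Hosts missing from the identity view get an exposure of 1, which is a deliberate default: it keeps them in the list rather than silently dropping them.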

The winning formula? Right people. Right access to infrastructure and
entitlements. Right time. And then re-check to make sure you have it right.

As Ronald Reagan said to our friends in the old Soviet Union, “Доверяй, но
проверяй”. This old Russian proverb is transliterated Doveryai, no
proveryai, and it still rings true for our security teams today:
Trust, but verify.