[BreachExchange] Has healthcare misdiagnosed the cybersecurity problem?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 7 18:32:06 EDT 2017


Take a cursory look at the U.S. Department of Health and Human Services’
(HHS) wall of data breach shame and you might be scratching your head: Why
does the healthcare sector seem so disproportionately victimized by hackers
and cybercriminals? Why do its defenses seem so much weaker than those of
other industries?

For the most part, the healthcare industry has misdiagnosed the
cybersecurity problem.

Most senior leadership in healthcare is medically trained with a clinical
background in an industry built on such noble concepts as “do no harm” and
forward-thinking practices like evidence-based medicine. Through this lens,
healthcare organizations regularly misinterpret the nature of the
cybersecurity problem and, consequently, how to treat it.

This misdiagnosis has led to countless breaches over the past several years
at healthcare organizations around the world as well as significant, often
paralyzing ransomware attacks, including the WannaCry outbreak that
crippled dozens of hospitals in the U.K., effectively disabling the most
basic of patient care.

Not only is IT subordinate to patient care in terms of attention, budgets
and priorities, but cybersecurity is perceived as a problem that can be
“fixed” rather than one best managed by means of a regular and ongoing
health regime.

Acute care vs. sound overall health

When a patient arrives at the emergency room with a broken arm, there is a
clear process: triage, treatment, discharge. This acute care model focuses
on fixing problems as they occur. Preventing the broken arm, for example,
is not a factor in the process, decision-making or treatment planning. In
acute care, it’s all about dealing efficiently and correctly with whatever
problems walk through the ER door. However, unlike a broken arm, which can
quickly heal with few lasting side effects, a ransomware attack like
WannaCry can be interminable and even fatal to a healthcare organization.

Applying acute care to cyberattacks and security breaches doesn’t work
because it’s entirely reactive in nature. No matter how well you define and
refine the treatment process or, in this case, mitigation and remediation,
the outcome will never change. Simply put, more and more arms will continue
to get broken regardless of how well the organization fixes them.

However, with cyberattacks and breaches, healthcare organizations do have
the opportunity to change the outcome – if only they start to think
differently about the problem.

Rx: A new security model that mimics the human immune system

To turn the corner and improve defenses, senior healthcare leadership must
not think about cybersecurity in terms of patching problems and reacting to
emergencies. By contrast, they need to look at the overall health of their
networks and defenses, find ways to improve basic resiliency and apply a
new security model – one that is based on pervasive visibility and mimics
the human immune system, which:

1. Works proactively from within to prevent health problems from occurring
or worsening.

2. Covers the entire body, not simply reactively focusing on problem areas.

3. Learns, adapts and remembers so it can fight off future infections more

4. Responds immediately, independently and automatically.

In addition to pervasive visibility into all data flows – the lifeblood of
all healthcare organizations – a new security model would include good
hygiene (prevention), detection, prediction and action (containment).

Good hygiene

The benefits of good hygiene practices are clear in a healthcare setting.
Simple measures, such as vigilance in adhering to handwashing, can
drastically decrease the chances of contamination, spread of disease and
hospital-acquired infection rates. A similar approach to cybersecurity can
yield comparable results.

Examples of good security hygiene include patching, privileged credential
protection, network segmentation, asset isolation and perimeter protection.
These all help ensure that attackers cannot break in and infect
organizations – or at least, limit an attacker’s success. With good
hygiene, organizations can protect themselves from being a target of
opportunity by forcing attackers to take additional or unnatural steps to
gain access and spread the threat.


Detection

Good security hygiene can help eliminate basic threats and prevent
untargeted attacks, such as WannaCry, but it is unlikely to be enough to
stop a focused attack by an experienced and determined adversary. In this
case, forcing the attacker to take unnatural steps gives the organization
an opportunity to detect anomalies. Anomalies are relative to normal
behavior, so detecting them requires a baseline of what “good health”
looks like.

This is the basis of many machine learning solutions in development today.
With a baseline established, organizations can compare all activity and
quickly detect anomalies. Machine learning technologies resemble the human
immune system’s ability to learn, remember and combat viruses and bacteria
based on adaptation.

Prediction and action

Once anomalies are detected, the next step in a security immune system is
to understand intent. For example, is what we’re seeing normal or
intentionally bad behavior? With intent uncovered, organizations can act to
contain, remediate or even allow contained detonation of the threat to
better learn and understand the intent. While much of this now happens
manually and straddles organizational boundaries, there are many solutions,
including artificial intelligence (AI) and security workflow orchestration,
that can help automate the process.