[BreachExchange] How do your cybersecurity efforts stack up?

[Audrey McNeil]

https://www.healthmgttech.com/cybersecurity-efforts-stack

Any healthcare security professional will tell you that security is about
protecting CIA—confidentiality, integrity, and availability—of healthcare
data. Most healthcare breaches involve compromised confidentiality or
unauthorized access to patient data.

Ransomware in its pure form is not an attack on the confidentiality, but
rather the availability of patient data. In this case, by availability I
mean timely and reliable access to patient data. When healthcare does not
have timely and reliable access to healthcare data, such as when it is
encrypted due to ransomware and they cannot decrypt it, healthcare is
severely disrupted, certainly to the point where it compromises patient
safety and even to the point where healthcare organizations have to send
patients elsewhere. Further, healthcare is intolerant to such disruption
and therefore likely to pay the ransom.

This, exacerbated by the healthcare industry lagging other industries in
security, makes healthcare a soft target for ransomware and availability
attacks. As security professionals, we must look ahead to where the “puck
is going” and help healthcare organizations prepare for it and ensure the
necessary security is in place to enable delivery of healthcare.

Fortunately, healthcare as an industry often is not the first target for
new types of attacks. Many times, financial services or defense industries
are targeted first. To see where the security puck is going in healthcare,
we can look at other industries. One attack that has hit the financial
services industries early and hard, but is still relatively rare in
healthcare, is DDoS attacks. DDoS stands for distributed denial of service
and typically involves a botnet of malware-infected consumer devices that
are directed by a command-and-control server operated by hackers to some
central target—for example, a corporate website to firehose it with bogus
network requests—essentially saturating the network and/or external web
interface of the target organization, effectively denying access to
legitimate users of the same external interface, often until a ransom is
paid to the perpetrators.

Historically, healthcare has had most mission-critical services on the
intranet, inside their secure perimeter where they are less vulnerable to
external attacks such as DDoS attacks. One of the major trends is the
increasing adoption of cloud computing. Whether it is EHR SaaS, office
applications, backups, BC/DR (business continuity/disaster recovery),
research/test/development environments, or other cloud usage models,
healthcare is increasingly adopting cloud to lower costs, improve
accessibility, and enable new models of collaborative care. While cloud
promises many benefits to healthcare and is already in mainstream use, it
also risks exposing more mission-critical healthcare services, increasingly
being hosted in the cloud, to DDoS attacks.

To enable increasing use of cloud computing, while minimizing risk of
future DDoS attacks, we must anticipate such threats and plan accordingly
by proactively implementing key safeguards to prevent, detect, and
remediate such attacks. DDoS and other attacks tend to be opportunistic,
like a predator seeking easy prey. It is increasingly important for
healthcare organizations, in addition to their regulatory compliance, risk
assessment, and other security due diligence activities, to now also
understand where they stand with security readiness compared to the broader
industry. No organization wants to be lagging peers and the industry,
making it easier to attack.

Historically, it has been difficult for organizations to see where they
stand with security relative to peer organizations. Often one sees
healthcare security executives at conferences asking each other about types
of breaches and their corresponding organizational response. While a good
form of networking and information sharing, this tends to focus only on the
breach du jour (right now ransomware) and the security capability du jour
(currently backup and restore due to crisis with ransomware).

Unfortunately, with this kind of limited focus, executives often miss other
breach types or security capabilities that are required for overall
effective security. What is required is a more comprehensive way for
healthcare organizations to benchmark their breach security against the
industry.

Intel Health & Life Sciences is leading an open industry collaboration to
enable health and life sciences organizations globally to benchmark their
breach security maturity, priorities, and capabilities against the
healthcare industry to see where they stand. Through this engagement, they
are able to see if they are leading or lagging in terms of security
readiness across eight types of breaches, including ransomware. They also
are able to see if their priorities across breach types are significantly
different from the industry average, in which case they may be over- or
under-prioritizing various breach types. Across 42 security capabilities
they are able to see where they have gaps, and in particular where those
gaps may not be common in the industry, in which case they may be lagging
and relatively vulnerable due to a particular security gap.

To date, almost 50 large health and life sciences organizations have
participated in this benchmark program. They include organizations focused
on the healthcare provider, payer, revenue cycle, pharmaceutical, life
sciences, and business associates segments. Any organization that works
with sensitive healthcare information is eligible to participate.

The benchmark engagement involves a one-hour, complementary, confidential
survey led by Intel or an industry partner and results in a comprehensive
report that shows how the healthcare organization’s maturity, priorities,
and capabilities compare with the industry and where there are significant
differences in maturity, priorities, or capabilities. This provides
additional, valuable information to healthcare security teams that they
then can use to socialize internally with their stakeholders to help get
the necessary budget and resources allocated that are required to address
gaps in security capabilities.

The 42 capabilities assessed in this benchmark also are mapped in the
report to HIPAA, NIST, PCI DSS, ISO2700x, and GDPR regulations and
standards to enable the healthcare organization to see how addressing a
particular gap also may help with compliance. To see a sample of this
benchmark report see Intel.com/BreachSecurity.

Industry-level, aggregate, anonymous results across nearly 50 healthcare
organizations across eight countries participating in the benchmark program
to date show that key capabilities required to mitigate risk of DDoS
attacks and other types of breaches and ransomware are significantly
lacking.

For example, policy is required to communicate permitted use of cloud, yet
only 64% have one, 30% are working on it, and 6% don’t have any policy for
security and privacy.

User awareness training is required to control shadow IT cloud use and
mitigate risk of accidents and workarounds, for example in using websites
or apps with healthcare data. This can result in healthcare data landing in
side clouds vulnerable to DDoS attack, and yet only 49% of organizations
have security and privacy training where it needs to be, 34% are working on
it, and 17% currently have no privacy and security training for their
healthcare workers.

Risk assessment is required to identify and prioritize—as a function of
business impact and probability of occurrence—risks to CIA of healthcare
data. This includes risks in the form of availability attacks through DDoS
or ransomware, yet only 43% are doing annual documented risk assessments,
36% are working on it, and 21% have never done a risk assessment.

Security incident response plans (SIRPs) are required in the event of a
security incident to ensure careful coordination of activities and
communication both internally and externally, including with digital
forensics experts, regulators or data protection authorities, the media,
and patients. Only 40% of healthcare organizations have their SIRP where it
needs to be: documented, employees trained, tested, and integrated into
process. Another 40% are working on it; 20% have no SIRP. Healthcare
organizations can least afford to take an ad hoc, improvising approach in
the high-pressure event of a security incident such as a DDoS attack.
Missing key steps in response to security incidents can result in greatly
increased business impact to healthcare organizations.

Threat intelligence is required to quickly detect and properly identify
DDoS attacks and be able to differentiate them from legitimate network
traffic that is spiking. Only 28% have their threat intelligence capability
where they need it to be, 21% are working on it, and 51% have no capability
for threat intelligence.

It is critical to ensure operating systems, applications, and especially
security safeguards are hardened and kept up to date and patched or
otherwise risk vulnerabilities being exploited for DDoS and other types of
attacks. However, only 57% are managing vulnerabilities/hardening and
upgrading and patching in a timely fashion; 38% are working on this; and 4%
don’t do any vulnerability management or patching.

Many other safeguards can help with mitigating risk of DDoS attacks,
including redundant network service providers, DDoS mitigation appliances
able to detect and filter malicious traffic, and multiple servers and load
balancers for high availability. Finally, cloud mitigation providers can
offer healthcare organizations massive bandwidth, multiple DDoS mitigation
safeguards, security expertise, and redundant sites to avoid a single point
of failure and can scrub traffic to ensure healthcare organizations only
see clean, legitimate traffic.

Only by looking ahead, anticipating trends such as the growth of cloud
computing in healthcare and threats such as DDoS, and proactively
identifying deficiencies in safeguards, can we as healthcare security
professionals enable healthcare to minimize disruption and ensure reliable,
high-quality, lower cost healthcare delivery.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170201/2ea9ced7/attachment.html>