Guest blog by Greg Young, VP cybersecurity Trend Micro
Technology is the beating heart of any modern hospital. Advances in cloud, IoT and digital IT systems have helped healthcare organizations (HCOs) greatly improve the quality of care offered to patients. Electronic health records are the backbone of an increasingly complex patient care network. But it has also exposed them to even greater risks of data theft and operational outages. A new report from Trend Micro and HITRUST reveals that at any one time there could be at least as many as 80,000 exposed systems in hospitals worldwide. The biggest finding is we also found a worrying disconnect or gap between current perceptions versus reality.
Hospital IT teams must better understand and mitigate these new cyber risks, especially those introduced by the supply chain. Healthcare already has all the risks associated with any other enterprise, but healthcare also has the most significant one of patient safety. And safety is increasingly being put at risk with more IoT in healthcare.
Perception vs reality
The WannaCry attack of May 2017 had a huge impact on healthcare providers around the world, leading to an estimated 19,000 cancelled appointments and operations in the UK alone. But ransomware is just one of many threats facing modern hospitals. Collectively they put hospital operations, patient privacy, and most importantly, patient health at risk. Unfortunately, the WannaCry blitz doesn’t seem to have driven a reappraisal of cybersecurity efforts among HCOs globally.
At the heart of the challenge is the issue of exposed devices and systems, including medical images, protocols, databases, industrial controllers, and healthcare systems software. We discovered that at any one point there could be between 50,000-80,000 exposed systems inside hospitals/clinics worldwide. This exposure could put hospitals at risk from DDoS attacks, malware and data theft. Using the DREAD threat assessment model, the report found DDoS attacks to be the most serious overall threat to HCOs, followed by ransomware. That’s because attacks are fairly easy to execute and require no specialized knowledge about the devices or systems being leveraged.
Interestingly, more respondents to a Twitter poll we ran believed the biggest threat facing HCOs was data manipulation (32%), followed by malware infection (27%).
Similarly, respondents believed hacktivists (29%) were the most frequent attackers of HCOs. In reality, although there are many potential sources of attack, financially motivated cybercriminals pose the biggest threat. The rewards from data theft, ransomware and more draw many in to target what they see as under-protected systems and organizations. Although just 14% of respondents on Twitter picked correctly, the truth is that PII is the most in-demand type of healthcare data on the Dark Web — highly monetizable for identity fraud, blackmail and more.
Supply chain risk
Another area of healthcare IT risk uncovered in the report relates to the supply chain. Around 30% of all breaches publicly reported to the US Department of Health and Human Services (HHS) in 2016 were due to breaches of business associates and third-party vendors. Yet this is an area still not given the attention it deserves. From cloud providers to IoT manufacturers and resellers, mobile health developers and more, the complex web of inter-connected hospital suppliers presents a growing attack surface.
Gaps inevitably appear when some third-parties fail to take cybersecurity as seriously as the HCO itself. Device firmware, mHealth mobile apps, compromised source code, phishing of partner employees, and even insider threats are all very real risks. Without adequate network segmentation and vetting of supply chain partner employees, hospital IT teams are exposing themselves to financial and reputational damage alongside compliance risk.
IT defense for hospitals
The good news is that by following best practice, tried-and-tested methodologies, hospital CIOs and CISOs can work to mitigate many of the risks highlighted in the report. Simple misconfiguration, for example, is the number one cause of exposed devices. The National Institute of Standards and Technology (NIST) offers a useful framework for supply chain risk management (SCRM).
The focus throughout should be on assuming compromise and taking swift action to respond.
According to the report, hospital IT bosses should:
• Quickly identify and respond to ongoing security breaches
• Contain the security breach and stop the loss of sensitive data
• Pre-emptively prevent attacks by securing all exploitable avenues
• Apply lessons learned to further strengthen defenses and prevent repeat incidents
In practice, this means applying technologies such as encryption, for sensitive PII; vulnerability scanning; network segmentation; patch management; IPS/IDS; breach detection; anti-malware and more.
To find out more about the cyber threats facing hospitals and how to balance efficient IT operations with network security, read our Securing Connected Hospitals report today.