Security Incidents in Healthcare And What You Can Do About Them

Doesn’t it seem that in the last few months there has been a flood of security incidents and breaches hitting the global healthcare industry? What was a weekly security incident news drip has turned into an almost daily one. It is a cruel irony that during the worst global pandemic in our lifetimes the healthcare industry must also deal with a digital pandemic. But this is the hand we have been dealt, so we must play it.

Ransomware in particular seems to be hitting the industry hard. Recently, a direct link was established between a ransomware incident at a hospital in Germany and a resulting death. Because the hospital’s services weren’t available due to the ransomware attack, the patient, who was in critical condition, had to be diverted to another facility, and the time lost proved deadly.

Unfortunately, this is not a new phenomenon. Remember the ransomware attack against the UK’s National Health Service in May 2017 that reportedly cost 92 million pounds to rectify? Such incidents don’t even demonstrate the vulnerabilities inherent in smart systems on the clinical side of the health providers, the scanners, drug management systems and surgical tools. What happens if and when they get hit?

In the U.S., you can keep close tabs on many security related healthcare incidents by checking the Department of Health and Human Services’ breach report web page — note how often email is a key factor in many of the reported breaches. The industry must deal with the reality that its heavy IT dependence and general fragility of the systems, combined with the value of the data and processes that the systems enable, has created a ripe target for cybercriminals. Do the cybercriminals care that they might be putting people’s lives at stake? Generally, no. From the hackers’ perspective: the higher the stakes, the greater the likelihood of payment. Holding your data and IT systems, and thus your critical business operations, for ransom has consistently proven to provide a strong return-on-investment for attackers.

According to the 2020 State of Email Security Report, 57% of healthcare organizations believed it was inevitable or likely they would suffer negative impacts from an email-borne attack in the upcoming 12 months. And in April of 2020, Interpol reported detecting a significant “increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.” What this spate of serious security incidents and breaches has laid bare is that the IT security and resilience of too many healthcare systems are not up to the threat.

What can healthcare providers do to improve their security and resilience against ransomware and other common security incidents? The best practices are widely known in IT security circles and have been successfully applied by many organizations around the world, across many industries, including healthcare. The key is to find the will, focus and budget to make them happen.

Key strategies to reduce security incidents and improve IT resilience include:

• Apply a layered security strategy with a particular focus on protecting the email and web channels that most externally generated security incidents depend on. Ransomware, for example, usually depends heavily on one or both of those vectors to land and operate. Thus, strong controls in email and the web can pay large dividends.
• Better security awareness training. Don’t forget your people are often active, though unknowing, enablers for security incidents. Focus on improving their security awareness and understanding to help them be an important last line of defense rather than a key vulnerability. Most attacks depend on social engineering to get established, and most social engineering is delivered via a combination of email and the web.
• Examine and improve your vulnerability scanning and patching processes. Unpatched, vulnerable systems are an accelerant to the security incident fire.
• Deploy multi-factor authentication and single sign-on to all IT systems and applications. Giving cybercriminals single-factor authentication-based remote access to your systems is a major weakness.
• Deploy and test your backup and recovery systems and processes for all mission critical operations. The success of ransomware is exposing gaping holes in these systems and processes.
• Pre-plan your IT continuity. Critical systems need an alternative, even if degraded, way to function if the primary system becomes unavailable. Don’t ignore basic communication systems such as email and web access.
• Shift as many of your security and resilience controls to cloud providers as possible to reduce the cost and complexity of operation. Most organizations will not be able to hire their way out of these security challenges. Use security clouds as a way to “hire” security technology and expertise by the slice.

The security times in healthcare are challenging and the stakes are extremely high. But with a concerted, organization-wide effort, the risk of significant operation impacting security incidents can be notably reduced.