Highly regulated industries have always led the way in best practices for accounting, information technology, and cyber security. Laws and regulations mandate that certain procedures be followed, and the shortcuts once taken to gain a competitive advantage have been eliminated now that they are regulated. This has leveled the playing field, from the money spent on data security to the technology approved for medical care.
While extreme differences still exist in the quality and type of care, the business side of the healthcare industry has slowly converged because of these regulations. This affects all types of healthcare, from hospitals to family practitioners. All data must be secured, transmitted using specific protocols, and insurance forms completed in a specific manner.
However, these business practices have produced weaknesses in the process that are exploited just like any other cyber security vulnerability. Because the processes are standardized, the threats, and the ways attackers can monetize them, are real for every type of healthcare service.
Emerging and Growing Threats to Healthcare Information
Now that many processes are standardized, threats against healthcare leverage weaknesses in the data protocols and procedures used to store, process, and invoice for services. For example, consider the $65 million fraud alleged in this article. The accused understood how the standardized billing services for Tricare work and used that system to invoice millions of dollars, regardless of the underlying scam.
While this is an extreme case, hacking a healthcare provider to steal patient information must still be monetized on the dark web. If you understand the billing practices of insurers, or can siphon information directly from protocols like DICOM, then monetizing the attack is much easier and potentially more profitable. This does not mean threats like ransomware and phishing are going away; they remain very real and a huge problem. But the evolution of attacks is shifting toward the weaknesses that regulation and standardization require of all providers and insurers.
Improvements to Be Made to Better Protect Healthcare Information
For the healthcare industry, information technology needs to learn from the best practices of medicine and adopt preventive care. Information technology should perform regular tests, screenings, assessments, and other security best practices to ensure all applications are up to date, properly patched for vulnerabilities, and not misconfigured. This is analogous to making sure your child has all of their shots, is checked regularly for hearing and vision problems, and does not have a condition like scoliosis.
If healthcare IT can adopt the same mindset, using security standards like the SANS 20 Critical Security Controls and FedRAMP the way medicine uses clinical protocols, then sensitive client information can be protected much better, because risks can be identified early and treated, just like diagnosing a patient.
Barriers to Improving Cyber Security Efforts in the Healthcare Sector
The biggest barriers to improving cyber security in healthcare are not money or established technology. Security professionals know how to fix these problems even on a shoestring budget. The problem in healthcare cyber security is the technologies used daily that have traditionally been out of scope (until now) for hackers to monetize.
Consider last month's revelations from Muddy Waters about St. Jude Medical devices. The healthcare sector has embraced technology in so many ways that flaws in the devices, a lack of regulation for device security, and the technical limitations on upgrading them have created a new hurdle for the industry to overcome.
The biggest barrier for the industry is not traditional IT services but rather all the medical equipment and devices that have been out of scope, locked down by the FDA via change control, and are now classified as Internet of Things devices that can be exploited and potentially cause loss of life. The biggest barrier is yet to come, as the healthcare sector is forced to secure, replace, and manage these devices with a completely unknown scope and cost and, most importantly, a lack of expertise.
Addressing and Overcoming Barriers
The barrier of medical device security can be addressed with a basic plan for IT security. First, understand the problem: how widespread it is and which devices are affected. Then manage the risk until permanent solutions can be found. This includes basic information technology procedures like:
- Discovery – identifying all of the devices and assigning risk priorities to them
- Segmentation – isolating high-risk devices on separate networks and limiting access and communications to prevent a hack
- Remediation – when available, apply updates, configurations, and other changes to mitigate the risk
- Reporting – provide reports to technical teams and executives to quantify the risk and exposure
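The four steps above can be run as one small pipeline over a device inventory. The following is an added example, not code from the original post or from BeyondTrust: it takes a constructed inventory of medical devices, scores each one (the device names, the scoring weights and the segment names are assumptions chosen for illustration), assigns it to a network segment, picks a remediation path depending on whether the vendor can still patch it, and produces the summary a technical team or executive would read.

```python
"""Discovery -> prioritization -> segmentation -> remediation -> reporting.

Added example; the inventory below is constructed, and the weights,
thresholds and segment names are assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    kind: str                 # e.g. "infusion_pump", "workstation"
    patient_connected: bool   # can a compromise affect a patient directly?
    vendor_supported: bool    # can it still receive vendor updates?
    patch_lag_days: int       # days since the last available update was applied
    internet_reachable: bool  # reachable from outside the clinical network?
    legacy_protocols: list = field(default_factory=list)  # e.g. ["DICOM"]


# Constructed inventory, as discovery might have produced it.
INVENTORY = [
    Device("MRI-1", "mri", True, False, 400, False, ["DICOM"]),
    Device("PUMP-07", "infusion_pump", True, True, 120, False),
    Device("WS-BILLING", "workstation", False, True, 10, True),
    Device("PACS-1", "pacs_server", False, True, 200, True, ["DICOM"]),
]


def risk_score(d: Device) -> int:
    """Additive score (weights are assumptions). Patient-connected,
    unpatchable and externally reachable devices float to the top."""
    score = 0
    if d.patient_connected:
        score += 40
    if not d.vendor_supported:
        score += 30
    if d.internet_reachable:
        score += 20
    if d.patch_lag_days > 90:
        score += 10
    score += 5 * len(d.legacy_protocols)  # each unauthenticated legacy protocol adds exposure
    return score


def prioritize(devices):
    """Discovery output ordered highest risk first."""
    return sorted(devices, key=risk_score, reverse=True)


def segment_for(d: Device) -> str:
    """Segmentation: map the score to an assumed network zone."""
    s = risk_score(d)
    if s >= 70:
        return "clinical-isolated"    # no lateral access, only whitelisted flows
    if s >= 30:
        return "clinical-restricted"  # clinical VLAN with access control lists
    return "general-it"


def remediation_for(d: Device) -> str:
    """Remediation: a patch when the vendor still ships one, otherwise
    compensating controls until the device can be replaced."""
    if not d.vendor_supported:
        return "compensating controls only: isolate, monitor, plan replacement"
    if d.patch_lag_days > 90:
        return "apply vendor update via change control"
    return "maintain current patch cadence"


def build_report(devices):
    """Reporting: a summary dict that quantifies exposure for executives
    and lists the per-device actions for technical teams."""
    by_segment = {}
    for d in devices:
        by_segment.setdefault(segment_for(d), []).append(d.name)
    ranked = prioritize(devices)
    return {
        "device_count": len(devices),
        "by_segment": by_segment,
        "highest_risk": ranked[0].name,
        "unsupported": [d.name for d in devices if not d.vendor_supported],
        "actions": {d.name: remediation_for(d) for d in ranked},
    }


if __name__ == "__main__":
    for d in prioritize(INVENTORY):
        print(f"{d.name:<12} score={risk_score(d):>3}  segment={segment_for(d):<20} {remediation_for(d)}")
    print(build_report(INVENTORY))
```

The point of the structure is that discovery feeds everything else: a device that cannot be patched does not disappear from the report, it moves into an isolated segment with compensating controls and stays on the list until it is replaced.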
This barrier is no different from the technology hurdles we experienced with BYOD (Bring Your Own Device), except that the outcome could be life threatening. That obviously places a different level of urgency on solving the problem.
Learn why Care New England selects PowerBroker to secure their desktop infrastructure in this customer success story.
For more on how technologies like privileged access management and vulnerability management can help protect access to healthcare data, contact us today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.