
Health care cybersecurity is a unique beast. How can vendors empower the sector?

Health care relies on a vast number of connected devices to support patient care, which must be considered when attempting to design and implement security tools for the sector. ("EMT/Nursing Pediatric Emergency Simulation - April 2013 2" by COD Newsroom is licensed under CC BY 2.0)

Each ransomware report or network outage in the health care sector reaffirms the unifying consensus: providers will remain a leading target of cybercriminals given the troves of personal data stored on their systems and the difficulty most entities face in securing the vast network of devices and endpoints.

When the first wave of ransomware attacks hit the sector in 2016, awareness of the need to better secure health care was low. In fact, the Office for Civil Rights had to update its enforcement guidance in August 2016 to make clear that providers bore the onus for ensuring protected health information was not compromised during a ransomware incident.

By 2017, industry stakeholders consistently warned against buying tools as silver-bullet solutions to a problem that truly stemmed from providers’ policies, procedures, and people. 

These early calls helped drive awareness of the need for better cybersecurity in the sector, as it was abundantly clear that attackers would not relent. The point remains true under the current threat landscape, where data exfiltration and extortion occur in the majority of attacks, and where a successful ransomware incident can lead to weeks, if not months, of network downtime.

“To an outsider, the typical health care network would look like the Tower of Babel,” said Motti Sorani, chief technology officer of CyberMDX. “An ultra-heterogeneous system composed of corporate devices and servers, communicating with a spectrum of unique medical devices and systems, alongside third parties that are connecting to the network and acting in it.”

“All together a plethora of diverse devices, communication protocols, operating systems, and personas working together to provide care and protect human lives,” he added.

Security researchers have long stressed that the unique, expansive nature of health care infrastructure, combined with limited resources and staffing shortages, makes securing provider networks far more challenging than in other sectors.

From tens of thousands of connected devices to hundreds of vendors, securing health care is a mammoth challenge for the vast majority of providers. What, then, can vendors do to help providers reduce some of these challenges?

Vendors: Focus on the basics

The best way vendors can support health care organizations is to understand the specific nature of the market, said Saif Abed, M.D., founding partner and director of cybersecurity advisory services for the AbedGraham Group.

“Just because health care is under attack does not mean the solutions you offer the finance industry will translate well to a clinical context. Engaging with health care CISOs and clinical leaders will validate product development,” he added. “An openness to collaboration is essential.”

For cybersecurity vendors, this means understanding the language, workflows, device context, unique threat landscape, and mindset, all within a clinical context, said Sorani. It includes understanding health care’s vulnerability posture: actionable data on the clinical context of vulnerable devices, and the risk exposure created by device interactions within clinical workflows.

Vendors must be able to combine these elements together to assess the true impact of vulnerabilities on the overall business objectives: care delivery, patient safety, and data confidentiality. Sorani stressed that “the clinical context is imperative in achieving this.” 

As a result, vendors pitching generic solutions to the health care sector often miss this critical point: without an understanding of the communication protocols, device function or type, and the threat landscape, a standard security solution will not cover these unique devices.

Vendors should develop partnerships with companies that already have security capabilities specific to the health care environment, including working with managed security services providers (MSSPs) and embedding third-party products specific to the sector, said Abed.

As Jerome Becquart, Axiad’s chief operating officer, sees it, vendors must strike a balance between health care regulations and the high level of security required for the sector, combined with providers’ need for user-centricity.

For example, a provider enabling multi-factor authentication must then issue multiple credentials to its workforce, which can be difficult to track across a vast number of user types and systems. As such, vendors need to develop systems that are simple to use and “cohesive with the provider’s infrastructure, so employees can get back to their essential work,” said Becquart.

“With the growing focus of attackers on health care organizations, and as they become more and more sophisticated, they will tend to exploit unique vulnerabilities/weaknesses — that generic security solutions simply do not identify,” said Sorani.

“To succeed in health care environments, you need to cope with the inherent limitations that exist in this environment due to its diversity and limited manageability, yet leverage its advantages — as the medical OT environment resides within a contemporary IT environment equipped with a security stack that cannot understand the medical devices, yet still can be leveraged smartly to protect them,” he concluded.

Addressing health care’s unique challenges

Health care is required to meet the strict regulatory compliance measures outlined in the Health Insurance Portability and Accountability Act (HIPAA), explained Becquart. The sector also relies on enabling a wide range of users to access its network, including doctors, clinicians, nurses, third-party vendors, business associates, patients, administrators, and a host of others.

Between the need for constant access to health care applications and devices, an extensive list of access points, and an overreliance on legacy platforms, it’s clear that most providers are facing an uphill battle when it comes to securing and understanding the vast infrastructure.

To reduce the problem, providers must gain essential visibility into their device inventory and the overall cyber risk picture, explained Sorani. An inventory of all connected assets is the crux of any cybersecurity program. However, traditional security tools cannot understand the complexity and diversity of medical devices, and so cannot create a complete inventory.

“The inability to identify and understand medical protocols also prevents these traditional solutions from understanding ‘normal’ behavior in the network, and so distinguishing between benign behavior and potential danger becomes an issue,” said Sorani.

Security researchers have continuously stressed that automated discovery tools can find all connected devices in real time and are key to moving the needle on understanding the device ecosystem.

For Abed, one of the major challenges facing the health care network is a lack of transparency of all endpoints and how they operate or communicate with one another. In short, “you can’t protect what you can’t see.”

But the larger issue is that many provider organizations cannot make sense of the network, including the endpoint and security data collected by their systems. What’s worse, Abed explained, there are nearly no solutions on the market that can translate what this data means in terms of tangible risks to patient safety or clinical service.

And it’s those key metrics that are necessary for security leaders to engage health care leaders and the board for obtaining investments in security and for planning mitigation strategies, he added.

These insights would be crucial for understanding the risk posed by legacy or unsecured devices. Becquart explained that the sector has also widely adopted custom-made tools and applications designed to support its specific environment.

But modifying these platforms to add the necessary security layers is not always a straightforward process, which Becquart stressed has often left providers without the required modern capabilities.

“On top of the inventory, the next challenge is to gain a comprehensive and actionable risk posture,” said Sorani. “As not all devices are created equal, an effective solution must be able to take the clinical context of the devices into account. Some are more critical to the health care delivery organization objectives — care delivery, patient safety, and data confidentiality.”

“When it comes to taking remediation and mitigation actions, as many of the medical devices were not built with cybersecurity in mind and lack the required security controls, it’s essential to smartly leverage network security and other solutions from the corporate security stack to mitigate the risks,” he added.

Generic security solutions won’t cut it

Health care’s unique challenges call for customized solutions. Sorani recommended a “health care-aware orchestrator” that smartly leverages existing capabilities, such as a vulnerability scanner, to protect clinical assets.

For example, the software on some medical devices tends to crash when scanned, so the scan must be a specially crafted task to complete safely. A generic vulnerability scanner cannot distinguish between a CT scanner and an ordinary workstation running Microsoft Windows 7.

To be effective in a health care environment, the tool needs an orchestrator to inform it of the type and function of each device, so that it can select the right scanning template.

“A similar example would be the firewall, which is not aware of the device identity. If you want to block the internet access of sensitive devices, you need first to teach the firewall which devices are sensitive,” Sorani said. “Threat detection becomes much more vivid and effective given the clinical context of devices.”
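To make the two orchestration decisions above concrete, here is an added example that is not CyberMDX code or any product’s logic: it picks a scan template from device context, and it translates “sensitive device” into an address-level firewall rule that denies internet egress. The device classes, template names, the `internet` zone name and the inventory records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical scanner job profiles, ordered from least to most intrusive.
PASSIVE_ONLY = "passive-only"  # send nothing to the target; fingerprint from observed traffic
SAFE_CHECKS = "safe-checks"    # banner/version checks only; no fuzzing or DoS-class probes
FULL = "full"                  # complete active scan, acceptable for ordinary IT endpoints

# Constructed device-class vocabulary. In a real deployment this comes from the
# inventory/classification engine, not a hard-coded set.
CLINICAL_CLASSES = {"ct-scanner", "mri", "infusion-pump", "patient-monitor", "ventilator"}
# Operating systems on which active checks are risky even for IT gear.
FRAGILE_OS_MARKERS = ("windows xp", "windows 7", "windows server 2003", "windows server 2008")


@dataclass
class Device:
    ip: str
    device_class: Optional[str]  # None when the inventory could not classify the asset
    os: str = ""
    criticality: str = "medium"  # clinical-impact rating: "low" | "medium" | "high"
    in_use: bool = False         # attached to a patient or mid-procedure right now


def scan_template(dev: Device) -> str:
    """Pick the least intrusive template consistent with what is known about the device.

    An unclassified device is treated like a clinical one: the cost of guessing
    wrong is a crashed device, so the default errs toward safety.
    """
    if dev.device_class is None or dev.device_class in CLINICAL_CLASSES:
        return PASSIVE_ONLY
    if dev.in_use:
        return PASSIVE_ONLY
    if dev.criticality == "high":
        return SAFE_CHECKS
    if any(marker in dev.os.lower() for marker in FRAGILE_OS_MARKERS):
        return SAFE_CHECKS
    return FULL


def scan_plan(devices: List[Device]) -> Dict[str, str]:
    """Map each device IP to the template the scanner should run against it."""
    return {dev.ip: scan_template(dev) for dev in devices}


def is_sensitive(dev: Device) -> bool:
    """The clinical context a firewall lacks: clinical class or high criticality."""
    return (dev.device_class in CLINICAL_CLASSES) or dev.criticality == "high"


def egress_rules(devices: List[Device]) -> List[dict]:
    """Translate 'sensitive device' into deny rules for internet egress.

    The rule format is a constructed, vendor-neutral dict and 'internet' is an
    assumed firewall zone name. Internal traffic is left alone so clinical
    workflows keep working.
    """
    return [
        {
            "action": "deny",
            "src": f"{dev.ip}/32",
            "dst_zone": "internet",
            "comment": f"no internet egress: {dev.device_class or 'unclassified'} ({dev.criticality})",
        }
        for dev in devices
        if is_sensitive(dev)
    ]


# Constructed sample inventory.
INVENTORY = [
    Device("10.20.1.10", "ct-scanner", os="Windows Embedded Standard 7", criticality="high"),
    Device("10.20.1.22", "patient-monitor", os="VxWorks", criticality="high", in_use=True),
    Device("10.20.2.5", "workstation", os="Windows 7 Professional"),
    Device("10.20.2.6", "workstation", os="Windows 10 Enterprise"),
    Device("10.20.3.7", "lab-analyzer", os="Linux", in_use=True),
    Device("10.20.9.99", None),                                   # unclassified
    Device("10.20.4.4", "pacs-server", os="Windows Server 2019", criticality="high"),
]

if __name__ == "__main__":
    for ip, template in scan_plan(INVENTORY).items():
        print(f"{ip:12} -> {template}")
    for rule in egress_rules(INVENTORY):
        print(rule)
```

The important design choice is the default: a device the inventory could not classify gets the passive template, not the full one, because a wrong guess against a clinical device has a patient-safety cost while a wrong guess against a workstation only costs coverage. The egress rules deny by address because that is all the firewall understands; the orchestrator is what carries the clinical meaning to it.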

“Health care-focused solutions, unlike generic ones, can pretty much tell if a clinical device is deviating from its baseline,” he continued. “As threat actors tend to laterally move within the network from their entry points to the places where their impact is maximized (whether it is ransomware or data exfiltration) — the ability to detect anomalies is paramount.”

Such solutions create challenges for even the most sophisticated attacker, who must typically mimic the natural behavior of a device to avoid violating its baseline.
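As an added illustration of the baseline idea (constructed code, not from CyberMDX or any product), the block below learns which (peer, port, protocol) tuples each monitored device talks to during a known-clean window, then flags two kinds of deviation in later traffic: a new peer, and an unusually large transfer to a peer that is already known. The flow records are constructed NetFlow-style tuples; every IP, port and byte count is made up.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed flow record: (timestamp, src_ip, dst_ip, dst_port, proto, bytes_out)
Flow = Tuple[str, str, str, int, str, int]


def build_baseline(flows: Iterable[Flow], device_ips: Set[str]) -> Dict[str, dict]:
    """Learn each monitored device's normal communication from a trusted window.

    Per device we keep the set of (dst_ip, dst_port, proto) peers and the largest
    single-flow byte count observed. The window must be known-clean: if an intruder
    is already active while learning, their traffic becomes 'normal'.
    """
    baseline = {ip: {"peers": set(), "max_bytes": 0} for ip in device_ips}
    for _ts, src, dst, port, proto, nbytes in flows:
        if src in baseline:
            entry = baseline[src]
            entry["peers"].add((dst, port, proto))
            entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return baseline


def detect_deviations(flows: Iterable[Flow], baseline: Dict[str, dict],
                      volume_factor: int = 5) -> List[dict]:
    """Flag flows that leave the learned baseline.

    new_peer: the device contacts a (dst, port, proto) never seen while learning;
              the signature of lateral movement from a compromised clinical asset.
    volume:   the flow exceeds volume_factor times the learned per-flow maximum,
              even toward a known peer. An attacker who mimics the device's usual
              peers still has to move the data somewhere.
    """
    alerts = []
    for ts, src, dst, port, proto, nbytes in flows:
        if src not in baseline:
            continue  # not a monitored clinical device
        entry = baseline[src]
        if (dst, port, proto) not in entry["peers"]:
            alerts.append({"ts": ts, "device": src, "type": "new_peer",
                           "detail": f"{dst}:{port}/{proto}"})
        elif entry["max_bytes"] and nbytes > volume_factor * entry["max_bytes"]:
            alerts.append({"ts": ts, "device": src, "type": "volume",
                           "detail": f"{nbytes} bytes to {dst}:{port}/{proto}"})
    return alerts


# Constructed learning window: an infusion pump talking to its drug-library server
# and NTP, and a patient monitor streaming HL7 to the central station.
MONITORED = {"10.20.1.15", "10.20.1.22"}
LEARNING_FLOWS: List[Flow] = [
    ("2024-03-01T08:00:00", "10.20.1.15", "10.20.0.5", 443, "tcp", 18_400),
    ("2024-03-01T08:05:00", "10.20.1.15", "10.20.0.1", 123, "udp", 76),
    ("2024-03-01T08:00:00", "10.20.1.22", "10.20.0.9", 2575, "tcp", 52_000),
    ("2024-03-01T08:10:00", "10.20.1.22", "10.20.0.1", 123, "udp", 76),
]

# Constructed detection window: SMB from the pump toward a workstation (lateral
# movement), a 10x-normal transfer from the monitor to its known central station,
# plus ordinary traffic that must not alert.
TEST_FLOWS: List[Flow] = [
    ("2024-03-02T02:13:00", "10.20.1.15", "10.20.0.5", 443, "tcp", 17_900),
    ("2024-03-02T02:14:00", "10.20.1.15", "10.20.2.40", 445, "tcp", 9_300),
    ("2024-03-02T02:20:00", "10.20.1.22", "10.20.0.9", 2575, "tcp", 520_000),
    ("2024-03-02T02:21:00", "10.20.2.40", "10.20.0.5", 443, "tcp", 1_000_000),  # not monitored
]


def run_example() -> List[dict]:
    baseline = build_baseline(LEARNING_FLOWS, MONITORED)
    return detect_deviations(TEST_FLOWS, baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two caveats a practitioner would want stated. First, the learning window is a trust decision: anything already on the network while the baseline is built is whitelisted, so learning should happen after an inventory review, not before. Second, the volume check is what gives the baseline teeth against an attacker who deliberately stays within the device’s usual peers; the factor of five here is a constructed threshold and would be tuned per device class from the observed distribution, not picked by hand.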

Sorani added that providers can also reduce some of these misalignments by leveraging solutions able to tackle diverse environments.

Cutting through the vendor noise

Health care providers have often lamented the constant barrage of sales pitches from vendors attempting to sell them the next best security tool to address their challenges. But many of these attempts miss the point, and the budgetary constraints, of the sector.

With about 15,000 security vendors on the market, it’s critical for providers to do their homework before being tempted by the latest shiny object. Sorani recommended that providers research a vendor thoroughly before making contact, to ensure the service understands the organization’s challenges.

To Abed, providers must take time to review the background of the vendors’ leadership team, particularly focusing on whether they have a track record in health care and the language used in their resources. The vendor should be keen to discuss “patient safety and clinical service disruption in a meaningful way,” rather than just throwing “around words like ‘clinical’ with reckless abandon, if at all.”

Customer testimonials and industry analyst reports can attest to the effectiveness of a tool, explained Sorani. There should also be evidence that the tool can work in the provider’s specific environment.

“Are they speaking to why they exist and how they solve your business problems — and not just talking tech? That alone helps you separate the ones to put in the 'yes' and 'no' piles,” he added.

Providers should also review vendors’ solutions or technology through events or webinars before reaching out to those that appear aligned with the health care sector. Another test is how quickly the vendor responds to an inquiry, as well as the content of its message, explained Sorani.

Further, organizations should focus on vendors that help quantify the need and risk, which “is integral to a successful solution,” said Sorani. “If the provider is delivering all along the way, you’ve clearly done a proper job of screening and are making good use of your time.”

At the end of the day, the health care organization (the buyer) is in control. However, Abed stressed that there is only so much a vendor can do. A health care entity using a security product must also invest in its people and processes, to ensure its workforce can derive full value from these solutions.

By addressing people, processes, and policies before discussing how to hold a supplier to account, health care entities will best understand the source of a problem when it occurs, Abed concluded.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
