Backup and recovery

Attack sophistication means health care cybersecurity requires digital resilience

NIH experts care for a patient in interventional radiology. Cybersecurity success in health care is less about buying more security tools and more about properly training staff to securely operate the systems already in place, says one expert. ("Interventional Radiology" by NIHClinicalCenter is licensed under CC BY 2.0)

Cybercriminals have not taken a vacation during the pandemic and have continued to modify their tactics to great success. Recent security incidents reflect the nature of the threat landscape and serve as a reminder that even entities with strong cybersecurity practices can be exploited.

Three reports on the health care and pharmaceutical sectors last week spotlighted the industries’ continued struggles with bolstering cybersecurity and supply chain vulnerabilities, as well as the penchant for attackers to continue preying on oft-vulnerable providers.

Reposify found most pharma companies are actively exposing data through databases and remote access points, while CynergisTek revealed just 23% of providers were found to have passing supply chain security grades, and just barely.

Following the report, two U.S. health systems fell victim to cyberattacks and were forced to revert to electronic health record (EHR) downtime procedures to maintain patient care. In total, at least 36 providers have experienced network outages directly caused by cybercriminals so far in 2021.

Much like with other sectors, ransomware threat actors and other cybercriminals are preying on the most vulnerable systems and supply chain vendors, as seen with the REvil attack against Kaseya earlier this summer.

As noted by Jeff Buss, chief information officer of Nordic Consulting, the extremely sophisticated nature of attacks like these and the SolarWinds incident makes it incredibly difficult for all entities to successfully defend their networks.

But in health care, the cybersecurity challenges are multi-faceted. Not only are attacks becoming harder to prevent, but many providers also have under-resourced cybersecurity programs despite the need to protect highly valuable protected health information, explained Buss.

As a result, health care is facing an uphill battle in preventing successful exploits.

“Health care organizations need to fund cybersecurity programs as if it were one of the biggest risks to the organization, but unfortunately we are not seeing that,” said Buss. “The average health care entity spends roughly 6% of the IT budget on cybersecurity, while other industries are spending 15% or more.”

“Exacerbated by the fact that many health care organizations have outdated systems and struggle to maintain an accurate asset inventory with the ever-evolving medical technology landscape, it makes securing the health-care enterprise a formidable task,” he continued.

As a result, cybersecurity success in health care is less about buying more security tools and more about properly training staff to securely operate the systems already in place. For Buss, building digital resilience will be key to reducing the overall risk to the health care network, as incidents here can lead to care disruptions and an increase in risk to patient safety.

Digital resilience refers to an entity’s ability to quickly respond to and recover from sophisticated attacks, especially those launched by advanced persistent threat group actors, he explained. This means health care administrators must implement policies, standards, and procedures able to build resilience and improve the overall cybersecurity posture across the enterprise.

Previous voluntary guidance from the Department of Health and Human Services can be useful for those entities attempting to review and improve upon existing scenarios. Once implemented, these elements must be tested in real-world scenarios.

Administrators will also need to audit asset inventories to obtain a realistic list of assets operating on the network, as well as “evolving the configuration management process to ensure the team knows and understands the architecture proves helpful in the event of an attack,” explained Buss.

It’s also imperative security leaders understand how to “fight the network” and frequently practice it with board participation down to those employees working on the frontlines, he added.

It can be a time-consuming challenge to impart necessary training, in combination with asset auditing and creating a solid configuration management process. However, the difficult task is far outweighed by the payoff that providers can see in being able to successfully respond to an attack or other major security incidents.

Those entities that fail to take the journey into digital resilience, at best, will be forced to pay ransom or spend even greater investments into high-cost incident response teams to undo the damage caused by a cyberattack, as well as the recovery costs and lost revenue spurred by weeks of network outages and downtime procedures, explained Buss.

“The state of cybersecurity in health care is serious, but not hopeless,” said Buss. “Health care organizations can take meaningful steps to decrease their vulnerabilities and increase their resilience. But for these steps to make a difference, board members and C-suite executives must commit to making cyberattack resilience a priority.”

“Building resilience starts top-down with a strategic approach to understanding the digital assets, data flows and business use of each as well as how to respond to disruptions to those assets and data flows,” he continued.
