A wave of transparency washed over healthcare sector headlines this year, reviving awareness and a concentrated effort on exposing the biggest weaknesses, challenges, and pain points.
A June Congressional meeting saw frontline security leaders admitting the sector just isn’t prepared to face the current scope and sophistication of attacks. At DefCon, chief information security officers from two of the largest health systems shared that there’s simply no way to secure everything in the healthcare network.
From an outside perspective, these acknowledgements would appear revelatory. But healthcare leaders have long understood their assignment: securing the healthcare infrastructure is a mountainous challenge that takes passion to make the right technology moves, while working steadily to gain Congressional support to enact real, impactful change.
These ongoing conversations have finally pushed patient safety into the foreground, more than five years since University of California San Diego Health physicians and cybersecurity research leaders Christian Dameff, MD, and Jeff Tully, MD, began sounding the alarm on the direct risks cyberattacks pose to patients and care quality.
Although there have been serious outliers in 2021-- including poor breach responses, ongoing hospital outages from ransomware, and some of the biggest breach tallies in healthcare history -- one could argue that awareness has never been higher.
The industry can only hope that the momentum it has seen on tackling these important areas will drive lasting change in the year ahead.
SC Media spoke with several healthcare security leaders to get a sense of what we can expect next year, not in terms of who will attack the sector, but what provider organizations should do now to prepare for changing regulations and continued threats to the enterprise.
Mac McMillan, president and CEO at CynergisTek, thinks the sector may have run out of luck, pointing out that any organization that went through the pandemic and did not have a major security breach or outage was extremely lucky.
"A complete systems failure at the height of the pandemic could have had devastating impacts for a lot of health organizations," McMillan said. "Luck and hope, although nice to have, are not strategies for success or continuity. We need to invest, be more vigilant, become more proactive and rehearse, exercise and validate our defenses. The threat is relentless: the threat is evolving and it's becoming more destructive.”
Lasting pandemic impacts
For the last two years, healthcare delivery organizations have been pushed to their limits from all angles. While the initial expansion of remote care and devices has slowed, the risks posed by these devices may have a lasting impact, especially in terms of connectivity and resources.
For McMillan, the biggest pandemic impact on healthcare has been the diversion of resources and time. While the quick pivoting has waned with sustained operational changes, the challenges tied to recovery have not gone away, including new operating models, remote workforces, threats, and expanded attack surface posed by the reliance on a long list of vendors.
“Couple this with rapid innovation, which always moves faster than security, and you have a real formula for more or greater risk from cybercriminals,” McMillan added. “Those risks or impacts are not just financial or data losses as seen in the past, but more damaging impacts like longer down times meaning higher financial losses and of greater concern harmful impacts for patient care.”
One positive impact has been the pandemic’s spotlight on cybersecurity as a patient safety risk. The ongoing COVID-19 challenges have created a real-world use case on how easy attackers can impact care operations with a cyber event, particularly during care diversion or when staff aren’t adequately trained or comfortable with paper processes.
Amir Magner, founder and president of CyberMDX, said the rapid adoption of new technologies may have added security concerns that would have been addressed with more gradual deployments. He noted the adoption of telehealth services that rely on third-party remote connections as one example. If not properly secured, these systems are “simultaneously more attractive and susceptible to attacks," said Magner.
This issue also applies to the newly adopted remote and teleworking infrastructure that were put in place for hospital staff who were forced to work from home during the pandemic.
“These hurdles will grow more challenging as connectivity continues to grow, but there is hope," Magner said. “As awareness builds in the coming years, healthcare will gain control of the issue. Currently, healthcare delivery organizations are working from behind, attempting to deal with all of these issues simultaneously, but once a baseline of security is established, hospitals will not present as easy a target and successful attacks will subside.”
With the raised awareness, in the longer term, industry pros hope the new devices will be better designed with security in mind. When that happens, healthcare entities can integrate medical devices with fewer concerns than with the existing state of older, unsecured devices.
However, the uphill battle of phasing out older devices will take time.
Continued third-party vendor risk
Third-party vendors accounted for four of the 10 largest healthcare data breaches this year. But the largest, the hack on the Accellion File Transfer Application, demonstrated the vast rippling impact of a singular vulnerability hack and ongoing challenges to secure the complex vendor and device infrastructure.
Third parties are an obvious risk to all industries, but in healthcare the potential impact becomes much more severe, reflecting the ever-expanding attack surface. McMillan stressed that all organizations need to address and more proactively secure these connections in the coming year.
“We can’t just sit back and wait for the threat to come anymore and hope we stop it all," McMillan said. "First, it is impossible, and second hope is not a strategy. We need to take the battle to the enemy, hunt the threat, close the gaps as we find them and be more prepared when something adverse happens. Your IT attack surface is much broader than what is within your four walls or data center.”
Moving forward, it’s the investments in security spending and the diligence in managing IT environments, while effectively anticipating, reacting to, and withstanding cyberattacks that will make the biggest difference moving forward.
McMillan noted that every organization will have or has had an incident, and it’s time to stop using incidents as the “sole measure” of an entity’s security posture. Instead, the measure should reflect how an entity responds to an event, including the overall operational impacts and how the business is effectively protected during and after an incident.
It also means that organizations need to make the right investments in security, while holding everyone -- including vendors -- accountable to a designated standard.
McMillan said organizations must recognize cyber incidents for the real threat that they are and commit to becoming more ready through better IR readiness, and making sure the organization is resilient by knowing how to continue operations while attacked.
“We need to build real resilience in our computing environment, but how do we do that?" asked McMillan. "Baselining through risk assessments, increasing testing activities, incorporating compromise assessments, validating controls technically, and running multiple IR exercises and tabletops to evaluate and train on how to respond more effectively."
McMillan said it means the industry has to finally invest in the technology it needs to fight back more effectively, tools like MFA internally, PAM, EDR, and real-time monitoring. “The simple truth is everyone is under attack today, not just you, but everyone you do business with or that supports you," McMillan said.
HHS regulatory changes beg for zero-trust approach
The last three years of enforcement actions from the Department of Health and Human Services (HHS) have supported the agency’s interoperability push and the drive to eradicate information blocking.
The info blocking rule went live in April 2021, and in less than a year, all electronic health information will be in scope for the HHS interoperability regulation.
Despite the ongoing pandemic response, healthcare organizations must prioritize the elements of these rules in the coming year. In particular, organizations need to better understand the relationships with business partners and their provided solutions, software, and endpoints, explained McMillan.
Especially as these rules rely heavily upon APIs, increased endpoints, and additional devices, hospitals need to better adapt to “new sprawling networks,” said CyberMDX's Magner. As security leaders have continued to stress in recent years, the shift must include the adoption of a zero-trust mindset.
“Applying the zero-trust model requires identifying each device, user or resource, authenticating them to the corporate network, and granting them the minimal access they need to function, based on a trust policy defined especially for them,” Magner said. “More simply it segments the network so that users only have access to what they need to do their jobs.”
“Why should the accounting department have network access to the devices radiology suite? Or why would the security cameras ever be connected to patient monitoring devices in the nurses’ station,” he added. “Zero-trust ensures that if a hack breaches one system, they won’t have network access to move laterally to other systems, ultimately helping contain breaches.”
Organizations should eliminate as many opportunities and avenues for hackers to exploit as possible, by requiring multi-factor authentication on all email accounts and eliminating privileged accounts, explained McMillan.
The zero-trust model can readily adapt to the need for increased access into networks, which stakeholders have continued to worry will only further longstanding vulnerabilities.
For McMillan, the regulatory shift poses a strong reminder for organizations to focus on elements critical to operations and care delivery. Proactive measures that reorient their security posture can stymie the impact, including the implementation “of active or offensive security tools and techniques into their defensive measures.”
Organizations should ensure they’ve rehearsed and trained for the “big event”, rather than just small incidents that lead to short durations of network outages. McMillan explained, “stop feeling safe inside your perimeter, you’re not. Secure internally as seriously as you do externally.”
McMillan worries that the industry still treats security as an afterthought, and not a hard requirement in new systems or product development. He said for four decades, he's heard it said that "security is always best when engineered up front," yet the industry still produces devices and solutions for healthcare that are insecure and have not gone through any level of security review prior to being put on the market.
“We have APIs being developed and deployed for critical systems that are not built securely,” McMillan said. “This will not change until the federal government makes security a mandatory requirement for approval or the market refuses to accept insecure products.”
Errol Weiss, chief security officer of the H-ISAC, views the current situation in healthcare from two extremes. The very large organizations, like those in the pharma and insurance sectors, have sophisticated cybersecurity teams and do a phenomenal job tackling some of the most crucial elements, on par with the financial sector.
But on the other end of the spectrum, provider organizations are struggling with their security investments and overall progress. Weiss said, "it’s a constant game of catchup, despite the continued progress on awareness and building resources or investments."
The reality: healthcare is simply underfunded and under-resourced. The industry has been leveraging a significant number of unpatched systems, many of which are enormously important to patient care and safety. Cybersecurity has become a serious problem that healthcare pros say must remain a top focus in the coming year -- even as the pandemic rages once again and healthcare organizations may face challenges in 2022 from any future variants.