Despite vague promises from ransomware gangs to avoid targeting healthcare organizations, headlines are typically filled with news of cyberattacks on hospitals that often result in thousands of leaked records and temporarily paused operations – including critical surgeries and other medical procedures.
It’s no surprise that hospitals have been a prime target because of the considerable amounts of data that hackers can encrypt and the ability of large hospitals to pay the ransom. However, hospitals and healthcare organizations face additional pressure from legal regulations, including GDPR and HIPAA, which require them to pay fines if they experience a data breach with subpar defenses in place.
More healthcare organizations have been moving to the cloud for greater flexibility, accessibility, and security. While the cloud can offer great benefits, it also expands the attack surface and creates a new layer of security complexity. Changing connections, permissions and other built-in security functions potentially creates new vulnerabilities for adversaries to take advantage of during this transition. Additionally, with the many disparate and legacy systems healthcare organizations so often use, the data transfer takes some heavy lifting.
As hospitals and healthcare organizations migrate to the cloud, they should follow these four tips for maintaining and advancing security practices to combat today’s ever-growing cyber threats:
- Consider risks inside and outside the organization.
Many organizations have a false sense of security about their secure perimeter around the cloud. Adversaries are continually becoming more sophisticated and advancing attack methods with phishing emails and other threat vectors that can grant them access to the network. More advanced hackers can also bypass state-of-the-art email security systems and combine ransomware attack methods with malware tools to exfiltrate data.
It’s also important to remember that insider threats can come from disgruntled employees, who can cause significant damage by leaking private credentials or other confidential information.
Healthcare institutions should also stay aware of third-party risks. Has the supply chain been locked down? Organizations should ensure they have secure and trusted partners – otherwise, the impact could be devastating. Earlier this year, San Diego Family Care experienced a data breach in which the sensitive data of 125,000 patients was compromised through its cloud provider. More recently, Humana has revealed that information on more than 4,000 patients was exposed following a ransomware attack on its billing and IT solutions vendor. Regardless of which party is accountable, hospitals and healthcare organizations are still held responsible for paying out insurance to cover all individuals whose data was compromised.
- Implement layered security with MFA.
With more data in the cloud and mobile access on smartphones, tablets and other devices, medical institutions need to add an extra layer of protection around their electronic protected health information (ePHI) through multi-factor authentication (MFA). By using MFA, healthcare organizations can help secure access to networks and applications, protect users, and address compliance requirements like HIPAA for the protection of regulated data. Whether it’s the VPN, email accounts, or web applications, MFA can help defend against the onslaught of attacks.
- Address gaps and vulnerabilities.
Healthcare institutions should run regular vulnerability scans to understand which critical points in their systems are most at risk across all databases, clouds, networks, and applications. Security practitioners need to understand where the IT network is susceptible to vulnerabilities, such as software flaws and configuration issues, so they can identify, classify, and remediate or mitigate the vulnerabilities that attackers could successfully exploit to access valuable data.
Taking this a step further, healthcare organizations should perform penetration testing to better understand the cyber risks not just across the technology, but also across their people and processes. Employees attempting to hack into the system can reveal how far they are able to infiltrate the network, so organizations can tighten defenses for the future.
These proactive security testing procedures better prepare the healthcare industry for attacks by understanding how threat actors are gaining entry, ultimately reducing risk and strengthening the overall security posture in the cloud and across their network.
- Partner with trusted third-party security providers.
Many healthcare organizations do not have a designated IT security team to maintain 24x7 coverage. In the cloud, organizations are potentially handing over the keys to their data and networks to third parties – creating a big security risk no matter who’s on the other end. Healthcare institutions have to remember that they are responsible for the security of thousands of confidential data files.
As healthcare institutions continue to move to the cloud, they should consult trusted third-party suppliers to ensure that all entry points to the network, including those from the supply chain, are covered so they can prepare to meet threat actors head-on. While we cannot perfectly predict how a threat actor will penetrate the system, organizations can ensure they have the appropriate level of security to secure their most vulnerable assets.
Don White, senior security consultant, Trustwave