Endpoint security: The medicine required to cure healthcare’s cybersecurity woes – MedCity News
The healthcare industry has been reported as the second most targeted industry from cyberattacks. Following the business sector, healthcare sees the largest number of threats designed to specifically target their data.
Why? The answer blends target-rich opportunities, due to the sheer number of internet-connected devices in use, and a significant number of endpoints that remain inadequately secured. This combination provides fertile grounds for bad actors to exploit vulnerabilities to cash in through ransomware attacks or by selling Patient Health Information (PHI) obtained through a data breach.
According to a Healthcare Cyber Trend Research Report, there were 521 major data breaches due to IT/hacking in 2021, an increase of over 25% since 2020.
Still not convinced that cybersecurity is an integral part of the healthcare landscape?
43,096,956. This is the number of patient records impacted from cyber threats against U.S. healthcare organizations in 2021 alone.
As a regulated industry, HIPAA ensures that patient data confidentiality and integrity are maintained and sufficiently preserve patient privacy. Severe consequences, not limited to penalties involving fines and/or criminal liability, await any organizations found violating these regulations.
Despite dire numbers and high-risk ranking, there are several resources available to help healthcare organizations:
- secure their endpoints
- safeguard patient data
- mitigate risk from threats targeting their systems
Additionally, guidance from government agencies, like the Federal Bureau of Investigation (FBI) and Cybersecurity & Infrastructure Security Agency (CISA) assist organizations address these security needs.
Risk assesment
Before we dive into how to protect endpoints, we first need some information:
- What needs protection?
- What does it need protection from?
While a complete guide to risk assessment is beyond the scope of this article, the two questions above will provide the critical information regarding the types of devices they own along with a count of how many devices are in use. They also provide insight into the types of threats that exist as they relate to each of the device types within an organization.
For example, an on-premise web server hosting a web app that gives healthcare providers access to intake patient data will typically see risk from SQL injection attacks, insider threat and unpatched vulnerabilities — to name some common forms of risk. Compared to a laptop used by a physician performing home visits, risk assessments in that instance would yield differing results, like unencrypted data on the storage drive, weak passwords, misconfigured settings and unpatched vulnerabilities.
Some risk will overlap with other endpoints, while others may be unique to a specific device type. That’s why it’s critical to perform a thorough risk assessment and identify each device type and use case. With a better understanding of which threats are more likely to affect which endpoints, organizations are positioned to develop a plan to protect against threats before they’re exposed to an attack or data breach.
Common threats affecting healthcare
After the risk assessment has been performed, IT and security teams can begin building out a cybersecurity plan for mitigating the risk posed to identified endpoints.
Again, some mitigation strategies might appear to be universal or applicable across the board to all endpoints, while others will be specific to a particular device type. Unfortunately, there are no real “silver bullet” solutions, or plans that can address all concerns with one type of solution. Organizational needs are unique and so are their risk appetites.
With that said, here are the 10 most common security threats affecting healthcare organizations:
- Malware (ransomware)
- Insider threats
- Phishing campaigns
- Device misconfigurations
- Denial of Service (DoS)/Distributed DoS (DDoS)
- Internet of Things (IoT)
- Data leaks
- Insufficient employee training
- Unsecured network connections
- Compliance monitoring
Combined with your organization-specific risk assessment, this list should serve as the foundation in the development of your mitigation plan.
Mitigating cyber threats
Armed with risk assessment data and awareness of the threats that affect your unique work environment, the next step in developing your cybersecurity plan is to implement the controls to: shore up security, protect patient data and preserve privacy while also constructing an iterative protection process that incorporates regular training and real-life learnings. Alongside these benefits, constant monitoring of endpoint health builds upon the defense in depth paradigm to mitigate existing risk while helping protect against future threats.
The word “iterative” is key here, as it ties in with the silver bullet statement made earlier. There is no one-size-fits-all solution for comprehensive security or holistic support for all your endpoint’s OS types. An iterative approach requires continuous effort, building upon what has come before and strengthening your device security posture. Organizations should reject a “set and forget” mentality, which only draws concerns if a threat is detected.
Security — much like advancements in healthcare — never stagnate. Both are dynamic and evolving. Your IT and security practices should also continuously evolve to protect yourselves from attacks without sacrificing productivity or privacy.
The threat mitigations that are based on best practices and recommended by the FBI, CISA and US Dept. of the Treasury with healthcare organizational security in mind are as follows:
- Maintain offline backups of critical/sensitive data and regularly perform tests of backup and restoration functionality to verify processes are working properly and data is recoverable.
- Follow the principle of least privilege and provision access permissions to users based solely on the minimum rights necessary to perform their job role or task — nothing more.
- Implement network threat defense solutions, such as content filtering, which blocks phishing domains and other malicious URLs, preventing users from accessing risky content.
- Harden device configurations based on established security frameworks, like those from the National Institute of Standards and Technology (NIST) or Center for Internet Security (CIS) that provide guidance and benchmarks to securely configure, or lockdown endpoints.
- Establish partnerships with upstream network providers and organizations that provide response assistance in mitigating network-based attacks, such as DoS/DDoS attacks.
- Deploy public key infrastructure (PKI) and digital certificates to authenticate connections accessing data on the network, like IoT-based medical devices.
- Utilize technologies to encrypt data at rest on storage devices that work with critical, sensitive and/or PHI data to ensure that it is not readable by unauthorized parties, even if the data itself is lost or stolen.
- Invest in stakeholder training on an ongoing basis, relating to security issues and concerns, including developments of new threats based on assessment of threat intelligence and trends.
- Institute network management principles to segment network traffic into smaller, more manageable networks based on access needs, similar to least privilege. Additionally, deploy secure remote access technology, like Zero Trust Network Access (ZTNA), which ensures data in transit is secure regardless of which network or connection is used.
- Implement monitoring of endpoints with real-time alerting and granular reporting capability to determine device health at all times while receiving alerts as to any changes, allowing IT and Security teams to remediate issues and maintain device compliance.
Don’t wait until after a data breach has occurred. There’s never a wrong time to develop or strengthen security procedures and cybersecurity practices to address your healthcare organization’s needs or protect your patient’s health data. The only mistake is waiting.
Photo: traffic_analyzer, Getty Images