By Chris Morales, head of security analytics at Vectra.
Over the years, a few things have become clear about cyber attacks in the healthcare industry.
Through our own research as well as in the wider industry context, we know the real threat is already in healthcare networks in the form of privileged access misuse; the growth in healthcare IoT devices is overwhelming and dangerous; and a majority of attacks occur due to negligence and a lack of security awareness by insiders.
Within the healthcare industry many people have access to many patient medical records, making it very easy, and perhaps a bit enticing, for some to take advantage of that privilege.
Internal actors – meaning employees who access patient data out of curiosity or to commit identity fraud – are largely responsible for healthcare data loss, and healthcare is the only industry where this occurs at such an alarming rate.
Indeed, our own research demonstrated that human error and misuse occurred more frequently in the healthcare industry than external threats such as hacking or ransomware.
While most of the world worries about cyber attacks from people they have never met, security professionals in healthcare mostly worry about the people they talk to in the break room.
Even worse, motives seem to be a mix of financial gain – patient records are the most valuable form of digital personal data – and simple curiosity.
Those who are curious simply want to know what’s going on with others and the information is there for the taking.
A love affair with IoT devices
The ongoing proliferation of the internet of things (IoT) in the medical industry doesn’t help either.
These medical devices improve clinical care and outcomes but produce massive volumes of data about every patient who comes through the door, and most healthcare organisations don’t have a way to track what or where those devices are, or where they’re connecting to.
IoT devices might be the easiest target for attackers.
There are lots of them, a hospital or other healthcare organisation rarely knows how many exist on its site at any one time, and security is often not seen as a priority, especially over clinical imperatives. However, the risk is one that needs to be taken seriously.
We’ve seen cyber attacks evolve from authenticating through default admin passwords and using IoT for botnets, to the outright destruction of IoT devices by wiping their drives.
Granted, wiped devices can be restored, but the impact is far greater if those devices are needed to deliver critical care.
Take connected insulin pumps for example.
Just last year, the US medical device company Medtronic recalled a number of insulin pumps after discovering they had potential cyber security risks and were vulnerable to hacks.
Furthermore, in October 2019, the US Food and Drug Administration (FDA) warned patients, medical providers and hospitals that software in some medical devices could allow hackers to take control of items that connect to wireless networks or find a back door into entire hospital networks.
Recurring challenges
When it comes to cyber security, the healthcare industry faces a recurring set of challenges on a daily basis.
The first issue is that there is simply a lack of security professionals.
One person can only do so much in a day, yet healthcare security professionals are often tasked with doing more than is humanly possible, meaning tasks are either rushed or missed altogether, putting the organisation at risk.
The second challenge is a lack of money.
Hiring more people is tough because healthcare organisations have lean budgets. Due to this, they are tasked with finding operational efficiencies and doing more using what little they have.
And finally, there is a real lack of visibility across the industry.
A huge number of deployed IoT devices, coupled with the free flow of patient data in the network, creates internal blind spots about what’s happening.
The biggest threat is inside the network, where perimeter security is blind.
Curing the problem
When you factor in how long it takes to discover a data breach, it suggests that healthcare is losing the battle against cyber adversaries.
It’s not acceptable to find out weeks, months or years after a breach occurs, but unfortunately that is what’s happening.
So, what can be done? The answer lies in 360-degree visibility inside the network.
This includes the need to monitor across the cloud, data centre, IoT devices, and enterprise networks, as well as having the ability to carry out real-time attacker detection while prioritising all the detected threats so you know where to start.
However, that answer must address the challenges mentioned above, and there are four key parts to it.
Firstly, it’s important to eliminate the manual, time-consuming work of security analysts through implementing the capability to automate and prioritise detected threats.
Secondly, look at lowering the skills barrier needed to hunt down cyber threats.
Thirdly, consider that everything is connected, which makes for an easy target and a huge attack surface.
And finally, and perhaps the most vital aspect, provide visibility inside the network to see attackers – where they are, what they’re doing, and the compromised hosts and workloads they’ve exploited, or could potentially exploit.
This fundamental approach is advocated by a growing number of healthcare security professionals, many of whom are augmenting their security teams with AI-derived machine learning models to automate the early detection of cyber attackers, speed up incident response, investigate conclusively, and hunt for threats more efficiently.
It’s a battle that has been won by many healthcare organisations, but the industry still has work to do to ensure the protection of all of its patients, as well as their data.