Is cybersecurity at healthcare companies in need of a checkup?
Healthcare providers and health systems have traditionally been reluctant to adopt new technologies outside the realm of medical devices, equipment for new, more effective procedures and other tools for caring for their patients. When it came to implementing technologies that influenced how they managed their offices and practices, or how they interacted with patients, they were often well behind the curve. In fact, it was only about five to ten years ago that most physician offices installed computers in every exam room.
But that is all changing – and changing rapidly.
Now, the Patient Protection and Affordable Care Act (aka Obamacare) is incentivizing healthcare providers to implement electronic health records (EHRs) and embrace technology that can help reduce the overall cost of care. Healthcare providers are being encouraged to connect more via today’s advanced unified communications (UC) solutions to collaborate on care and reduce redundancies. Providers are even being encouraged to use video collaboration for telemedicine visits, wellness checkups and recording discharge instructions.
This is all incredible if it means better care, increased access and improved outcomes for patients. But it’s also creating another issue. Today’s medical devices are Internet connected. EHR data is stored online, and thanks to today’s video teleconferencing (VTC) solutions those records could even contain recordings of telemedicine visits. All of this sensitive health information is exposed for hackers to target.
To better understand the threat landscape facing healthcare companies, including providers, payers and even pharmaceutical companies, we sat down with an expert – Matthew Webb, a Senior Consultant at Ingenuity Associates. In his role at Ingenuity, Matthew works with companies on strategic IT and security implementations in one of the nation’s healthcare hotbeds, Nashville, TN.
During our interview, we asked Matthew about the threats facing healthcare companies, where they’re most vulnerable and what technologies they’re most interested in for protecting themselves and their patients. Here is what he had to say:
Matthew Webb: Healthcare companies are facing an ever-changing threat landscape that evolves along with the technology solutions they use within the enterprise. Services and solutions are moving cautiously to cloud-based offerings, new medical and specialty systems are being deployed to service business and care needs, and they’re embracing other new technologies to meet the demands of a growing population of increasingly technically savvy users, from physicians and care providers to vendors and patients.
Hospitals are more interconnected with patients, physician practices, specialty providers, vendors and state and federal systems than ever before. While patient safety is paramount, the support base for clinical and supporting systems faces daily decisions between system availability to support patient care and maintenance/management to reduce the vulnerability footprint.
In most cases, the platform administrators only focus their efforts on ensuring the availability of the systems. This decision presents more risk, near- and long-term to the organization, as patching and updating are not always a top priority.
Access Granted: Where are healthcare organizations most vulnerable? How does this differ across the healthcare space?
Matthew Webb: Healthcare organizations, like most other businesses, struggle to find long-term, secure solutions for addressing security threats that impact two key areas:
1) Vendor Managed Systems, especially those with shared credentials for management and administration, and;
2) End-users, where targeted spam/phishing attempts tend to be quite successful. This exists across the healthcare space and is not limited to a particular service.
Vendor management is mostly prevalent in the provider space, where solutions have become more specialized and complex and require the services of the vendor or dedicated third-parties to manage and administer the systems. The dependency for support forces the organizations to open up conduits through VPNs and B2B connections to their vendors, which also opens up vulnerabilities to bad actors.
Access Granted: What kinds of attacks are healthcare companies facing? How are these attacks being perpetrated?
Matthew Webb: Attacks are becoming increasingly sophisticated. Gone are the days where simple port filtering firewalls would prevent most network-based attacks. The threat agents are no longer technically savvy young-adults with an internet connection and too much free time. Attacks are targeted, planned and executed very efficiently through hacktivists and state-sponsored resources.
A recent attack example began with a targeted phishing email to a very limited set of users, with the purpose of gaining access to a list of users and their job roles. Once the roles and associated users were identified, the attackers focused on system administrators of a specific software with a second round of phishing. Using this approach, the attackers were able to social engineer a shared account and password and were able to acquire full administrative access to the system.
These types of attacks are difficult, if not impossible, to detect. To battle against them, organizations must rely heavily on solid security awareness training: making sure users can recognize phishing attempts, know not to divulge protected information such as passwords, and use unique accounts with strong passwords to perform system administration.
Access Granted: Are there any particular security policies or regulations that the healthcare industry needs to adhere to? What impact do these regulations have on healthcare companies?
Matthew Webb: HIPAA is probably the most well-known regulatory requirement specifically targeting the healthcare industry. Sarbanes-Oxley (SOX) is another regulatory requirement that payers or health systems must adhere to. PCI (Payment Card Industry) is most applicable for organizations that store, transmit or process credit or bank card transactions.
Given the myriad of regulations that must be adhered to, healthcare organizations have been leveraging the HITRUST framework as a means of aggregating controls across a number of regulations, based on standards and industry best practices, in an effort to identify the common denominator to meet the necessary requirements.
Access Granted: What security technologies are healthcare organizations looking to adopt? What technologies should they be interested in?
Matthew Webb: A number of the organizations we currently support are heavily focused on two-factor and multifactor authentication, and Privileged Account Management (PAM) solutions to address additional security for users accessing the environment from external sources, as well as users requiring elevated rights to perform duties.
Two-factor and multifactor authentication (MFA) is being leveraged in the provider and healthcare systems to ensure that external users are identified with additional factors, outside of traditional user names and passwords. While this is beneficial for the providers and health systems, it can be problematic for physicians that practice at multiple locations and therefore require multiple credentials to access the care providing systems. This is why embracing strong MFA solutions that also stress ease of use and convenience is essential.
Privileged Account Management (PAM) systems are helping wrangle administrative and shared access problems. As PAM solutions become integrated across multiple systems, organizations are able to gain tighter control over administrative access.
While MFA and PAM solutions do help solve validating and controlling user access to systems, healthcare organizations are looking for assistance in the accurate identification of external resources (vendors, third parties and contracted physicians). Effective management of external accounts is needed to reduce risk and exposure to data breach as well as ensuring compliance with regulatory requirements.
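The two shared-credential problems raised in the interview, the vendor-managed systems administered over VPN/B2B conduits with a common account and the shared administrator password that was social engineered through phishing, both leave a trace in authentication logs that a PAM rollout is meant to remove. As an added example (not from the interview, Ingenuity Associates or this site), the Python script below runs over constructed sshd-style log lines and flags (1) accounts accepted from several distinct source addresses inside a short window, the usual signal that one password is being passed around, and (2) successful logins to privileged accounts arriving from outside internal address ranges, the vendor conduits that should be sitting behind MFA and a PAM broker. The log format, host and account names, addresses, privileged-account list and the one-hour window are all assumptions for illustration.

```python
"""Flag shared-credential use and external privileged logins in auth logs.

Added example for this article; not code from the interviewee or Ingenuity
Associates. The log format, names and addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified sshd/syslog style (assumed format).
SAMPLE_LOG = """\
2015-03-02T08:01:10Z ehr-app01 sshd: Accepted password for svc_ehradmin from 10.20.1.15
2015-03-02T08:03:42Z ehr-app01 sshd: Accepted password for svc_ehradmin from 10.20.1.77
2015-03-02T08:04:05Z ehr-app01 sshd: Accepted password for svc_ehradmin from 203.0.113.9
2015-03-02T09:15:00Z ehr-app01 sshd: Accepted password for jdoe from 10.20.1.15
2015-03-02T13:20:31Z ehr-app01 sshd: Accepted password for jdoe from 10.20.1.15
2015-03-02T13:22:00Z ehr-app01 sshd: Failed password for svc_ehradmin from 198.51.100.4
2015-03-02T21:40:12Z ehr-app01 sshd: Accepted password for vendor_support from 203.0.113.9
2015-03-03T02:10:55Z ehr-app01 sshd: Accepted password for vendor_support from 198.51.100.4
"""

# Hypothetical list of accounts with administrative rights on the system.
PRIVILEGED = {"svc_ehradmin", "vendor_support"}

# Internal (RFC 1918) ranges; anything else is treated as an external conduit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into time-sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "Accepted",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_shared_accounts(events, window=timedelta(hours=1), min_sources=2):
    """Return {user: sorted source addresses} for accounts that were accepted
    from at least `min_sources` distinct addresses within any `window`-long
    period. Only successful logins count; failures do not prove sharing."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = defaultdict(set)
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            sources = {e["src"] for e in evs[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user].update(sources)
    return {user: sorted(srcs) for user, srcs in flagged.items()}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_privileged_logins(events, privileged=PRIVILEGED):
    """Successful logins to privileged accounts from non-internal addresses,
    as (timestamp, user, source) tuples in time order."""
    return [(e["ts"].isoformat(), e["user"], e["src"])
            for e in events
            if e["ok"] and e["user"] in privileged and not is_internal(e["src"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, srcs in find_shared_accounts(evs).items():
        print(f"shared-credential signal: {user} from {', '.join(srcs)}")
    for ts, user, src in find_external_privileged_logins(evs):
        print(f"external privileged login: {ts} {user} from {src}")
```

In the constructed sample, the shared service account shows up from three addresses inside a few minutes, while the individual user `jdoe` does not trip the check even across the day because every login comes from one workstation. The external-login list is the set of sessions that a PAM broker with MFA in front would turn into attributable, per-person access instead of a password known to a vendor team.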
For additional insight into how some recent cyber breaches have been perpetrated against healthcare companies, watch the replay of our recent webinar, “Anatomy of a Breach,” which analyzed the breach that impacted health insurance giant Anthem, among others.