Data security and HIPAA compliance at healthcare organizations around the nation have traditionally focused on one thing: protecting systems that contain and/or process patient information. Today’s headlines continually focus on security breaches that consist solely of patient information losses. Recently however, news stories concerning data security incidents at healthcare organizations involve not only patient information breaches, but also are introducing new risks related to patient health and safety.
Healthcare organizations collect and store a treasure trove of personally identifiable information (PII), including patients’ date of birth and social security numbers. Patient PII and health information/records are continuously at risk of compromise since they are considered high-value; the information is very appealing to nefarious individuals looking to either sell that information or use it for their own gains, such as using the stolen medical information for claims fraud.
Today, newer, ill-gotten financial incentives are keeping pace with a changing threat landscape. With the increased awareness and mitigation efforts involving fraud and identity theft, thieves are naturally moving into new areas of exploits to maximize profits.
Patient Privacy, Health and Safety
We’ve seen ransomware “in the wild” before, but it’s becoming increasingly common to see ransomware popping up in hospitals and other healthcare organizations. Ransomware is considered highly profitable to cyber-thieves because hospitals are easy targets and the stakes (patient health and safety) are too high for hospitals to not comply with high-dollar demands. In this recent CSO online article, criminals installed ransomware at the Hollywood Presbyterian Medical Center, which resulted in a network shutdown for more than a week, endangering patient health and safety. More and more of these situations will present themselves, and hospital IT staff must prepare themselves for ransomware incidents and incident response.
In the case of healthcare organizations, the Internet of Things includes networked medical devices such as blood pressure monitoring devices and fetal monitors. As is usually the case, great new technologies are developed and delivered with ease-of-use and productivity gains in mind, and with security built in as an afterthought or at some later date... if at all.
Let’s take for example a medical IV pump used to deliver medicine to a patient. While making the pump remotely accessible via the network seemed like a great idea to some, it also introduced remote attack techniques that could allow anyone with network access the ability to manipulate dosages.
Reports are also coming in concerning IoT devices increasing the threat landscape by introducing new remote attack vectors that increase the risk of internal compromise. Recently Security Expert and Blogger Brian Krebs reported that some newer IoT devices were/are establishing P2P networks to foreign sites. Not only were the P2P networks enabled by default, but they were also reported to resist efforts to disable those network services. Devices such as these not only present additional risk to the integrity of the physical internal network, but they also introduce new areas of privacy concerns, and are making it increasingly difficult to maintain control over data leaving the network.
Layered-security Still Works
It is not all doom-and-gloom however when it comes to implementing and managing technical security controls to safeguard patient data and protect data integrity and availability. Mitigating these new threats, as with previous threats, can be accomplished by using common security-in-layers or defense-in-depth techniques, such as:
- Applying business-use-only egress protocol firewall filter rules
- Implementing browsing security such as using OpenDNS for domain filtering
- Segmenting medical devices and locking down access to specific hosts/users
- Implementing a well-managed anti-virus program, on ALL hosts
- Implementing an effective software and hardware patching program
- Contracting periodic third-party internal and external Vulnerability Assessments, Penetration Testing and Social Engineering engagements
- Applying frequent employee ITSEC training
- Applying “principle of least-privilege” access controls
- Implementing IDS/IPS (host and network-based)
- Implementing mobile device access-controls, policies and procedures
- Implementing port security
- Securing third-party connections
- Securing user accounts
- Using two-factor authentication for remote access to internal (or cloud-based) resources
- Code signing
- Applying web filtering and proxy servers that also decrypt and inspect encrypted traffic
- Applying system hardening techniques using best practices
- Securing WiFi access using strong authentication and encryption protocols, segmenting the network, classifying data, ensuring there are DMZs in use instead of punching holes into the internal network, and so on
And, to help mitigate against ransomware attacks:
- Having a good backup process for ALL hosts/VMs!
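Two of the controls above, business-use-only egress rules and segmenting medical devices so that only specific hosts can reach them, are easy to state and easy to drift away from. The following is an added example (not code from the original article) of how a defender can audit flow or firewall logs against such a policy: it parses constructed key=value flow records and flags any medical-device flow to a non-allowlisted destination, any workstation initiating into the device segment, and any Internet-bound traffic on a non-business port (such as the P2P-style connections the article mentions). The network ranges, server addresses, port sets and log lines are all constructed assumptions for illustration.

```python
"""
Egress/segmentation policy audit over constructed flow-log lines.
Illustrates "business-use-only egress" and "segmenting medical devices and
locking down access to specific hosts" from the layered-security list.
All networks, hosts and log lines below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Constructed policy (assumptions, not real addresses) -------------------
MEDICAL_DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")   # IV pumps, monitors
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Medical devices may only talk to these internal services, on these ports.
DEVICE_ALLOWED_DESTS = {
    ipaddress.ip_address("10.10.1.20"): {443},   # clinical monitoring server
    ipaddress.ip_address("10.10.1.53"): {53},    # internal DNS
    ipaddress.ip_address("10.10.1.123"): {123},  # NTP
}
# Only these hosts may initiate connections INTO the medical device segment.
DEVICE_MANAGEMENT_HOSTS = {
    ipaddress.ip_address("10.10.1.20"),  # monitoring server
    ipaddress.ip_address("10.10.2.5"),   # biomed engineering jump host
}
# Business-use-only egress ports for everything else leaving the network.
BUSINESS_EGRESS_PORTS = {80, 443, 25, 587}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a key=value flow record such as
    'src=10.50.0.12 dst=10.10.1.20 proto=tcp dport=443'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]),
                ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(),
                int(kv["dport"]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return a policy-violation reason, or None if the flow is permitted."""
    src_is_device = flow.src in MEDICAL_DEVICE_NET
    dst_is_device = flow.dst in MEDICAL_DEVICE_NET
    # Rule 1: medical devices talk only to the allowlisted services/ports.
    if src_is_device:
        allowed_ports = DEVICE_ALLOWED_DESTS.get(flow.dst)
        if allowed_ports is None or flow.dport not in allowed_ports:
            return "medical device contacting non-allowlisted destination"
        return None
    # Rule 2: only management hosts may initiate into the device segment.
    if dst_is_device and flow.src not in DEVICE_MANAGEMENT_HOSTS:
        return "unauthorized host initiating into medical device segment"
    # Rule 3: egress from the internal network is business protocols only.
    if flow.src in INTERNAL_NET and flow.dst not in INTERNAL_NET:
        if flow.proto != "tcp" or flow.dport not in BUSINESS_EGRESS_PORTS:
            return "non-business egress protocol/port"
    return None


def audit(lines) -> List[Tuple[str, str]]:
    """Return [(line, reason)] for every flow record that violates the policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.50.0.12 dst=10.10.1.20 proto=tcp dport=443",    # pump -> monitoring: ok
    "src=10.50.0.12 dst=198.51.100.7 proto=tcp dport=443",  # pump -> Internet: violation
    "src=10.50.0.15 dst=10.20.3.4 proto=tcp dport=22",      # pump -> workstation: violation
    "src=10.20.3.4 dst=10.50.0.12 proto=tcp dport=80",      # workstation -> pump: violation
    "src=10.20.3.4 dst=203.0.113.9 proto=udp dport=6881",   # P2P-style egress: violation
    "src=10.20.3.4 dst=203.0.113.9 proto=tcp dport=443",    # HTTPS egress: ok
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {line}")
```

Running the block against the six constructed records reports four violations. In practice the same check can be fed from exported firewall "allow" logs: anything it flags is traffic the firewall permitted but the written policy does not, which is exactly the drift that periodic assessments are meant to catch.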
Keeping data out of the wrong hands is becoming more of a challenge now with the advent of IoT, as these devices are primarily designed to make patient access and care easier. Removing traditional physical access restrictions from medical and other devices (i.e., turning them into “smart” devices), and then adding them to already insecure networks, greatly reduces the security posture of those devices and the data they possess or process. Medical organizations must now also contend with malware designed to bring electronic business to a halt, endangering patient health and safety.
IT security policies and procedures must not only focus on safeguarding patient health information in an ever-increasing/changing threat landscape, but also incorporate protections designed to mitigate risks related to patient health and safety, along with risks associated with data integrity and availability.