09 Sep 2022 State of Security: Healthcare Edition
In today’s digital world, cybersecurity in the healthcare space and protecting information is vital for the normal functioning and efficiency of organizations. Many healthcare organizations have various types of specialized healthcare information systems such as EHR systems, e-prescribing systems, practice management and clinical decision support systems, radiology information systems, claims and payor systems, and computerized physician order entry systems – all relying on vendors in the space to deliver these systems securely. This wide array of assets presents a challenge for security professionals in this sector, as each system could open the door for vulnerabilities. If you are on the security team for any healthcare organization, below are threat vectors where your focused attention should be given.
Email is a primary means for communication within the healthcare industry vertical. Information of all kinds is transacted, created, received, sent, and maintained within email systems. Mailbox storage capacities tend to grow with individuals storing all kinds of valuable information such as intellectual property, financial information, and at times, patient information. With such high-risk information being stored and transferred, email security is a very important part of cybersecurity in the healthcare sector.
Phishing is the single largest threat vector for almost any industry, and the healthcare space is frequently targeted. Most significant security incidents are caused by phishing. Users may unknowingly click on a malicious link or open a malicious attachment within a phishing email and infect their computer systems with malware. In certain instances, that malware may spread via the computer network to other computers. The phishing email may also elicit sensitive or proprietary information from the recipient. Phishing emails are highly effective, as they typically fool the recipient into taking a desired action such as disclosing sensitive or proprietary information, clicking on a malicious link, or opening a malicious attachment.
Accordingly, regular security awareness training is key to thwarting phishing attempts. This was and continues to be a primary area of focus at HealthTrio, with investments made in technologies that help deliver timely security awareness training, exercises, and rewards for participation in the form of gamification. We also proactively train employees to recognize phishing emails by putting together monthly phish campaigns, which help keep our culture security-centric. Doing so also gives our security team insight into what is and is not working, in an effort to secure the information technology infrastructure and data assets.
The challenge of security vs efficacy. Most of the platforms the healthcare industry relies on begin with software development. Typically, teams of developers are building or improving applications for the industry at large depending on specific market needs. Often, these teams work in cloud or hybrid environments because of the scalability and the ability to run proofs of concept quickly. Security is continuously challenged to provide the flexibility developers need to get the work done, while ensuring the security posture of the organization maintains high standards. The earlier security is inserted into the SDLC process, the better. Close collaboration between security and development teams should be cultivated, with attention to training and tooling around this endeavor.
Legacy systems are those systems that are no longer supported by the manufacturer or vendor. These may include applications, operating systems, hardware or otherwise. One challenge for cybersecurity in healthcare is that many organizations have a significant legacy system footprint. The disadvantage of legacy systems is that they are typically not supported anymore by the manufacturer and, as such, there is generally a lack of security patches and other updates available.
Legacy systems may exist within organizations because they are too expensive to upgrade or because an upgrade may not be available. Operating system manufacturers may sunset systems, and healthcare organizations may not have enough of a cybersecurity budget to be able to upgrade systems to presently supported versions.
With these types of threats not going away, and seemingly only going to get more prevalent, risk assessment becomes paramount for security programs in healthcare. Risk needs to be assessed, measured, and prioritized. This is the key to getting the business to understand the risks. Organizations that function in this space should align with industry-accepted security frameworks, such as HITRUST, not only to provide a level of assurance to other partners in the space, but also to identify areas where their own security posture may need improvement.
The core components organizations in the healthcare market should focus on are:
- Create a culture of cybersecurity
- Strong cybersecurity policies and procedures
- Focus on identity and access management – Zero Trust, MFA and strong process
- If you can’t see it, you can’t protect it. – SIEM technologies, vulnerability management, compliance, threat intelligence
Lastly, as a community we must acknowledge that healthcare data is a very lucrative temptation for bad actors looking for a payday. Some research indicates that stolen healthcare records can be worth 10 times more than a credit card on the black market. Our challenge in cybersecurity is that we are the most attacked business sector, and we influence every aspect of the healthcare industry. We have to pay close attention not only to how these breaches occur and what methods criminals use to achieve their goals, but, as defenders, find ways to collaborate and ensure that we work together with our partners, clients, and third-party vendors towards the same goal. With all of the concerning issues facing healthcare, perhaps one of the wildest articles I’ve read recently concerns the evolution of malware. Researchers from Israel, for example, announced last year that they had created malware capable of adding tumors into CT and MRI scan records, potentially fooling doctors into misdiagnosing patients. This highlights the importance of cybersecurity, as it isn’t just financial loss and reputation at stake. There are human lives at stake too.
Amid rising cyber-attacks and increased cybersecurity risks, HealthTrio stays committed to keeping up with ever-emerging security threats and speeding up our response time, while giving our customers confidence that we will strive to develop effective and efficient execution of information security best practices.
Kurt Myers, Chief Information Security Officer