Challenges in Healthcare Cybersecurity
By Tripwire Staff
Have you ever wondered how much your patient health record could garner on the black market? Whereas a cybercriminal only needs to shell out a mere dollar for your social security number, your electronic health record (EHR) is likely to sell for something closer to the tune of $50.
This is according to research firm Cybersecurity Ventures, who also projects healthcare cybersecurity spending to reach a cumulative $65 billion globally between the years 2017 and 2021. The healthcare industry has to shell out so much of their budget toward cybersecurity because of a few areas in which its systems are severely lacking.
Challenges in Healthcare Cybersecurity
This year’s Verizon Data Breach Investigations Report found that healthcare is the only vertical suffering from more insider breaches than external breaches. It’s not that doctors and nurses are spending their days slinging EHR files on the dark web: Much of the insider threat in healthcare is about a lack of basic cyber hygiene.
When foundational cyber hygiene practices like privilege escalation monitoring and security configuration management aren’t in place, human error takes the reins.
Doctors put years of their life toward becoming medical experts, but the digitized nature of the systems they interact with daily demands that their training include a basic understanding of cybersecurity, as well — and they’re by and large not getting that training. And security teams at healthcare organizations are often lacking the tools and solutions they need to maintain HIPAA compliance, reduce the overall attack surface of their systems, and continuously monitor for vulnerabilities.
Let’s take a look at three use cases for dealing with some of the most pressing cybersecurity issues faced by the healthcare industry today.
1. Achieving System Hardening and Standards Alignment
Problem: You don’t use an internal hardened build standard to verify against your current state.
Solution: Align with and implement a known and trusted standard as soon as possible.
To continuously monitor your systems for vulnerabilities, you need to first establish a secure baseline. You can then compare changes to that baseline and investigate any relevant vulnerabilities. Ideally, baseline evaluation begins at the same time that assets are created. But it’s often the case that you need to define your baseline once your systems are already experiencing traffic.
In either case, you’ll need to map to an established external framework — or several frameworks at once. These frameworks include HITRUST, NIST, DISA, CIS and HIPAA. Some, like the CIS controls (that’s Center for Internet Security) aren’t legally mandated frameworks. They serve instead as invaluable step-by-step guides to help you secure your systems.
Compliance with other frameworks, like HIPAA, are enforced by rigorous audits. Once you’ve targeted the standards you need to align with, find a solution that gives you:
- An immediate view of your current system state in real time
- Visibility into users, groups, shares, installed software, ports and services
- Reports of the impacts changes have on your compliance posture
- Integration with existing build and hardening processes
- Vulnerability assessment for risk scoring of changes
2. Automating the Review of EHR Change Data
Problem: No automation in the review of changes to patient data and electronic records.
Solution: Use a solution that reports on key EHR record changes – patient, financial and insurance.
EHRs contain your medical information and history, but also your financial and insurance details — one of the reasons patient data is in such high demand amongst cybercriminals. Implement health record monitoring solutions for MSSQL, Oracle and DB2 to help you capture changes in scope, processes and jobs. Leverage your existing processes and implement robust change and security configuration management solutions.
Make sure you have identified exactly what records are in scope and how detailed your visibility is when it comes to liability for patient data.
3. Visibility into Access Privileges
Problem: It’s unclear who has access to the systems in scope for EHR and the changes they make.
Solution: Develop processes and training around building system-wide situational awareness.
Between the hundreds or thousands of employees, contractors and vendors who touch your systems, any lack in visibility creates a higher risk for unchecked privilege escalation (remember those disproportionate insider threats?), which can become very problematic very quickly when individuals become curious about health records they shouldn’t be privy to.
Make sure you’re using a solution that helps you adhere to the following steps to keep EHR data in the right hands only:
- Match expected approved changes with actual changes
- Verify change deployment completeness
- Validate vendor updates and separate them from out of band changes
- Highlight unexpected changes
- Separate approved changes that impact security control posture
- Maintain OS vendor updates
- Discover assets in the environment
Patient data may be a hot ticket item on the black market, but you can keep threat actors from pilfering your EHRs by practicing basic cyber hygiene.
More AEHIS News
- Erik Decker on New “Health Industry Cybersecurity Practices” – Erik Decker, Chief Information Security and Privacy Officer, University of Chicago Health
- 2019 Board Leadership – Sean Murphy, CISO, Premera Blue Cross
- Craft Our Community, Join a Committee – Will Long, VP & CISO, Children’s Health
- AEHIS 2018, A Year In Review – Zach Donisch, Director, AEHIS, AEHIT, AEHIA Membership