MEDICAL NETWORK SECURITY
The healthcare sector is one of the most heavily targeted sectors for cyberattacks. According to the HIPAA Journal, 1,531,855 records were breached across 39 healthcare data breaches in February 2020 alone. The threat is not limited to large university hospitals: small and mid-sized hospitals, medical clinics, and long-term care facilities are hit as well. Nowhere in the healthcare sector is safe from cyberattacks. The reasons hospitals make such an attractive target for attackers, and the controls that address them, are discussed below.
MEDICAL NETWORK HARDENING IS THE NAME OF THE GAME
Medical network hardening refers to securing the basic communication infrastructure of the servers and computer systems operating within a given network. Simply put, it means tightening security configuration to reduce both the likelihood and the impact of an attack. It requires a multifaceted approach and touches every level of an organization's IT infrastructure. It is a necessary action item at a time when cyberattacks are growing rapidly and hospitals are among the most frequently targeted organizations.
The question then becomes: how do we balance tightening security controls with keeping sensitive medical data accessible? Data in a hospital environment, by its very nature, needs to be accessed, retrieved, and shared by many people through many channels at any given time.
Below, we will look at why healthcare is so susceptible to cybercrime and how medical network hardening can help balance existing security controls and data accessibility.
Protected health information (PHI) and other personal patient information are a hot commodity on the black market: a medical record supports insurance fraud and identity theft, and unlike a payment card number it cannot be cancelled and reissued. Because hospitals and medical facilities keep extensive electronic records rich in personal information, they are a prime target. There has been a surge in ransomware attacks on hospitals in recent years because the approach works: the intruder encrypts clinical systems and, increasingly, first copies patient data out of the network, then demands payment for the decryption key and for not publishing the stolen records. The hospital is, in effect, paying to buy back access to its own information.
The increased use of networked medical devices has been great for innovation and for patient treatment options, but a nightmare for security, because every connected device is another potential entry point. Devices such as X-ray machines, insulin pumps for diabetes, and implantable defibrillators now communicate over a network, and many run embedded or legacy operating systems that cannot be patched on a normal schedule. If an attacker can compromise a connected device, it can serve as a foothold to reach the servers that hold valuable data, or the attacker can interfere with the device itself and prevent the patient from getting the care it is meant to deliver.
We have said it time and time again: one of the first (and often underused and undervalued) lines of defense in cybersecurity is the end user. In practice this means a security awareness program for employees, one that explains how attacks happen and then trains staff in the everyday practices that stop them. Focusing on the most common threats, phishing and malware, helps employees recognize suspicious activity so that potential incidents are reported, investigated, and contained early.
For a hospital to function there needs to be a fairly broad degree of access to, and sharing of, sensitive data and protected health information across various entities, and this sharing happens daily. Data flows constantly across payment platforms and between insurance companies, sub-specialties, outside hospitals, clinics, and care facilities, to name a few. This information sharing is necessary to provide quality care to patients, but every such interface is also a potential weak point for an attack.
Tightening up cybersecurity is often done by engaging a Managed Security Service Provider (MSSP), which is especially valuable in this climate. An MSSP brings dedicated security expertise that most hospitals cannot staff in-house. One of the first things an MSSP will do in its security assessment is medical network hardening. A few of the core areas where security measures need to be focused are outlined below.
Email is the most common channel used in cyberattacks. These attacks often succeed in part because front-line employees have had no formal security training. Email attacks can be mitigated with a few straightforward controls:
- Web filtering software to block access to known malicious websites
- An external-sender tag on every email that originates outside the hospital, so that a message whose display name imitates a colleague or the IT helpdesk but which was sent from an outside domain is immediately visible as external
- Multi-factor authentication for access to email
- One named account per person with its own mailbox and no shared credentials, with passwords changed at least every 6 months and immediately whenever compromise is suspected; note that current NIST guidance (SP 800-63B) favors screening passwords against breached-password lists over rotation on a fixed schedule alone
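As an added illustration of the external-tagging control above (example code written for this page, not the hospital's or any vendor's mail gateway), the function below parses a raw message and prefixes the Subject with "[EXTERNAL]" when the From address, or a Reply-To address if present, is not on one of the hospital's domains. The internal domain list, the tag text and the two sample messages are assumptions constructed for the example. The point worth noticing is that the decision is made on the real address that parseaddr extracts, never on the display name, which is exactly the part an attacker controls.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for this example: the hospital's own mail domains.
INTERNAL_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}
EXTERNAL_TAG = "[EXTERNAL]"


def address_domain(header_value):
    """Return the lowercased domain of the real address in a From/Reply-To
    header. parseaddr separates the display name from the address, so a
    spoofed display name such as 'IT Helpdesk <x@evil.example>' is judged
    by the address, not by what the name claims."""
    _display_name, addr = parseaddr(header_value or "")
    if addr.count("@") != 1:
        return ""  # empty or malformed; treated as untrusted by the caller
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg):
    """True if From is missing or not on an internal domain, or if a Reply-To
    header points outside. Reply-To matters because replies to a message
    with a forged internal From go wherever Reply-To says."""
    if address_domain(str(msg.get("From", ""))) not in INTERNAL_DOMAINS:
        return True
    reply_to = msg.get("Reply-To")
    return reply_to is not None and address_domain(str(reply_to)) not in INTERNAL_DOMAINS


def tag_external(raw_message):
    """Parse a raw RFC 5322 message (bytes) and prefix the Subject with
    EXTERNAL_TAG when the message is external. Idempotent: an already
    tagged subject is left alone. Returns the EmailMessage."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if is_external(msg):
        subject = str(msg.get("Subject", "")).strip()
        if not subject.startswith(EXTERNAL_TAG):
            if "Subject" in msg:
                del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


# Constructed sample messages (not real mail): a phish whose display name
# imitates the hospital helpdesk, and a genuine internal message.
SPOOFED = b"""From: "IT Helpdesk example-hospital.org" <helpdesk@evil.example>
To: nurse@example-hospital.org
Subject: Password reset required today
Content-Type: text/plain; charset=utf-8

Click the link below to keep your account active.
"""

INTERNAL = b"""From: Dr. Lee <lee@example-hospital.org>
To: nurse@example-hospital.org
Subject: Rounds schedule
Content-Type: text/plain; charset=utf-8

See attached.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL):
        print(tag_external(raw)["Subject"])
```

In a real deployment this logic lives in the mail gateway or transport rules rather than in a script, and the domain list should be generated from the organization's accepted domains rather than hand-maintained; the example exists to show which header fields the decision must rest on.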
Access management is crucial to cybersecurity. Access and audit logs need to be in place to record who reaches which systems, and they need to be reviewed rather than merely collected. Employees need to be educated on the levels of access privilege in use and what those levels mean for the information they can reach. Common mitigation tactics in this area include:
- Automatic sign-out from every application after use, with no sharing of credentials between staff
- The principle of least privilege: each employee is granted access only to the minimum data and functions needed for their individual core job function
- Multi-factor authentication for access to cloud-based systems
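The monitoring side of the two controls above, as an added example for this page (not code from the original article or any product): the function below replays constructed login/logout records and flags the patterns those controls are meant to prevent, namely an account signed in on two workstations at once (a credential-sharing indicator), a session that ran far longer than a shift, and sessions never signed out. The log format, the eight-hour session limit and the workstation names are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: no session should outlive a shift.
MAX_SESSION = timedelta(hours=8)

# Constructed log lines (not from a real system), deliberately out of order:
# "<timestamp> <user> <workstation> <LOGIN|LOGOUT>"
SAMPLE_LOG = """
2020-02-03T08:00:12 jsmith WS-ICU-01 LOGIN
2020-02-03T06:00:00 abrown WS-LAB-02 LOGIN
2020-02-03T08:02:40 jsmith WS-ICU-02 LOGIN
2020-02-03T09:00:00 mlee WS-ER-03 LOGIN
2020-02-03T08:45:00 jsmith WS-ICU-01 LOGOUT
2020-02-03T09:10:00 rpatel WS-RAD-01 LOGIN
2020-02-03T11:30:00 mlee WS-ER-03 LOGOUT
2020-02-03T16:30:00 abrown WS-LAB-02 LOGOUT
""".strip().splitlines()


def parse_line(line):
    """Split one record into (datetime, user, workstation, event)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"malformed record: {line!r}")
    ts, user, host, event = fields
    return datetime.fromisoformat(ts), user, host, event


def analyse(lines, now=None):
    """Replay events in time order and return (finding, user, detail) tuples.

    SHARED_ACCOUNT  the account logs in on a second workstation while still
                    signed in on another one
    LONG_SESSION    a session exceeded MAX_SESSION before it was signed out
    LEFT_SIGNED_IN  a session was still open at the end of the log (or at
                    'now', if given)
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    open_sessions = defaultdict(dict)  # user -> {workstation: login time}
    findings = []
    for ts, user, host, event in events:
        if event == "LOGIN":
            others = sorted(h for h in open_sessions[user] if h != host)
            if others:
                findings.append(("SHARED_ACCOUNT", user,
                                 f"login on {host} while still signed in on {', '.join(others)}"))
            open_sessions[user][host] = ts
        elif event == "LOGOUT":
            start = open_sessions[user].pop(host, None)
            if start is not None and ts - start > MAX_SESSION:
                findings.append(("LONG_SESSION", user, f"{host} session lasted {ts - start}"))
    if not events:
        return findings
    end = now or events[-1][0]
    for user, hosts in open_sessions.items():
        for host, start in hosts.items():
            findings.append(("LEFT_SIGNED_IN", user,
                             f"{host} open since {start.isoformat()} ({end - start} ago)"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the replay reports jsmith sharing an account across two ICU workstations, abrown's ten-and-a-half-hour lab session, and two sessions (jsmith on WS-ICU-02, rpatel on WS-RAD-01) never signed out. The same logic applies to any system that logs session start and end with a user and a source, which is what the audit logs mentioned above should capture at minimum.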
As mentioned above, medical devices are at the cutting edge of patient care, but they introduce security risks of their own, and hardening has to extend to the device fleet. Recommendations to tighten the security of medical devices include:
- Maintain an accurate inventory of networked medical devices, and reconcile it regularly against what is actually seen on the network
- Understand each device's operating system, configuration, and what protected data it processes or stores
- Track vulnerability research, the manufacturer's MDS2 (Manufacturer Disclosure Statement for Medical Device Security) form, and FDA guidance so that known weaknesses are addressed promptly
- Run anti-malware software where the device supports it
- Enable the device's local firewall
- Always replace default passwords with long, unique ones that combine letters, numbers, and special characters, and never derive them from device or personal identifiers such as model, serial number, department, or a clinician's name
- If remote access to the device is necessary, require multi-factor authentication to grant it
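An added example of the inventory, operating-system and password points above, written for this page and not drawn from any hospital's tooling: reconcile() compares a small asset register with the devices actually observed on the clinical network, and password_is_acceptable() checks a proposed device credential against the password rule stated above. The register rows, the observed MAC/IP pairs, the end-of-support list and the 12-character minimum are all assumptions constructed for the example; Windows 7 itself did leave vendor support in January 2020.

```python
import string

# Constructed asset register (assumption: rows exported from the biomedical
# engineering CMDB). The MAC address is the stable key; IPs may change.
REGISTER = [
    {"id": "INF-PUMP-017",     "mac": "00:11:22:33:44:01", "os": "Linux 4.19",  "mds2_on_file": True},
    {"id": "CT-SCAN-02",       "mac": "00:11:22:33:44:02", "os": "Windows 7",   "mds2_on_file": True},
    {"id": "XRAY-PORTABLE-05", "mac": "00:11:22:33:44:03", "os": "Windows 10",  "mds2_on_file": False},
    {"id": "TELEMETRY-GW-01",  "mac": "00:11:22:33:44:04", "os": "VxWorks 6.9", "mds2_on_file": True},
]

# Constructed result of a passive discovery run on the clinical VLAN:
# (mac, ip) pairs actually seen on the wire, in mixed MAC notations.
OBSERVED = [
    ("00:11:22:33:44:01", "10.20.1.17"),
    ("00-11-22-33-44-02", "10.20.1.18"),   # dash notation from a second tool
    ("00:11:22:33:44:03", "10.20.1.19"),
    ("AA:BB:CC:DD:EE:FF", "10.20.1.99"),   # nobody registered this one
]

# Assumption: operating systems the biomed team has marked as out of vendor
# support (Windows 7 support ended in January 2020).
END_OF_LIFE_OS = ("Windows XP", "Windows 7")


def norm_mac(mac):
    """Normalize 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455 to one
    lowercase colon-separated form so the two data sources can be joined."""
    digits = mac.replace(":", "").replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(register, observed, eol_os=END_OF_LIFE_OS):
    """Return (finding, device_id_or_mac, detail) tuples for inventory gaps:
    devices on the wire that are not registered, registered devices not seen,
    devices on an unsupported OS, and devices with no MDS2 form on file."""
    findings = []
    registered = {norm_mac(d["mac"]): d for d in register}
    seen = {norm_mac(mac): ip for mac, ip in observed}
    for mac, ip in seen.items():
        if mac not in registered:
            findings.append(("UNKNOWN_DEVICE", mac, f"seen at {ip} but not in the register"))
    for mac, dev in registered.items():
        if mac not in seen:
            findings.append(("NOT_SEEN", dev["id"], "registered but not observed on the network"))
        if any(dev["os"].startswith(eol) for eol in eol_os):
            findings.append(("UNSUPPORTED_OS", dev["id"], f"runs {dev['os']}, out of vendor support"))
        if not dev["mds2_on_file"]:
            findings.append(("MISSING_MDS2", dev["id"], "no manufacturer disclosure statement on file"))
    return findings


def password_is_acceptable(password, identifiers, min_len=12):
    """Apply the password rule above: letters, digits and special characters,
    and nothing derived from device or personal identifiers (model, serial,
    department, clinician name). min_len is an assumption of this example."""
    if len(password) < min_len:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        return False
    lowered = password.lower()
    return not any(ident.lower() in lowered for ident in identifiers if len(ident) >= 3)


if __name__ == "__main__":
    for finding in reconcile(REGISTER, OBSERVED):
        print(*finding)
    print(password_is_acceptable("CT-SCAN-02!2020x", ["CT-SCAN-02", "Radiology"]))
```

The register and the discovery output are joined on the normalized MAC rather than on IP or hostname because DHCP and renamed hosts make those unreliable for devices that are wheeled between wards. Note that the password check is applied when a credential is set; the inventory should record only that a default credential has been changed, never the password itself.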