By Dan Featherman   /   Oct 12th, 2021

The Unique Challenges of Healthcare Cybersecurity & How to Reduce Your Organization's Risks

The cybersecurity landscape is constantly changing, and while every industry faces challenges, healthcare cybersecurity is uniquely complex. Why? Cybersecurity often reduces the efficiency of existing processes by adding processing time, consuming resources, or requiring additional administrative overhead. These inefficiencies can manifest in unforeseen ways, like the couple of seconds it takes to re-authenticate every 8 hours or to enter a Multi-Factor Authentication (MFA) one-time code, or even the fraction of a second it takes to encrypt and decrypt data. In a clinical workflow, those seconds repeat for every clinician on every shift, and they add up.

Healthcare Cybersecurity Challenges & Solutions

Below are some of the unique challenges facing the healthcare industry, as well as some recommendations for addressing them:

  • Challenge #1: Adding Multi-Factor Authentication (MFA) to your healthcare cybersecurity solutions. There is no question that adding an additional authentication factor increases account and system security. However, that factor adds a small amount of time to every authentication, which in aggregate could add up to more time than you’d expect. Further, MFA brings additional challenges in healthcare, including enforcing it on legacy systems that may not support it, and using biometrics for authentication while Personal Protective Equipment (PPE) such as gloves and masks is in use.
    • Solutions: To mitigate biometric authentication issues, there are a few good options to consider: unlocking with an Apple Watch on iOS, or using Smart Lock on Android. Unfortunately, there are few courses of action for legacy systems that do not support MFA. However, you can reduce your risk through network segmentation: isolate the affected hosts and reduce their attack surface using Virtual Local Area Networks (VLANs) and Access Control Lists (ACLs). In addition, pressure the manufacturers of any systems without MFA support to update their software and operating system versions, and place these systems on your upgrade planning list (even though the upgrade may take a very long time, this at least informs your management of the risk).
  • Challenge #2: To patch or not to patch? Regular patching is cybersecurity 101. However, healthcare cybersecurity is not that simple. Healthcare organizations use very specialized equipment, often costing hundreds of thousands, or even millions, of dollars. This equipment is designed and tested to run on, or be administered by, specific operating systems. Unfortunately, the lifecycle of the equipment rarely follows the operating system lifecycle, which means obsolete operating systems must continue to be supported on the organization’s network. Applying a critical Operating System (OS) patch could void the equipment’s warranty or result in the manufacturer refusing to support the equipment, and that can have huge impacts on patient care. When conducting penetration tests of healthcare networks, it’s not uncommon to still see Windows 7 or even XP in use because of these manufacturer requirements to maintain outdated software versions.
    • Solutions: This is one of the more frustrating aspects of healthcare cybersecurity. Outside of pressuring manufacturers to update their supported software and operating system versions and isolating the affected systems through network segmentation, these gaps will remain. With few viable solutions, consider monthly proactive threat hunting so you can catch attackers who breach your defenses before they reach critical PII or PHI or do significant damage.
  • Challenge #3: Host hardening. According to the National Institute of Standards and Technology (NIST) Special Publication 800-123, Guide to General Server Security, host hardening should include disabling unnecessary services, applications, and network protocols, as well as configuring strong authentication and appropriate resource controls. Hardening of healthcare systems and medical devices is seldom supported by equipment manufacturers. Basically, any configuration change that deviates from the vendor’s “recommended” (read: required) configuration could result in a loss of vendor support. Simple things like disabling unnecessary services, enabling the Windows firewall, or removing local administrator privileges could result in the vendor refusing to provide support for that multi-million-dollar radiology device your organization purchased a few years ago. To this day, one of my most memorable pentests was of a medical device that was not adequately hardened and led to me obtaining root access because of an exposed web console running with easily guessable administrator credentials.
    • Solutions: Again, the recommendation here is to pressure the vendor to update their supported software and operating systems, and to limit the affected devices’ attack surface through network segmentation and ACLs. Monthly proactive threat hunting is also a good idea.
  • Challenge #4: How to implement segmentation. Network segmentation is the practice of compartmentalizing a network, and it can be a very effective compensating control for other risks. However, segmentation presents its own challenges in the form of additional administrative overhead for IT and networking staff, as well as complicating troubleshooting efforts. Because of these challenges, we often see healthcare networks that are much “flatter” than they should be, meaning devices can reach other devices with which they have no business need to communicate. A lack of segmentation makes lateral movement through a network much easier, which means malware, including ransomware, can spread much more easily.
    • Solution: Network segmentation should be discussed with senior leadership and a unified vision should be established. Segmentation should absolutely be enforced, but finding the right balance between isolation and operational overhead can be challenging.
  • Challenge #5: Staffing shortages. You might be thinking, “doesn’t every industry that relies heavily on technology have IT staffing issues?” And you’d be right! However, healthcare cybersecurity is especially impacted by this issue for a few reasons. The first is that healthcare is a truly “mission critical” industry in which downtime is unacceptable, and, as noted above, downtime can affect patient care and could even result in lives lost. The second is that healthcare organizations need larger technical teams than most industries, and those teams must be highly skilled and capable: healthcare maintains more devices per user than other industries, in addition to maintaining endpoint support, networking, and security teams. On top of all of this, healthcare has HIPAA compliance requirements, and that means additional overhead.
    • Solutions: Consider supplemental resources from service companies when possible, and continue to look for candidates who prioritize confidentiality, integrity, and availability (a.k.a. the “CIA triad”). Ensuring these three objectives are maintained at the highest level is especially important for healthcare cybersecurity, and that requires qualified professionals and healthy budgets.
  • Challenge #6: Remote access security. Few industries were changed as quickly by the COVID-19 pandemic as healthcare. Although telemedicine existed in “the before times,” it quickly became commonplace. Additionally, collaboration platforms (like Teams, Zoom, Slack, etc.) were quickly implemented. These tools are fantastic when properly implemented, but unfortunately the pandemic forced faster-than-normal rollouts and, in some cases, risks that had previously been unacceptable were accepted. LMG’s Incident Response team has been called in to help address numerous ransomware outbreaks and Business Email Compromise (BEC) incidents due to exposed Remote Desktop Protocol (RDP) or a lack of Multi-Factor Authentication (MFA).
    • Solution: Ensure remote access technologies use strong, modern encryption protocols and cipher suites, as well as certificates from trusted Certificate Authorities (CAs). Accounts should use strong passwords (preferably 16 characters or more) and EVERY account should be configured with MFA. Remote access technologies should be monitored for unauthorized or suspicious use, and logs should be retained in accordance with the organization’s record retention policy. If you’re concerned your solutions have security gaps, consider a remote work risk assessment.
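The segmentation recommendation in Challenges #2, #3 and #4 comes down to one rule: a device may only reach peers for which a business case exists, and everything else is denied at the VLAN boundary and logged. The script below is an added example, not code from the original article or from LMG Security. It encodes that rule as an allow-list, audits constructed NetFlow-style records against it to surface the kind of flat-network traffic a threat hunt should flag, and renders the same allow-list as Cisco IOS extended ACL entries. All segment names, address ranges, ports and flow records are made up for illustration; real addressing and the set of required flows will differ.

```python
"""Segmentation policy audit: flag flows with no business case.

Added example (not from the original article). Models the "flat network"
problem: on an unsegmented network a compromised legacy modality can reach
anything, so the policy below only permits flows a clinical workflow needs.
All segments, addresses, ports and flow records are constructed.
"""
import ipaddress

# Constructed segments, one per VLAN. Real addressing will differ.
SEGMENTS = {
    "imaging":     ipaddress.ip_network("10.20.0.0/24"),  # legacy modalities (unpatchable OS)
    "pacs":        ipaddress.ip_network("10.30.0.0/24"),  # image archive servers
    "clinical_ws": ipaddress.ip_network("10.40.0.0/24"),  # clinician workstations
    "mgmt":        ipaddress.ip_network("10.50.0.0/24"),  # admin / vendor jump hosts
    "corp":        ipaddress.ip_network("10.60.0.0/24"),  # general office IT
}

# Allow-list of (src segment, dst segment, TCP port). Anything not listed is a
# flow for which no business case has been established.
POLICY = {
    ("imaging",     "pacs",    104),   # DICOM to the archive (IANA-registered port 104)
    ("clinical_ws", "pacs",    443),   # web viewer over TLS
    ("mgmt",        "imaging", 3389),  # RDP to modalities only from the jump segment
}


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def audit_flows(flow_lines):
    """Check 'src,dst,dport' records against POLICY; return the violations.

    Each violation is (src, dst, dport, reason). Reasons:
      'unknown-segment'  an endpoint is outside every defined VLAN
      'no-business-case' the segment pair/port is not in the allow-list
    Intra-VLAN traffic is not checked: a VLAN ACL does not see it.
    """
    violations = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        s, d, port = segment_of(src), segment_of(dst), int(dport)
        if s is None or d is None:
            violations.append((src, dst, port, "unknown-segment"))
        elif s != d and (s, d, port) not in POLICY:
            violations.append((src, dst, port, "no-business-case"))
    return violations


def render_acl(name="MEDDEV-SEGMENTATION"):
    """Render POLICY as Cisco IOS extended ACL lines (illustrative syntax)."""
    lines = [f"ip access-list extended {name}"]
    for src, dst, port in sorted(POLICY):
        s, d = SEGMENTS[src], SEGMENTS[dst]
        # IOS ACLs take wildcard masks, which ipaddress exposes as hostmask.
        lines.append(
            f" permit tcp {s.network_address} {s.hostmask} "
            f"{d.network_address} {d.hostmask} eq {port}"
        )
    lines.append(" deny ip any any log")  # default deny; the log feeds threat hunting
    return lines


# Constructed flow records (NetFlow-style, trimmed to src,dst,dport).
SAMPLE_FLOWS = """
# src,dst,dport
10.20.0.15,10.30.0.5,104
10.40.0.22,10.30.0.5,443
10.60.0.77,10.20.0.15,445
10.20.0.15,10.40.0.22,445
10.50.0.9,10.20.0.15,3389
192.168.99.4,10.30.0.5,104
""".splitlines()

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", *v)
    print("\n".join(render_acl()))
```

Run against the sample, the two SMB (445) flows are the ones to worry about: office IT reaching a modality, and a modality reaching a clinician workstation, both paths ransomware would take on a flat network. The unknown source address is flagged separately because a device nobody has assigned to a segment is exactly the kind of thing segmentation projects miss.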
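The Challenge #6 solution says remote access should be monitored for unauthorized or suspicious use. The script below is an added example, not code from the original article or from LMG Security, of what that monitoring looks like for RDP: it reads a constructed, simplified rendering of Windows Security log events 4625 (failed logon) and 4624 (successful logon), keeps only LogonType 10 (RemoteInteractive, i.e. RDP), raises an alert when one source address fails repeatedly within a short window, and raises a second, higher-severity alert if that same source later succeeds. The field names follow those events but every record, address, username and timestamp is made up; the threshold and window are assumptions to tune for your environment.

```python
"""Spot password guessing against exposed RDP in Windows logon events.

Added example (not from the original article). Records are a constructed,
simplified form of Security log events 4625/4624 with LogonType 10 (RDP):
    timestamp,event_id,logon_type,user,src_ip
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumed: this many RDP failures from one source...
WINDOW = timedelta(minutes=2)  # ...inside this window is treated as a guessing attack


def parse(line):
    """Split one constructed record into a dict with typed fields."""
    ts, event_id, logon_type, user, ip = line.split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def detect_rdp_abuse(lines):
    """Return alerts as (kind, src_ip, user, timestamp), in event order.

    'brute-force'  FAIL_THRESHOLD or more failed RDP logons from one IP in WINDOW
    'compromise'   a successful RDP logon from an IP already flagged as brute-forcing
    """
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    flagged = {}                 # src_ip -> time the brute-force alert was raised
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse(line)
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are in scope here
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged[ip] = ev["ts"]
                alerts.append(("brute-force", ip, ev["user"], ev["ts"]))
        elif ev["event_id"] == 4624 and ip in flagged:
            # A success after a burst of failures: treat the account as compromised
            # until proven otherwise, and check whether MFA was actually enforced.
            alerts.append(("compromise", ip, ev["user"], ev["ts"]))
    return alerts


# Constructed events: an attacker on 203.0.113.8 (documentation range) cycles
# usernames and then lands on jsmith; an admin on 10.50.0.9 mistypes once.
SAMPLE_EVENTS = """
# timestamp,event_id,logon_type,user,src_ip
2021-10-01T02:14:01,4625,10,administrator,203.0.113.8
2021-10-01T02:14:09,4625,10,admin,203.0.113.8
2021-10-01T02:14:17,4625,10,radiology,203.0.113.8
2021-10-01T02:14:25,4625,10,jsmith,203.0.113.8
2021-10-01T02:14:33,4625,10,jsmith,203.0.113.8
2021-10-01T02:14:41,4625,10,jsmith,203.0.113.8
2021-10-01T02:15:02,4624,10,jsmith,203.0.113.8
2021-10-01T07:59:50,4625,3,svc-backup,10.60.0.77
2021-10-01T08:00:00,4625,10,itadmin,10.50.0.9
2021-10-01T08:00:20,4624,10,itadmin,10.50.0.9
""".splitlines()

if __name__ == "__main__":
    for kind, ip, user, ts in detect_rdp_abuse(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {kind:<12} src={ip} user={user}")
```

The single admin typo never reaches the threshold, so it produces nothing, while the attacker's fifth failure raises the brute-force alert and the subsequent 4624 escalates it. In production the same logic runs in a SIEM query rather than a script, and the compromise alert is the one that should page someone: if RDP is exposed and an account can be guessed into without a second factor, the MFA recommendation above was not actually enforced.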

Healthcare cybersecurity and compliance can be difficult. The experts at LMG Security are here to help! Whether you are looking for supplemental resources, outsourced testing or HIPAA compliance advice, we’ve worked with numerous healthcare organizations, big and small, and understand the challenges you face. Contact us if we can help.

About the Author

Dan Featherman

Dan is the Chief Technology Officer and a Senior Security Consultant at LMG Security. He came to LMG in 2014 from Garlington, Lohn and Robinson where he served as Network Administrator and IT Manager for 7 years. Dan graduated with high honors from the University of Montana with a degree in Applied Science. Dan’s current certifications include CISSP, GIAC GPEN, CompTIA IT Operations Specialist (CIOS), Secure Infrastructure Specialist (CSIS), A+, Net+, Security+, CCENT, Metasploit Pro Certified Specialist (MPCS), and Nexpose Certified Administrator (NCA). Dan is also a member of the GIAC GPEN advisory board, in addition to the University of Montana Computer Science advisory board, and served several years as the Montana State Representative for the International Legal Technology Association.