Journal of Health Care Compliance — September–October 2016

Health Care: Cyberattacks and How to Fight Back

Top Priorities to Keep in Mind When Dealing with Threats at an Organizational Infrastructure Level

Ed Cabrera

The number one priority for health care providers, by definition of the industry name, is to provide quality care to improve patient health. However, with the rise of cyberattacks and the exponential growth of technology and mobile/medical devices, health care providers also must focus on cybersecurity compliance, protection, and prevention.

The health care industry has been the most highly targeted industry within the past several years, with more than 110 million health data records breached in 2015 alone. One may ask, why? The simple truth is that this industry is teeming with personally identifiable information (PII) embedded in protected health information (PHI), such as personal data and health records, and is increasingly integrating new technologies that cybercriminals can exploit with ease. The health care industry also has traditionally been behind the cybersecurity curve and focused on meeting compliance laws — electing to focus resources on patient care rather than taking the extra steps for implementing enterprise risk management strategies focused on proactive prevention and protection measures. Although this has been the trend, we are beginning to see a shift in focus from an operational standpoint as health care providers recognize the inevitability of cyber threats while adapting to changes in technology and consumer expectations.

MODERN CYBERSECURITY THREATS

Due to the nature of the health care industry, cybercriminals can find new personal data targets and health records on a daily basis and attack them from multiple angles. This allows cybercriminals to have a full toolkit of resources at their disposal to infiltrate their targets. These tools include ransomware infections, business email compromise (BEC) scams, phishing and spear phishing attacks, and medical device contamination, just to name a few.

Ed Cabrera is the Chief Cybersecurity Officer at Trend Micro.

Recent attacks on Hollywood Presbyterian Medical Center [1], Kentucky Methodist Hospital [2], and MedStar [3] highlight what cybercriminals are capable of when infiltrating the operational side of health care institutions. These attacks utilized ransomware infections to extort organizations for monetary gains, while others focus on gaining access to information through phishing and BEC attacks by targeting individual employees. In some extreme cases, cybercriminals also can use these threats to entirely stop operations and halt services for patients.

Not as common, but just as feasible, are secondary attacks through mobile/medical devices. Though it may sound like science fiction, cybercriminals are capable of infiltrating wearables like step trackers to leapfrog into organizations’ networks. Taking the concept even further, some cybercriminals claim they can directly access pacemakers or morphine drips, which can result in dire health consequences or even fatalities.

HEALTH CARE CYBERSECURITY SHIFT

Cyber threats are no longer a small issue for health care providers like they have been in the past. More recently, threats have evolved into a major problem that unfortunately is seen as a common occurrence. Because of the growth, evolution, and almost routine occurrence of cyber threats, health care executives and organizations have acknowledged there needs to be a shift in how they deal with cybersecurity.

Toward the end of 2015, we began to see this shift in cybersecurity protocols from simply meeting regulatory compliances to focusing on risk management via prevention and protection measures. Executives and organizations are putting more emphasis on organizational aspects, such as improvements in risk management, threat responses, and allocating additional budgetary funds for cybersecurity. This is not only to protect the company as a whole but also to protect patient privacy and PHI/PII data.

This shift appears to be a holistic approach on behalf of organizations — tackling all the issues at hand during a cyberattack, from prevention and protection to containment and recovery. This is essential for combating cyber threats in the health care industry due to the vast range of threats as well as the increasing attack surface due to growing technology and integrating devices.

CYBERSECURITY PRIORITIES

Cybersecurity as a whole is an undertaking in and of itself, generally requiring substantial budgetary allocations or entire departments dedicated to maintaining security. To tackle the initial stages of cybersecurity, it is best to develop a strategic plan and highlight the priorities organizations should focus on to achieve security success.

According to the Healthcare Provider Breaches and Risk Management Road Maps survey conducted by the SANS Institute, the following are what health care providers and executives felt were the most important priorities when dealing with threats at an organizational infrastructure level, in descending order:

1. Respond quickly and efficiently to new threats: Health care providers desire agility when dealing with cyber threats. On average it takes minutes for most compromises, but it takes months or years to detect them. Improved response times through breach detection technology and procedures will cut down on cybercriminal dwell times and will allow security teams to manage and contain the threats they face.

2. Protect patient data: Health care providers hold patient PHI/PII data in high regard, as it is a primary target for criminals to steal and sell online for profit, or use for further financial exploitation. Therefore, they need to adapt security strategies from the inside that bring technical and operational security controls as close to the data as possible throughout its entire lifecycle.

3. Secure supporting infrastructure: How an organization’s system structure is set up will dictate the amount of security necessary for protection. Supporting infrastructure for information supply chains from third-party vendors provides additional avenues for cybercriminals to infiltrate and access information or infect the network (i.e., application vulnerabilities, third-party network programs, customer service portals, et cetera). Establishing and adopting a cybersecurity framework internally that speeds up vulnerability and patch management is critical but even more so for third-party vendors.

4. Meet regulatory compliance standards: Compliance regulations have always been at the forefront for health care providers. Failing to meet regulation standards results in governmental fines and consequences, not to mention leaving systems open to attack due to inadequate security. While compliance is only the starting line in the race to secure data and critical systems, utilizing advanced security solutions that not only protect and prevent attacks but also generate real-time audit logs will get you closer to the finish line.

5. Classify sensitive data and create information defense strategies: Health care providers receive vast amounts of data and information that need to be sorted and stored correctly on internal systems. Cybercriminals are incredibly effective in mapping victim data and actively seek this concentrated information, so establishing defensive strategies to protect the data is essential for prevention and protection against threats.

6. Prevent and defend against ransomware, denial of service, and other commoditized attacks: Instituting preventative measures such as establishing a robust backup strategy greatly reduces the risk of extortion attacks. Additionally, adopting a connected threat defense strategy enables organizations to automate and orchestrate their layered defenses to protect critical data and operations.

7. Manage access authorization: Controlling who accesses an organization’s network is key to maintaining security. Implementing a robust role-based identity access management strategy that includes password admittance procedures, user access trackers, network segmentation, and encrypting network systems provides extra layers of security while also adding additional barriers for external malicious threats. Regulating access also helps prevent insider threats targeting intellectual property theft and/or destruction.

8. React to a data breach cycle, from initial breach to post-breach recovery: Health care providers need to have a full-length crisis management plan to deal with each stage of a data breach. This plan should have threat-driven playbooks that lay out the necessary steps to contain the threat, procedures for recovery, and alerting the victimized parties.

9. Attract, retain, and maintain skilled information security staff: Possibly the most important part of a connected threat defense strategy is having a skilled and trained information security staff. The vulnerabilities and threats that organizations face are far too dynamic and destructive not to invest heavily in recruiting, training, and maintaining top-tier cybersecurity professionals to secure health care providers’ networks.

10. Educate end-users on cyber threat awareness and prevention: Employees, vendors, and patients can all serve as gateways for cybercriminals when interacting with networks. Educating them on organizational procedures and personal initiatives for security will benefit both the individual and the health care organization by limiting cybercriminal access.

11. Protect endpoints from unauthorized access: Endpoints on network systems are the preferred point of entry for all attackers as they are the main access point where users interact with critical data and systems. They are easily targeted through infected emails with malicious attachments or links and attacks from compromised Web servers serving up the latest exploit kit. Health care providers should install extra security measures on company endpoints and around user activity to prevent and protect against cyber threats.

12. Defend against medical device and Internet of Things risks and threats: Medical and mobile devices also can succumb to cyber threats, allowing criminals to leap frog, or island hop, into an organization’s network. Securing these devices is important but a much larger challenge as they often do not have security baked into their design. Instead, health care providers should strengthen their focus on network and cloud security, making it harder for cybercriminals to access systems using these indirect routes.

13. Improve application security: Program applications, third-party applications, and mobile device applications can give way to vulnerabilities exploited by cyber threats. To fight these vulnerabilities, health care providers should consistently update these applications with the latest manufacturer updates and security patches.

While reports and news stories on data breaches continue to highlight the negative sides of health care cybersecurity, we are seeing that this internal industry shift shows promise of improvement. As health care providers pivot from meeting compliance to making risk prevention their priority, the subsequent results will lead to improvements in threat response, integrated technologies, onsite and digital networks, as well as patient PII and overall quality health care.

Endnotes:

1. blog.trendmicro.com/ransomware-continues-to-plague-hospitals

2. www.trendmicro.com/vinfo/us/security/news/cyber-attacks/locky-ransomware-strain-led-kentucky-hospital-to-an-internal-state-of-emergency

3. www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hospital-ransomware-on-the-loose-more-healthcare-providers-affected-by-ransomware

Copyright of Journal of Health Care Compliance is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.