By Mark B. Cooper
As ransomware attacks against organizations, including healthcare, around the world increase in prevalence and sophistication, the question many healthcare CIOs and CISOs should be asking themselves is: “What’s next?”
While ransomware is typically indiscriminate—it spreads across the internet, connecting to whatever it can—attacks on the healthcare industry have been highly targeted, because the industry pays ransom more often than other industries. As the tactics used by ransomware attackers continue to evolve, the actions taken to protect healthcare systems and data must evolve as well.
Over the past 15 years, as the industry moved to electronic patient records, healthcare organizations made great strides toward controlling access to and storing patient data. For example, smart cards (or NFC-enabled proximity cards), which leverage public key infrastructure (PKI) to provide strong authentication and security through encryption keys, are widely used to authenticate physician and staff access to hospital systems. The surge in telemedicine and hybrid work driven by the pandemic, however, potentially introduced new vulnerabilities as staff and computer systems began connecting to systems in ways they hadn’t previously.
Just as in any other industry that provides critical infrastructure, ransomware can be used to hold data hostage, disrupting services people and communities rely on. In healthcare, however, which is an industry with an increasing reliance on the cloud for everything from payroll to data storage and the delivery of care, ransomware poses an additional threat. Not only do providers and organizations need to ensure that their systems are secure, but they also need to ensure that the vendors who supply mission-critical products and services, from hypodermic needles to telemedicine platforms like Zoom and Webex, are just as resilient as they are.
History has shown us that with any new technology, hackers will find and exploit the vulnerabilities, and there’s no reason to think that an expanded hybrid workforce and telemedicine will be any different. A few key steps can help protect your organization from the next hack:
- Determine your risk profile: Are you most concerned about protecting against a remote anonymous adversary, an internal actor such as a contractor or a rogue employee, or IT administrators within your organization? Each presents a different threat and necessitates a different set of security precautions. How you design systems depends on what you’re most worried about and the risks you are willing to accept.
- Assess your systems: With the move to telemedicine, remote work and the cloud, what new technology did you implement, and how was it secured? What was changed in your network related to access, identity and encryption? Did security protections change to facilitate a remote workforce? Are there new systems connecting that didn’t before? Were telephony solutions such as outbound VoIP (Caller ID masking) implemented? How are these systems secured and protected from abuse?
- Security benchmarks: Determine if new systems and solutions will be part of your long-term workforce. When will security standards be enforced to match pre-Covid security standards? If a system can’t be mapped to acceptable security requirements, determine the timeline for finding a replacement.
- Remediate risks: How do you want to move forward? In the assessment phase, you may have found that you need to adapt your new configurations to meet pre-pandemic security requirements, for example by putting in new controls, improving security, implementing two-factor authentication or removing technology altogether. In the absence of industry-wide regulations around security, the decision for many organizations of how to proceed hinges on their risk profile.
- Improve your defenses: Phishing tests with your employees provide a way to gauge awareness, but organizations have also depended on firewalls and other network controls. In a hybrid workforce, those controls may not be available. Additionally, the deployment of new communication mechanisms, such as Microsoft Teams or Slack, could present entirely new channels for an attack.
- Establish a tiered system for vendors based on risk: You can apply the same thinking to your suppliers and vendors that you did to your own systems: ranking risk, determining what the potential impact to the organization is, and then soliciting, auditing and ensuring compliance.
Consider placing vendors into three tiers:
- Tier one: Vendors whose products or services are critical to delivering care.
Cybersecurity protocol: Require that they implement security measures that are equivalent to what you have in place. Ensure that they can withstand certain attacks and remain operational in the case of an attack, and include an audit and compliance component.
- Tier two: Vendors who have products or services that are important to the delivery of care but who aren’t the sole supplier to your organization.
Cybersecurity protocol: Require protections that are commensurate with the exposure to the organization and match some or nearly all of your controls. This may mean smart cards and tokens, antivirus protection and good backup and disaster recovery plans.
- Tier three: Vendors whose products or services, if unavailable, wouldn’t disrupt the delivery of care.
Cybersecurity protocol: Encourage vendors to educate employees about strong passwords and the risks of ransomware and other cyberattacks.
We don’t know exactly what form the next cyberattack will take, but we do know that there will be one. Protecting patient data and systems from ransomware and other, more targeted attacks requires a systematic approach to assessing and remediating security vulnerabilities. By also establishing a tiered system based on risk, you can ensure that your suppliers and vendors are working in tandem with you to protect against the next healthcare hack.
About Mark B. Cooper:
Mark B. Cooper, president and founder of PKI Solutions, has been known as “The PKI Guy” since his early days at Microsoft. He has deep knowledge and experience in all things Public Key Infrastructure (PKI). PKI Solutions Inc. provides consulting, training — including online training — and implements software solutions for Microsoft PKI and related technologies at enterprises, many of them Fortune 500 companies. PKI Solutions has led hundreds of PKI trainings, including private trainings, across the country and around the world. Cooper is an avid proponent of the SHAKEN/STIR global standard to end robocalls, which uses authentication and PKI to verify callers’ identities. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented, and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.