By Samantha Madrid
Think about your priorities right now. Your business priorities, personal priorities, civic priorities – I am willing to wager that security is at the top of all those lists. From financial security to the safety and well-being of yourself and your loved ones, security is certainly top of mind these days. Unfortunately, cybercriminals are all too familiar with our priorities and jump at any opportunity to exploit them.
It is no surprise that with so much on our collective minds, we have seen a major uptick in cyberattacks. Social engineering has always been an effective means of compromising and infiltrating a network. During times of crisis, people are rightfully distracted, focusing on what is important – the health, safety and welfare of their loved ones and their communities.
While nearly every organization has had to reevaluate their security strategies and assess risk, there is one group that is getting hit hard with vulnerabilities and attempted attacks – the healthcare industry. But what makes these organizations so prone to attacks and what can they do to protect themselves?
They’ve Got the Goods
Healthcare organizations are at an increased risk for cyberattacks because they have valuable, confidential information that cybercriminals can sell or use as leverage for ransom. Additionally, with so many connected devices, it is nearly impossible to individually protect them all – especially since individual device-level protection just does not cut it.
Medical devices are especially vulnerable because security is more challenging when the devices are designed and maintained by the manufacturer. There also is not a lot of guidance around medical device security, so it is left to the healthcare providers to solve the problem.
More specifically, there are two types of security challenges in healthcare environments:
- Access: Who has access to what device? There are many instances where a single device is shared by many people (e.g. a computer at a nurse’s station), leaving it open to increased vulnerabilities.
- Coverage: The need to secure those devices (everything on the network that has an IP address). For example, ventilation systems and heart monitoring systems cannot have endpoint security software deployed on them – in fact, because they are highly regulated, their operating systems cannot be updated and their vulnerabilities cannot be patched – which means they are highly exposed and targeted. Since you cannot put traditional security software on those devices, the network must be able to monitor and track threats.
Ensuring approved access and handling patient and employee PHI from various devices and locations, while complying with state and federal regulations (e.g. HIPAA, GDPR, PCI) and preventing the intentional or unintentional compromise of systems, devices and data, is a balancing act – and it is not easy!
Compliance and Privacy
Healthcare poses a unique challenge because of the need to balance legacy systems with compliance and privacy, which is notoriously difficult. Many security technologies would, to some degree, violate patient confidentiality in order to secure those systems.
Legacy systems do not offer the level of role-based access or segmentation needed to ensure compliance and privacy standards are met. They also do not offer the security controls required to accurately identify potential threats. For example, ransomware hides in encrypted traffic, where it cannot be found without breaking encryption and compromising privacy. Additionally, encrypted traffic decreases visibility, which tips the scales between privacy and security.
From access and coverage, to compliance and privacy – the healthcare industry has already been facing an uphill battle for complete security. Throw in the current state of the world and some opportunistic bad actors and you have the potential for a major breach.
“And” Not “Or”
Recognizing immediate challenges is the first step in overcoming them – both from an operator and a technology perspective. That is why it is necessary for healthcare IT teams to consider a strategy that will secure all devices on the network, end-to-end. Security cannot be a “this or that” narrative – it must be thought of as “this and that.” Securing a single device, no matter how big or important, does not solve the problem; it just moves it from one place to another.
This is where the threat-aware network comes into play. If your network is already threat aware, you do not need to think about securing all the individual pieces you have in place. It becomes entirely resilient in a way you may not have previously thought of.
With so many hospitals isolating their networks, building standalone triage facilities where they can do large-scale testing and posture assessment for their community, etc., it is crucial that the network be more threat aware. Security must be at every point of connection and able to detect threats given where it sits in the stack.
The same holds true for integrating threat intelligence (TI) into the network. If a user is somehow duped into an attack and TI is already built in, the network will automatically recognize the infection and isolate it, reducing the risk of more widespread exposure.
While the healthcare industry certainly has plenty of obstacles to overcome, there are ways to defend against malicious attacks. By keeping our eyes on the prize and adopting a security-first mindset, we can stop cybercriminals in their tracks and focus on what is most important during this time: keeping our communities safe and healthy.
Samantha Madrid is VP of Security Business & Strategy of Juniper Networks.