If you're excited about exploring how healthcare organizations can fortify their cyberdefenses to protect against attacks, then you've come to the right place. If you missed the first part of this blog series, or want a refresher on the importance of cybersecurity in healthcare organizations, you can find it here.

In this second and final part, you'll learn about the measures that healthcare organizations can take to protect sensitive patient health information from attackers and thus save patients' lives. For example, ransomware attacks can bring a hospital to a standstill because all the infected devices, including the surgical display monitors that inform the surgeons about the patients' vitals, will display only the ransom message. This could even cost a patient's life!

According to Gartner, "by 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties." From locking hospital staff members out of critical facilities to stopping them from accepting new patients to preventing them from accessing patient records, a ransomware attack targeting a hospital's operational technology (OT) systems will have catastrophic consequences. If Gartner's prediction comes true, it's not only patient data that healthcare organizations will need to worry about but also the patients themselves. Besides IT security, organizations should also start focusing on ensuring OT security. From asset inventory to network segmentation to patch management, healthcare organizations should stay up to date to prevent cyberattacks.

Healthcare is a part of critical infrastructure and thus should be protected from attacks at all costs. Yet, as discussed in the previous blog, its criticality is one of the main reasons it is such an attractive target for an attacker. So, it becomes especially crucial for healthcare and healthcare-related organizations to scale up their cybersecurity postures to avoid falling victim to ghastly cyberattacks.

The first step towards solving any problem is to identify the problem, because only when you know what the problem is can you find a suitable solution to it. In the case of healthcare organizations, the main problems from a security standpoint are:

  • A lack of strong IT security policies.
  • Insufficient cybersecurity awareness and training for staff.
  • A shortage of qualified cybersecurity personnel and solutions.
  • A lack of or inadequate network segmentation.

Having identified the problems, let's now take a look at how we can tackle them effectively.

To start off, healthcare organizations should reassess their priorities when it comes to cybersecurity. They should understand how vital it is to be secured against cyberattacks and should allocate a dedicated budget to cybersecurity, including personnel, security analytics solutions, frequent security training for staff, and third-party risk assessments for ensuring supply chain security. However, these measures aren't enough. Healthcare organizations should also start adopting the data-centric Zero Trust (ZT) approach, which involves verifying and validating the trustworthiness of every device trying to connect to organizational networks, for two reasons:

  • Insider threats are increasing yearly (44% from 2020 to 2022) due to both employee negligence and malicious insiders.
  • The hybrid work environment and cloud-based applications have rendered the idea of perimeter-based security defunct.

So, be it inside the network or outside, every user and entity accessing data should be authenticated and authorized at every stage. The principle of implicit trust should be replaced with ZT until verified. This is a reversal of the concept of innocent until proven guilty.

For example, instead of blindly trusting that a request to access the patient database coming from a doctor's device is actually from that doctor, you should take the ZT approach, which dictates that the doctor's credentials be checked to ensure that they are who they say they are. If those credentials cannot be verified, access to the database is denied.

In other words, you should not grant automatic access to resources just because the device requesting it is connected to the hospital network. You should also ensure that the verification is done as close to the resource as possible. Verification done at the periphery of the network or at the initial login level for a group of applications is not a good ZT practice. In this case, the verification should be done just before the patient database and for the patient database only.

To define the Zero Trust architecture (ZTA) for your organization, you need to know about your assets, especially the medical IoT devices connected to your network, because visibility is the foundation for achieving security. A good way of gaining visibility is to deploy a security analytics solution such as a SIEM tool that provides real-time security monitoring; user and entity behavior analytics; and security orchestration, automation, and response capabilities.

Here are some things to consider for effective planning and implementation of ZTA in your healthcare organization:

  • You need to know about all the managed and unmanaged devices connected or attempting to connect to your organization's network. Simply put, device discovery (including categorization as a badge scanner, X-ray machine, IP camera, electronic door lock, or other device) and asset inventory should be your first considerations in defining your ZT policy.
  • You should also know details such as the physical and logical addresses of your assets, whether they're compliant, who's logged in to them, and whether they're encrypted.
  • You need to perform risk assessments to identify if an asset is critical or vulnerable and if there's any deviation from its expected behavior.
  • You should know whether an asset communicates with any server and if so, which ports and protocols it uses. You should be able to determine if the asset is communicating with something it should not be because any unwarranted communication could be a sign of the device being hacked or controlled by an attacker.
  • Your next consideration should be network access control. Determine whether an asset is authenticated and if its communication should be limited or blocked based on a predetermined baseline of accepted communication.
  • Microsegmentation is an essential consideration when planning your ZTA. The organization's network should be segmented separately based on categories, such as guest, admin, staff, patient, and finance, for enhanced security. Segmentation ensures that even in the event of a breach of one segmented network, an attacker cannot access devices connected to the other segmented networks. Segmentation is especially crucial when it comes to critical resources.
  • Privileged access management is yet another important aspect of ZT. Healthcare organizations should implement the concept of a least privilege environment. This involves giving just-in-time access and just enough access for the staff members to perform their jobs properly. Users with special privileges should be monitored around the clock to ensure that there are no incidents of privilege abuse.
  • Real-time security monitoring, threat intelligence, advanced threat detection using artificial intelligence and machine learning algorithms, and response workflow automation are musts. So, deploy a security analytics solution that can provide these and alert you to both potential and actual attacks.
  • There is no one-size-fits-all solution when it comes to ZT, and multiple solutions offer different variations of functionalities that can help you implement a ZT policy. Choose your policy enforcement points wisely based on your organization's security needs, such as agent-centric (endpoint management and security tools), perimeter-centric (a next-generation firewall or virtual firewall), network-access-centric (wired and wireless), and application-centric (the cloud and data centers). Simulate and refine your ZT policy before implementing it.
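The device inventory, communication baseline and network access control bullets above can be combined into one default-deny check, shown here as an added example (not code from the original post or from Log360); every device name, address, category and flow record is constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # device type from discovery, e.g. "ip_camera"
    segment: str         # network segment the device was placed in
    authenticated: bool  # passed network access control (constructed flag)

# Constructed asset inventory keyed by address (not real devices).
INVENTORY = {
    "10.1.10.5":  Asset("lobby-cam-01", "ip_camera", "facilities", True),
    "10.1.20.17": Asset("xray-02", "xray_machine", "clinical", True),
    "10.1.30.9":  Asset("nurse-ws-14", "workstation", "staff", True),
    "10.1.30.44": Asset("unknown-44", "unknown", "staff", False),
}
# Constructed baseline: category -> set of (destination, port, protocol)
# that category is expected to talk to; anything else is a deviation.
BASELINE = {
    "ip_camera":    {("10.1.50.2", 554, "tcp")},   # video recorder only
    "xray_machine": {("10.1.60.3", 104, "tcp")},   # PACS/DICOM only
    "workstation":  {("10.1.70.4", 443, "tcp"), ("10.1.60.3", 104, "tcp")},
}

def evaluate(src, dst, port, proto):
    """Return (decision, reason) for one flow; deny by default."""
    asset = INVENTORY.get(src)
    if asset is None:
        return "deny", f"{src} is not in the asset inventory"
    if not asset.authenticated:
        return "deny", f"{asset.name} failed network access control"
    if (dst, port, proto) not in BASELINE.get(asset.category, set()):
        return "alert", f"{asset.name} ({asset.category}) deviates from baseline: {dst}:{port}/{proto}"
    return "allow", f"{asset.name} within baseline"

def evaluate_flows(flows):
    """Evaluate a batch of (src, dst, port, proto) flow records."""
    return [evaluate(*flow) for flow in flows]

# Constructed flow records: X-ray to PACS (expected), IP camera reaching the
# patient database (deviation), an unauthenticated device, an unknown source.
SAMPLE_FLOWS = [
    ("10.1.20.17", "10.1.60.3", 104, "tcp"),
    ("10.1.10.5", "10.1.70.4", 5432, "tcp"),
    ("10.1.30.44", "10.1.70.4", 443, "tcp"),
    ("10.9.9.9", "10.1.70.4", 443, "tcp"),
]

if __name__ == "__main__":
    for flow, (decision, reason) in zip(SAMPLE_FLOWS, evaluate_flows(SAMPLE_FLOWS)):
        print(decision, reason)
```

The "alert" decisions are the ones a SIEM would raise for investigation, while "deny" decisions are enforced before any traffic reaches the resource.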

ZTA cannot be planned and implemented overnight. It has to be developed in a phased manner. Though time-consuming, the ZT approach is a must for keeping cyberattacks in check. However, attackers will not wait for you while you're implementing your ZT policy. So, assume that a cyberattack is always imminent and stay vigilant. Back up your data frequently and adequately so that even if an attack occurs, the damage can be limited, and recovery can be faster. Most importantly, deploy a unified SIEM solution such as ManageEngine Log360 that can help you improve your cybersecurity posture and thwart various cyberattacks.

To learn how to build a healthcare IT security strategy from scratch, check out our e-book, IT security hardening at healthcare organizations. To personally evaluate how Log360 can help your organization enforce a ZT policy, sign up for a personalized demo and talk to our solution experts. Thanks for reading, folks!

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.