Everything a healthcare IT professional needs to know.

A threat vector is a route through which a hacker can enter your network by exploiting a vulnerability.

The most common threat vectors are:

• Email
• Mobile devices
• Web applications
• Remote access portals

While these are the most common routes through which hackers get into your network, it isn't exhaustive, because hackers constantly find new ways and means of breaching your security perimeter.

Threat vectors can be classified as social engineering vectors and programming vectors. Common examples of social engineering vectors are malicious employees, instant messages, and phishing emails. Viruses, infected pop-ups, malware, distributed denial of service (DDoS) attacks and brute-force attacks are some common types of programming threat vectors.

Email is the most commonly used route for hackers to compromise your cybersecurity. This is because insiders can unwittingly open a malicious email or click on an infected link, and that's pretty much all it takes for the hacker to get into the network. The healthcare Industry is particularly vulnerable to these attacks, because the threat vectors include medical devices that function on the Internet of Things.

Knowing exactly where a hacker can enter your network helps you build a strong defense that's difficult to penetrate. Monitoring your threat vectors is incredibly important when fortifying your defenses against cyberattacks.

COVID-19 has been a disaster for mankind wherever it strikes. While hospitals and their staff are crumbling under the pressure to treat patients, healthcare facilities have been left vulnerable to cyberattacks. Hammerson's Medicine Research, a research facility in the UK, was on the verge of conducting coronavirus vaccine tests when it was attacked by ransomware.

Although no ransom was paid, hackers managed to access the health information of patients. The US Department of Health has also been subjected to distributed denial of service (DDOS) attacks during this trying time. A recent study by Atlas VPN shows that 83 percent of healthcare devices in the US are prone to cyberattacks during the COVID-19 outbreak.

With a sudden demand in remote consultations during this pandemic, HIPAA regulations have been temporarily loosened. This decision should help healthcare workers offer the care patients need, but it's also a major security risk. As more and more hospitals adopt remote consultations via video chat, it opens up a slew of security risks.

Under normal circumstances, healthcare providers and third-party app vendors enter a HIPAA-mandated agreement known as the Business Associate Agreement (BAA). The BAA outlines the permissions business associates are given with respect to protected health information (PHI). It also mandates that vendors implement appropriate safeguards to protect this information. Now that this regulation is loosened, hackers will be looking to take advantage of unprotected information

In a situation like this, it's obvious that you need automated tools that can evaluate risk and identify anomalous behavior in a network. Setting up real-time alerts to monitor multiple threat vectors can help you fend off cybercriminals and focus on delivering the best care possible to your patients during this crisis.

User and entity behavior analytics (UEBA) is a great solution to protect your healthcare organization from both internal and external cyberattacks. UEBA uses user profiling, behavioral analysis, and machine learning to build a baseline of user activity, so it can spot and alert on any anomalous activity. 

Here's some best practices to follow when implementing UEBA for your organization.

• Integrate UEBA with all security systems to collect logs from different devices and data sources (appointments, medication, lab results). This way you can correlate events across multiple logs to get a better understanding of user behavior.
• Configure UEBA to provide network and endpoint data so you can view activity that isn't part of your log data.
• Since manually configuring threat vectors is difficult, your UEBA solution should be able to identify genuine and fake accesses. 
• Monitor non-privileged accounts as well, because hackers lurking in your network exploit these accounts to escalate their privileges within your network.
• When implementing a UEBA solution, Gartner recommends you start with a narrow, well-defined set of use cases that you can add to later.

User and entity activities constantly change, and their behavior evolves with them. With the help of machine learning, UEBA adjusts the baseline of user behavior to accommodate these changes. However, any major changes in personnel or organizational structure can require framing a new baseline to effectively deal with all kinds of threats.

Risk assessment is a great way to identify  vulnerabilities and threats your healthcare organization faces and the security measures you need to implement.

Make an inventory and calculate damages: Make a list of the data or equipment your organization uses that could directly affect day-to-day operations if compromised. Large organizations can delegate this task across departments and appoint people who can account for valuable assets in their department. You also need to calculate how much you'll have to pay for damage control if these assets are compromised.

Analyze vulnerabilities and quantify them: Analyzing and identifying what could pose a threat or could be a possible vulnerability requires a close look at multiple aspects of your organization. A vulnerability could be a critical server located in a place prone to floods, or a major gap in your security infrastructure like the absence of a least privilege policy. When you have a list of potential weaknesses that could cripple your business, quantify them by assigning a risk value of high, medium, or low to them

Decide what kind of security your healthcare organization needs: When you've performed the previous steps, you'll have an estimate of just how much risk your organization is willing to take. Not all security threats require major financial investment from your end; in fact, some security measures may cost more than the potential damage itself and drain your budget. It's up to you to decide what threats require your attention, both ethically and financially.

HIPAA violations result in major penalties. HIPAA stipulates certain requirements to manage your audit logs in order to stay compliant. 

Log content: Your audit logs should contain at a minimum: any new users who were added, user login times, user levels of access, system and file accesses, logs from anti-malware software, and firewalls.

Log retention: HIPAA mandates that healthcare organizations store their logs for at least six years. The logs should be in a raw format for up to a year, after which they can be converted to a compressed format.

Comprehensive log maintenance: HIPAA requires all healthcare organizations to have the required hardware and software equipment and procedures to manage logs from multiple electronic devices. It also mandates that regular audits should take place, and that all network activity in your organization should be recorded.

Additionally, you should educate staff on changes in audit procedures, and follow up on any flags that pop up during in an audit.

Audit logs are a record of every activity that took place in a network. They document who did what in a network, and how the network responded to the event. To get a clear picture of events that have taken place in a network, an IT admin needs to analyze multiple logs to spot any anomalies in routine network behavior. 

Since every organization has a different security posture, audit logging strategies will differ. Organizations need to configure logs based on what they think will serve their security strategy well. As an IT admin, you'll have to decide what events could pose a threat to your healthcare organization, and correlate between multiple logs to understand the big picture fully. 

With audit logs, IT admins can sequentially retrace the trail of activities that led to a particular critical event. You can analyze who had access to sensitive information, and discover if an intruder hacked a user's account to access the information, or if a user laterally moved through a network escalating privileges.

Many healthcare providers fail to ensure that their IT security is foolproof. This is why HIPAA makes it mandatory that regular IT audits take place at healthcare organizations. 

Here's what an IT audit for a healthcare organization looks like:  

• IT auditors pay close attention to how your data is being stored. HIPAA guidelines have specific rules on data security and storage that healthcare organizations must follow. An important parameter that auditors look into with respect to data is if there are frequent data backups, and if there is a proper data recovery plan in place.
• Auditors also examine vulnerabilities in your security infrastructure that could prove to be entry points for intruders into your network. 
• HIPAA specifies that healthcare organizations should have servers that follow HIPAA-compliant standards. Your server's capabilities are also a parameter on the auditor's checklist. Auditors will look at how logs are being managed, if all data is properly encrypted, and if secure user authentication for Protected Health Information (PHI) is implemented. 

Managing logs for your healthcare organization requires some strategy and planning. Here are some best practices you should implement to manage your logs effectively. 

Set up storage: HIPAA mandates that healthcare organizations store their log data for a duration of six years. All your logs need to be stored in a secure, central database, so log analysts and other stakeholders can access this data.   

Turn on real-time monitoring and alerts: Set up your log management tool to provide you with instant alerts for any unusual activity. This will help you to deal with any malicious attacks immediately before they escalate. The best way to leverage real-time monitoring is to start by identifying what information is important to your organization specifically. organization specifically. 

Correlation is key: An efficient way to monitor logs is to get a comprehensive view of all the logs from multiple sources. Once your logs are in one central location, you can set up parameters and correlate data points from various logs to understand any anomalies in your network. 

Logs are central records of activities that have taken place on the devices in your network. Logs collect information on when a user has logged in, the number of successful and unsuccessful login attempts, any new software that was downloaded or updated, password changes, and accesses to sensitive information. IT administrators can analyze logs to understand user patterns and check if there is any unusual behavior happening in the network. 

For example, a particular employee in a hospital usually logs in at 9am and checks out at around 5pm everyday. Logs show that they usually access only certain databases and servers. But today the logs show that they attempted to access the hospital's EHRs at 6pm. While there could be a genuine reason for this event, an anomaly like this alerts the IT analyst to take a closer look. 

An average health record is a microscope into intimate details of a patient's life. It contains details about every allergy, medication, scan, and test. Once hackers have this information, they can sell it on the dark web, a shady, untraceable part of the internet. While a Social Security Number and credit card number can sell for a couple of dollars, an EHR's market value can run as high as $1,000! Your EHR can be used for identity theft and insurance fraud, or to purchase drugs or medical equipment. 

If Dwight Schrute from NBC's award winning show The Office taught us anything, it's, "Identity theft is not a joke, Jim!"

A major side effect of the prolific advancement in medical technologies is an array of security threats to healthcare IT systems. Here's a list of the top threats that healthcare organizations face. 

IoT infiltration: If your medical devices are part of an IoT ecosystem, an intruder can infiltrate your network and hijack your devices. For example, an insulin pump on an IoT network can automatically deliver insulin to a patient to maintain blood glucose levels. But if a hacker is able to infiltrate this network, he could tamper with the insulin pump and modify the insulin dosages, which can endanger the patient's life. 

Ransomware attack: There've been multiple instances where hackers have gained access to EHRs and locked them down so hospitals can no longer access them. Hackers demand huge ransoms in exchange for decryption keys to regain access to patient records.

Cryptojacking: Since hospitals have systems that run 24/7, they become a magnet for cryptojackers looking to mine cryptocurrencies. Cryptojacking requires high computational capacities to mine Bitcoin; to be able to do this, hackers may compromise your systems using malware. Once the malware is on your network, these hackers can easily use your devices' power resources to mine cryptocurrencies.

The Health Insurance Portability and Accountability Act (HIPAA) is a set of compliance  regulations that require healthcare organizations to safely handle healthcare data of patients, efficiently process the transfer of health insurance coverage for U.S. workers and their families during job losses, and prevent threats and fraud that could take place in the healthcare industry.

HIPAA's Title 2 emphasizes data security in healthcare organizations. It's mandatory to store medical histories and protected health information (PHI) securely. Since PHI is sensitive information, Title 2 rules also mandate that a healthcare organization take  all technical, administrative, and physical measures to protect patient records both in paper and electronic format.

Title 2 requires all health organizations to inform patients about who has access to their EHRs, authenticate anyone trying to access patient data, protect data from unauthorized changes, and monitor and examine any unusual activity with respect to the data. HIPAA also imposes contingency plans on organizations, in case of any data breach.

To handle any disruptions to your network systems, HIPAA requires health organizations to routinely update EHRs and create multiple copies of them, so they can be continually accessed in case primary systems are down. HIPAA also requires hospitals to have an IT plan to restore operations on a particular system or facility in case of emergencies. Further, HIPAA states that hospitals should run routine tests on their contingency plans, and check if there is any room for revision and improvement.