Amidst the pandemic overwhelming the capacity of many hospital systems, malicious hackers have been quick to target healthcare providers and medical agencies. These cyber-attacks have hit both the United States and Europe in recent months, serving as a reminder for organizations to closely review their information security posture during these times of uncertainty.
Despite certain attacker groups stating their intent to refrain from targeting healthcare organizations for the duration of the COVID-19 crisis, publicly reported cyber-attacks included a ransomware attack on the Champaign-Urbana Public Health District in the United States and the downing of critical systems at Brno University Hospital in the Czech Republic. In addition, attacks against the World Health Organization have more than doubled, while the U.S. Department of Health and Human Services was hit by an attempted DDoS attack.
Attack surface is expanding
Hospitals and healthcare organizations were an attractive target even before the coronavirus pandemic. Patient records have almost everything an attacker needs in a single record to carry out sophisticated insurance fraud schemes, purchase medical supplies or drugs and/or commit other types of fraud including outright identity theft. Medical records are lucrative targets and are expensive assets in the dark market.
The deployment of new devices—especially those categorized as IoT that use wireless networks and sensors to collect and exchange information—is a double-edged sword. While these devices offer medical environments tremendous capabilities to care for patients and increase efficiencies, each device increases an organization’s attack surface.
Adding to the complexity of these security challenges are compliance and regulatory frameworks such as GDPR and NIS Directive,that are typically enacted to protect systems and sensitive data. However, since they frequently evolve to keep pace with information technology, industry influences and new threats to systems and data, healthcare organizations face multiple moving targets for managing controls and meeting requirements.
For example, in the UK, hospitals and other healthcare entities of the National Health System (NHS) that are using digital services are responsible for ensuring they meet the minimum standards in the areas of network security and data protection.
Requirements for network protection are described in the NCSC Cloud Security Principles and in the 10 steps to cybersecurity guidance. Healthcare organizations can demonstrate compliance with these requirements by taking a self-assessment like the Cyber Essentials.
In the field of data protection, healthcare organizations need to comply with the requirements of Data Protection Act of 2018, which transposed GDPR into the UK legislation. To demonstrate compliance, hospitals and other NHS entities need to consider the 12 steps detailed by the Information Commissioner’s Office (ICO).
All this said, securing patient, customer and organizational data must be a top priority. The high price for patient records, combined with new and growing vulnerabilities, provide a great impetus for cybercriminals to attack.
How to Keep Your Healthcare Organization Safe
There are several key measures to follow that help lower the risks of breaches and keep your company’s and customers’ data safe.
- Build a risk-aware culture. This means:
- Thoroughly examine and determine where security risks lie in your organization.
- Educate and communicate with employees to help them understand how they can help close the gaps.
- Implement the right tools that continuously monitor and identify vulnerabilities as well as alert employees so that your organization can act quickly to reduce the risks.
- Implement foundational controls and basic security hygiene.
- According to SANS, implementing the first six CIS Controls provide a highly effective and efficient level of defense against the majority of real-world attacks. They also help to create the necessary foundation for dealing with more advanced attacks.
- Automate all security and compliance efforts. This helps to:
- Discover and profile all business-critical assets such as patient care systems, medical devices and payment systems.
- Quickly repair configurations errors.
- Adjust security controls based on system changes and business impact.
- Monitor, measure and report compliance with security and privacy requirements.
- Manage incidents with intelligence to help your organization to respond more quickly. To do this:
- Implement intelligent analytics to help monitor operations.
- Implement automated response capabilities.
- Integrate next generation threat intelligence solutions with change detection for advanced threat detection and response.
Good Security Delivers Effective Compliance
The solution to the unprecedented cyber threat problem that healthcare organizations face is to implement foundational controls that integrate into other solutions to proactively respond to threats. If an organization has implemented good security processes and controls, they could be well on their way to meeting multiple compliance and/or security standards.
Tripwire supports many compliance mandates (including HIPAA and FDA) as well as guidelines from NIST. That support, combined with Tripwire’s advanced cybersecurity and compliance solutions, gives you proven, industry-recognized security and the ability to meet almost any compliance mandate. All while helping you detect and respond to any threat to your organization’s—and customers’—data.
To learn more about how Tripwire can help healthcare organization maintain compliance by strengthening its cybersecurity posture, click here: https://www.tripwire.com/solutions/solutions-by-industry/healthcare.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.