Challenges in Healthcare CybersecurityThis year’s Verizon Data Breach Investigations Report found that healthcare is the only vertical suffering from more insider breaches than external breaches. It’s not that doctors and nurses are spending their days slinging EHR files on the dark web: Much of the insider threat in healthcare is about a lack of basic cyber hygiene. When foundational cyber hygiene practices like privilege escalation monitoring and security configuration management aren’t in place, human error takes the reigns. Doctors put years of their life toward becoming medical experts, but the digitized nature of the systems they interact with daily demands that their training include a basic understanding of cybersecurity, as well — and they’re by and large not getting that training. And security teams at healthcare organizations are often lacking the tools and solutions they need to maintain HIPAA compliance, reduce the overall attack surface of their systems, and continuously monitor for vulnerabilities. Let’s take a look at three use cases for dealing with some of the most pressing cybersecurity issues faced by the healthcare industry today.
1. Achieving System Hardening and Standards AlignmentProblem: You don’t use an internal hardened build standard to verify against your current state. Solution: Align with and implement a known and trusted standard as soon as possible. To continuously monitor your systems for vulnerabilities, you need to first establish a secure baseline. You can then compare changes to that baseline and investigate any relevant vulnerabilities. Ideally, baseline evaluation begins at the same time that assets are created. But it’s often the case that you need to define your baseline once your systems are already experiencing traffic. In either case, you’ll need to map to an established external framework — or several frameworks at once. These frameworks include HITRUST, NIST, DISA, CIS and HIPAA. Some, like the CIS controls (that’s Center for Internet Security) aren’t legally-mandated frameworks. They serve instead as invaluable step-by-step guides to help you secure your systems. Compliance with other frameworks, like HIPAA, are enforced by rigorous audits. Once you’ve targeted the standards you need to align with, find a solution like Tripwire Enterprise that gives you:
- An immediate view of your current system state in real time
- Visibility into users, groups, shares, installed software, ports and services
- Reports of the impacts changes have on your compliance posture
- Integration with existing build and hardening processes
- Vulnerability assessment for risk scoring of changes
2. Automating the Review of EHR Change DataProblem: No automation in the review of changes to patient data and electronic records. Solution: Use a solution that reports on key EHR record changes – patient, financial and insurance. EHRs contain your medical information and history, but also your financial and insurance details — one of the reasons patient data is in such high demand amongst cybercriminals. Implement health record monitoring solutions for MSSQL, Oracle and DB2 to help you capture changes in scope, processes and jobs. Leverage your existing processes and implement robust change and security configuration management solutions. Make sure you have identified exactly what records are in scope and how detailed your visibility is when it comes to liability for patient data.
3. Visibility into Access PrivilegesProblem: It’s unclear who has access to the systems in scope for EHR and the changes they make. Solution: Develop processes and training around building system-wide situational awareness. Between the hundreds or thousands of employees, contractors and vendors who touch your systems, any lack in visibility creates a higher risk for unchecked privilege escalation (remember those disproportionate insider threats?), which can become very problematic very quickly when individuals become curious about health records they shouldn’t be privy to. Make sure you’re using a solution that helps you adhere to the following steps to keep EHR data in the right hands only:
- Match expected approved changes with actual changes
- Verify change deployment completeness
- Validate vendor updates and separate them from out of band changes
- Highlight unexpected changes
- Separate approved changes that impact security control posture
- Maintain OS vendor updates
- Discover assets in the environment