Any healthcare security professional will tell you that security is about protecting CIA—confidentiality, integrity, and availability—of healthcare data. Most healthcare breaches involve compromised confidentiality or unauthorized access to patient data.
Ransomware in its pure form is not an attack on the confidentiality of patient data but on its availability, meaning timely and reliable access to that data. When a healthcare organization loses timely and reliable access to its data, for example because ransomware has encrypted it and it cannot be decrypted, care delivery is severely disrupted: patient safety is compromised, and organizations may even have to send patients elsewhere. Because healthcare is intolerant of such disruption, affected organizations are more likely to pay the ransom.
This, exacerbated by the healthcare industry lagging other industries in security, makes healthcare a soft target for ransomware and availability attacks. As security professionals, we must look ahead to where the “puck is going” and help healthcare organizations prepare for it and ensure the necessary security is in place to enable delivery of healthcare.
Fortunately, healthcare as an industry often is not the first target for new types of attacks; financial services or defense industries are frequently targeted first. To see where the security puck is going in healthcare, we can look at those industries. One attack that hit financial services early and hard, but is still relatively rare in healthcare, is the DDoS (distributed denial of service) attack. A typical DDoS attack uses a botnet of malware-infected consumer devices, directed by a command-and-control server operated by the attackers, to firehose a central target such as a corporate website with bogus network requests. The flood saturates the target organization's network and/or external web interface, denying access to legitimate users of that same interface, and is often sustained until a ransom is paid to the perpetrators.
Historically, healthcare has kept most mission-critical services on the intranet, inside the secure perimeter, where they are less exposed to external attacks such as DDoS. One of the major trends is the increasing adoption of cloud computing. Whether it is EHR SaaS, office applications, backups, BC/DR (business continuity/disaster recovery), research/test/development environments, or other cloud usage models, healthcare is increasingly adopting cloud to lower costs, improve accessibility, and enable new models of collaborative care. While cloud promises many benefits to healthcare and is already in mainstream use, it also exposes a growing share of mission-critical healthcare services, as they move to the cloud, to DDoS attacks.
To enable increasing use of cloud computing, while minimizing risk of future DDoS attacks, we must anticipate such threats and plan accordingly by proactively implementing key safeguards to prevent, detect, and remediate such attacks. DDoS and other attacks tend to be opportunistic, like a predator seeking easy prey. It is increasingly important for healthcare organizations, in addition to their regulatory compliance, risk assessment, and other security due diligence activities, to now also understand where they stand with security readiness compared to the broader industry. No organization wants to be lagging peers and the industry, making it easier to attack.
Historically, it has been difficult for organizations to see where they stand with security relative to peer organizations. Often one sees healthcare security executives at conferences asking each other about types of breaches and their corresponding organizational response. While a good form of networking and information sharing, this tends to focus only on the breach du jour (right now ransomware) and the security capability du jour (currently backup and restore due to crisis with ransomware).
Unfortunately, with this kind of limited focus, executives often miss other breach types or security capabilities that are required for overall effective security. What is required is a more comprehensive way for healthcare organizations to benchmark their breach security against the industry.
Intel Health & Life Sciences is leading an open industry collaboration to enable health and life sciences organizations globally to benchmark their breach security maturity, priorities, and capabilities against the healthcare industry to see where they stand. Through this engagement, they are able to see if they are leading or lagging in terms of security readiness across eight types of breaches, including ransomware. They also are able to see if their priorities across breach types are significantly different from the industry average, in which case they may be over- or under-prioritizing various breach types. Across 42 security capabilities they are able to see where they have gaps, and in particular where those gaps may not be common in the industry, in which case they may be lagging and relatively vulnerable due to a particular security gap.
To date, almost 50 large health and life sciences organizations have participated in this benchmark program. They include organizations focused on the healthcare provider, payer, revenue cycle, pharmaceutical, life sciences, and business associates segments. Any organization that works with sensitive healthcare information is eligible to participate.
The benchmark engagement involves a one-hour, complimentary, confidential survey led by Intel or an industry partner and results in a comprehensive report showing how the healthcare organization's maturity, priorities, and capabilities compare with the industry and where the differences are significant. This gives healthcare security teams additional, valuable information that they can socialize internally with their stakeholders to help get the budget and resources required to address gaps in security capabilities.
The 42 capabilities assessed in this benchmark are also mapped in the report to HIPAA, NIST, PCI DSS, ISO 2700x, and GDPR regulations and standards, so the healthcare organization can see how addressing a particular gap may also help with compliance. For a sample of this benchmark report, see Intel.com/BreachSecurity.
Industry-level, aggregate, anonymous results from the nearly 50 healthcare organizations in eight countries that have participated in the benchmark program to date show that key capabilities required to mitigate the risk of DDoS attacks, ransomware, and other types of breaches are significantly lacking.
For example, a policy is required to communicate the permitted use of cloud services, yet only 64% have one, 30% are working on one, and 6% have no security and privacy policy at all.
User awareness training is required to control shadow-IT cloud use and to mitigate the risk of accidents and workarounds, for example using websites or apps with healthcare data. Such workarounds can leave healthcare data in unsanctioned cloud services that are themselves vulnerable to DDoS attack, yet only 49% of organizations have security and privacy training where it needs to be, 34% are working on it, and 17% currently have no privacy and security training for their healthcare workers.
Risk assessment is required to identify and prioritize—as a function of business impact and probability of occurrence—risks to CIA of healthcare data. This includes risks in the form of availability attacks through DDoS or ransomware, yet only 43% are doing annual documented risk assessments, 36% are working on it, and 21% have never done a risk assessment.
Security incident response plans (SIRPs) are required in the event of a security incident to ensure careful coordination of activities and communication both internally and externally, including with digital forensics experts, regulators or data protection authorities, the media, and patients. Only 40% of healthcare organizations have their SIRP where it needs to be: documented, employees trained, tested, and integrated into process. Another 40% are working on it; 20% have no SIRP. Healthcare organizations can least afford an ad hoc, improvised approach in the high-pressure event of a security incident such as a DDoS attack. Missing key steps in the response to a security incident can greatly increase its business impact.
Threat intelligence is required to quickly detect and properly identify DDoS attacks and to differentiate them from legitimate spikes in network traffic. Only 28% have their threat intelligence capability where it needs to be, 21% are working on it, and 51% have no threat intelligence capability.
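The distinction drawn above, between the botnet flood described earlier and a surge of real users, is something a security team can start to make from its own web-server logs before any external intelligence arrives. The script below is an added illustration for this article, not Intel code and not part of the benchmark program. It parses access-log lines in Combined Log Format, summarizes one time window (request rate, number of distinct sources, how concentrated the requests are on a single path and user agent, error share), and compares it with a known-good baseline window. The log lines are constructed inline, and every threshold (5x baseline, 90% concentration, 50 sources) is an illustrative assumption to be tuned against real traffic.

```python
"""Triage of a traffic spike: distributed flood vs. legitimate surge.

Added example for this article; it is not Intel code and not part of the
benchmark program. The access-log lines are constructed inline in Combined
Log Format, and every threshold below is an illustrative assumption.
"""
import re
from collections import Counter

# Combined Log Format, one request per line, e.g.
# 198.18.0.1 - - [10/Oct/2023:13:55:00 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def window_stats(lines, window_seconds):
    """Summarise all requests seen in one time window."""
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    if n == 0:
        return {"rps": 0.0, "requests": 0, "distinct_ips": 0,
                "top_path_share": 0.0, "top_ua_share": 0.0, "error_share": 0.0}
    paths = Counter(r["path"] for r in recs)
    uas = Counter(r["ua"] for r in recs)
    errors = sum(1 for r in recs if r["status"][0] in "45")
    return {
        "rps": n / window_seconds,                          # overall request rate
        "requests": n,
        "distinct_ips": len({r["ip"] for r in recs}),       # how distributed the sources are
        "top_path_share": paths.most_common(1)[0][1] / n,   # 1.0 = every request hits one path
        "top_ua_share": uas.most_common(1)[0][1] / n,       # 1.0 = every request has the same UA
        "error_share": errors / n,                          # 4xx/5xx fraction (server under strain)
    }


def classify(stats, baseline_rps, spike_factor=5.0, concentration=0.9, min_sources=50):
    """Heuristic verdict for one window relative to a known-good baseline rate.

    A surge of real users still looks like users: many paths, many browsers.
    A volumetric flood from a botnet is many sources sending the same request.
    The thresholds are assumptions; tune them against your own traffic.
    """
    if stats["rps"] < baseline_rps * spike_factor:
        return "normal"
    same_request = (stats["top_path_share"] >= concentration
                    and stats["top_ua_share"] >= concentration)
    if same_request and stats["distinct_ips"] >= min_sources:
        return "suspected-ddos"
    return "legitimate-spike"


# ---- constructed sample traffic (not real logs) ----------------------------
PATHS = ["/portal/login", "/portal/results", "/portal/messages",
         "/api/appointments", "/static/app.js"]
UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)",
       "Mozilla/5.0 (X11; Linux x86_64)"]


def make_ips(count):
    # 198.18.0.0/15 is the RFC 2544 benchmarking range, used here for fake sources.
    return [f"198.18.{i // 250}.{i % 250 + 1}" for i in range(count)]


def make_log(ips, paths, uas, status, per_ip):
    """Build per_ip requests from each source, rotating through paths and UAs."""
    lines = []
    for i, ip in enumerate(ips):
        for k in range(per_ip):
            path, ua = paths[(i + k) % len(paths)], uas[(i + k) % len(uas)]
            lines.append(f'{ip} - - [10/Oct/2023:13:55:{k % 60:02d} +0000] '
                         f'"GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')
    return lines


WINDOW = 60  # seconds covered by each log sample
BASELINE = make_log(make_ips(20), PATHS, UAS, 200, per_ip=3)        # about 1 request/s
LEGIT_SPIKE = make_log(make_ips(200), PATHS, UAS, 200, per_ip=3)    # 10x the users, same mix
FLOOD = make_log(make_ips(300), ["/portal/login"], ["python-requests/2.31"], 503, per_ip=10)


def triage(lines, baseline_lines=BASELINE, window_seconds=WINDOW):
    """Classify a log sample against the baseline; returns (verdict, stats)."""
    baseline_rps = window_stats(baseline_lines, window_seconds)["rps"]
    stats = window_stats(lines, window_seconds)
    return classify(stats, baseline_rps), stats


if __name__ == "__main__":
    for name, sample in [("baseline", BASELINE), ("legit spike", LEGIT_SPIKE), ("flood", FLOOD)]:
        verdict, s = triage(sample)
        print(f"{name:12s} {verdict:17s} rps={s['rps']:5.1f} ips={s['distinct_ips']:4d} "
              f"top_path={s['top_path_share']:.2f} top_ua={s['top_ua_share']:.2f} "
              f"err={s['error_share']:.2f}")
```

The constructed surge of 200 patients logging in during a clinic opening comes out as a legitimate spike (many paths, several browsers), while 300 sources hammering one login path with one tool user agent is flagged as a suspected DDoS. The obvious caveat is that a better-resourced botnet randomizes paths and user agents, so a clean "legitimate-spike" verdict is a triage result rather than proof; that is precisely the gap that external threat intelligence (known botnet sources, current campaigns) and the upstream scrubbing services discussed later are meant to fill.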
It is critical to ensure that operating systems, applications, and especially security safeguards are hardened and kept up to date and patched; otherwise their vulnerabilities may be exploited for DDoS and other types of attacks. However, only 57% are managing vulnerabilities (hardening, upgrading, and patching) in a timely fashion; 38% are working on this; and 4% do no vulnerability management or patching at all.
Many other safeguards can help with mitigating risk of DDoS attacks, including redundant network service providers, DDoS mitigation appliances able to detect and filter malicious traffic, and multiple servers and load balancers for high availability. Finally, cloud mitigation providers can offer healthcare organizations massive bandwidth, multiple DDoS mitigation safeguards, security expertise, and redundant sites to avoid a single point of failure and can scrub traffic to ensure healthcare organizations only see clean, legitimate traffic.
Only by looking ahead, anticipating trends such as the growth of cloud computing in healthcare and threats such as DDoS, and proactively identifying deficiencies in safeguards, can we as healthcare security professionals enable healthcare to minimize disruption and ensure reliable, high-quality, lower cost healthcare delivery.