1 year ago


healthcare PROTECTING

healthcare PROTECTING DATA TO PROTECT PATIENTS CYBER CRIMINALS ARE NETTING MASSIVE FINANCIAL RETURNS FROM RANSOMWARE AND OTHER CRIPPLING CYBERATTACKS AGAINST HEALTHCARE PROVIDERS. HOW CAN THEY BE STOPPED? MARK SANGSTER, VP AND INDUSTRY SECURITY STRATEGIST WITH ESENTIRE, OFFERS HIS INSIGHTS Healthcare providers, support services and technology manufacturers have emerged as a favoured target of cyber criminals. Beyond the headlines of NHS shutdowns and delayed patient care, multiple studies, from the Information Commissioner's Office (ICO) to security research institute Ponemon, confirm healthcare as the industry's most vulnerable to cyber-attacks. Operational cyber-attack data generated from 24x7 monitoring of healthcare providers, insurers and equipment manufacturers indicate that these organisations face a significant exploit every hour of the day, which is four times more than financial services or law firms (2018 eSentire Security Operations Data). Such exploits vary in nature, but require security expert intervention, after the exploit evades standard prevention technologies, such as anti-virus, firewalls and intrusion prevention systems. "Headlines about systems hospital shutdowns only serve to paint healthcare as a lucrative target and invigorate criminal activities to develop industryspecific, contextually-accurate lures that yield higher success rates in network infiltration and malware infections," says Mark Sangster, VP and industry security strategist with eSentire. "Attacks today are more targeted and obtain payments through extortive negotiations. Ransomware attacks (malware that locks and encrypts files and then demands payment to unlock the files) have evolved to become denial-of-service attacks to threat medical service disruption and patient care interruption." CRIMINAL PROFITS Stolen medical records also yield tidy criminal profits. Whether public service or private practice, medical records are sold for 150% more than other personal data. "Healthcare organisations also face financial losses and penalties for mishandling confidential patient records. In 2016, the ICO fined Brighton & Sussex NHS Trust £325,000 for the loss of highly sensitive data including HIV positive patients. More recently in 2017, the ICO fined Lister Hospital, a facility owned by private health company HCA International, after patients' fertility records were not secured. Unencrypted audio recordings were sent to an Indian transcription company. The files, which had been stored on unsecured servers, were exposed to unrestricted internet searches." The worrying factor is that these sorts of fines and events will only increase with the implementation of 8 computing security March/April 2018 @CSMagAndAwards

healthcare more stringent privacy laws, such as the European Union General Data Protection Regulation (GDPR) that comes into effect in May this year (see page 24). In the US, nearly £17 million was levied against healthcare providers who failed to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) that provides data privacy and security provisions for safeguarding medical information, Sangster reveals. "Most notably, 21st Century Oncology, which operates nearly 200 treatment centres across 17 US states, was fined £1.6 million for exposing 2.2 million records and further incurred an additional £850,000 in Corrective Action Plan (CAP) expenses. Recently, a Washington area provider, MedStart, suffered a massive cyber-attack that crippled operations across 10 hospitals, 250 outpatient clinics, and affected 30,000 employees and hundreds of thousands of patients." The costs associated with cyber breaches go well beyond the immediate service disruption and clean-up costs. Victimised or negligent healthcare providers lose estimated millions to resulting employee training, enhanced security services, patient notifications, public relations fees, solicitor fees and potential legal actions. Fines and cleanup represent the proverbial tip of the fiscal iceberg. PREVENTING DATA BREACHES The collaborative nature of medical care leaves the industry vulnerable to elegant cyber attacks and data loss at the hands of employees, adds Sangster. "Much of this risk can be mitigated using standardised technologies and practices. The National Cyber Security Centre (a part of GCHQ) recently introduced Network and Information Systems (NIS) guidelines and objectives and frameworks for essential services." Most notable in the NCSC frameworks is distinction between security monitoring (section C1) and proactive event discovery (section C2). "Security monitoring pertains to known threats and compliance management through web and traffic monitoring, and IP connection reputation. Section C2 addresses the need to detect unknown attacks through proactive event discovery. Rightly so, the NCSC breaks a common misconception that compliance mechanism will detect all security threats. Security operations data commonly reveals billions of events that are detected inside perimeter defences. Cyber criminals employ techniques to evade standard security monitoring tools, such as anti-virus software or signature-based intrusion detection systems, which gives a direct indication of compromise." PROACTIVE DISCOVERY Section C2 is critical to healthcare providers who must defend against determined and well equipped cyber attackers. "Proactive discovery methods scour indirect, non-signature based indicators of compromise, including unusual traffic patterns and deviations from normal user activity," he further comments. Other, less direct, security event indicators may provide additional opportunities for detecting attacks that could result in disruption to essential services. The HIPAA standard also provides administrative, physical and technical guidelines around the protection of protect healthcare information (PHI). Sangster offers the following tips: Assign a designated qualified security practitioner to build a comprehensive security programme Conduct an annual risk assess to identify vulnerabilities and attack scenarios Conduct regular security awareness training for all employees and Mark Sangster, VP and industry security strategist with eSentire conduct friendly phishing attacks to test your defences Encrypt mobile devices and workstations to reduce the risk of unauthorised access to data Design and test an incident response and service restoration plans. Cyber criminals are netting massive financial returns from ransomware and other crippling cyberattacks against healthcare providers. "This trend will only escalate as criminal organisations focus well-tested attacks on healthcare organisations and their vendors, and resulting breaches lead to punitive fines, lost revenue, and crippled patient care," he warns. "Healthcare organisations must recognise this trend and self-identify as a cyber target. As the adage goes, an ounce of prevention is worth a pound of cure. It's time for the healthcare industry to invest in prevention through cybersecurity employee training, programme development and defences to extend beyond the identification of last year's attacks." @CSMagAndAwards March/April 2018 computing security 9