Attivo Networks' Ms Carolyn Crandall shares significant steps for the healthcare industry to implement in its cybersecurity solutions to reduce risks to patient lives
In a field where lives are at stake and every second matters, building more accurate models for a wider range of conditions and diagnoses is key, but it also brings cybersecurity risks that threaten the privacy and integrity of patient data.
The continuous technological development using AI within the healthcare industry has led to many positive outcomes for patients, saving lives and improving quality of life through new processes and practices for healthcare professionals.
However, Carolyn Crandall, chief deception officer at Attivo Networks, a company that provides detection, analysis and automated responses to in-network threats in real-time, believes there is still some way to go in improving security standards, despite the guidelines set by the Health Insurance Portability and Accountability Act (HIPAA).
She says: “Healthcare environments are incredibly complicated based on the devices they have to secure, the environments they must protect, the lack of vendor support related to security and limited government standards.
“Regulators have put in place guidelines for protecting personal healthcare information but haven’t been as prescriptive in setting minimum standards for medical devices and protection of their networks.
“This leaves a high degree of latitude in the baseline security that vendors must offer, variable policies on supplier management, and in security operations.”
What is lacking the most in current cybersecurity systems and how do the risks endanger patient lives?
Patients are increasingly connected to the internet during treatment – from the moment of a medical incident to discharge and aftercare.
This era of electronic medical records and the reliance on computerised lab reports has not only revolutionised clinical operations and patient care, but also exposed healthcare to new vulnerabilities.
Ms Crandall says: “Medical records and devices are being pervasively connected to the internet so that patient care can be improved.
“Security has traditionally been based on a perimeter defence where you create barriers so an intruder cannot get access to these networks or their data.
“However, unlike an office, these systems are often out in the open so that they can be used to treat patients or be accessed by care professionals.”
She explains that this creates elevated risk related to protecting these assets. In this environment, threat actors can now attack on the premises as well as remotely.
With patient lives at stake, there is pressure on operators to ensure these data exchanges are not disrupted by criminals in cyber-attacks.
However, within healthcare’s highly mobile environment, it is often near-impossible to find all interconnected devices, let alone patch and secure them.
Proactive measures are necessary to mitigate security risks, such as a threat detection approach, patching and stronger login settings.
Patches are a set of changes to a computer programme or its supporting data designed to update, fix or improve it, although Ms Crandall explains this is not always possible as many devices are not able to run anti-virus or other security tools in the same way a typical computer could.
The 51-year-old adds: “Device vendors don’t help the situation when they set default passwords and login settings to ‘admin, admin’, which makes attacker access even easier.
“Liability contracts also prevent any provider changes to these devices in the field, which also negates a defender’s ability to secure them.
“Put simply, attackers are readily able to get into these networks, and without proper in-network detection, can find themselves at risk of data theft, device tampering, ransomware, or interruption of services.”
Based on all of this, providers are being driven to change their security postures from prevention to detection where they assume that the attacker is already inside the network.
This then allows the priority to centre on detecting the threat before any harm can be done or “backdoors get established to facilitate an adversary’s return”.
What protocols are often ignored when setting up cybersecurity today?
It’s often only after an attack that staff wonder how they got there, so it’s imperative for businesses to focus on being proactive from the start to minimise the potentially devastating effect of a patient data breach or a compromise where a malware infection could mean life or death.
And at a time when medical devices and technology are becoming more sophisticated and “smart”, it is all the more demanding as new sets of vulnerabilities put digital systems at risk.
Traditional defences are often based on deflecting an attack, and Ms Crandall says not understanding where and how an attacker got in, how they are attacking, and what they are after leaves the gate open for another opportunity to gather intelligence and attack again.
“For defenders to outmanoeuvre their adversary they need to understand them,” she says.
“It is critical to shut down an attack, and there are tools like deception technology that are available today that are designed to gather threat, adversary, and counter intelligence so that organisations can be better armed to stop, eradicate, and prevent an attacker’s return.”
A recent report by information security insurance provider Beazley Breach Response revealed that healthcare organisations suffered 41% of all data breaches in the US during 2018 – the highest number of any sector in the economy.
The report also stated that direct hacking, the presence of malware, and human error were the main causes of data breaches in healthcare organisations.
How can healthcare organisations follow the best practices in data and network security?
Anaesthetic machines used in NHS hospitals that can be hacked and controlled from afar if left accessible on a hospital computer network hit the headlines last week, after the vulnerability was confirmed by cybersecurity company CyberMDX.
Despite GE Healthcare, which makes the machines, saying there was no “direct patient risk”, CyberMDX’s research suggested that the Aespire and Aestiva 7100 and 7900 devices are at risk of being targeted by hackers.
Analysis by BBC News found multiple references online to the Aespire and Aestiva machines being used in NHS Hospitals.
“New attack surfaces like IoT, cloud shared security models, and DevOps environments will also introduce new opportunities for attackers to exploit,” adds Ms Crandall.
“Attackers can be extremely well-funded, they can buy the resources they need, and transact on the dark web, which will allow them to build new attacks quickly and stay ahead of traditional security infrastructure.
“The concept of a perimeter where we can stop any attack trying to get in is in the past. Institutions must not rely on passive defenses to defend themselves.”
She suggests protocols companies should consider and incorporate into their own systems, which include starting to deploy more “military tactics” to protect environments that will enable them to detect threats that have bypassed prevention controls.
This will also allow them to collect adversary intelligence, and build pre-emptive defenses designed to manipulate attackers into making mistakes and revealing their presence earlier in the attack cycle.
The 51-year-old explains organisations that want the ability to have ongoing detection should adopt technologies like deception, which are designed to set landmines and quickly alert on attackers that are in the networks and looking to escalate their attacks.
These solutions are designed to work across typical user networks and data centers as well as medical device networks.
She says: “Having cybersecurity ‘hygiene’ like education, patching, multi-factor authentication, and segmentation is foundational, as is having preventative devices like firewalls, intrusion prevention, and endpoint protection solutions.
“Regular penetration testing will also tell whether these controls are working as they should across all attack surfaces and threat vectors.
“Information sharing through organisations like H-ISAC will be imperative to beating cybercriminals. Many times, attackers will use the same tools and techniques and apply them across a vertical.
“The better that public and private sectors communicate information on attacks and adversary intelligence, the more equipped the defenders will be to negate their success.”