
By Samantha Jacques, Ph.D., FACHE, AAMIF

With the rise in cybersecurity events, U.S. hospitals and health systems have been faced with an increasing incidence of extended disruptions including outages that strain care capacity and affect the ability of providers to care for members of their communities. These financially motivated attacks have degraded the resiliency of hospitals leading to regional public health challenges and, more importantly, patient safety issues.
So, what can hospitals and health systems do to fight these bad actors and improve the resiliency of their systems?
First, hospitals and health systems need to understand the top attack vectors used by bad actors. Currently there are three primary attack paths for most breaches in the health care sector:
- social engineering and credential harvesting,
- exposed vulnerabilities directly connected to the Internet, and
- third-party connectivity to the health and public health organization networks
Social engineering and credential harvesting attacks aim to obtain credentials such as usernames and passwords, using methods such as phishing emails, malicious websites, email scams and malware. Currently, this is the single greatest threat to organizations.
All known exploited vulnerabilities in systems or programs that can be reached over the Internet, including applications accessed through a web browser, pose a risk to hospitals. Outdated or unpatched software and hardware that is reachable from the Internet may provide an avenue for cybercriminals to gain access to hospital networks. Other issues such as misconfigurations or transfer of unencrypted data may also give bad actors a way in or expose information.
When discussing third-party connectivity attacks, hospitals and health systems should of course be concerned about third parties that hold data protected under HIPAA and other private data; however, that type of relationship is not the one most often exploited by bad actors. Of more concern are third parties that have direct access to the hospital network. When such a third party is compromised, the attacker inherits its access to the hospital network. These third-party attacks are the most difficult to identify and stop quickly unless there is real-time communication between the third party and the hospital.
Once the attack vectors are understood, hospitals and public health entities next need to implement basic practices to mitigate these three attack vectors. Here are steps hospitals and other entities should be taking to mitigate each type of attack.
Social engineering and credential harvesting:
- Implement basic email security tools reducing risk for phishing, spoofing and interception of email.
- Implement phishing-resistant multi-factor authentication (MFA). This adds a critical additional layer of security to protect assets and accounts, particularly accounts that are routinely compromised, Internet-facing, or have administrator or privileged access.
- Implement unique credentials (usernames and passwords) for each account and system so that attackers cannot reuse a compromised credential to move laterally across the organization, especially between networks.
- Separate User and Administrative/Privileged accounts. Using different accounts with unique credentials makes it harder for threat actors to gain access to administrator/privileged accounts even if user accounts are compromised.
- Train all staff in basic cybersecurity. Require organizational users to learn and practice more secure behaviors, including being able to identify phishing emails and email scams. Teaching users why strong and unique passwords are needed, and how to report suspicious attachments that may be malware, is the minimum.
Exposed vulnerabilities directly connected to the Internet:
- Complete an inventory of all Internet-facing systems and technology. Understand and document network topology for these systems as well as who has access to these systems as users and administrators.
- Implement a vulnerability management program to reduce exploitation of known vulnerabilities on these Internet-facing systems. This includes regular patching of systems as well as upgrading software and hardware versions regularly to ensure all known exploited vulnerabilities are mitigated.
- If possible, implement an endpoint threat detection and response system (EDR or ETDR). These systems combine real-time monitoring and collection of end point data with automated analysis and responses that can be rules-based.
- Stay connected to vendors and information sharing organizations (such as Health-ISAC) that share and report vulnerabilities. Implement a process to review these sources of information routinely and react to information about possible vulnerabilities in near-real time.
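The four steps above (inventory the Internet-facing systems and their owners, track known exploited vulnerabilities, and react to vulnerability feeds in near-real time) are one procedure, and the piece of it that benefits from code is the cross-reference: which inventoried assets are exposed to a vulnerability that is being actively exploited, and which of those should be fixed first. The script below is an added example and is not the author's or McLaren's own tooling. It assumes a feed shaped like CISA's Known Exploited Vulnerabilities catalog (an entry per vulnerability with vendor, product and a remediation due date); the feed records, the inventory, the vendor and product names and the `EXAMPLE-000n` identifiers are all constructed for illustration and do not refer to real products or vulnerabilities.

```python
"""Cross-reference an inventory of Internet-facing systems against a
known-exploited-vulnerabilities (KEV) style feed and rank what to patch first.

All inventory rows and feed entries below are CONSTRUCTED for this example.
A real deployment would load the inventory from the asset database and the
feed from a source such as CISA's KEV catalog (JSON); the matching and ranking
logic is the same.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str
    internet_facing: bool   # from the network topology documented in the inventory
    owner: str              # team responsible for patching this system


@dataclass(frozen=True)
class KevEntry:
    vuln_id: str            # constructed placeholder, not a real CVE identifier
    vendor: str
    product: str
    fixed_in: str           # first non-vulnerable version (assumption: feed supplies this)
    due_date: date          # remediation due date published with the entry


# Constructed inventory: one reachable VPN gateway, the same product internally,
# a patched portal, an unrelated integration engine, and a device whose version
# string does not follow a plain dotted scheme.
INVENTORY = [
    Asset("vpn-gw-01", "ExampleVendor", "SecureGate VPN", "7.0.2", True, "Network Engineering"),
    Asset("patient-portal", "ExampleVendor", "PortalServer", "3.4.0", True, "Web Team"),
    Asset("pacs-internal", "ExampleVendor", "SecureGate VPN", "7.0.2", False, "Clinical Engineering"),
    Asset("hl7-broker", "ExampleVendor", "IntegrationEngine", "2.1", True, "Integration Team"),
    Asset("legacy-scanner", "ExampleVendor", "ImagingConsole", "5.2.1-sp3", True, "Clinical Engineering"),
]

# Constructed KEV-style feed (fictional vendor, products and identifiers).
KEV_FEED = [
    KevEntry("EXAMPLE-0001", "ExampleVendor", "SecureGate VPN", "7.1.0", date(2024, 1, 15)),
    KevEntry("EXAMPLE-0002", "ExampleVendor", "PortalServer", "3.4.0", date(2024, 2, 1)),
    KevEntry("EXAMPLE-0003", "ExampleVendor", "ImagingConsole", "5.3.0", date(2024, 3, 1)),
]


def parse_version(v: str) -> Optional[tuple]:
    """Parse a plain dotted version ('7.0.2') into a comparable tuple.
    Returns None for anything else so the caller can flag it for manual review
    instead of silently treating it as patched or unpatched."""
    try:
        return tuple(int(part) for part in v.split("."))
    except ValueError:
        return None


def check(asset: Asset, entry: KevEntry) -> Optional[str]:
    """Return 'vulnerable', 'review' (version not comparable), or None (no match
    or already at/after the fixed version)."""
    if (asset.vendor.lower(), asset.product.lower()) != (entry.vendor.lower(), entry.product.lower()):
        return None
    installed, fixed = parse_version(asset.version), parse_version(entry.fixed_in)
    if installed is None or fixed is None:
        return "review"
    return "vulnerable" if installed < fixed else None


def prioritize(inventory, feed, today: date) -> list:
    """Match every asset against every feed entry and order the findings:
    Internet-facing first, then entries already past their due date, then by
    due date, so the list reads top-down as the patch queue."""
    findings = []
    for asset in inventory:
        for entry in feed:
            status = check(asset, entry)
            if status is None:
                continue
            findings.append({
                "hostname": asset.hostname, "vuln_id": entry.vuln_id, "status": status,
                "internet_facing": asset.internet_facing, "overdue": today > entry.due_date,
                "due_date": entry.due_date, "owner": asset.owner,
            })
    findings.sort(key=lambda f: (not f["internet_facing"], not f["overdue"], f["due_date"], f["hostname"]))
    return findings


def run_example() -> list:
    """Run the constructed scenario as of a fixed date so results are reproducible."""
    return prioritize(INVENTORY, KEV_FEED, today=date(2024, 2, 1))


if __name__ == "__main__":
    for f in run_example():
        flag = "EXTERNAL" if f["internet_facing"] else "internal"
        late = "OVERDUE" if f["overdue"] else f"due {f['due_date']}"
        print(f"{f['hostname']:16} {f['vuln_id']:14} {f['status']:10} {flag:9} {late:15} -> {f['owner']}")
```

In the constructed scenario the Internet-facing VPN gateway, already past its due date, lands at the top; the imaging console comes next because its `5.2.1-sp3` version cannot be compared mechanically and needs a person to check it rather than being silently skipped; the internal copy of the VPN product ranks below both; and the portal is dropped because it is already at the fixed version. The version comparison is deliberately simple (plain dotted numbers only) because vendor version schemes vary, which is why unparseable versions are surfaced as `review` instead of guessed at.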
Third-party connectivity:
- Reduce risk from third-party suppliers and vendors by minimizing the products and services that require connectivity to the hospital network. Allow only the connectivity that is strictly required and, if possible, require multi-factor authentication for external entities entering the hospital network.
- Add clauses in the contract with third parties to detail required communications between organizations when breaches occur. Ensure that each third-party vendor is required to disclose events to the hospital in near real-time. Include procedures to disconnect from vendors and when/how to re-connect after an incident.
- Detect issues using monitoring tools and through review of reports provided by information sharing organizations such as Health-ISAC. Respond to relevant threats quickly and sever access promptly to minimize impact to the hospital.
This current environment where threat actors are actively targeting the health care sector also requires hospitals and health systems to have robust incident response and preparedness teams. Incident plans should be tested using tabletop exercises by teams across the organization. Clinicians and hospital staff should be trained in downtime procedures and be able to implement them quickly and efficiently. Having well developed and tested incident plans will allow hospitals to ensure patient safety while recovering from cyber events.
Unfortunately, it’s not advanced tactics or artificial intelligence that attackers are using to breach hospitals and health systems. It’s basic tactics, techniques and procedures (TTPs) that cyber actors use to breach and navigate hospital networks. It’s now up to hospitals to implement controls that mitigate these risks and help keep patients safe. Let’s get the basics right.
Samantha Jacques, Ph.D., FACHE, AAMIF, is a vice president of clinical engineering with McLaren Health
