Healthcare IT News
By Nathan Eddy | February 08, 2019
Mobile device exploits, cloud-based data breaches, ransomware — these are just three of the major information security threats healthcare organizations will have to watch out for in 2019 and the years that follow.
It will be critical to ensure that information communication technology (ICT) infrastructure is secure, a task that has become exponentially more complicated due to the proliferation of mobile devices like smartphones and tablets, which are used by healthcare professionals in the field and in hospitals.
In addition to securing mobile devices, the proliferation of connected devices like medical equipment and other Web connected elements—the Internet of Things (IoT)— can be particularly weak security endpoints, and need to be properly secured and updated at all times.
Healthcare IT News spoke with Fidelis Cybersecurity Chief Scientist Abdul Rahman and Marlon Harvey, Cisco healthcare solutions architect, to define five of the top information security threats facing healthcare organizations this year.
Security and compliance risks are major considerations as healthcare organizations move large pools of confidential data, and the burden placed on the IT staff is a major challenge of operating healthcare IT workloads in the cloud.
“The main risk is a breach, and part of the beauty of the cloud from an adversary perspective is that they don’t need to spend reconnaissance time looking at on-premises components,” Rahman said. “We now get into a situation of how to monitor traffic and data to and from the cloud.”
He explained the security model, and the organization’s data at rest problem becomes much larger.
“It takes a lot more effort to defend that terrain than it does for them to attack it — the advantage is tipped in their favor, and I don’t think that’s going away.”
Unsecured mobile devices
A “tsunami of connectedness” will continue to be a major challenge to healthcare security, Harvey said. “As soon as an employee goes mobile, you have automatically changed your landscape in terms of the threats. That becomes a major concern.”
When it comes to BYOD policies for healthcare, enabling access to different systems, and considering the security that needs to go into how that device is profiled, all need to be paramount.
“If it’s an Apple device, say — something that is already pretty locked down — it may still need some security augmentation, especially if used in a healthcare environment,” Harvey said. “I will always have my mobile phone with me, and I’m trying to log into other devices. I should be able to leverage an additional authentication capability.”
Ransomware is expected to be a major information security threat to healthcare in 2019 noting the majority of ransomware was propagated through phishing, a user-based mechanism that tricks people into facilitating malicious network connections.
“Organizations need to determine where their weaknesses are, and the most optimal paths where an outside adversary could bring in malware,” he warned. “Healthcare information is extremely valuable on the black market, because of the desire of bad actors to have the ability to identify other individuals. I don’t see that going away.”
Rahman said healthcare organizations need to step up their efforts to improve visibility into how traffic is moving in the organization in order to identify patterns of ransomware.
“There is an attack surface that has to be protected — external and internal,” Rahman explained. “This protection can’t be solved through technology alone — it has to be user driven.”
IoT and connected healthcare bring some huge opportunities for healthcare organizations, but they also raise some major new challenges, with security and data privacy at the top of the list.
Wearable and implantable IoT healthcare devices, from insulin pumps to monitors to pacemakers, can be vulnerable to attack.
Rahman said the proliferation of IoT devices and security risks are tightly bound together, with a major issue being the security of the data to collect, store, and transmit.
“What we’ve seen is a lot of IoT devices are not capable of supporting an endpoint security agent, which means they don’t have the ability to block a signature of malicious behaviors or an attack,” Rahman said.
Because of the sheer volume and diversity of platforms running on IoT devices, developing endpoint security agents is going to be a huge logistical and technical challenge.
“There’s absolutely going to be a proliferation of IoT devices in the healthcare industry,” he said. “How do you protect the attack surface of such a diverse range of unmanaged components?”
Lack of employee awareness and education still present a grave security threat in the healthcare industry, with multiple surveys indicating lack of preparedness and understanding of security policies leads to the improper exposure of sensitive patient data.
“Security policies will fail without the proper training of people,” Harvey said. “It comes down to what you define your security policies and what they are based on.”
This could include daily reminders, gameafication, different ways of how to ensure employees are employing to security policies — and keeping in mind that despite rampant digitization, people are still involved.
“How do you ensure that you have a standardized level of knowledge and behavior when it comes to people and security?” Harvey said.