Outdated Healthcare IT Infrastructure is Attracting Cybercriminals to Hospitals Part II

By Jim Holt, EVP

In the spring, I wrote about how outdated healthcare IT infrastructure is attracting cybercriminals to hospitals. Healthcare systems of all sizes have been the most cyber-attacked industry over the last five years, and an outdated IT and network infrastructure is the most likely penetration path, according to Cisco Cybersecurity Ventures.

In 2019, the Cybersecurity Almanac outlined the factors that attract healthcare attacks. Cybercriminals are drawn to healthcare systems and hospitals for three main reasons: (1) they lag behind other industries in attracting and retaining experienced cyber and infrastructure personnel; (2) they have highly valuable data, which estimates suggest is 50 times more valuable than financial information; and (3) they have more vulnerability in their overall wired and wireless infrastructure than many other industries.

Experts predict that cyber attacks on healthcare organizations will quadruple in the coming 24 months. The report suggests that the healthcare industry will spend more than $65 billion on consulting, cybersecurity products and especially infrastructure upgrades over the next three years.

Over the last three months, discussions and projects around infrastructure security in hospitals have surfaced some additional areas of vulnerability to add to the last outline, thus Part II. We’ve added some recommended steps to remedy the at-risk infrastructure.

There are many probable and even more possible attacks that will impact your favorite healthcare systems over the coming years. Most attacks can be avoided and attacks that cannot be avoided can be managed to minimize the damage – by planning and eliminating inadequate security practices.

2019 Top Ten Inadequate Infrastructure Security Practices:

  1. Weak and Shared Passwords (even to guest WiFi)
  2. Lack of Adequate Patching Processes to all components
  3. Stolen Devices have become the #1 approach for credential theft and later for access, so prevention, physical security, and MDM are critical.
  4. Readiness and Response plans for distributed denial of service (DDoS), which are growing in sophistication and size, increasing 40% annually.
  5. Security for rapidly growing “connected devices” (medical devices, alarms, Machine to Machine, Smartphones, “Wearables”, IoT).
  6. User Awareness, because users are the common point of interaction with the attack assets – emails, links, attachments, webpages, and more. Users become part of the attacks in the role of negligent users, victims, users sharing credentials and sadly, however rare, as malicious insiders.
  7. Infrastructure Resources are a major source of inadequacy, affecting both infrastructure and overall IT. Resource inadequacy starts with a lack of resources, then moves to a lack of qualified and experienced resources, and usually ends in an inability to retain your best talent.
  8. Planning for Data breach, incident response, business disruption and continuity – this includes downtime procedures, backup network planning, etc. Are these practices sound?
  9. Layered Security Strategy, Practices and Solutions for monitoring, prevention, detection, response, recovery, and improvement – align to your security layers.
  10. Security Visualization and Network Visualization through monitoring and including “unified” full packet capture with analysis.

Now let’s look at high-level steps to remedy the at-risk infrastructure inadequacies.

  • Infrastructure teams need a seat at the table. Become part of the Enterprise Security Strategy – an average of 46% of you are “working” on security initiatives, but don’t have a clear plan. Infrastructure should offer a subset layered security strategy, in other words, your approach to prevention, attack, detection, response, recovery, and improvement.
  • Get Executive Buy-In – 60% of you don’t have enough support. Educate your executive suite on the security challenges you’re facing, but align them to business goals. Discuss the plan you wish to put in place and how it helps uphold the executive and user concerns. Lastly, cover the potential business repercussions to the organization should the infrastructure security plan not be made a priority. Remember studies show deficient executive support and lack of specialist engineering staffing as the number one problem.
  • Obtain Necessary Budget – A massive 80% of you don’t have the budget necessary. Use requirements gathering, a network assessment, your plan, and your priorities to execute the strategy, and leverage the executive buy-in you have to earn the money. You provide access to acute and ambulatory EMR; compare the budgets.
  • Assist your Enterprise Security Culture – one of the largest concerns is that of negligent users falling prey to phishing scams, clicking on links, opening documents, and providing credentials to fake websites or other users. Your executives need, and are likely establishing, a security culture. The network touches everyone daily, even when they are not on-premise and especially when they are. Many infrastructures are beginning to be a part of daily security awareness training.
  • Report on infrastructure aligned with Executive stated goals. One goal in every healthcare organization is compliance, and most if not all have some security standard included, like NIST or ISO 27001. Report on HIPAA, SOX, GDPR, PCI and your security standards.
  • Invest in Leading Infrastructure Technology, but only after thorough lifecycle planning and enterprise requirements gathering, ideally assisted by an unbiased, qualified and experienced third party. Avoid any chance of bias in your discovery, outcomes, and plans. It’s important for many reasons, not the least of which are life safety and HIPAA compliance, to take advantage of advancements in technology, but do it at a pace that you can absorb. Remember that the criminal organizations now leverage leading technologies to improve the art of their attack. 2018 was a year of some sensational attacks, like 75,000 records compromised at the US Centers for Medicare and Medicaid Services (CMS). Advancing your infrastructure will reduce risk, gain resilience, gain performance improvement and capacity, increase user satisfaction and, lastly, drive a culture of security awareness.


You’ll be surprised at the rapid results and the money you’ll save by having us perform a wireless, network and security assessment. We’ll be thorough, but in and out quickly. You’ll then have a report on all of your infrastructure vulnerabilities and as a bonus your wireless capacity, coverage and network issues. If your infrastructure is in the “outdated” category, it won’t be for long. Let’s talk. We’ll help you find your answers.