The cybersecurity professionals at Fortinet sat down with Fortinet's National Healthcare Practice Director, Sonia Arista, to get her professional perspective on the key cybersecurity trends impacting the healthcare space today.
Undoubtedly, it is the high black-market value of patient records and the ability to manipulate and take apart the data elements within those patient records for individual sale. In a typical patient record, you have PII (personally identifiable information), such as a social security number, address, demographics, and potentially billing information. However, you also have a provider/insurance number. These can be sold by malicious actors to submit false Medicare claims, falsify identity for prescription drugs, or to sell as a patient profile on the dark web in order to get medical services.
From a value standpoint, pediatric records typically have a higher value because malicious actors and black market buyers know they can use this information longer without being discovered, as this type of fraud is not usually identified until the child is 18 and is beginning to apply for credit. This shows forethought on the part of cybercriminals selling this information in knowing that there will be more value in records that can be maintained longer without discovery.
This trend is likely to continue throughout 2018 and into 2019. I believe we have not yet seen the full results of how malicious actors are using this information.
Shadow IT has grown exponentially, particularly in a provider environment where you have un-vetted IT solutions that are adopted directly into clinical spaces. Many of these solutions do improve patient care and clinical workflow, but have not gone through the same security controls and review from an IT standpoint that your typical enterprise, IT-sanctioned solution or medical device would be subject to.
CIOs and CISOs at healthcare organizations that provide patient care are struggling with visibility into all of these different shadow IT solutions, unapproved vendors, and devices that are being tested and adopted in the clinical and research setting. It is also important to note that readily adopted consumer IT used in the healthcare setting currently has no governing organization to enforce validity of the applications or ensure data integrity; for the most part these are free-market apps that can have poor development and coding vulnerabilities.
Clinical risk management teams are also very concerned about shadow IT, as the use of these “unsanctioned” tools is not documented as part of the formal medical record. This can lead to problems when trying to audit information about what systems and processes supported patient care.
Finally, from a privacy standpoint, there is loss of visibility of access and potential diluting of security of patient data shared with third parties as part of a software as a service (SaaS) or outsourced platform. This sharing of data, although it may be “contractually authorized”, is often not readily understood by the common layperson or patient; much like the public confusion that ensued with the discovery of broad-based social media information sharing.
Beyond email security challenges, application-level security is challenging providers the most. When you have upwards of 200 applications in your portfolio that you are trying to manage in a health system, it’s very hard to keep up with regular patching and consistent communication with your vendors regarding security concerns. The large number of solutions also makes it hard to budget for deep-dive analyses of code for all of those applications, so many healthcare providers are heavily reliant on vendors to ensure secure coding, high availability, and secure data storage and transfer practices.
Coupled with the fact that the majority of those solutions are now in the cloud, or are in hybrid environments, CISOs continue to be concerned about the management of security of the public or private cloud repositories that store these applications in addition to the SaaS applications themselves. Poor management of authentication certificates or poor application of encryption can also lead to significant security vulnerabilities.
In my experience, during a security event, the ability to remediate effectively is severely impacted by the distribution and differing logs that come from having multiple security tools, or “point products”. In the throes of an active security event, the proposition is either to pay a substantial amount for many consultants to help with forensics, or to scramble to extract logs from all of these various tools and attempt to perform a manual correlation of events: reconciling time stamps, gathering endpoint data, inspecting authentication activity and attempting to follow the incident through the environment. It is critical, as part of the remediation and incident response planning process, to account for how many data points you will need to readily understand the damage. If those are coming from a broad number of tools, and you are reliant on various system engineers and analysts that only know that specific system, you are leaving yourself vulnerable to latency in remediation, and potentially a larger data breach.
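The manual correlation described above, normalizing timestamps from several point products into one UTC timeline and then pivoting on a user or source address, as an added example that is not code from the article, Fortinet or Secure Sense. The three log formats, the host names, the UTC-4 site offset for the domain controller and the 2018 log year are all assumptions made for the sample.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines imitating three hypothetical "point products"; each
# uses its own timestamp convention. None of these are real product formats.
FIREWALL_LINES = ["2018-05-03T14:02:11Z fw01 deny src=10.0.5.23 dst=203.0.113.9 dport=445"]
EDR_LINES = ["05/03/2018 10:01:40 -0400 host=ws-nurse17 user=jdoe proc=mshta.exe"]
AUTH_LINES = ["May  3 10:01:05 dc01 Logon user=jdoe src=10.0.5.23 result=success"]

# Assumption: the domain controller logs local time with no offset; its site is UTC-4.
DC_TZ = timezone(timedelta(hours=-4))
LOG_YEAR = 2018  # syslog-style lines omit the year; taken from the case being worked

KV = re.compile(r"(\w+)=(\S+)")  # pulls key=value fields out of the free-text tail

def parse_firewall(line):
    ts, rest = line.split(" ", 1)  # ISO 8601 with explicit Z suffix
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": "firewall", **dict(KV.findall(rest))}

def parse_edr(line):
    ts, rest = line[:25], line[26:]  # US date, local time, explicit -0400 offset
    when = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S %z")
    return {"ts": when, "source": "edr", **dict(KV.findall(rest))}

def parse_auth(line):
    ts, rest = line[:15], line[16:]  # syslog "Mon dd HH:MM:SS", no year, no offset
    when = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=DC_TZ)
    return {"ts": when, "source": "auth", **dict(KV.findall(rest))}

def build_timeline(fw=FIREWALL_LINES, edr=EDR_LINES, auth=AUTH_LINES):
    """Normalize every source to UTC and return one chronologically sorted list."""
    events = ([parse_firewall(l) for l in fw] + [parse_edr(l) for l in edr]
              + [parse_auth(l) for l in auth])
    for e in events:
        e["ts"] = e["ts"].astimezone(timezone.utc)
    return sorted(events, key=lambda e: e["ts"])

def pivot(timeline, key, value, window_minutes=5):
    """Events within a window around any event matching key=value (e.g. user=jdoe),
    so one actor can be followed across tools without hand-reconciling clocks."""
    anchors = [e["ts"] for e in timeline if e.get(key) == value]
    w = timedelta(minutes=window_minutes)
    return [e for e in timeline if any(abs(e["ts"] - a) <= w for a in anchors)]

if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].isoformat(), e["source"], e)
```

Once the clocks agree, the logon on dc01, the suspicious process on the workstation and the blocked outbound SMB attempt line up as one sequence rather than three unrelated alerts.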
As automation and AI become more readily available, there will be tremendous value in the ability for healthcare entities to have visibility into the full environment that they did not have before. Machine learning based technologies are of tremendous value in readily identifying “outliers” or “atypical” user and system behavior that indicates a security event.
The regulatory constraints and windows for notifications to regulating bodies such as the HHS and OCR, as well as consumer state notification standards, are getting shorter. Assuming organizations have made the investment in AI and automation technologies, they will be able to get that level of detail faster, in terms of how many patient records or PII instances were potentially exposed and how broad a patient base will need to be notified in the case of an event.
I am still seeing a lot of exploitation of vulnerabilities that map back to CVEs that were published seven or eight years ago, so patching is still a problem. I don’t believe it’s only the fault of an IT team not patching, but because you have so many pieces of software running on different operating systems, versions, and hardware in hospitals, it is very challenging to push patches without validating that they will not have an effect on clinical services. In my prior experience as a CISO, it was astonishing to see the large number of vendor-requested anti-virus or patch exclusions, as many claimed they would degrade performance. This is a classic example of not holding software vendors accountable to a high standard of security, and of organizations having to potentially inherit significant risk.
From an exploit point of view, phishing and ransomware are still prevalent, and I have also seen a few instances of discovering cryptomining or botnet exploits in the environment. For the most part, patching against the known CVEs still needs to be a priority.
To protect your organization from attacks like WannaCry, or just to secure your organization and improve your security posture, make sure to reach out and contact us.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT, and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services, or just want to chat security, please give us a shout. If you’re looking to guest blog, please send an email here.