This week, a Ponemon Institute report reaffirmed what industry stakeholders have warned for several years: ransomware and other cyberattacks can lead to an increase in mortality rates. The driving factors for patient safety risks were directly tied to third-party vendor management and weaknesses brought on by the COVID-19 pandemic.
While the report was not surprising to those leading health care cybersecurity, it’s a strong reflection of health care’s greatest challenges and the need for providers to take a more proactive approach to close some of these major vulnerabilities.
The pandemic required health care delivery organizations to quickly pivot, bringing on a host of new technologies and platforms that enabled strong remote processes to support the workforce and telehealth usage. The Department of Health and Human Services also issued several enforcement discretions that expanded the types of platforms and data sharing previously not allowed under the Health Insurance Portability and Accountability Act.
The rapid adoption of these technologies strengthened hospitals’ response to COVID-19, including much-needed telehealth services, but in doing so, providers may have also introduced greater vulnerabilities, explained Joel Burleson-Davis, chief technology officer of SecureLink.
By swiftly bringing on new medical equipment, laptops and virtual private networks to support vendor and employee access, providers expanded the threat landscape “that malicious actors can exploit to breach highly valuable medical systems and records.” The risk is further heightened as most hospitals manually calculate “device inventory and don’t have reliable ways to identify which devices are active or inactive on the network at any given time.”
For Burleson-Davis, the combination of IoT medical devices and unsecured third-party connections is creating unnecessary vulnerabilities that leave providers particularly exposed to cyber threats. The health care sector continues to fall victim to sophisticated supply-chain attacks, including the recent Eskenazi Health and Memorial Health System attacks.
The incidents are prime examples of how attackers can use third-party vendors to target multiple hospitals at once. This year alone has seen 38 cyberattacks lead to network outages and service disruptions to 963 health care providers.
Overcoming challenges of scaling security infrastructure
One challenge with scaling cybersecurity infrastructure in health care is the tension between utility and security: “because minutes and seconds so often mean the difference between life and death, health-care systems are often deployed with broader access rights, so physicians can access the data they need,” Burleson-Davis explained. “Unfortunately, attackers can leverage these broad access rights to gain access to a large amount of confidential data or applications, or even to take control.”
As such, providers need to prioritize identity and access management, which will include gaining insight into the extent of widespread privileges across the enterprise and using two-factor or multi-factor authentication on critical endpoints, said Gary Brickhouse, health care cybersecurity advisor and chief information security officer of GuidePoint Security.
Best practices for privilege management will include an assessment of user rights to limit their overall footprint, leveraging MFA for remote access, and limiting privileges to only what the user needs to perform their work duties, he added.
A recent DEF CON Biohacking Village talk revealed that medical device vendors, in particular, have access to devices and can sometimes access the tech without notifying the provider.
In one concerning narrative, Erik Decker, Intermountain Healthcare assistant vice president and chief information security officer, explained that sometimes the vendor will access their platform without notifying the entity, at times during the middle of care.
“How much stuff is happening in my environment that I don't even have visibility into, or control over?” Decker mused, at the time. “And what happens when it’s in the middle of an operating room and a surgery is going on and we’re not controlling for that? That’s my sort of challenging statement of reality.”
The scenario affirms that part of the access management process must include gaining visibility into exactly what vendors have access to across their systems. Providers need to take steps to limit “network and user access across applications, including implementing zero trust network access, monitoring application access, and regularly reviewing access rights among users and vendors,” said Burleson-Davis.
To start, organizations will need to develop a user access review policy, if they don’t yet have one in place. The policies will need to address just what users or outside parties have access to, the most important information in need of greatest protection, the users and tech most vulnerable to risk, and the types of software that could mitigate those risks, he explained.
These questions will inform the access review policy “by establishing a consistent review schedule, an ongoing record of all changes made within the organization, a regular check on access permissions, and a system that ensures the right managers are handling these reviews.”
Burleson-Davis also recommended zero-trust principles or least privilege, which restrict access rights and program privileges to what the job requires, and advised that “access should also be granted temporarily, ceasing after a given time has expired or after an individual has gathered the information they need to complete a given task.”
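To make the access-review and temporary-access advice above concrete, here is an added example (not from the article, SecureLink or GuidePoint) of a small ledger that grants vendor or staff accounts time-bound, least-privilege access, revokes it when the task is done, records every change, and lists current holders for a scheduled review. All account names, systems and timestamps in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class Grant:
    principal: str                  # vendor or staff account
    system: str                     # the application or device it covers
    scopes: frozenset               # only the rights the task needs
    granted_at: datetime
    ttl: timedelta                  # access lapses on its own after this window
    revoked_at: "datetime | None" = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.granted_at + self.ttl

class AccessLedger:
    def __init__(self, max_ttl: timedelta):
        self.max_ttl = max_ttl      # policy ceiling for any single grant
        self.grants = []
        self.audit = []             # ongoing record of every change made

    def grant(self, principal, system, scopes, now, ttl, approver):
        if ttl > self.max_ttl:      # no open-ended access, even for vendors
            raise ValueError("grant window exceeds policy ceiling")
        g = Grant(principal, system, frozenset(scopes), now, ttl)
        self.grants.append(g)
        self.audit.append((now, "grant", approver, principal, system, sorted(scopes)))
        return g

    def task_complete(self, g, now, by):
        g.revoked_at = now          # end access as soon as the work is done
        self.audit.append((now, "revoke", by, g.principal, g.system, "task complete"))

    def authorize(self, principal, system, scope, now):
        return any(g.active(now) and g.principal == principal
                   and g.system == system and scope in g.scopes
                   for g in self.grants)

    def review(self, now):          # scheduled review: who holds access to which system
        live = [g for g in self.grants if g.active(now)]
        return {s: {g.principal for g in live if g.system == s} for s in {g.system for g in live}}

def demo():
    # Constructed scenario: a vendor technician gets a four-hour window on a device console.
    t0 = datetime(2021, 9, 24, 8, 0, tzinfo=timezone.utc)
    ledger = AccessLedger(max_ttl=timedelta(hours=8))
    tech = ledger.grant("vendor-fieldtech", "pump-console", {"read-logs"}, t0, timedelta(hours=4), "biomed-manager")
    during = ledger.authorize("vendor-fieldtech", "pump-console", "read-logs", t0 + timedelta(hours=1))
    snapshot = ledger.review(t0 + timedelta(hours=1))
    ledger.task_complete(tech, t0 + timedelta(hours=2), by="biomed-manager")
    after = ledger.authorize("vendor-fieldtech", "pump-console", "read-logs", t0 + timedelta(hours=3))
    return during, snapshot, after  # (True, {"pump-console": {"vendor-fieldtech"}}, False)
```

The `audit` list is the "ongoing record of all changes" the policy calls for, and `review` is what a manager would run on the review schedule.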
“When building these initial access review policies, cross-organization communication and centralizing responsibility are key,” he added. “It may take some time upfront, but the reduction in cyber threats is well worth the effort.”