All industries need a sound cybersecurity strategy and incident response plan, but that is especially the case for health care given that instances of data breaches are on the rise. In its 2017 Internet Security Threat Report, Symantec noted that health care was listed second in the services industry in cyberbreaches, up 22% in 2016 over 2015.
Email attacks – in the form of phishing and ransomware threats - are on the rise. Cybersecurity Ventures sees ransomware attacks growing over the next three years, and they will result in organizations shelling out more than $65 billion by 2021. Verizon's 2017 Data Breach Incident Report also highlighted the escalation in health care ransomware attacks, but noted that insider misuse and mistakes were surging as companies said 68% of threats were internal versus 32% from outside sources.
A Bomgar survey also found that insiders and third-party vendors have become a top concern for two-thirds of security professionals, with 63% of respondents saying that employee mistakes and mishandling of data is their biggest challenge. Sixty-nine percent also reported that a third-party vendor, with access to the organization’s system, contributed to a security breach in the past year.
How to tackle the cybersecurity challenge
With all of these factors working against health care organizations, it is becoming extremely critical to set up procedures, security plans, implement new security technology and continually train employees on best practices.
“The cybersecurity incidents that have occurred underscore the growing volume and complexity of cyberthreats that are eroding trust in our digital age. They are an important reminder for all organizations to take a serious look at the people, process and technology aspects of securing their organization and implement a prevention-oriented, platform-based approach to stop attacks as early in the attack lifecycle as possible,” says Matt Mellen, security architect of healthcare at Palo Alto Networks.
Another issue within the industry is that technology isn’t implemented as quickly as it becomes available, with health care IT facing particular cultural challenges.
“In many hospitals, there has been a common culture in which doctors’ preferences have been heavily weighted, making it difficult for IT to implement change,” Mellen says, adding that the culture is changing. “Cybersecurity initiatives that had once been blocked due to ‘possible outages that could impact patient safety,’ are now being welcomed in order to improve patient safety.”
FireEye’s Principal Consultant Jeremy Koppen and Senior Consultant D.J. Palombo note that the method of defending an organization against cyberattacks will vary based on its industry and the kind of data it needs to protect.
“The commonalities between many of these threats are that they target the human element, which is often the softest spot in the security,” they added in a joint response. “Regardless of the threat actor, the goals are often the same once they are inside the environment: gather credentials, move laterally, and maintain persistence to allow them to conduct the main part of their mission.”
Contain the threat by building a strategy
It’s crucial to develop an incident response plan in order to deal with a breach, but much preparation should be considered before a plan is in place.
“One of the most important parts of an incident response plan is the preparation phase, where organizations take steps to better themselves and make their environment more ‘investigation friendly,’” Koppen and Palombo note.
When establishing the plan, companies need to consider many aspects across the entire spectrum – from designing better passwords for access to patient data and boosting security of medical devices to properly backing up patient data and setting up a communication process for clients and employees, especially with regard to how employees utilize systems, data and devices within the organization.
This could also mean restricting access to third-party vendors.
“Plans should identify the sensitive data in the environment, so that those systems can be prioritized as needed. Attention should be paid to understand potential attack vectors that include vendors as an intrusion method,” Koppen and Palombo say.
Does it work?
Once an all-encompassing system is in place, it becomes easier to prevent and fight potential data breaches. But it only works if it is reviewed on a regular basis.
“Start with an assessment of the current environment based on an industry standard, like NIST or HI-TRUST,” Mellen says. “The assessment should lead to tangible changes to the most critical findings identified, which need to be tracked to completion by the CISO’s office. This process should be repeated every six months.”
Other tips include keeping current with technology and educating staff to stay on top of new and more sophisticated threats.
“The most successful security strategies consisted of having a plan in place, appropriate technology and threat intelligence to investigate, and a trained team to manage specific tasks in the event of a security incident. This decreases the time required to respond,” Koppen and Palombo note.
Of course, the best way to mitigate the effects of a cyberattack is to not allow it to occur in the first place. Preventing it requires segmenting networks and adopting new technology that has higher standards of security, Mellon recommends, adding, “As threats are automated, response should be automated as well.”