To combat the flood of breaches in their sector, healthcare companies must go beyond cloud adoption and adopt zero-trust security.
Attackers routinely prey on unpatched network servers, misconfigured cloud settings, unprotected endpoints, and weak or non-existent identity management and privileged access protection. Attackers targeting healthcare prioritise stealing medical records, patient identities, and privileged access credentials. It costs a healthcare provider $10.1 million on average to recover from a breach, and a quarter of healthcare providers report that a ransomware attack has forced them to halt operations entirely.
Healthcare must build its cloud security on zero trust.
Forrester’s recent report, The State of Cloud in Healthcare, 2023, offers an informative look at how healthcare companies are accelerating cloud adoption in the hopes of improving cybersecurity. Eighty-eight percent of global healthcare decision-makers use public cloud platforms, and 59% use Kubernetes to improve the availability of their critical corporate systems. Healthcare providers spend an average of $9.5 million per year across all public cloud platforms they’ve incorporated into their tech stacks. To some extent, it’s working.
What is required is for healthcare providers to go all-in on identity and access management (IAM) and endpoint security as part of doubling down on zero trust. The most insightful element of the Forrester report is its evidence that the ongoing security investments of Amazon Web Services, Google Cloud Platform, Microsoft Azure, and IBM Cloud are hitting the target with healthcare providers: their collective effort to show that cloud platforms can be run more securely than legacy on-premises network servers is bearing fruit.
That is good news for the sector, since the latest figures from the U.S. Department of Health and Human Services (HHS) Breach Portal show that 458 healthcare providers were breached through network servers in the last 18 months alone, exposing over 69 million patient identities.
According to the HHS portal, 298 breaches compromised 39.9 million patient identities in the first six months of 2023. Of these, 229 resulted from hacking, 61 from unauthorised access or disclosure, and the remainder from theft of medical records. Since January, 54 breaches have been attributed to business email compromise (BEC) and pretexting, compromising the identities of 838,241 patients.
Patient medical records are in demand on the dark web because they give attackers a wealth of information. Cybercrime gangs and globally organised advanced persistent threat (APT) groups steal, sell, and use patient identities to construct synthetic identities. A single record can fetch up to $1,000, depending on how much identity and medical data it contains.
Turning weaknesses into strengths with zero trust
According to Forrester, healthcare providers are attractive targets because they rely on out-of-date legacy technologies, particularly for storing sensitive patient data. The urgency of delivering critical care to patients makes it harder to address this deficit.
“Threat actors are increasingly targeting flaws in cyber-hygiene, including legacy vulnerability management processes,” Ivanti’s chief product officer Srinivas Mukkamala told VentureBeat.
In fact, according to Ivanti’s Press Reset: A 2023 Cybersecurity Status Report, organisations across industries are falling behind in protecting themselves against ransomware, software vulnerabilities, API-related attacks, and software supply chain threats. Ivanti’s findings underline why zero trust should be a top objective for healthcare organisations in particular, since many trail their peers in other industries on these measures.
“CISOs may be hesitant to trust the public cloud,” Forrester found, “but outsourcing to a multitenant platform can benefit healthcare providers with military-grade AES 256 data encryption that helps prevent data exposure and theft. Global hyperscalers provide compliant instances as well as advisory services to assist with regulatory compliance. EHR platforms such as Oracle Cerner and Epic, for example, are now delivering cloud-based offerings and partnerships.”
Every healthcare provider needs a zero-trust strategy customised to its top threats.
The goal is to become more resilient over time without breaking the bank or asking the board for large investments. A zero-trust roadmap is the place to start, and CISOs and CIOs responsible for healthcare IT and cybersecurity can draw on a few foundational documents to adapt zero trust to their specific business risks.
The first comes from NIST’s National Cybersecurity Center of Excellence (NCCoE). Planning for a Zero Trust Architecture: A Guide for Federal Administrators, a NIST Cybersecurity White Paper (CSWP), describes the steps for migrating to a zero-trust architecture using the NIST Risk Management Framework (RMF).
Second, John Kindervag, who created zero trust while at Forrester and now serves as senior vice president of cybersecurity strategy and group fellow at ON2IT Cybersecurity, and Dr. Chase Cunningham were among several industry leaders who contributed to the useful President’s National Security Telecommunications Advisory Committee (NSTAC) Draft on Zero Trust and Trusted Identity Management. It defines zero-trust architecture as “an architecture that treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorised.”
The Cybersecurity and Infrastructure Security Agency (CISA) maintains a repository of the President’s NSTAC Publications, which serves as a useful index of the committee’s activity.
The spread of ransomware attacks underlines the importance of enforcing least-privilege access across every threat surface.
“We know that once bad guys get into the network and compromise it, the first [breached] machine can move laterally to the next machine, and then the next machine, and so on. Once they figure that out, your chances of having a ransomware breach and data exfiltrated from your environment increase,” Drex DeFord, executive strategist and healthcare CIO at CrowdStrike, told VentureBeat in an interview.
The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS) publishes a series of Threat Briefs that healthcare CISOs and CIOs should subscribe to and keep current with. The depth of analysis and insight HC3 provides in these briefs is outstanding.
One such brief, the November 3, 2022 Threat Brief titled “Iranian Threat Actors and Healthcare,” shows why nation-state attacks are among the most sophisticated and difficult to counter.
CISOs name two high priorities: a compromise assessment and a subscription to an incident response retainer service.
To ensure that their existing IT environments and tech stacks are clean, healthcare providers and supporting organisations require a clear baseline across all systems. “When you have a compromise assessment done, [getting] a comprehensive look at the entire environment and [making] sure that you’re not owned, and you just don’t know it yet, is incredibly important,” DeFord told VentureBeat in an interview.
If a hospital CISO does not already have an incident response retainer service, DeFord and the other CISOs interviewed for this piece recommend getting one. “That ensures that if something happens and there is a security incident, you can call someone and they will come right away,” DeFord said.
Endpoint security remains an ongoing challenge because of IoT, edge computing, and connected medical equipment.
Most legacy IoT sensors, the equipment connected to them, and medical devices were not designed with security in mind, which is why attackers favour them. According to Dr. Srinivas Mukkamala, chief product officer of cybersecurity firm Ivanti, executives must recognise the ongoing cost of keeping endpoints, IoT, and medical devices secure through continual upgrades. “Organisations must continue to move towards a zero-trust endpoint management model in order to see around corners and strengthen their security posture,” Mukkamala told VentureBeat.
According to Absolute Software’s 2023 Resilience Index, the average endpoint has 11 distinct security agents installed, each of which decays at a different rate and can conflict with the others. The result is an endpoint that is effectively unprotected and open to breach: overloading endpoints with too many agents can leave them as exposed as installing none at all. Healthcare CISOs and CIOs must audit every endpoint agent installed to determine whether and how they conflict with one another.
Knowing which identities hold access privileges on each endpoint, including third-party contractors and suppliers, is a critical component of that audit. The captured audit data is what makes it possible to establish least-privilege access controls that enforce zero trust on every endpoint.
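The audit-driven least-privilege review described above, and the lateral-movement pattern DeFord describes earlier, can both be worked from the same endpoint logon audit data. The Python below is an added example, not code from the article or from any vendor it cites. The entitlement inventory, the audit records and their field layout (timestamp, identity, source host, destination host, privilege) are constructed for illustration, and `THIRD_PARTY` is an assumed marker for vendor accounts; a real deployment would read the inventory from the IAM system and the records from the endpoint or domain audit log.

```python
"""Right-size endpoint entitlements from audit data and flag lateral-movement chains.

Added example. Inventory, log records and field names are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement inventory: (identity, endpoint) -> privileges granted there.
GRANTS = {
    ("alice", "ehr-app-01"): {"user", "admin"},
    ("alice", "ehr-db-01"): {"admin"},
    ("vendor-svc", "imaging-01"): {"admin", "user"},
    ("vendor-svc", "ehr-db-01"): {"admin"},
    ("bob", "ehr-app-01"): {"user"},
}
# Constructed: identities belonging to third-party contractors or suppliers.
THIRD_PARTY = {"vendor-svc"}

# Constructed audit log: timestamp,identity,src_host,dst_host,privilege_used
AUDIT_LOG = """\
2023-06-01T08:00:00,alice,wks-17,ehr-app-01,user
2023-06-01T08:05:00,alice,wks-17,ehr-app-01,user
2023-06-01T09:10:00,bob,wks-03,ehr-app-01,user
2023-06-02T22:01:00,vendor-svc,vpn-gw,imaging-01,admin
2023-06-02T22:04:30,vendor-svc,imaging-01,ehr-db-01,admin
2023-06-02T22:09:00,vendor-svc,ehr-db-01,ehr-app-01,admin
"""


def parse_log(text):
    """Turn the CSV-style audit lines into dicts with a real timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, identity, src, dst, priv = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "identity": identity,
                        "src": src, "dst": dst, "priv": priv})
    return records


def unused_grants(grants, records, third_party):
    """Granted privileges never exercised in the log: candidates for removal.

    Returns sorted (identity, endpoint, privilege, is_third_party) tuples so that
    vendor entitlements can be prioritised in the review.
    """
    used = defaultdict(set)
    for r in records:
        used[(r["identity"], r["dst"])].add(r["priv"])
    unused = []
    for (identity, host), privs in grants.items():
        for p in sorted(privs - used[(identity, host)]):
            unused.append((identity, host, p, identity in third_party))
    return sorted(unused)


def unregistered_use(grants, records):
    """Privilege use with no matching grant: inventory drift or abuse of credentials."""
    seen = set()
    for r in records:
        if r["priv"] not in grants.get((r["identity"], r["dst"]), set()):
            seen.add((r["identity"], r["dst"], r["priv"]))
    return sorted(seen)


def lateral_chains(records, window=timedelta(minutes=15), min_hops=2):
    """Per identity, find hops where each logon originates from the previous
    logon's destination within `window` (the machine-to-machine pattern
    DeFord describes). Returns (identity, [host0, host1, ...]) paths."""
    by_id = defaultdict(list)
    for r in records:
        by_id[r["identity"]].append(r)
    chains = []

    def path(chain):
        return [chain[0]["src"]] + [r["dst"] for r in chain]

    for identity, recs in by_id.items():
        recs = sorted(recs, key=lambda r: r["ts"])
        chain = [recs[0]]
        for cur in recs[1:]:
            prev = chain[-1]
            if cur["src"] == prev["dst"] and cur["ts"] - prev["ts"] <= window:
                chain.append(cur)
                continue
            if len(chain) >= min_hops:
                chains.append((identity, path(chain)))
            chain = [cur]
        if len(chain) >= min_hops:
            chains.append((identity, path(chain)))
    return chains


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    for row in unused_grants(GRANTS, recs, THIRD_PARTY):
        print("unused grant:", row)
    for row in unregistered_use(GRANTS, recs):
        print("use without grant:", row)
    for ident, hosts in lateral_chains(recs):
        print("lateral chain:", ident, " -> ".join(hosts))
```

Run against the constructed data, the review surfaces three granted-but-unused privileges (one held by the vendor account), one admin logon to ehr-app-01 by the vendor account that the inventory never authorised, and a three-hop chain from the VPN gateway through the imaging server and database to the EHR application server. The first list is what a least-privilege clean-up removes; the second and third are what a compromise assessment should be asked to explain.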