Healthcare facilities and medical data are an increasingly popular target for ransomware. As the FBI has warned, we should be concerned as these attacks escalate. Research from PricewaterhouseCoopers of large healthcare organizations revealed that 85 percent of IT administrators experienced a data breach in the prior 12 months. For an enterprise or financial company, attacks like this are crippling; but for a hospital, the implications of a breach and even worse – ransomware – are literally life and death.
Consider the case that was a hot topic at this year’s RSA Conference: Hollywood Presbyterian Medical Center in Hollywood, California. One evening last month, the hospital’s staff was suddenly unable to access the network. The facility’s IT department began an investigation and determined that they were the victims of an aggressive malware attack that essentially locked them out of their own computer systems.
The attack prevented hospital staff from sharing communications electronically; and after several days, it affected patient care. Several patients had to be transferred to neighboring hospitals, and staff had to use paper records and fax machines to communicate. The hospital brought in federal law enforcement to help but ultimately agreed to pay the hacker’s ransom demand of $17,000 in Bitcoin.
The consensus among security experts and healthcare professionals is that, although it could have been worse in terms of outcomes, it was a watershed event.
Cybersecurity experts are conflicted about whether the hospital should have paid the ransom. On the one hand, giving cybercriminals what they want only encourages more attacks. But on the other hand, a hospital is committed to saving lives and delivering quality care – which wasn’t possible as long as they were locked out of their systems. In the end, Hollywood Presbyterian did get its data back, but we all may pay the price for this incident in the form of escalated attacks against other healthcare facilities.
While this wasn’t the first hospital ransomware attack, its implications are serious and far-reaching. Clearly, the course of action for ransomware is highly problematic when patient lives are at stake.
Why hackers love healthcare
Since the Hollywood Hospital hack, there have been other serious incidents such as the hack of Florida-based chain of cancer treatment centers, which affected 2.2 million former and current patients.
Why are cybercriminals specifically going after hospitals and other healthcare facilities? The answer is twofold:
- Healthcare facilities are prime targets because of the type of data they store. Personally identifiable information (PII) such as patient names, dates of birth, Social Security numbers, financial records and health insurance information are all routinely stored. Selling PII on the Darknet is a lucrative business for hackers.
- Many healthcare facilities lack the cybersecurity skills, properly maintained security policies and dedicated IT staff to continuously secure and manage all of this valuable information.
The never-ending barrage of cyberattacks shows that the default strategy for preventing breaches isn’t working. In most cases, that default strategy consists of purchasing a wide array of security tools such as firewalls, anti-virus and Advanced Threat Defense (ATD) prevention platforms. But if security solutions aren’t deployed, configured and maintained properly, and if network security policies governing all of these tools are poorly managed and enforced, healthcare facilities will still be vulnerable.
Prescription for secure healthcare networks
Here are five key strategies healthcare IT and security professionals can implement to avoid becoming the next hacker horror story:
- Reduce the network attack surface. With more healthcare organizations sharing data across departments, facilities and partner networks, along with the rise of mobile devices, the attack surface of the hospital network has never been larger. Today’s hacker often exploits an overly permissive network to achieve lateral movement once they’ve gained access. A tightly segmented network can avoid lateral movement and isolate many of these attacks, stopping hackers dead in their tracks. Firewalls at the perimeter, along with internal firewalls, can restrict and secure connectivity by creating network segments, security zones and micro-segmentation.
- Enforce a network security policy baseline across all departments. Once the hospital network has been segmented into zones, each zone much be enforced with security rules. A unified security policy identifies unused, shadowed, unattached and expired security rules that can be removed without disrupting access to the system. A unified security policy also highlights rules that are risky, violating zone-segmentation policies, compliance mandates or rules that are inconsistent with best practices. IT automation is a tool that can help organizations achieve this on a much shorter timetable.
- Gain better visibility and control of all assets. Hospital security teams must have a clear understanding of the network topology in order to operate their networks securely and smoothly. This includes physical, on-premises network assets and applications as well as any cloud-based assets.
- Focus on network resiliency. No organization can prevent all breaches; that is the new reality. However, by taking the approach of network resiliency, healthcare organizations can respond to intrusion events with agility. This means that in the event of an attack, a hospital can still conduct business and treat patients. Building a moat around your organization’s network and focusing on zero-day attack vectors is not an effective strategy in today’s dynamic threat environment.
- Get network security on the boardroom agenda. It’s as important as fighting drug-resistant superbugs and improving quality-of-care rankings.
Healthcare IT and security professionals from CISOs to network administrators should take a “when, not if” approach to data breaches. They must prepare for cyber intrusions and take both preventative and proactive measures. Incident response procedures and diligent backups/redundancies are necessary for breach scenarios and other network security emergencies, but certainly are not enough.
By aligning all security policies across the entire healthcare network, implementing network segmentation to minimize exposure, using automation to mitigate network management misfires and planning ahead for how to respond to a breach, organizations can avoid becoming the next horror story splashed across the headlines and focus on what matters most: saving lives.
Ellen Fischl-Bodner focuses on cybersecurity at Tufin where she is the product marketing management subject matter expert on network security policy orchestration, compliance and solutions for industries such as healthcare and energy. She also blogs and presents webinars on hot topics in cybersecurity. Ellen is enthusiastic about innovation and has enjoyed key roles and publications that brought medical breakthroughs to mainstream adoption. Feel free to connect with Ellen on LinkedIn.