Where rural hospitals can find cybersecurity threat intelligence


Healthcare organizations of all sizes can protect against data breaches and system disruptions by maintaining strict cybersecurity standards such as implementing best practices, staying up to date on software vulnerability patches and backing up systems, says Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.

For small and rural hospitals and health systems hard pressed to stay on top of their cyber defenses, other members of Health-ISAC can provide essential support, expertise and collaboration that help them boost their cyber maturity.

Strong spirit of collaboration 

Before joining Health-ISAC six years ago, Weiss had spent 13 years defending against cyber threats in the financial industry.

“I think back to my time in the banking sector,” he said. “We literally had an army of people just in cybersecurity – thousands of people just doing cybersecurity for a bank.”

Most hospitals are not so lucky. Even large health systems are strapped for resources and skilled security staff, despite being especially vulnerable to threats.

“Number one, they don’t have the budgets to properly protect their networks and organizations as they should,” said Weiss. “And number two, I think that the attack surface area is just so much bigger.”

Weiss expresses admiration for the stamina of healthcare’s cyber defenders.

“I thought the level of collaboration, cooperation – the spirit of wanting to help each other out – was just so much better here in healthcare than anything I ever saw in financial services,” he said.

Health-ISAC is dedicated to sharing actionable cybersecurity information across the healthcare sector. Weiss encourages organizations of all sizes to join (and says membership costs less than many might expect).

“If you have questions, if you need best practices, people are very willing to put something out there, share example policies that they’ve developed that people could reuse,” he said. “There’s a lot of great sharing happening in those areas and good collaboration happening amongst members.”

For example, “they’re comparing notes with each other about some of the things that they’re doing in terms of third-party risk management and how they’re achieving that,” Weiss said.

Walking a tightrope

The healthcare industry must find a balance between utilizing innovative technology and maintaining strict security to protect patients as well as provider organizations.

“There are some really cool things happening in healthcare when it comes to advances in medical technology,” such as remote patient monitoring, hospital-at-home “and, of course, we can go off about the artificial intelligence as well being a component of all of that,” Weiss said.

The rise of these new technologies creates “avenues of vulnerability for the adversary” that compromise patient safety and privacy, and healthcare buyers should beware.

“The innovators in the space, the ones who are moving really fast, trying to get product to market as quickly as possible, may be shortcutting some of the cybersecurity steps that they should be considering as they’re fielding products,” said Weiss.

In the case of hospital-at-home, technology relies on patients’ home networks, which only increases attack surfaces for the adversary.

“It’s not just about breaking into a hospital,” he said. “That might be well-protected, but now going after a patient at home who’s on their home network that’s probably not at all well-protected and a lot more vulnerable to these kinds of attacks.”

While updates to the HIPAA security rule are more specific about what needs to be done to tighten data privacy and reduce risks, “there’s a big but,” Weiss said. 

“It’s the money, the resources and the talent to make all of that happen.”

Read to the letter, the HIPAA cybersecurity requirements will be difficult for anyone to implement across the variety of IT systems on healthcare organization networks while those deficits persist, he said.

The updated rule also includes estimates of the effort required for tasks such as penetration testing.

“I would call the estimate ludicrous,” Weiss said. “It was orders of magnitude way off in terms of how long it would take to properly do a regular repeating penetration test of a network.”

IT staff at some rural health systems also wear more than one hat, he pointed out. 

He said he spoke to one specialist with considerable security responsibilities in his role who also cut the hospital’s lawn weekly.

Resources to focus on

“We’ve been saying for a long time in cybersecurity, there’s some basic cybersecurity hygiene you have got to have in place if you’re going to be connected to the internet,” said Weiss.

Weiss advises rural and small-system security specialists to start with the U.S. Health and Human Services’ voluntary Cyber Performance Goals.

“If you can get through the first part, then maybe it’s time to start tackling the second part,” he said. 

The second critical resource is the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, which recently almost lost its funding under the Trump administration.

Staying up to date on patches “is where we see the health sector being vulnerable in particular,” Weiss said.

Cyber criminals gain footholds into organizations because they’re running exploits on very old vulnerabilities. 

“We’re seeing exploits from vulnerabilities that literally came out in 2014,” said Weiss, but “people can look at that list and say, ‘Hey, what are the bad guys attacking right now?’” and use KEV to prioritize patches for vulnerabilities in their environments.
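One way a small IT team can put the KEV catalog to work, as an added example that is not from the article, Health-ISAC or CISA: cross-reference a vulnerability scanner's findings against the KEV feed and patch known-exploited items first, ransomware-linked and most overdue at the top. The KEV excerpt mirrors the field names of CISA's real JSON feed, but the entries, CVE ids (CVE-TEST-*) and host inventory are constructed placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The CVE ids are
# placeholders (CVE-TEST-*), not real catalog entries.
KEV_FEED = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-TEST-0001", "vendorProject": "ExampleVendor", "product": "PACS Server",
  "dateAdded": "2022-03-01", "dueDate": "2022-03-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-TEST-0002", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
  "dateAdded": "2025-05-10", "dueDate": "2025-05-31", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-TEST-0003", "vendorProject": "OtherVendor", "product": "Mail Server",
  "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"}
]}""")

# Constructed inventory: unpatched findings a vulnerability scanner reported per host.
INVENTORY = [
    {"host": "pacs01", "cves": ["CVE-TEST-0001", "CVE-TEST-0009"]},
    {"host": "vpn-edge", "cves": ["CVE-TEST-0002"]},
    {"host": "lab-ws07", "cves": ["CVE-TEST-0009"]},
]


def prioritize(feed, inventory, today_iso):
    """Return the inventory findings that appear in the KEV feed, most urgent first:
    entries with known ransomware use come first, then the most overdue due dates."""
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    hits = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited: still patch, but in the normal cycle
            hits.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - date.fromisoformat(entry["dueDate"])).days,
            })
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_overdue"]))
    return hits


if __name__ == "__main__":
    for h in prioritize(KEV_FEED, INVENTORY, "2025-06-30"):
        flag = "RANSOMWARE" if h["ransomware"] else "exploited"
        print(f'{h["host"]:10} {h["cve"]:14} {h["product"]:28} {flag:10} overdue {h["days_overdue"]}d')
```

Against the live feed, replace the embedded excerpt with the JSON downloaded from CISA and the inventory with your scanner's export; the field names are the same.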

The next key step is backing up systems, making sure those backups work properly and regularly – maybe twice per year – practicing an all-systems-down recovery.

“Can I rebuild from scratch? How would I do that and try it out and make sure it works? Make sure the backups work,” Weiss advised. 

In addition, he said, “audit the user community on a regular basis to make sure everyone is forced to log in with multi-factor authentication.

“Sometimes whole classes of users do not have MFA turned on, or tokens were turned off and never turned on again,” he noted, so they should be checked monthly or quarterly.

“We had some really big, ugly events, incidents that were traced back to the failure of multi-factor authentication [being] enabled,” Weiss added, referring to incidents such as the Change Healthcare and Ascension breaches.

Rural hospitals have always been regarded as highly vulnerable to cyberattacks, but now, with near-daily attacks on hospitals and health systems, organizations of all sizes are being asked to get involved in improving their cyber resilience and helping their peers.   

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.
