What healthcare organizations need to do to protect their patients from data breaches.
The digital and physical worlds are not just intersecting — they are merging. And it seems clear that there are few places where the implications of such convergence pose greater risk than in the healthcare industry, where lives are literally on the line.
To better understand the risks and concerns of this latest trend, Fortinet recently surveyed members of the College of Healthcare Information Management Executives (CHIME), a professional organization for chief information officers (CIOs) and other healthcare IT leaders.
The survey reveals two noteworthy trends regarding the state of security in healthcare — as well as what care providers need to do next.
Three-quarters of survey respondents ranked the integration of physical controls and cybersecurity as “critical” or “important,” and respondents expect the issue to become more acute as physical security systems are increasingly connected to the network. Physical security locks down sensitive hospital areas and protects electronic patient data stored on medical devices, computers and in data centers, as well as access to stored paper records. But most physical access controls for data-sensitive areas (e.g., key card readers and number pads) neither collect and analyze access data nor share it with other security systems, so a badge event in one system and a logon in another are never compared.
Correlating data from physical systems with the organization’s broader cybersecurity architecture can reduce risk and help identify compromises of patient data that originate inside the organization. Last year, 56% of healthcare cyber-incidents were attributed to insider threats. Sharing data between physical access controls and cybersecurity tools such as identity and access management (IAM), network access control (NAC) or user and entity behavior analytics (UEBA) lets organizations detect suspicious user or device activity more effectively: for example, an interactive logon at a workstation inside a badge-controlled area by a user who has no matching badge-in event.
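The correlation described above, as an added example that is not code from the original article or from any Fortinet product: it joins a badge-reader log with a workstation logon log and flags interactive logons in a badge-controlled area that are not covered by a badge-in. The log formats, the workstation-to-area mapping and the sample events are constructed for illustration.

```python
"""Correlate physical badge-reader events with workstation logons.

Added illustration, not from the original article or any vendor product.
A user who logs on interactively at a workstation inside a badge-protected
area without a corresponding badge-in is suspicious: either the physical
control was bypassed (tailgating, propped door) or someone else is using the
account. The CSV layouts, area mapping and events below are constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed mapping: which workstation sits in which badge-controlled area.
# None means the workstation is in an open area with no reader.
WORKSTATION_AREA = {
    "DC-WS-01": "DATA_CENTER",
    "RAD-WS-07": "RADIOLOGY",
    "ER-WS-03": None,
}

# Constructed sample badge log (what a reader/controller would export).
BADGE_LOG = """\
ts,user,area,event
2019-03-04T07:58:10,jdoe,DATA_CENTER,ENTRY
2019-03-04T08:45:02,jdoe,DATA_CENTER,EXIT
2019-03-04T09:10:00,asmith,RADIOLOGY,ENTRY
"""

# Constructed sample logon log (what an IAM/SIEM feed would provide).
LOGON_LOG = """\
ts,user,host,type
2019-03-04T08:02:41,jdoe,DC-WS-01,interactive
2019-03-04T09:15:22,asmith,RAD-WS-07,interactive
2019-03-04T11:30:05,jdoe,DC-WS-01,interactive
2019-03-04T12:00:00,bchen,ER-WS-03,interactive
"""


def parse(text):
    """Parse a CSV log into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def _ts(s):
    return datetime.fromisoformat(s)


def present_in_area(badge_events, user, area, at, max_dwell=timedelta(hours=12)):
    """True if the user's most recent badge event for `area` before `at` is an
    ENTRY no older than `max_dwell` (stale ENTRYs with no EXIT do not count)."""
    last = None
    for e in badge_events:
        if e["user"] == user and e["area"] == area and _ts(e["ts"]) <= at:
            if last is None or _ts(e["ts"]) > _ts(last["ts"]):
                last = e
    if last is None or last["event"] != "ENTRY":
        return False
    return at - _ts(last["ts"]) <= max_dwell


def find_logons_without_badge(badge_text, logon_text):
    """Return (ts, user, host, area) for interactive logons inside a
    badge-controlled area that the badge log does not account for."""
    badge = parse(badge_text)
    alerts = []
    for logon in parse(logon_text):
        if logon["type"] != "interactive":
            continue
        area = WORKSTATION_AREA.get(logon["host"])
        if area is None:  # open area or unknown host: nothing to correlate
            continue
        if not present_in_area(badge, logon["user"], area, _ts(logon["ts"])):
            alerts.append((logon["ts"], logon["user"], logon["host"], area))
    return alerts


if __name__ == "__main__":
    for alert in find_logons_without_badge(BADGE_LOG, LOGON_LOG):
        print("logon without badge-in:", alert)
```

In the sample data, jdoe badges out of the data center at 08:45 and a logon on the data-center workstation appears at 11:30 with no further ENTRY, so that logon is reported; the 08:02 logon is covered by the 07:58 ENTRY. The `max_dwell` window is the practical caveat: readers frequently miss EXIT events, so an ENTRY must expire or the check degrades to “has this user ever badged in.”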
Physical security devices are themselves a target. According to Fortinet’s Q4 2018 Threat Landscape Report, six of the top 12 exploits detected in Q4 2018 targeted Internet of Things (IoT) devices, and four of those 12 targeted IP-enabled cameras. IoT devices are notoriously vulnerable to attack, and compromised physical-security devices are a serious threat to healthcare institutions. Compromised cameras could be used to conceal malicious on-site activity or to blind staff who monitor patients, and they also provide a foothold on the network from which attackers can launch DDoS attacks, steal personally identifiable information (PII), deploy ransomware and more.
While the Internet of Medical Things (IoMT) keeps growing, most healthcare organizations are still unprepared to address the security concerns these devices introduce. In rating security priorities for 2019, survey respondents placed IoMT device protection at the top: 60% ranked it as a “critical” or “high” priority. However, almost three-quarters (71%) of respondents also admitted that they are still in the process of segmenting their networks to protect these devices, and the patients who rely on them, from compromise.
Like traditional IoT devices, most IoMT devices lack built-in security capabilities. Not only are they unable to defend themselves, many cannot even be patched. Worse, many ship with hard-wired backdoors that let vendors troubleshoot them remotely, and those access paths are available to anyone else who can reach the device.
This inherent weakness exposes organizations to significant risk. Cybercriminals looking for electronic medical records (EMR), or for ways to disrupt broader institutional services, increasingly target IoMT devices. Network segmentation gives healthcare IT and security teams a clearer view of internal traffic, which is what makes the anomalous activity of a compromised IoMT device detectable. At a minimum, medical devices and sensitive patient data should sit on their own dedicated network segments, with a default-deny policy between segments, so that threats are detected and contained faster than edge protection alone allows.
Traditional static segmentation, however, is not enough on its own against today’s advanced threats. Intent-based segmentation translates business intent into the “where,” “how” and “what” of network segmentation, shortening the time needed to apply fine-grained access control, and its rules can be adjusted automatically based on continuous trust assessments of user and device behavior. As part of an integrated security architecture, intent-based segmentation improves an organization’s defensive posture, mitigates risk, supports compliance and improves operational efficiency.
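A dedicated IoMT segment only helps if the traffic allowed across its boundary is spelled out and everything else is flagged. The following is an added example, not code from the article or from any vendor: it expresses a default-deny policy for a medical-device segment and checks observed flow records against it, so that a pump talking SMB to its neighbor or a monitor calling out to the internet shows up immediately. The subnets, allowed services, ports and flow records are constructed for illustration.

```python
"""Check observed flows against a default-deny policy for an IoMT segment.

Added illustration, not from the article or any vendor product. Subnets,
roles, ports and flow records below are constructed sample data. Devices in
the IoMT segment may only initiate the listed connections and may only be
reached from the listed sources; anything else is reported as a violation
so the device can be investigated as possibly compromised."""
import ipaddress

IOMT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")     # pumps, monitors
EMR_SERVERS = ipaddress.ip_network("10.10.5.0/28")      # EMR / HL7 interface engines
NTP_SERVER = ipaddress.ip_network("10.10.1.10/32")
VENDOR_JUMPHOST = ipaddress.ip_network("10.10.9.5/32")  # brokered vendor support
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # hospital address space

# Connections an IoMT device may INITIATE: (dst network, proto, dst port).
ALLOWED_OUTBOUND = [
    (EMR_SERVERS, "tcp", 2575),  # HL7 over MLLP to the interface engine
    (NTP_SERVER, "udp", 123),
]
# Connections that may be INITIATED TO an IoMT device: (src network, proto, dst port).
ALLOWED_INBOUND = [
    (VENDOR_JUMPHOST, "tcp", 22),  # vendor troubleshooting only via the jump host
]


def _internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_flow(src, dst, proto, dport):
    """Return 'allow' or a short violation reason for one flow record."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in IOMT_SEGMENT and d in IOMT_SEGMENT:
        return "deny: device-to-device traffic inside IoMT segment"
    if s in IOMT_SEGMENT:
        for net, p, port in ALLOWED_OUTBOUND:
            if d in net and proto == p and dport == port:
                return "allow"
        if not _internal(d):
            return "deny: IoMT device reaching an address outside the hospital network"
        return "deny: IoMT device initiating unlisted internal connection"
    if d in IOMT_SEGMENT:
        for net, p, port in ALLOWED_INBOUND:
            if s in net and proto == p and dport == port:
                return "allow"
        return "deny: unlisted inbound connection to IoMT device"
    return "allow"  # neither end is in the IoMT segment: out of scope here


# Constructed sample flows: (src, dst, proto, dst port).
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.10.5.3", "tcp", 2575),   # pump sends HL7 to EMR
    ("10.50.0.21", "10.10.1.10", "udp", 123),   # time sync
    ("10.50.0.22", "203.0.113.9", "tcp", 443),  # monitor calling out externally
    ("10.50.0.22", "10.50.0.21", "tcp", 445),   # lateral SMB between devices
    ("10.20.3.15", "10.50.0.21", "tcp", 22),    # SSH from a clinical workstation
    ("10.10.9.5", "10.50.0.21", "tcp", 22),     # SSH via the vendor jump host
    ("10.50.0.23", "10.10.7.40", "tcp", 3389),  # RDP to some internal host
]


def violations(flows=SAMPLE_FLOWS):
    """Return (flow, reason) for every flow the policy does not allow."""
    out = []
    for flow in flows:
        reason = classify_flow(*flow)
        if reason != "allow":
            out.append((flow, reason))
    return out


if __name__ == "__main__":
    for flow, reason in violations():
        print(flow, "->", reason)
```

Four of the seven sample flows are violations; the HL7, NTP and jump-host SSH flows pass. The same allowlist is what the segment’s firewall rules should enforce; running it against flow or NetFlow exports as well catches the cases where a rule was never written, a device was put on the wrong VLAN, or a vendor backdoor is being reached from somewhere other than the jump host.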
At more than half of surveyed organizations, physical security is overseen by building and maintenance teams, with virtually no interaction with the cybersecurity team. In fact, fewer than one-third of organizations track and measure physical security at the CEO level at all — and only 17% of organizations involve their boards of directors in decisions related to physical security policy.
In the era of digital transformation, however, where physical security and cybersecurity solutions are converging, executives need to be able to measure risk and track it on a regular basis. Security therefore needs to be elevated to a line-of-business concern for C-suite executives and boards of directors. Without an effective and comprehensive security strategy that addresses both physical and cyber concerns, the cost of a major data breach that exploits this new attack vector could cripple or even kill an organization.
As the survey results suggest, there are critical areas of concern that need immediate attention. The merging of physical and digital tools and the continued adoption of IoMT devices in healthcare deliver better patient outcomes at lower cost, but for these trends to succeed they must be fully integrated into the organization’s overall security strategy.
To accomplish this, business and security leaders must work together to identify new points of exposure and implement strategies designed to protect vulnerable patient data while reducing risk. For many organizations, this means deploying a fully integrated security architecture that delivers threat-intelligence sharing, visibility, control and automation across the distributed network, with consistent management and orchestration that closes the gaps between converging technologies and networked environments.
Sonia Arista is a seasoned Information Security and Technology specialist with over 20 years’ experience. At Fortinet, she is responsible for the go-to-market strategy, solutions and sales growth for the company’s healthcare business.