Maintaining CIA to keep healthcare security threats at bay

During the recent global WannaCry malware outbreak, one of the largest healthcare security threats on record, services at up to 40 hospital trusts across the U.K. were affected. Surgery operations and appointments were cancelled, and ambulances were diverted away — not because of a shortage of doctors, beds or parking bays, but because they were under cyberattack.

CIA keeps malware away

Malware is the collective term used to refer to a variety of hostile or intrusive software actors, including viruses, worms, Trojans, ransomware, spyware, adware, scareware and other intentionally malicious programs. Malware, at its core, aims to disrupt the CIA triad of information security:

  • Confidentiality means ensuring only those with appropriate rights are able to access information, and that information is not lost or leaked.
  • Integrity is ensuring that information is not altered or tampered with.
  • Availability is ensuring that information is available when required in a timely fashion.

To examine these three dimensions within the context of healthcare information, let’s assume that the data in question is a patient’s health record, which could include sensitive medical data, personally identifiable information (PII) and even credit card information. The rising usage of mobile computing and growing bring-your-own-device (BYOD) culture increase the likelihood that this data will be breached.

An attack against medical information integrity could literally kill people. A more benign attack might aim to alter someone’s address to reroute his or her formal correspondence. But what happens when a threat actor changes a patient’s drug dosage, prescription or blood type? Such a breach could be catastrophic — even fatal.

Other healthcare security threats seek to compromise the availability of critical information. For example, an injection attack aims to disrupt or take down a system. This is often done to halt the availability of a service, lock the information it hosts, or gain access to the underlying operating system or environment. With the additional information gained from that access, an adversary would be well-armed to mount a more advanced attack against assets.

Cryptomalware such as the WannaCry family is designed to render information unavailable through the process of encryption. This ransomware attack is a direct attempt to quickly monetize the inherent value of the information you hold.

Patching is not enough

Many guidelines urge healthcare security professionals to ensure that all systems are patched, both at an operating system and application level, to thwart malware. This is sound advice, but in reality, sometimes machines cannot be patched, either due to mission criticality or software incompatibility.

In the healthcare industry, software often runs on old and outdated operating systems or application stack platforms — or, in the case of Internet of Things (IoT) devices, on old embedded operating systems. Some platforms have aged out of vendor support and thus cannot be patched. Other systems are so critical that halting them temporarily might mean compromising the entire environment.

Healthcare organisations require a defense-in-depth approach, and patching is only one method. Organisations need to consider implementing alternative and complementary controls, as well as following risk-based evaluation and management best practices. Examples of complementary or compensating controls include separated or dedicated network access, enhanced intrusion detection system (IDS) or intrusion prevention system (IPS) capabilities, or changes to business and human processes to reduce the residual risk to organisations and the threat to the CIA of information they hold.

Get back to basics

To securely manage information, a healthcare organisation’s most valuable asset, it is essential to build your cybersecurity strategy and operations around three key domains of competency:

  • Prevent. Know what information you hold, where it is stored, how it is managed and accessed, and the threats to the CIA of these assets. Then, use a defense-in-depth approach to ensure that the information is protected, patch systems and endpoints, perform encryption and establish the least permissive controls over information access.
  • Detect. Identify both regular and irregular access at an enterprise-wide level, and understand the behaviour and fingerprinting of information access. This means knowing nonfunctional characteristics such as the type of device being accessed, tracking the access method and the permissions used, and identifying patterns and changes in user behaviour.
  • Respond. One of the biggest cost savers during a data breach is a battle-tested cybersecurity response plan. A lack of coordination can make it difficult to react quickly and contain the costs of an incident. Additionally, after a security event, health care organizations must be able to reflect on the incident and return to regular business operations. They must also be able to measure the effectiveness of controls and response activities, including communication across the business.
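
The Detect step above, as an added example that is not part of the original post or any IBM product: a per-user baseline of device type, access method and permission is built from past patient-record access, and new events are flagged when they deviate from it. The event fields, user names and the volume threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (user, device type, access method, permission, records touched)
BASELINE = [
    ("nurse_a", "ward-terminal", "ehr-ui", "read", 12),
    ("nurse_a", "ward-terminal", "ehr-ui", "read", 9),
    ("nurse_a", "ward-terminal", "ehr-ui", "write", 3),
    ("dr_b", "clinic-laptop", "ehr-ui", "read", 20),
    ("dr_b", "byod-phone", "mobile-app", "read", 5),
]
NEW_EVENTS = [
    ("nurse_a", "ward-terminal", "ehr-ui", "read", 11),   # matches baseline
    ("nurse_a", "byod-phone", "api", "export", 400),      # new device, method, permission, volume
    ("dr_b", "byod-phone", "mobile-app", "read", 6),      # matches baseline
    ("temp_c", "ward-terminal", "ehr-ui", "read", 2),     # user never seen before
]

def build_profiles(events):
    """Per user: the devices, methods and permissions seen, plus peak record count."""
    profiles = defaultdict(
        lambda: {"device": set(), "method": set(), "permission": set(), "max_records": 0}
    )
    for user, device, method, permission, count in events:
        p = profiles[user]
        p["device"].add(device)
        p["method"].add(method)
        p["permission"].add(permission)
        p["max_records"] = max(p["max_records"], count)
    return dict(profiles)

def score_event(profiles, event, volume_factor=3):
    """Return the reasons an event deviates from its user's baseline (empty if none)."""
    user, device, method, permission, count = event
    p = profiles.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    for field, value in (("device", device), ("method", method), ("permission", permission)):
        if value not in p[field]:
            reasons.append(f"new {field}: {value}")
    # Assumed threshold: flag access to far more records than the user's previous peak.
    if count > volume_factor * p["max_records"]:
        reasons.append(f"volume {count} > {volume_factor}x peak {p['max_records']}")
    return reasons

def detect(baseline, new_events):
    """Score every new event against profiles built from the baseline window."""
    profiles = build_profiles(baseline)
    return [(e, r) for e in new_events if (r := score_event(profiles, e))]
```

Events that return several reasons at once, such as a new device combined with a new permission and unusual volume, are the ones to route to the Respond process first.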

Curing healthcare security threats

Healthcare organisations need a holistic enterprise approach to addressing risks to the confidentiality, integrity and availability of sensitive information. It’s critical to build a security strategy that balances risks to data while embracing disruptive healthcare technologies such as bedside entertainment systems, IoT-enabled medical devices and more. While these capabilities can certainly enhance the patient experience, they all pose entry points for malware that did not exist in decades past.

A security immune system provides an ecosystem of capabilities, underpinned by services and products that allow organisations to create a safer online environment. This strategy can be mapped specifically to the healthcare sector to help IT professionals manage the risks and threats to valuable medical information — and prevent their facilities from going on bypass.

If you would like to find out more about healthcare security, Stephen Burmester will be presenting at the upcoming HIMSS AsiaPac 2018 conference. The event will be held on 5-8 November, 2018 in Brisbane. Don’t miss this opportunity to discover IBM’s innovations in healthcare and how we’re helping healthcare organizations digitally transform and reinvent.