I was sitting with a cup of coffee (this is Seattle, after all), warming my hands, having just come out of the drizzle (this is Seattle, after all), talking to a friend about my recent webinar with Mike Hamilton for Healthcare InfoSecurity, where we covered 2020 strategies and tactics for cybersecurity in healthcare using the lessons learned from the past and present. The webinar is available on demand.
“Sounds like you’re doing Dickens’s 'Christmas Carol' – only for cybersecurity.”
Never being one to waste a good analogy, I did get some help from the “ghosts” of cybersecurity past and present to come up with seven priorities I believe healthcare organizations need to set for a more secure future in 2020.
Lessons from the Ghost of Cybersecurity Past
You don’t have to spend a lot of time on HHS’s Breach Portal, fondly known as the 'Wall of Shame', to see the kind of challenges we’ve faced over the past couple of years in healthcare.
When healthcare’s not being sucker-punched via phishing and ransomware, we’re distracted by alarms, projects, and investigations. And then one stumble in IT operations discipline causes us to accidentally expose PHI – a self-inflicted breach – via misconfigured servers or lost or unencrypted equipment.
Oh, and our third-party partners will, from time-to-time, also let us down.
The “Ghost of Christmas Past” solution? Building a castle guarded by strong protective controls, with our network, systems, and PHI data secure inside, while keeping the cyber problems outside the walls. It was a great approach, for a while.
Lessons from the Ghost of Cybersecurity Present
Over the past 18 months or so, a lot of us have begun to rethink the “Fortress” security strategy. As a CIO friend says, “We think about cybersecurity as a picket fence. We can make the pickets higher, and move them closer together, but in the end, we wind up with more fence to paint and maintain, while never really keeping determined bad-actors out.”
Our security life has drastically changed in the past few years. Starting with the day in 2016 that Hollywood Presbyterian Medical Center went down from a ransomware attack, through the admission last week by Hackensack Meridian that they’d paid hackers to release their systems, healthcare has become a juicy target.
The pressure on security professionals to “never-ever-ever let that happen to us” is stressful enough. Couple that with today’s relentless IT Operations pressure demanding you “never-ever-ever let the network or applications go off-line” since they’re critical to modern healthcare delivery. You’re carrying more responsibility than ever before.
Even the most heroic among us struggle to make it all work.
And that struggle – just one mistake – is all the bad-guys need to sneak into your network, lurk around for weeks (or even months, according to some of the OIG/HHS reports), find the data-crown-jewels, then slip back out between the pickets without being detected. For many orgs, the first time they know they’ve been hacked is when the FBI calls.
Even worse, the majority of your front-line defenders are end-users. And they’re busy doing things other than cybersecurity. Train them all you want, but their real focus is on seeing patients, filing claims, buying supplies, and a bunch of other stuff that’s driving better care to patients and families.
Healthcare Cybersecurity Priorities in 2020 — The Ghost of Cybersecurity Future
What to do? The time has come for a strategic transition in our approach to cybersecurity. Sure, the fortress approach to security with associated protective controls is table-stakes. But it’s time to shift our thinking from keeping bad-actors out, to finding them quickly if they get inside the network. You want to quickly end their visit, and thoroughly remediate any damage done.
As my colleague Mike Simon likes to say, "You have to see the criminal to catch the criminal." With that in mind, we absolutely have a path to a better 2020. Here are seven practical ideas about where to focus, and how to improve:
- Third-Party Partners: Everyone will sign a Business Associate Agreement (BAA) – even if they don’t really understand what it means – just to get your business. So, ask questions. Ask to see any cyber-certifications they might have; demand their latest audits and remediation plans; ask how their own third parties will access their systems and your data. If they don’t want to answer, take that as a sign. And because there are so many of these partners, consider outside help with this process. It’s tough to stay on top of this work, and while it’s critical, it can distract you from daily security business.
- Two-Factor Authentication: It’s one of the simplest things you can do, and there are some great tools out there. Politically, I know it can be difficult, but deploy it somewhere, even if it’s just for a few applications or for external access. When done well, it’s like punching ransomware in the mouth.
- Personal stuff on personal devices: Again, this is politically challenging to enforce, but staff can sometimes have sloppy personal-security habits. It’s a question of risk. Don’t make their problem your problem.
- Leverage the Supply Chain: The problem shows up in many forms, from non-IT departments buying software, hardware, or cloud services on their own to the acquisition of Internet-of-Things (IoT) equipment. Don’t let existing problems get worse – for example, you’re likely already running compensating controls for IoT that can’t be patched – so don’t keep adding problematic gear to the inventory. Raise the alarm, build new policy, and have a game-plan in hand.
- IoT: Speaking of IoT, know what’s on your network; patch everything you can; segment and monitor all of it. There are some great tools (and associated services) for asset discovery and management available today, so put this project on your list.
- Speak in business and clinical terms, not IT and security terms: Non-IT people, especially those with responsibility for approving cyber-projects, are also the most likely to “glaze over” when we start tech-talking. Figure out what “channel” they’re on. Meet them where they are when it comes to technical discussions. Work on your story – build business plans – don’t wing it!
- Finally, and most important – you will be breached, so FAST detection and removal is critical: Consider managed services as an extension of your current team, a risk-reduction measure that limits the impact of these foreseeable events. Building an in-house Security Operations Center is an expensive proposition, and 24/7 coverage is unrealistic for most healthcare organizations. Get help! Managed Detection and Response (MDR) usually costs about as much as a single security FTE, and can provide a fully functional, 24/7 SOC with US-based qualified analysts and threat-hunters.
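The IoT bullet above (know what’s on the network, patch what you can, segment and monitor the rest) is the one priority in this list that turns into a repeatable check once an asset discovery tool has handed you a device list. Here is an added example of that check; it is not code from the original post or from CI Security. The VLAN numbers, subnets, MAC addresses and device names are all constructed for the illustration, and the “observed device” records stand in for whatever your discovery tool or switch exports.

```python
"""Reconcile observed network devices against the asset inventory.

Added example, not part of the original post. Given devices seen on the
network (constructed here as if exported from ARP/DHCP data) and the
organization's asset inventory, report: unknown devices, devices that
cannot be patched and so must rely on compensating controls, devices
that are not on the segment assigned to them, and inventory entries
that were never observed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    vlan: int  # VLAN tag the collector saw this device on (hypothetical field)


@dataclass(frozen=True)
class Asset:
    mac: str
    name: str
    patchable: bool     # vendor ships patches and we are allowed to apply them
    expected_vlan: int  # VLAN this class of device must live on


# Segmentation plan: hypothetical VLAN ids and their subnets.
SEGMENTS = {
    10: ip_network("10.10.0.0/24"),  # workstations
    20: ip_network("10.20.0.0/24"),  # servers
    30: ip_network("10.30.0.0/24"),  # medical / IoT devices
}


def normalize_mac(mac: str) -> str:
    """Accept 'AA:BB:...', 'aa-bb-...' or 'aabb.ccdd.eeff' and return lower-case colon form."""
    hex_only = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hex_only) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def reconcile(observed, inventory):
    """Compare observed devices with the inventory and return a findings dict."""
    inv = {normalize_mac(a.mac): a for a in inventory}
    findings = {"unknown": [], "unpatchable": [], "missegmented": [], "not_observed": []}
    seen = set()
    for dev in observed:
        mac = normalize_mac(dev.mac)
        seen.add(mac)
        asset = inv.get(mac)
        if asset is None:
            # Nobody owns this device; it cannot be patched or monitored deliberately.
            findings["unknown"].append(dev.ip)
            continue
        if not asset.patchable:
            findings["unpatchable"].append(asset.name)
        wrong_vlan = dev.vlan != asset.expected_vlan
        wrong_subnet = ip_address(dev.ip) not in SEGMENTS[asset.expected_vlan]
        if wrong_vlan or wrong_subnet:
            # The device exists in the plan but is not where the plan puts it.
            findings["missegmented"].append(asset.name)
    findings["not_observed"] = [a.name for a in inventory if normalize_mac(a.mac) not in seen]
    return findings


# Constructed sample data for the example.
OBSERVED = [
    Observed("00:11:22:33:44:55", "10.10.0.15", 10),  # registration workstation, where expected
    Observed("AA:BB:CC:DD:EE:01", "10.10.0.77", 10),  # infusion pump plugged into the workstation VLAN
    Observed("aa-bb-cc-dd-ee-02", "10.30.0.12", 30),  # CT console, correctly segmented, unpatchable
    Observed("de:ad:be:ef:00:01", "10.30.0.99", 30),  # not in inventory at all
]
INVENTORY = [
    Asset("00:11:22:33:44:55", "ws-reg-01", True, 10),
    Asset("AA:BB:CC:DD:EE:01", "infusion-pump-07", False, 30),
    Asset("AA:BB:CC:DD:EE:02", "ct-console-02", False, 30),
    Asset("00:11:22:33:44:66", "ehr-db-01", True, 20),  # in inventory, not seen today
]

if __name__ == "__main__":
    for category, items in reconcile(OBSERVED, INVENTORY).items():
        print(f"{category}: {items}")
```

Run against a real export, the interesting lines are the ones that keep reappearing week after week: an unknown MAC that never gets claimed, or an unpatchable device that keeps landing on the wrong VLAN, is exactly the inventory problem the bullet warns about. The unpatchable list is also your standing list of devices whose compensating controls (segmentation, monitoring) need to be verified rather than assumed.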
Cybersecurity Built for Hospitals and Clinics
With increasing regulatory requirements, medical devices, user training, and limited staff and/or budget, most IT leaders in healthcare have more to do than there are hours in the day. CI Security’s MDR is built for HIPAA-regulated environments. Our Critical Insight team of experts uses advanced threat technology to watch clinic and hospital networks around the clock. If they confirm a security event, we help remove the threat in minutes, without unnecessarily exposing personal health information. Our threat hunters have been known to stop security events within a few hours of a customer starting CI Security’s Critical Insight MDR services. If you’d like to learn more, I’m a quick phone call or LinkedIn message away.