It’s often said that people don’t appreciate insurance until they need it. Security is similar; once an organization discovers a data breach, they will back-track to find out what was missed and then hopefully act with expedience to fix it. We all learn as we go, but some mistakes are more costly than others.
Two recent exposés, one in the Wall Street Journal and the other from SFGate, shed a shocking light on threats that target the most vulnerable: medical patients who rely on technology-driven supplies and solutions to keep them healthy and alive. These medical cyberattacks target hospital infrastructure technology, medical IoT devices, and other healthcare-related equipment. Such attacks are clearly far different from an S3 bucket breach; they literally create a life-or-death situation. A doctor in the SFGate article makes the point about as clearly as possible when he says, “Why do we need to wait for people to be hurt by this?”
These are two separate issues: a breach of personal health data is very bad but recoverable for the victim, while the malfunction of life-preserving equipment can be fatal. But both invade the most vulnerable of human experiences, and protecting against them is the highest priority for those entrusted as caretakers of patient health and information.
The WSJ piece makes the risks in all of this technology quite clear, and specifically cites a Moody’s credit-rating report that ranked hospitals among the sectors most vulnerable to cyberattacks. It goes on to report that since 2009 more than 150 million personal health records have been breached in cyberattacks. The situation has created an industry scrambling to apply adequate security and compliance to everything from stored records to the device technology that operates insulin pumps, pacemakers, and a myriad of other devices and tools, all of which are directly tied to patient well-being.
To combat these threats, many healthcare organizations and device makers are taking the necessary steps to protect their cloud and hybrid infrastructures, as well as the software and services they develop, with continuous threat detection. According to the WSJ report, some of this is a major shift that strains long-held, inefficient practices rooted in bureaucratic behavior. In other cases, organizations are simply beginning to adhere to security best practices and invest in threat detection so they are best equipped to avoid security issues.
Modern healthcare and medical device companies are focusing on these five areas of their environments to improve security visibility, threat detection, and incident response:
Start by emphasizing visibility: Healthcare and medical device organizations should consider the solution architecture they’re using, which in cloud-native applications relies heavily on containerized services. With containers, you can easily deploy functionality, whether complex applications or microservices, in containerized environments that provide built-in isolation. However, this architecture can limit visibility. For instance, a network intrusion detection system might be able to monitor traffic to and from an EC2 instance, but it would miss activity between multiple containers sharing data inside that one EC2 instance. To further complicate activity monitoring in this environment, container instances come and go on demand, as can EC2 instances. Some microservices, data caches, or temporarily assigned IP addresses may be active for only a few minutes before being deleted. Any activity not logged during that brief service period is unavailable for analysis and forensics.
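The forensic consequence of short-lived containers is that an IP address in a network log means nothing without a record of which container held it at that moment, and addresses are reused within seconds. The following is an added example, not code from the article or from any product it describes: it folds a constructed container start/stop stream into IP leases and resolves an observed address at a timestamp back to a container. All container ids, images, addresses, and timestamps are constructed for the example.

```python
"""Attribute an observed IP address to the short-lived container that held it.

Added example (not from the article). The lifecycle events below are
constructed to resemble a container runtime's start/stop event stream on one
host, with an address that is reused by a later container. Timestamps are
epoch seconds.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lease:
    container_id: str
    image: str
    ip: str
    start: int
    stop: Optional[int]  # None means the container is still running


# Constructed lifecycle stream: (timestamp, event, container_id, image, ip)
EVENTS = [
    (1000, "start", "c1", "api:1.4", "10.0.1.5"),
    (1120, "stop", "c1", "api:1.4", "10.0.1.5"),
    (1130, "start", "c2", "cache:7", "10.0.1.5"),   # same IP reused 10 s later
    (1300, "stop", "c2", "cache:7", "10.0.1.5"),
    (1400, "start", "c3", "worker:2", "10.0.1.9"),  # still running
]


def build_leases(events):
    """Fold start/stop events into one IP lease per container."""
    open_leases = {}
    leases = []
    for ts, ev, cid, image, ip in sorted(events):
        if ev == "start":
            open_leases[cid] = Lease(cid, image, ip, ts, None)
        elif ev == "stop" and cid in open_leases:
            lease = open_leases.pop(cid)
            lease.stop = ts
            leases.append(lease)
    leases.extend(open_leases.values())  # containers with no stop event yet
    return leases


def resolve(leases, ip, ts):
    """Return the lease covering `ip` at time `ts`, or None when the lifecycle
    record has no container holding that address then (for example because
    the start event was never captured, or the address was simply unassigned)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts and (lease.stop is None or ts < lease.stop):
            return lease
    return None


def attribute_flow(leases, src_ip, ts):
    """Human-readable attribution for one flow record, for an analyst's timeline."""
    lease = resolve(leases, src_ip, ts)
    if lease is None:
        return f"{src_ip}@{ts}: no container lease recorded (logging gap or unassigned)"
    return f"{src_ip}@{ts}: container {lease.container_id} ({lease.image})"


if __name__ == "__main__":
    leases = build_leases(EVENTS)
    for ip, ts in [("10.0.1.5", 1050), ("10.0.1.5", 1200), ("10.0.1.5", 1125)]:
        print(attribute_flow(leases, ip, ts))
```

The same address resolves to two different containers 150 seconds apart, and the query at 1125 returns nothing because no container held the address in the gap; if the runtime's event stream had not been retained continuously, every query on that host would look like that gap.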
Compliance needs automation: Health and medical companies must comply with a variety of industry and governmental standards in order to operate and bring products and services to market. They need assurance that their data is handled in accordance with standards such as HIPAA and SOC 2. Organizations can move past compliance hurdles and meet requirements faster by putting their workloads and applications in cloud environments. Yet in these agile, complex environments, configurations change continuously, and manual review can’t keep pace with detecting where and when misconfigurations exist.
Storage: Effective use of data can help medical professionals in the research and development of new medications and procedures. It’s also necessary for patient data that must be stored for historical and comparative purposes. When stored and transacted in the cloud, data from disparate sources can be integrated to provide a clearer picture of issues and solutions. But storage resources are easy to spin up in cloud environments, and that ease of use often leads to non-compliance with security best practices and lax oversight of whether requirements are being met. Rigorous password rules and access management practices must be followed to prevent ransomware and avoid breaches.
Authentication and authorization: Access to data is important for healthcare organizations; when physicians share patient information, they can come up with a better course of action for the prevention and recovery of health issues. Researchers informed by data from different sources have a clearer picture of the options available to them. Yet while access is important, it’s also where holes can open up. Medical enterprises need to enumerate roles and look for over-privileged access not just for IaaS hosts and devices but for SaaS and PaaS deployments and cloud management consoles as well.
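The two preceding points, compliance automation and ad hoc storage, come together in a continuous configuration scan: evaluate every storage resource against a fixed set of controls on each run, then compare runs so that a regression (a bucket opened to the public) or a brand-new unreviewed bucket surfaces immediately. The following is an added example, not code from the article or any product: the bucket records and control names are constructed for this example and do not follow any provider's real API schema.

```python
"""Continuous storage-configuration checks with drift detection between scans.

Added example, not from the article. The inventory records are constructed to
resemble what a cloud API might return for object-storage buckets; the field
names are this example's own, not any provider's schema.
"""

# Control name -> (required value, rationale)
REQUIRED = {
    "public_access": (False, "bucket must not allow public access"),
    "encryption_at_rest": (True, "server-side encryption must be enabled"),
    "access_logging": (True, "access logging is needed for forensics"),
    "versioning": (True, "versioning limits damage from ransomware-style overwrite"),
}


def evaluate(bucket):
    """Return the sorted list of control names the bucket fails."""
    return sorted(name for name, (want, _) in REQUIRED.items()
                  if bucket.get(name) != want)


def scan(inventory):
    """Map bucket name -> failed controls for one snapshot of the inventory."""
    return {b["name"]: evaluate(b) for b in inventory}


def drift(previous, current):
    """Compare two scans. Report buckets that did not exist before ("new") and
    buckets that now fail a control they previously passed ("regressed").
    Buckets that were already failing and are unchanged are not re-reported,
    so the output is only what changed since the last run."""
    changes = {}
    for name, failures in current.items():
        if name not in previous:
            changes[name] = {"status": "new", "failures": failures}
            continue
        new_failures = sorted(set(failures) - set(previous[name]))
        if new_failures:
            changes[name] = {"status": "regressed", "failures": new_failures}
    return changes


# Constructed snapshots of the same account taken on two consecutive runs.
SNAPSHOT_T0 = [
    {"name": "phi-archive", "public_access": False, "encryption_at_rest": True,
     "access_logging": True, "versioning": True},
    {"name": "imaging-exports", "public_access": False, "encryption_at_rest": True,
     "access_logging": False, "versioning": True},
]
SNAPSHOT_T1 = [
    {"name": "phi-archive", "public_access": True, "encryption_at_rest": True,
     "access_logging": True, "versioning": True},       # opened to the public
    {"name": "imaging-exports", "public_access": False, "encryption_at_rest": True,
     "access_logging": False, "versioning": True},      # unchanged, still failing
    {"name": "tmp-research-dump", "public_access": True, "encryption_at_rest": False,
     "access_logging": False, "versioning": False},     # spun up ad hoc
]


if __name__ == "__main__":
    for name, change in drift(scan(SNAPSHOT_T0), scan(SNAPSHOT_T1)).items():
        print(name, change["status"], ", ".join(change["failures"]))
```

Reporting only the delta is what keeps a scan that runs every few minutes actionable: the long-known failure on `imaging-exports` belongs in a backlog, while the regression on `phi-archive` should page someone.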
A good cloud security solution regularly audits and reviews root and other superuser access, and it removes privileged access from processes that do not require it. It will warn if a cloud environment permits the use of root and when the root account is used. This information should be displayed graphically for easy recognition of the risk.
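Enumerating roles for over-privileged access and watching for root-account use are both mechanical checks once the policy documents and audit events are in hand. The following is an added example, not code from the article or any product: it flags policies that grant every action, or identity- and data-control actions on every resource, and lists audit events performed by the root identity. The policy documents use the general Effect/Action/Resource shape of cloud IAM policy JSON, but the principal names, action names, event fields, and all values are constructed here and are not any vendor's exact schema.

```python
"""Flag over-privileged policies and root-account use from constructed data.

Added example, not from the article. Policies follow the general
Effect/Action/Resource shape of cloud IAM policy JSON; the audit events
imitate a cloud activity trail. Field names and values are this example's
assumptions, not a vendor's real schema.
"""

# Action families that control identity or data access. Granting any of them
# on every resource is treated as privileged access that needs review.
SENSITIVE_PREFIXES = ("iam:", "sts:", "kms:", "s3:Put", "s3:Delete")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def over_privileged(policy):
    """Return the reasons a policy is over-privileged (empty list = acceptable)."""
    reasons = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        all_resources = "*" in resources
        if "*" in actions and all_resources:
            reasons.append(f"statement {i}: allows all actions on all resources")
        elif "*" in actions:
            reasons.append(f"statement {i}: allows all actions")
        elif all_resources and any(a.startswith(SENSITIVE_PREFIXES) for a in actions):
            reasons.append(f"statement {i}: sensitive actions on all resources")
    return reasons


def root_usage(events):
    """Return audit events performed by the root identity, oldest first."""
    return sorted((e for e in events if e.get("user_type") == "Root"),
                  key=lambda e: e["ts"])


def access_report(policies, events):
    """Combine both checks into one report keyed by principal, plus root use."""
    report = {name: over_privileged(p) for name, p in policies.items()}
    report["__root__"] = [(e["ts"], e["action"], e["source_ip"]) for e in root_usage(events)]
    return report


# Constructed policies attached to three principals.
POLICIES = {
    "ops-admin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ehr-reader": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                   "Resource": "arn:example:s3:::phi-archive/*"}]},
    "pipeline": {"Statement": [{"Effect": "Allow",
                                "Action": ["iam:PassRole", "s3:PutObject"],
                                "Resource": "*"}]},
}

# Constructed audit trail; only the root entries should surface.
EVENTS = [
    {"ts": 1500, "user_type": "IAMUser", "user": "alice", "action": "GetObject",
     "source_ip": "10.20.0.4"},
    {"ts": 1600, "user_type": "Root", "user": "root", "action": "ConsoleLogin",
     "source_ip": "198.51.100.23"},
    {"ts": 1650, "user_type": "Root", "user": "root", "action": "CreateUser",
     "source_ip": "198.51.100.23"},
]


if __name__ == "__main__":
    for principal, findings in access_report(POLICIES, EVENTS).items():
        print(principal, findings)
```

`ehr-reader` is the shape to aim for: one read action scoped to one resource. The two flagged principals and the two root events are what a review should put in front of a human, with the root-account use ideally driving a "why was root needed at all?" conversation.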
Apply anomaly detection: Attacks are hard to define in a rules-based system because effective breaches often impersonate something legitimate. Because patient data is so valuable, it is increasingly targeted, and breaches are difficult to uncover in complex modern environments. Take unauthorized access, for example. Employees leave their jobs, but organizations lack the discipline to remove their accounts, so dead accounts remain active. Since those accounts still have access to cloud resources, someone using their credentials can operate freely within the environment while appearing legitimate. The answer is to apply automated anomaly detection.
With automated anomaly detection, security teams are notified of events that are not normal for their environment. This ensures that they learn about the activity they want to know about without having to sift through all the noise. In the case of dead accounts, anomaly detection recognizes and reports accounts that are suddenly active after periods of inactivity. It can also identify when abnormally large amounts of data are extracted from databases, or when users access resources from unusual IP addresses.
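The three cases named above share one mechanism: build a per-user baseline from past activity and alert when a new event falls outside it. The following is an added example, not code from the article or any product: a single pass over a constructed access log that raises alerts for a dormant account becoming active, a source IP never before seen for that user, and an export far larger than the user's typical volume. The user names, addresses, byte counts, and thresholds (DORMANT_DAYS, VOLUME_MULTIPLIER, MIN_HISTORY) are this example's own choices.

```python
"""Baseline-driven anomaly detection over an access log.

Added example, not from the article. Log records are constructed. Each user's
baseline (last activity time, source IPs seen, bytes per request) is built
from the records processed so far, so the first records for a user never
alert; thresholds below are this example's assumptions.
"""
from statistics import median

DORMANT_DAYS = 90          # gap after which an account counts as dormant
VOLUME_MULTIPLIER = 10     # export larger than 10x the user's median is abnormal
MIN_HISTORY = 3            # require this many prior requests before judging volume
DAY = 86400


def detect(records):
    """Process records in time order, updating each user's baseline after
    checking the record against it. Returns (timestamp, user, alert) tuples."""
    state = {}
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        user = r["user"]
        s = state.setdefault(user, {"last": None, "ips": set(), "bytes": []})

        # 1. Dead or dormant account suddenly active again.
        if s["last"] is not None and r["ts"] - s["last"] >= DORMANT_DAYS * DAY:
            alerts.append((r["ts"], user, "dormant_account_active"))

        # 2. Access from an address this user has never used before.
        if s["ips"] and r["ip"] not in s["ips"]:
            alerts.append((r["ts"], user, "new_source_ip"))

        # 3. Abnormally large extraction relative to the user's own history.
        if len(s["bytes"]) >= MIN_HISTORY and r["bytes"] > VOLUME_MULTIPLIER * median(s["bytes"]):
            alerts.append((r["ts"], user, "large_export"))

        # Update the baseline only after the checks, so an anomalous record
        # does not immediately become "normal" for the next comparison.
        s["last"] = r["ts"]
        s["ips"].add(r["ip"])
        s["bytes"].append(r["bytes"])
    return alerts


# Constructed access log. T0 is an arbitrary epoch second; the final record
# is the same clinician's account used 120 days later, from a new address,
# pulling two orders of magnitude more data than usual.
T0 = 1_700_000_000
RECORDS = [
    {"ts": T0 + 0 * DAY, "user": "dr_lee", "ip": "10.20.0.4", "bytes": 3000},
    {"ts": T0 + 1 * DAY, "user": "dr_lee", "ip": "10.20.0.4", "bytes": 2500},
    {"ts": T0 + 2 * DAY, "user": "dr_lee", "ip": "10.20.0.4", "bytes": 4000},
    {"ts": T0 + 3 * DAY, "user": "dr_lee", "ip": "10.20.0.4", "bytes": 3500},
    {"ts": T0 + 1 * DAY, "user": "nurse_kim", "ip": "10.20.0.9", "bytes": 1200},
    {"ts": T0 + 4 * DAY, "user": "nurse_kim", "ip": "10.20.0.9", "bytes": 900},
    {"ts": T0 + 123 * DAY, "user": "dr_lee", "ip": "203.0.113.7", "bytes": 500_000},
]


if __name__ == "__main__":
    for ts, user, alert in detect(RECORDS):
        print(ts, user, alert)
```

The last record trips all three detectors at once, which is the pattern the section describes: a stale account, an unfamiliar origin, and a bulk pull. Any one of them on its own is worth a look; all three together on one event is the kind of signal that should not be buried in the noise.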
Healthcare and medical companies are among the most innovative when it comes to research and development of new solutions. To support the implementation of these solutions, they will need to increase their security posture and build security and compliance into their entire architecture and processes.