Going On the Offensive in Healthcare Cybersecurity

With evolving healthcare cybersecurity threats, organizations must be prepared and ready to go on the offensive against attacks.
I don’t think anyone needs much more convincing when it comes to healthcare cybersecurity.

It’s clear that healthcare is under attack by a host of different cyber criminals who seek to steal and monetize its information, extort it for financial gain, and compromise its networks and data for state-sponsored cyber espionage and hacktivism.

Adding to the problem are the costs of these incidents, which have risen considerably in the last 18 months, to the point that continuing to do the same things is no longer reasonable. In fact, according to recent estimates, cybercrime will net $6.2 billion in illicit revenues in 2016.

Hackers are not going to stop targeting healthcare as long as their activities are profitable and the chances of being caught continue to be low.

Simply put, the only thing that is going to slow the rate of these attacks is fighting back. Healthcare must change its approach to data security and go on the offensive. For those organizations looking to take action, here are a few proven strategies:

Know the enemy.

Raise the level of cyber awareness at all levels by increasing training frequency and adjusting the delivery of cyber threat education for workforce members. Employ more interactive or experiential learning and less theoretical or lecture-based approaches. Engage with peers as well as external agencies and sources for cyber threat information, and take advantage of the briefings that the FBI and DHS provide. I also recommend becoming a member of the National Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC), the local Information Systems Security Association (ISSA) chapter or the FBI Infragard program.

Get serious about security hygiene.

More than 95 percent of 2015 hacks took advantage of vulnerabilities that were more than a year old, and nearly 50 percent were more than five years old. This means there was a patch that could have been applied, a port that could have been closed, a configuration that could have been hardened, or a default password that could have been removed. In short, the way these attacks started could have been avoided. Ensure enterprise systems and applications are kept up to date, hardened before deployment, tested regularly, and patched as soon as practical.

Embed security in every layer of the enterprise.

Cyber incidents can and do occur throughout the enterprise. Security must be applied at every avenue an attacker could use to ensure optimal asset protection. That means implementing controls at endpoints, at the network layer, within applications, around files and on servers. Make the attacker fight for every inch they take.

Employ complementary controls.

Traditional controls, like antivirus for instance, typically rely on known signatures to react. In today’s environment we can’t wait for the good guys to develop those signatures, as in some cases we may not know the signature until an attack happens (zero-day attacks). This means more active controls that employ advanced malware detection are needed, as well as heuristic approaches and behavioral analysis to help identify, quarantine and review potential threats.

Enhance detection capabilities.

Organizations can do this by integrating Next Generation Firewalls (NGFWs), advanced malware detection, antivirus, intrusion detection and security logs with a Security Information and Event Management (SIEM) system capable of collecting and analyzing their output to provide actionable information for the security and IT teams to respond to. Do this through a third-party SOC, which can provide the additional benefit of in-depth experience, analysis and visibility across the industry.

Re-prioritize and revisit contingency plans.

Have a good inventory of the critical or important assets needed to remain viable as a business. Then, plan for the worst to enable a swift response and take the advantage away from the attacker. Make cyber exercises a regular part of emergency planning or risk management drills. Credible response and recovery rely on secondary means of accomplishing the mission, planned coordination and well-practiced processes.

Be ready for anything.

Run drills without communications, the network, or access to data. Ensure the workforce can accomplish any task manually that they would normally rely on a system or program to do for them. Acquire the tools, resources and supplies necessary to investigate and operate during a cyber incident. Establish relationships with external resources that can be of assistance and conduct orientation periodically so they can be most effective when called on.

Be objective.

Understand that no battle plan ever survived crossing the line of departure, meaning there will always be things unanticipated, but that doesn’t have to mean not being ready. Good solid plans, properly architected enterprises that demonstrate vigilance in monitoring, and well-trained staff are an effective deterrent to threats. Being objective also means undergoing external assessment and testing to take advantage of what others know or have seen. Good security relies on constant vigilance and evaluation of controls. Effective evaluation relies on knowledge and objectivity.

Take back control.

Be ready to react and remove the attackers’ advantage through better hygiene, earlier and more effective detection, and effective responses that make every inch of the enterprise something they have to battle for.

Mac McMillan, FHIMSS, is co-founder and CEO of CynergisTek, Inc. He brings nearly 40 years of experience in security and has worked in the healthcare industry since his retirement from the federal government. McMillan participates on many advisory boards, and is recognized as a thought leader in healthcare IT for his contributions to industry publications and events on compliance, security and privacy.
