Cybersecurity is a big concern for healthcare industry executives. Some healthcare organizations learned that the cost of a major cyber incident can include not only financial loss, but significant disruption to operations and reputational harm. Ofer Amitai, CEO & Co-Founder at Portnox, answers our Managing Editor's questions about the biggest cybersecurity challenges in the healthcare industry.
Lucian Fogoros: What are the top cybersecurity concerns faced by healthcare institutions in the Industry 4.0 era?
Ofer Amitai: It seems that healthcare is one of the industries that’s most eager to move into the Industry 4.0 era, but it’s also one of the most hesitant. That’s probably because there are so many things that could go wrong – not just putting sensitive patient information at stake, but potentially lives and livelihoods. The recent June Petya attack is a clear example of the severity of cyber threats faced by healthcare – because some healthcare systems were operating without the appropriate Windows XP patch, ransomware took control, causing emergency rooms to send patients away. These kinds of malware attacks are faced by some healthcare institutions on a monthly or even weekly basis. Another major security concern is with the growing use of IoT in the medical industry, which creates even more vulnerable endpoints and ample opportunity for hackers to gain access to patient records and medical devices. Healthcare IT is struggling to keep up the pace with Industry 4.0 digitalization, which means it’s more vulnerable than ever to cybercriminal attacks.
Lucian Fogoros: Cybersecurity is much more than protecting the privacy of patients' information. What are your biggest challenges in the healthcare industry?
Ofer Amitai: Protecting patients’ information is a big one, but as I mentioned, making sure that digitalization isn’t putting lives at risk is the most challenging. With medical devices, like heart monitors, surgical tools and glucose monitors, connected to the Internet, there is a tremendous need to make sure that these devices are protected from malicious attacks. The challenge here is getting healthcare IT up to speed with the appropriate patches and authentication mechanisms that will ensure that these devices are foolproof from attacks. Another big challenge is email authentication, which has been found to be quite low in the healthcare sector, as evidenced in the Petya attack distributed via email. Also, BYOD presents another significant challenge. I remember when cell phones didn’t even work in the hospital. Now doctors can take calls or send text messages freely – but do they know that these seemingly innocent actions could put their patient’s life at risk? Another major challenge is that healthcare organizations are still using legacy systems that, together with the process of digitalization and connected devices, could put critical information at risk and make them vulnerable to zero-day attacks.
Lucian Fogoros: What are the most common attacks in the healthcare industry? Is it possible to avoid them taking into consideration that the information is stored in the cloud?
Ofer Amitai: The most common attacks in the healthcare industry are Advanced Persistent Threats (APTs), or malware that exists for a long time on a system to extract sensitive data. Some healthcare organizations report an APT attack once every three months. These APTs seek to exploit zero-day vulnerabilities, or undisclosed computer software weaknesses (like missing patches) that could affect computer programs, data or perform lateral attacks on entire IT systems. Unsecure medical devices are probably the next biggest threat because so many more connected devices are added to hospitals as the age of digitalization progresses. The third would be BYOD or unsecure mobile devices that use and access the healthcare organization’s network. These devices may be the private property of hospital or clinic employees, but for cyber criminals they are a gateway to even the most protected IT networks.
There are a number of ways to avoid these risks, the most effective being adaptive authentication and behavioral analytics. Adaptive authentication is critical for monitoring and securing access to healthcare providers’ networks, and advanced access controls can be a good scare tactic to get hackers off your back. It has a lot to do with effectively managing access controls, device authentication and network segmentation. This is a critical security measure, together with behavioral analytics, for managing and controlling APTs, medical devices and BYOD. Behavioral analytics are firstly accessible, because many IoT devices already collect behavioral data and analyze usage patterns over time, and useful because they help IT administrators understand network areas and devices that pose imminent risk. Over time, they can develop their policy to suit the behavior of the network, which goes hand-in-hand with Industry 4.0 in IT, or automation of network maintenance and control.
Lucian Fogoros: What types of products being offered by cybersecurity companies are not helpful or may even be counterproductive?
Ofer Amitai: First off, a lot of the pressure that IT teams are faced with to purchase “useless” cybersecurity products, i.e. shelfware, doesn’t result from their own research or even department; a lot of the pressure can be traced back to the Board of Directors that often fails to understand their organization’s security risks. It’s not that these technologies are actually counterproductive, but in the case of healthcare, for instance, there is a need for solutions that can specifically address the rapid pace of digitalization in the industry.
To your question: Some of the basic products, like encryption keys and firewalls, are necessary for protecting healthcare networks, but they are limited in scope (and could be called counterproductive). While necessary on the basic level – to make sure hospital employees aren’t surfing the Dark Net, for example – they have very little impact on the larger security state of the organization. In addition, anything that has to do with legacy applications (or Windows XP for that matter), is completely counterproductive because there is a clear shift away from these architectures. Many healthcare professionals want to keep these legacy applications around to preserve data, and don’t have the time or mindset to move this data onto more current applications. This creates a clear security risk for the organization, and will continue to not only impede security, but efficiency as healthcare professionals widely adopt the practice of the electronic patient record (EPR).
Lucian Fogoros: ISACA estimated a global shortage of 2 million cybersecurity professionals by 2019. How much will the healthcare industry be affected?
Ofer Amitai: Hopefully, by 2019, major healthcare organizations will have more cybersecurity professionals in-house to manage policies. But if that’s not the case, then many of the actions performed by cybersecurity professionals will be automated by that point. This goes back to my point about adaptive user/endpoint authentication, which is already leaning in the direction of automation. However, aside from technological advances that will help protect healthcare from this shortage of cyber manpower, the healthcare industry needs to start thinking seriously about their information security policies and adjust their IT infrastructure accordingly. It’s safe to say that those institutions still using legacy systems two years from now will feel the brunt of this burden. Hopefully by that point, regulations like HIPAA will be expanded to include specific security requirements (for example, beyond protection of patient information) for healthcare networks.