July 23, 2019 Arnold Agyeman

Lessons learned from Healthcare security assessments

With cyber attack tactics and targets evolving rapidly, healthcare providers must assess how their cybersecurity (or lack thereof) will affect their patients and the integrity of their facility.

With the year-on-year rise of cyber attacks on healthcare establishments, securing patient records and medical data has seen healthcare providers renew their focus on cyber security. Through undertaking a number of assessments with healthcare providers, we have observed some traits common to the sector that are also applicable to other sectors.

Uniquely challenging

Security is challenging at the best of times. Within the confines of a hospital, however, where timely access to electronic patient health records could literally affect people’s wellbeing, the trade-off between access to data and systems on the one hand and security on the other is a consideration that must be addressed.

In an emergency, where accessing health records quickly at the expense of security is in the interest of the patient, designing access control, procedures and technical controls that factor in the clinical needs of staff is essential.

Hospital administrators and technical teams must not be afraid of this but should aim to compensate for the risk by developing a nuanced role-based approach.

Furthermore, this nuance should not only differentiate between clinical and non-clinical staff but also account for the difference between the busy chaos of an emergency room (ER/A&E) and the relatively tranquil space of a ward.

TL;DR: Design authentication to systems based on the role (think of the chaos of the ER/A&E, clinical staff vs. non-clinical). Where there are increased risks, put in place technical controls that do not impede the functions of the role.

Medical devices

Management of medical devices such as scanners can be a problem that requires special attention. With medical devices central to the effective delivery of healthcare, organizations should set out a long-term, risk-based approach to managing them.

It is important to understand that medical devices are sophisticated systems subject to the same range of cyber attacks as any other system. While newer devices are designed with security in mind, many legacy systems are increasingly being brought online and connected to networks, where they are vulnerable to attack. This is a real thing and has happened (example: Hollywood Presbyterian Medical Center, HPMC, 2018).

Acting on this understanding creates the mindset required to develop the necessary layers of defenses. Thereafter, boxing the devices off through secure networking practices such as segmentation, increased monitoring and well-developed incident response processes strengthens the defenses and improves the response to events.

On the administrative side, monitoring and risk management of medical devices should be performed as part of the wider risk management process. For that, establishing management accountability for each system, and holding those accountable for its security and patching, is a must.

TL;DR: Medical devices are costly and central to the functions of hospitals; connecting them to networks (Internet and LAN) introduces risks. Those risks should be assessed and mitigated. Do the risk analysis, secure the devices from the rest of the LAN through network segmentation (a secure ring-fence), monitor them, and develop maintenance agreements and hold the parties to them accountable.

Wireless

There is little doubt about the benefits of wireless networks in healthcare environments (mobile access to records, quick connectivity, and transfer of information). However, with the unique challenges of a healthcare operating environment (see above), the focus on securing the wireless environment can be lost. Maintaining a “guest network” where patients and visitors can access Wi-Fi on their personal devices is beneficial to the user but also has overheads. Ensuring a separation between the organization’s wireless network and the guest network is a must.

In both cases, encryption and technical policies enforcing strict access to data are fundamental. For the guest network, patients and their families should have limits on the types of information they can access (lock it down to essential protocols only), and monitoring, alerting and response processes should be in place.

TL;DR: Guest/patient wireless networks should be locked down to essential protocols and Internet services only. Question: What services do patients require? Answer: entertainment/streaming and email.
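Taking the segmentation and monitoring advice from the medical devices and wireless sections together, here is an added example (not from the original post) of a simple flow-record audit: it flags traffic that leaves the device ring-fence, connections initiated into the device VLAN from anywhere but its two permitted servers, and guest Wi-Fi traffic that reaches internal addresses or uses anything beyond a small set of essential protocols. The segment ranges, server addresses, port list and flow records are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Segments, servers and flow records below are constructed for this example (hypothetical addresses).
MEDICAL = ipaddress.ip_network("10.20.0.0/24")    # ring-fenced scanner / device VLAN
GUEST = ipaddress.ip_network("192.168.50.0/24")   # patient and visitor Wi-Fi
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Devices may only talk to named internal services: the PACS archive (DICOM, TCP/104) and a
# patch relay (HTTPS). Only those two hosts may initiate connections into the device VLAN.
MEDICAL_ALLOW = {("10.10.5.10", "tcp", 104), ("10.10.5.20", "tcp", 443)}
MEDICAL_PEERS = {ipaddress.ip_address(host) for host, _, _ in MEDICAL_ALLOW}
# Guest Wi-Fi is Internet-only and limited to essential protocols: DNS, web/streaming, mail.
GUEST_PORTS = {("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 993), ("tcp", 587)}

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse a key=value record like 'src=10.20.0.15 dst=10.10.5.10 proto=tcp dport=104'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))

def check_flow(flow):
    """Return None when the flow is within its segment's policy, otherwise a short reason."""
    if flow.src in MEDICAL and (str(flow.dst), flow.proto, flow.dport) not in MEDICAL_ALLOW:
        return "medical device left its ring-fence"
    if flow.dst in MEDICAL and flow.src not in MEDICAL_PEERS:
        return "unexpected inbound connection to device VLAN"
    if flow.src in GUEST:
        if any(flow.dst in net for net in PRIVATE):
            return "guest client reached an internal network"
        if (flow.proto, flow.dport) not in GUEST_PORTS:
            return "guest client used a non-essential protocol"
    return None

def audit(lines):
    """Return (record, reason) for every flow that breaches policy; feed these to alerting."""
    checked = ((line, check_flow(parse_flow(line))) for line in lines)
    return [(line, reason) for line, reason in checked if reason]

SAMPLE_FLOWS = [  # constructed flow records, not real traffic
    "src=10.20.0.15 dst=10.10.5.10 proto=tcp dport=104",       # scanner sends studies to PACS: fine
    "src=10.20.0.15 dst=203.0.113.7 proto=tcp dport=443",      # scanner calling out to the Internet
    "src=10.10.7.3 dst=10.20.0.15 proto=tcp dport=22",         # office workstation SSHing to a device
    "src=192.168.50.22 dst=198.51.100.9 proto=tcp dport=443",  # visitor streaming video: fine
    "src=192.168.50.22 dst=10.10.5.10 proto=tcp dport=104",    # visitor reaching the PACS server
    "src=192.168.50.40 dst=198.51.100.9 proto=tcp dport=445",  # SMB out of the guest network
]
```

Run `audit(SAMPLE_FLOWS)` to see the four breaches; in practice the records would come from firewall or flow exports on the segment boundaries.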

BYOD: why bother?

Challenging the conventional wisdom about the benefits of BYOD: are the security challenges worth it? BYOD provides flexibility, but do the benefits offset the risks of data exfiltration, the risk of malware and the overheads of ongoing device management (MDM)? Healthcare organizations need to focus on the why, the cost and the overhead, and not simply follow the herd. That being said, if BYOD is introduced, technical controls such as a “quarantine” VLAN (segmented network), where the admission server won’t let the device join the LAN unless the device’s OS is up to date with patches and/or a suitable anti-malware package is in place, should be adopted. Alternatively, the BYOD device is merely a gateway to a terminal session.

TL;DR: Assess whether the overheads and risks of BYOD are worth it for the hospital. If so, what are the costs, how is it expected to be used, and what controls can be put in place to limit the risks?
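As an added example (not from the original post) of the admission decision described above, here is a posture check an admission server could run before placing a BYOD device on the LAN VLAN or the quarantine VLAN. It requires both a recent OS patch date and a working anti-malware package, fails closed when a field is missing or unreadable, and returns the reasons so the user can be told what to remediate. Thresholds, VLAN IDs, field names and posture reports are all assumptions constructed for this example.

```python
from datetime import date, timedelta

# Thresholds, VLAN numbers and report fields are constructed for this example, not from the post.
MAX_PATCH_AGE_DAYS = 30      # OS patches older than this count as "not up to date"
MAX_SIGNATURE_AGE_DAYS = 7   # anti-malware definitions older than this count as stale
CORP_VLAN = 100              # full LAN access
QUARANTINE_VLAN = 999        # remediation segment: patch and anti-malware servers only

def assess_posture(report, today):
    """Decide which VLAN the admission server should assign and why.

    `report` is the posture a device agent submits when it asks to join the network.
    Any missing or unparsable field fails closed: the device is quarantined, not trusted.
    """
    reasons = []
    try:
        patched = date.fromisoformat(report["os_last_patched"])
        if today - patched > timedelta(days=MAX_PATCH_AGE_DAYS):
            reasons.append(f"OS patches are {(today - patched).days} days old")
    except (KeyError, TypeError, ValueError):
        reasons.append("no verifiable OS patch date")

    av = report.get("antimalware") or {}
    if not av.get("installed"):
        reasons.append("no anti-malware package present")
    else:
        try:
            signatures = date.fromisoformat(av["signatures_updated"])
            if today - signatures > timedelta(days=MAX_SIGNATURE_AGE_DAYS):
                reasons.append("anti-malware signatures are stale")
        except (KeyError, TypeError, ValueError):
            reasons.append("anti-malware signature date missing")
        if not av.get("realtime_enabled"):
            reasons.append("real-time protection disabled")

    return (QUARANTINE_VLAN if reasons else CORP_VLAN), reasons

# Constructed posture reports, as an agent might submit them.
TODAY = date(2019, 7, 23)
HEALTHY = {"os_last_patched": "2019-07-10",
           "antimalware": {"installed": True, "signatures_updated": "2019-07-22", "realtime_enabled": True}}
STALE = {"os_last_patched": "2019-04-01",
         "antimalware": {"installed": True, "signatures_updated": "2019-06-01", "realtime_enabled": True}}
INCOMPLETE = {"antimalware": {"installed": False}}   # no patch date reported at all

if __name__ == "__main__":
    for name, report in (("healthy", HEALTHY), ("stale", STALE), ("incomplete", INCOMPLETE)):
        vlan, why = assess_posture(report, TODAY)
        print(f"{name}: VLAN {vlan}", "; ".join(why))
```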

Think before leaping

The challenges faced by healthcare establishments and by organizations in general (irrespective of sector) are similar, yet different. Creating a security program that meets the demands of the organization requires a nuanced approach, one that understands the challenges facing the sector and the particularities of the organization itself.

Be it challenges for medical devices, networks or device management, thinking about and putting in place controls for the particular environment, rather than simply following the prescribed ‘technical’ remedy, is the difference that shapes a mindset responsive to the security needs of the organization.