Cyber Security in Healthcare: Findings, Diagnosis, Therapy

Complex, often outdated and heterogeneous IT and technology as well as a lack of security strategy make hospitals, for example, a lucrative and blackmailable target for hackers. After all, system failure is not an option here. The data loot is just as coveted: depending on how complete the information is, medical records can cost up to $1,000 on the darknet. Only U.S. passports are even more expensive, with a unit price of $1,000 to $2,000.

Lack of cyber security: consequences of cost pressure

In addition, most victims in the healthcare sector are often completely unprepared. In addition to the lack of money, the main reason here is the lack of personnel, when, for example, in Germany, two employees are sometimes responsible for the entire IT administration of three different hospitals and have hardly any budget. Cost pressure is likely to increase

In addition, the demands on IT are increasing in a healthcare system that is being digitized. The current crisis and danger situation in particular show that hospitals are increasingly being treated as critical infrastructure. In administration, the increasing requirements in terms of data protection are raising the hurdles for data security. Compliance rules must increasingly be adhered to - from the DSGVO and ISO certifications to radio guidelines for technical devices.

Symptoms

Healthcare cybersecurity still suffers from the following symptoms:

1. Ransomware: Hospitals in particular cannot sit out extortionist attacks that encrypt data or block systems if they want to continue to care for patients. Attackers will be even more aggressive in the future: On the one hand, through automated attacks on unprepared IT and, on the other, through more targeted Ransomware-as-a-Service (RaaS) attacks launched with social engineering on decision-makers in HR, administration and accounting.
2. Risks of networked devices: In healthcare, the number of networked medical IoT and OT devices is growing by leaps and bounds. However, this attack vector is still often neglected and networked devices are integrated into networks without the appropriate care. Hackers also know the specific risks of this hardware: they know how to find out the hard-coded passwords of most devices - and can use them to penetrate the network. It is often not even possible to prevent unauthorized users from accessing the devices. Surprisingly often, devices are used that are only poorly certified. Systems with outdated, no longer supported operating systems also create new risks over time.
3. Lack of visibility of hardware: Many organizations do not have IT in its entirety in mind. For example, the encryption of the servers at Lukaskrankenhaus in Neuss (this cyberattack from 2016, which became public throughout Europe, resulted in damage of 900,000 euros; editor's note) was only possible because an old, invisible client had administrator rights and thus enabled the malware to spread further. In the case of IoT and OT, this danger is even more fundamental because most of these devices are not subject to access by internal IT organizations.
4. Zero-day security vulnerabilities continue to grow: Log4j has shown that zero-day vulnerabilities can still cause great damage and threaten countless organizations. The healthcare industry is more susceptible to such vulnerabilities, and lack of attention can lead to increased exploitation of these gaps.

Therapy suggestions for more cyber security

If you want to ensure the safety of the systems and the health of the patients, you should and can turn several screws:

• Protection of all devices: An extended detection and response (XDR) solution protects not only ordinary endpoints, but also devices on which - as in the case of IoT - there is no way to install agents or they are beyond the control of IT managers.
• Continuously manage and assess security vulnerabilities: Due diligence checks and vulnerability assessment and management are key elements in discovering and closing potential and existing gaps before attackers exploit them.
• Isolation of network segments: This makes it possible to limit the damage. For example, if you quickly separate network areas, you can prevent ransomware from spreading further.
• Identity Management: This can reduce the risk of employee misconduct. This is particularly important given the size of many facilities and the number of employees who are often not particularly experienced or security-conscious in IT security.
• Penetration Testing: They test the responsiveness of an organization's own IT defenses and help identify vulnerable parts of the organization or employees and areas where incident response can improve. (More information on penetration testing shows this - chargeable - article; editor's note)

Prescribe to external expertise

Not only are healthcare IT administrators overworked, they also often lack the necessary expertise or the time to develop such expertise. They often do not even get to deal with cyber security and respond to specific incidents. Analyzing anomalies in the behavior of endpoints is usually even more impossible for them.

• Partner selection: Help can therefore only come from partners with the appropriate IT security and industry knowledge. For example, when changing providers. Many IT departments do not know how completely the old system was uninstalled and how many clients still have to be reconfigured manually. This is because newly created rule sets can have unpleasant effects for everyone involved in live operation, the causes of which then have to be analyzed and remedied in a time-consuming manner. This is where partners can contribute their expertise and provide intensive support for roll-out processes in order to keep this rework to a minimum and be able to react promptly. A value-added reseller plays an important role here and can be shown separately in the accounts as a service item in the budget.
• Security analysts: Managed detection and response (MDR) services are equally important. Larger hospitals in particular with highly complex systems that would need a SIEM or ISMS (Security Information and Event Management or Information Security Management System) for compliance reasons, for example, can rent the necessary technologies and resources cost-effectively with an external Security Operation Center as part of an MDR service. This is always more cost-effective and at the same time more efficient than purchasing and operating this technology yourself. And what's more, MDR offers the expertise, advice and active support of security analysts.

Author:
Jörg von der Heydt is Regional Director DACH at Bitdefender