When analyzing cybercriminal activity, healthcare continues to be one of the most commonly targeted industries. With that being said, what should health practices expect as we move through 2017? We recently talked with Derek Manky, Global Security Strategist at Fortinet, to get his insight on cybersecurity in the healthcare industry.
Looking back at 2016, what do you think are some of the biggest security lessons healthcare organizations learned?
There are three things that can be highlighted here:
1. Threat Researchers and Vendors were not on the Same Page
In 2016 there were many instances where researchers released vulnerability reports, and as a result, security vendors faced backlash. Researchers would say certain products were vulnerable to attacks while product vendors would insist they were secure. This was a common occurrence in healthcare because many of today’s IoT vendors typically do not have dedicated security teams and don’t necessarily know how to accurately analyze reports. This type of issue needs to be addressed, with researchers and vendors needing to come together to work as a cohesive unit in 2017. Failure to do so will create massive attack opportunities for cybercriminals.
2. Honesty is the Best Policy
When looking back at what went right in 2016, my mind goes to the Johnson and Johnson insulin pump case, where more than 100,000 patients were using devices that had security vulnerabilities. In response to these findings, Johnson and Johnson publicly admitted the problem and vowed to take the appropriate course of action to secure these devices. Additionally, members of Johnson and Johnson’s leadership team said they were going to try their best to ensure their products don’t have similar bugs in the future. This is the absolute right approach to take when the security of your product may be compromised, and should set a positive example for the healthcare industry. If this type of approach isn’t taken, attackers will take advantage of the organization’s vulnerability.
3. Healthcare gave in to Ransomware
When we look at what went wrong in the past year, it’s hard to forget about ransomware and hospitals paying large amounts of money to get their data back. Ultimately, this was a win for the bad guys (financial gains) and a loss for the good guys (financial loss and reputational damage). Ransomware attacks are something that must be addressed by security postures across the healthcare industry in 2017 and beyond to limit the financial losses within the healthcare organization.
What would you say is the single biggest challenge today’s healthcare organizations are up against?
The biggest challenge for leading healthcare providers is around new attack surfaces. It’s not just the existing challenge of protecting healthcare records. That’s obviously still a primary issue due to the value of patient data and its inability to be easily erased or changed. However, as we move into 2017, healthcare organizations now need to protect critical, connected networks, like those within the ICU.
Data monitors, insulin and other medicinal pumps, and pacemakers all run on these networks. In these cases, the endpoint becomes the human life, not a PC. When it comes to protecting that endpoint, healthcare providers are faced with an extremely tough challenge because security is always seen as an inhibitor.
If you put a security measure in place to block an attack and it inadvertently blocks things it shouldn’t, it could cause a denial of service and lead to grave consequences. This challenge extends outside the healthcare industry as well, since automakers and critical infrastructure industries face the same issue.
On the flip side, if healthcare security solutions are not adopted, attackers will still be able to get through without issue. In the end, organizations must be able to trust their security vendors and gain access to high-caliber threat intelligence and mitigation.
Are there certain types of attacks you expect to see healthcare faced with in 2017 that may not have made the headlines in 2016?
I expect to see more ransomware cases in 2017. In these scenarios, while organizations may not want to publicize it, they’re required by industry regulations to report compromised (or suspected of being compromised) health information. Ransomware can be looked at as a “gateway malware.” What I mean by this is that in 2017, we will see more targeted attacks against recognizable names in healthcare, and more healthcare organizations paying ransoms to regain control.
I also expect to see more issues around ICU attacks. Specifically, I think DDoS attacks will be a huge factor in 2017. Looking at recent indications like Mirai (a type of malware that infects IoT devices), the lessons are there and the infrastructure is in place for attacks. This leads me to believe healthcare is primed to be the number one targeted industry in 2017.
How has the role of threat intelligence within the healthcare sector evolved and where do you see it headed in 2017?
While the healthcare industry does have some information sharing networks in place, I think information sharing needs to become more integrated. Relevant intelligence for healthcare needs to be collaboratively shared between organizations and vendors in an effort to improve the quality of the intelligence.
For example, Fortinet is a member of the Cyber Threat Alliance, which is a group of cybersecurity solution providers who share threat intelligence on advanced attacks, their motivations, and the tactics of the malicious actors behind them. Healthcare vendors need to take note and step up by having in-house cybersecurity teams as well as healthy communication channels with vendors.
Do you think healthcare is on the right track when it comes to protecting itself against attacks?
I’ve had the opportunity to meet some of the bright minds on security operations teams for healthcare providers and I would say that they’re definitely on the right track in terms of staffing and intent. However, I’m hesitant to say everything is in a good place. As always, there’s still much more work to be done.
When looking at the specific problems, is healthcare on the right track when it comes to protecting medical records? I would say they are.
When it comes to protecting patients, however, I’d have to say they are not currently on the right track because there’s a fork in the road here. We’re going to see many more automated attacks in 2017 that can penetrate healthcare organizations by moving from corporate networks into critical care networks. Healthcare needs to start building trusted intelligence into its automated defense solutions because it’s a primed attack surface. The humans can’t win this battle alone.
Headed to HIMSS? Visit our cybersecurity experts in Booth #981 and learn how to deliver security without compromising patient care.