Articles, blogs, and whitepapers written about the rise in cybercrime targeting healthcare have become routine even as they reflect a mounting threat to one of our most critical industries. Virtually anyone who has access to a computer and has a propensity toward criminal activity is now able to enter the global criminal marketplace and profit from malware proliferation. This trend continues to gain critical momentum, and has shown no sign of slowing down. Even worse, government agencies are unable to keep pace with the demand for prosecution and investigation of these crimes, which are being perpetrated by a decentralized and global criminal enterprise with the potential to overwhelm the industry if left unchecked.
An example of this type of do-it-yourself cybercrime offering is malicious-tools-as-a-service, which is a fast growing segment of readily available and pre-packaged toolkits located on the deep web through foreign-run forums. The dark web marketplace has become a stable producer of malware services for sale or rent as hackers realize that there is a growing demand for attack software as a retail commodity. Most of the consumers of readymade malware are known as script kiddies, and can pick up a kit for less than $500. A script kiddie is someone who possesses rather low programming skills who would rather buy a prepackaged toolkit than take the time to produce it themselves. The thought behind this is that there is no need to reinvent the wheel when they can easily purchase a product that already has a reputation of producing results. Once purchased via the popular internet currency known as bitcoin, these toolkits come complete with instruction manuals and readymade web sites located on the dark web that help the script kiddie arm, deploy, and eventually reap the low-risk rewards from their investment.
As malware in the form of ransomware continues to gain popularity, and becomes an easily obtainable commodity, the cybercrime-wave continues to keep pace. While the percentage of successful attacks is still fairly low for each individual criminal, the effort to launch such attacks is minimal and represents a rather low risk, so the number of individuals launching attacks continues to growing every day. Once an attack gains foothold, however the reward can be great. Typically, organizations that suffer a successful ransomware attack lacked the proper data security measures needed to prevent such an attack in the first place, and are often forced to pay large ransoms in order to regain access to the resources affected. As a result, the cybercrime industry just in the US has been reported by the FBI to be worth over $110 million in Q1-Q2 2016, and is projected to surpass $200 million by the end of the year. This is a direct result of the growing popularity of ransomware, the ease of obtaining it, and the amount of return possible from a successful attack.
It is far too common for threats like these to target the healthcare industry, resulting in considerable damage to operations and an impact to revenue. In addition, these threats often damage an organization’s reputation, and hinder their ability to deliver reliable patient care. While the tendency has been to give in to cyber blackmail in order to regain access to those resources held for ransom, it isn’t especially the best response, and should only be the last resort in finding a resolution. More often than not, once a ransom is paid there is a low rate of success in regaining access to affected resources.
The common perception of how such hackers gain access to systems is through system vulnerabilities and backdoors. While this is often true, and should not be avoided as a potential attack vector, it isn’t the biggest threat, and it is doesn’t necessarily represent an accurate assessment. Most successful hacks are, in fact, perpetrated by unsuspecting employees who were unaware of the threats presented via drive-by-downloads and email phishing and spear phishing schemes. A single unprotected and vulnerable employee has the power to take down an entire organization with just a single click, and this is where any threat strategy must begin its focus.
Most complex security systems include layered defenses to help prevent attacks and protect many of the different threat vectors that hackers tend to exploit. Healthcare, however, is a unique industry in that it contains literally oldtown of distinctive threat vectors. This reality alone can be daunting, and even overwhelming to security administrators who are trying to grasp this scale of the issue. This can then lead to severe frustration, and impede progress towards developing a strategy and implementing a solution to address the issue. Far too often, solutions and strategies are perceived as too complex and involve too much change in order to be adopted to mitigate the most critical threat vectors.
While the challenge of rebuilding security measures is daunting, the good news is that it can be done, and that many healthcare providers have already started down that path. However, this new era of threat availability and proliferation is requiring virtually every healthcare company to rethink security and explore new ways to implement protection against the growing threat of malware such as ransomware. In addition, healthcare regulations, such as HITECH and HIPAA, are being adjusted to include security measures as part of an effort to beef up compliance, which will help force the issue even further.
So, what does an effective security strategy for healthcare organizations look like?
Often, it starts with an effective layered security strategy that allows organizations to focus on the biggest threat to resources, which is the unsuspecting and untrained end user. This threat vector is often overlooked in healthcare because most of the individuals in the organization are focused on the patient, and not the technology. While their devotion to the patient is vital, a lack of sensitivity to security issues, if left unaddressed, can be the single biggest threat to the organization. As a result, a regular security awareness program for staff is highly recommended, and can be effectively delivered throughout the organization in many creative and low impact ways in order to raise awareness and readiness for the cause of better security.
There are many programs available to help encourage end user awareness, which include posters, email tips, and newsletters, or even online video or interactive web-based training. Many of these programs focus on behavioral changes in how employees interact with email, how they protect their passwords, and so on. In addition, all endpoints should require a comprehensive end-point security solution capable of integrating with the organization’s larger security platform, and should actively contribute to the overall security of the infrastructure. It can do this by doing such things as actively monitoring for user driven activities that may introduce a virus, such as surfing malicious websites, downloading an unauthorized application, or initiating a zero-day threat via a USB drive.
Another way to build an effective security strategy is to focus efforts on fortifying the newer tools and technologies that are powering the modern Software Defined Data Center (SDDC). Many of these technologies allow administrators to contain, inspect, and scrub any and all data traversing their core virtualized systems without hindering access or performance. In addition, these tools also offer the visibility and reporting capabilities needed to produce real-time threat analysis capable of getting ahead of threats before they produce large-scale damage.
Security strategies should also include layered defenses around and behind the perimeter to help secure critical services and platforms, as well as legacy systems and critical patient interfacing devices. Legacy systems and medical devices historically lack the proper security measures needed to prevent modern threats. Successful approaches to fortifying security need to include implementing low impact, high performing next generation firewalls throughout the infrastructure at key locations, which often includes both the distribution layer and often the endpoint itself, in order to effectively segment and secure the network. These segmentation security devices can effectively inspect traffic and block threats that would exploit vulnerable medical devices. When considering a security platform, look for tools that have the ability to interconnect and share data in order to effectively quarantine suspected nodes, and provide ample protection to neighboring devices. This sort of dynamic interaction will contribute to a security platform capable of providing healthcare companies with a real-time threat status view throughout the entire organization, while protecting those resources that are not able to protect themselves and which represent an attack vector that can hinder patient care if disabled through something like a ransomware attack.
Finally, any modern security solution should have considerable focus on email and web site security, backed up by sandbox functionality capable of scanning unknown attachments and links for malware before allowing access to the end user. Most successful attacks occur through spam delivery or web site exploits that are easily delivered and propagated through innocent-looking threat vectors. Healthcare is particularly vulnerable due to the high volume of email transactions taking place on a daily basis, as well as the many services offered via web access to referring physicians and third party payers, etc. An effective solution will help stop forced attacks, as well as allow unknown threats to be inspected in real-time for virus activity. Email and web site security solutions should also leverage existing layered security services already in place by working in tandem to provide layered defense. If properly deployed, the entire security solution will consolidate, condense, and reduce administrative overhead while offering a comprehensive, collaborative, and dynamically adaptable security solution for the organization without compromising performance, or hindering access to critical applications or services for healthcare providers.
As the industry of cybercrime takes on new forms and gains more momentum, it is imperative that those in the security industry continue to educate and inform. Healthcare is unique, and its business model has made it a popular target for cybercriminals looking to make a quick, easy, and untraceable score off of the critical data held within the porous walls of hospitals and clinics. Healthcare organizations should be now searching for advanced, interactive cybersecurity solutions, and building strategies around plugging existing security gaps and identifying and securing the most exploitable threat vectors in their organizations.
In addition, they should be actively pursuing the consolidation of solutions to improve their ability to effectively and simply manage, monitor, and report on security incidents. This strategy should include security best practices and solutions that cover the perimeter, the data center, the end user, remote clinics, vendor connections, medical devices, departmental segments, virtual desktops and devices, Wi-Fi, and cloud services. Once implemented, the ability to produce reliable threat management will greatly reduce the risk from threats, and allow the organization to survive an attack. This will in turn preserve operations, protect revenue, minimize damage to reputation, and reduce risk while delivering reliable patient care.