By maintaining strict cybersecurity standards – implementing best practices, staying up to date on software vulnerability patches and backing up systems – healthcare organizations can protect against system disruptions and data breaches, according to Errol Weiss, the Health Information Sharing and Analysis Center’s chief security officer.
Rural systems hard pressed to stay on top of their cyber defenses through these measures can find a deep level of support and collaboration among Health-ISAC members, which can help them reach greater levels of cyber maturity, he said.
Strong spirit of collaboration
Before joining Health-ISAC six years ago, Weiss had spent 13 years in cyber defense and threat intelligence in the financial sector, he said.
“I think back to my time in the banking sector,” he said. “We literally had an army of people just in cybersecurity – thousands of people just doing cybersecurity for a bank.”
There are many cyber threat similarities shared by the financial and healthcare sectors, “but I think it gets even worse for healthcare,” he told Healthcare IT News.
“Number one, they don’t have the budgets to properly protect their networks and organizations as they should. And number two, I think that the attack surface area is just so much bigger.”
Given that healthcare’s cyber defenders work with fewer resources and a larger attack surface, Weiss expressed admiration for their stamina.
“I thought the level of collaboration, cooperation – the spirit of wanting to help each other out – was just so much better here in healthcare than anything I ever saw in financial services,” he said.
Health-ISAC is dedicated to sharing actionable cybersecurity information across the healthcare sector. Weiss encourages organizations of all sizes to join, with organizational membership rates starting at $1,200 per year.
“If you have questions, if you need best practices, people are very willing to put something out there, share example policies that they’ve developed that people could reuse,” he said.
“There’s a lot of great sharing happening in those areas and good collaboration happening amongst members.”
For example, “they’re comparing notes with each other about some of the things that they’re doing in terms of third-party risk management and how they’re achieving that.”
Walking a tightrope
The healthcare industry must find a balance between utilizing innovative technology and maintaining strict security to protect patients as well as provider organizations.
“There are some really cool things happening in healthcare when it comes to advances in medical technology,” such as remote patient monitoring, hospital-at-home “and of course, we can go off about the artificial intelligence as well, being a component of all of that,” he said.
The rise of these new technologies creates “avenues of vulnerability for the adversary” that can compromise patient safety and privacy, and healthcare buyers should beware.
“The innovators in the space, the ones who are moving really fast, trying to get product to market as quickly as possible, maybe shortcutting some of the cybersecurity steps that they should be considering as they’re fielding products,” said Weiss.
In the case of hospital-at-home, the technology relies on patients’ home networks, which only widens the attack surface available to the adversary.
“It’s not just about breaking into a hospital. That might be well protected, but now going after a patient at home who’s on their home network that’s probably not at all well protected and a lot more vulnerable to these kinds of attacks.”
While the proposed updates to the HIPAA Security Rule are more specific about what needs to be done to protect patient data and reduce risk, “there’s a big but,” Weiss said.
“It’s the money, the resources and the talent to make all of that happen.”
Read to the letter, the HIPAA cybersecurity requirements will be difficult for any organization with these deficits to implement across the variety of IT systems found on healthcare networks, he said.
The proposed rule includes estimates of the effort involved, such as for penetration testing.
“I would call the estimate ludicrous,” Weiss said. “It was orders of magnitude way off in terms of how long it would take to properly do a regular repeating penetration test of a network.”
IT staff at some rural health systems also wear more than one hat, he pointed out.
He said he spoke to one specialist with considerable security responsibilities in his role who also cut the hospital’s lawn weekly.
Resources to focus on
“We’ve been saying for a long time in cybersecurity, there’s some basic cybersecurity hygiene you have got to have in place if you’re going to be connected to the Internet,” said Weiss.
To help rural and small-system security specialists, he said he advises them to start with the U.S. Department of Health and Human Services’ voluntary Cybersecurity Performance Goals, which are split into essential and enhanced goals.
“If you can get through the first part, then maybe it’s time to start tackling the second part.”
The second critical resource is the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog; the CVE program on which it depends recently came close to losing its funding under the Trump Administration.
Staying up to date on patches “is where we see the health sector being vulnerable in particular,” Weiss said.
Cybercriminals gain footholds in organizations by running exploits against very old, still-unpatched vulnerabilities.
“We’re seeing exploits from vulnerabilities that literally came out in 2014,” said Weiss.
But, “people can look at that list and say, hey, what are the bad guys attacking right now?” and use KEV to prioritize patches for the vulnerabilities present in their own environments.
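One way to put the KEV catalog to that use, as an added example (not code from the article, Health-ISAC or CISA): the script below reads a scanner export and the catalog feed and orders findings so that vulnerabilities being exploited in the wild come before unlisted ones, whatever their CVSS score. The feed’s field names (cveID, dueDate, knownRansomwareCampaignUse) are CISA’s; the catalog entries and scanner lines embedded here are constructed placeholders, and the CVE IDs are not real vulnerabilities.

```python
"""Prioritise patching from CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example; not code from the article, Health-ISAC or CISA. The live feed is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and this script uses its field names, but the entries below are constructed
placeholders (the CVE IDs are not real vulnerabilities) so it runs offline.
"""
import json
from datetime import date

# Constructed stand-in for the KEV feed: real field names, placeholder content.
KEV_SAMPLE = json.dumps({
    "title": "sample catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2014-99901", "vendorProject": "ExampleVendor",
         "product": "VPN appliance", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-99902", "vendorProject": "ExampleVendor",
         "product": "File transfer server", "dateAdded": "2023-06-02",
         "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-99903", "vendorProject": "OtherVendor",
         "product": "Web framework", "dateAdded": "2024-09-10",
         "dueDate": "2024-10-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export, one finding per line: CVE,CVSS,host.
SCAN_EXPORT = """\
CVE-2014-99901,7.5,vpn-gw-01
CVE-2024-55555,9.8,app-01
CVE-2023-99902,9.8,mft-01
CVE-2024-99903,6.1,portal-01
CVE-2022-12345,5.3,printer-02
"""


def load_kev(feed_json):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def parse_scan(export):
    """Parse 'CVE,CVSS,host' lines into dicts."""
    findings = []
    for line in export.splitlines():
        if line.strip():
            cve, cvss, host = line.split(",")
            findings.append({"cve": cve, "cvss": float(cvss), "host": host})
    return findings


def prioritise(findings, kev, today):
    """Order findings for patching.

    KEV-listed findings come first, because they are being exploited now.
    Within KEV: ransomware-linked first, then those already past CISA's due
    date, then earliest due date. Non-KEV findings follow, by CVSS. A plain
    CVSS sort would put the unlisted 9.8 ahead of the exploited 6.1; this does not.
    """
    def sort_key(f):
        entry = kev.get(f["cve"])
        if entry is None:
            return (1, 1, 1, 0, -f["cvss"])
        due = date.fromisoformat(entry["dueDate"])
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        return (0, 0 if ransomware else 1, 0 if today > due else 1,
                due.toordinal(), -f["cvss"])
    return sorted(findings, key=sort_key)


def patch_order(feed_json=KEV_SAMPLE, export=SCAN_EXPORT, today_iso="2025-06-01"):
    """Return CVE IDs in the order they should be patched."""
    kev = load_kev(feed_json)
    ranked = prioritise(parse_scan(export), kev, date.fromisoformat(today_iso))
    return [f["cve"] for f in ranked]


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for f in prioritise(parse_scan(SCAN_EXPORT), catalog, date.fromisoformat("2025-06-01")):
        print("KEV" if f["cve"] in catalog else "   ", f["cve"], f["cvss"], f["host"])
```

To use it against a real environment, replace KEV_SAMPLE with the downloaded feed and SCAN_EXPORT with the CVE column of your scanner’s report; the ordering logic stays the same.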
The next key step is backing up systems, making sure those backups actually work, and on a regular basis, maybe twice per year, rehearsing an all-systems-down recovery.
“Can I rebuild from scratch? How would I do that, and try it out and make sure it works? Make sure the backups work,” Weiss advised.
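A minimal version of that drill, as an added example (not from the article or Health-ISAC): back a directory up to an archive with a SHA-256 manifest, restore it into a scratch directory, and verify every restored file against the manifest rather than trusting that the archive exists. The sample files are constructed placeholders created in a temporary directory; the corrupt and drop options damage the restored copy on purpose to show the check failing.

```python
"""Rehearse a restore: archive a directory with a SHA-256 manifest, restore it
into a scratch directory, and verify every file against the manifest.

Added example, not from the article. Standard library only; the sample files
are constructed in a temporary directory so it runs anywhere.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "system" to back up (placeholder content, not real data).
SAMPLE_FILES = {
    "db/records.sqlite": b"sqlite placeholder bytes",
    "config/app.ini": b"[app]\nmode=prod\n",
    "scripts/start.sh": b"#!/bin/sh\necho start\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, archive):
    """Write src to a gzip tarball and return {relative_path: sha256}.
    The manifest is also saved beside the archive so a later restore can be
    checked without the original source."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive, dest):
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects path traversal (Python 3.12+)
        except TypeError:                        # older Python without the filter argument
            tar.extractall(dest)


def verify_restore(manifest, dest):
    """Compare every restored file with the manifest; report what is missing or changed."""
    missing, mismatched = [], []
    for rel, digest in sorted(manifest.items()):
        p = dest / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched, "checked": len(manifest),
            "missing": missing, "mismatched": mismatched}


def rehearse(corrupt=None, drop=None):
    """Full drill: build sample data, back up, restore to a scratch directory,
    verify. corrupt/drop name a restored file to damage or delete first."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest = root / "live", root / "restore"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        archive = root / "backup.tar.gz"
        make_backup(src, archive)
        dest.mkdir()
        restore(archive, dest)
        if corrupt:
            (dest / corrupt).write_bytes(b"bit rot")
        if drop:
            (dest / drop).unlink()
        # Verify from the manifest file on disk, as a real drill would.
        saved = json.loads(Path(str(archive) + ".manifest.json").read_text())
        return verify_restore(saved, dest)


if __name__ == "__main__":
    print("clean restore:", rehearse())
    print("corrupted file:", rehearse(corrupt="config/app.ini"))
    print("missing file:", rehearse(drop="db/records.sqlite"))
```

In a real drill the restore target is a spare host, not a temporary directory, and the manifest should be stored somewhere the backup process cannot overwrite, since a backup that silently regenerates its own checksums proves nothing.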
Also, in addition to using multi-factor authentication, “audit the user community on a regular basis to make sure everyone is enforced to log in with multi-factor authentication.”
“Sometimes whole classes of users do not have MFA turned on, or tokens were turned off and never turned on again,” he noted, so they should be checked monthly or quarterly.
“We had some really big, ugly events, incidents that were traced back to the failure of multi-factor authentication to be enabled,” he noted, referring to the Change Healthcare and Ascension cyber incidents.
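The periodic audit Weiss describes, as an added example (not from the article or Health-ISAC): the script below reads a user export and reports whole groups with no MFA enforcement, groups with only partial coverage, and users who are marked enforced but whose registered method is no longer active. The CSV columns (user, group, mfa_enforced, method_state) are an assumed export format, and the accounts in it are constructed placeholders; map the columns to whatever your identity provider exports.

```python
"""Audit MFA enforcement across a user directory export.

Added example, not from the article. The export format is an assumption
(user,group,mfa_enforced,method_state); the accounts are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; not real users.
USER_EXPORT = """\
user,group,mfa_enforced,method_state
a.nurse,clinical,yes,active
b.nurse,clinical,yes,active
c.doc,clinical,yes,disabled
d.admin,it,yes,active
e.svc,service_accounts,no,none
f.svc,service_accounts,no,none
g.exec,executives,no,none
h.exec,executives,yes,active
"""


def audit_mfa(export_csv):
    """Return groups with no enforcement, groups with partial enforcement,
    and users whose enforcement flag is set but whose method is not active."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    by_group = defaultdict(list)
    for r in rows:
        by_group[r["group"]].append(r)

    # Per-group share of accounts with enforcement switched on.
    coverage = {}
    for group, members in by_group.items():
        enforced = sum(1 for m in members if m["mfa_enforced"].lower() == "yes")
        coverage[group] = enforced / len(members)

    unenforced_groups = sorted(g for g, c in coverage.items() if c == 0)
    partial_groups = sorted(g for g, c in coverage.items() if 0 < c < 1)

    # "Tokens turned off and never turned on again": the policy says enforced,
    # but the registered method is disabled, so the user either cannot sign in
    # or, depending on the provider, falls back to password-only.
    disabled_methods = sorted(r["user"] for r in rows
                              if r["mfa_enforced"].lower() == "yes"
                              and r["method_state"].lower() != "active")

    return {"unenforced_groups": unenforced_groups,
            "partial_groups": partial_groups,
            "disabled_methods": disabled_methods,
            "coverage": coverage}


if __name__ == "__main__":
    report = audit_mfa(USER_EXPORT)
    for group, share in sorted(report["coverage"].items()):
        print(f"{group:18s} {share:5.0%}")
    print("no MFA at all:", report["unenforced_groups"])
    print("partial:", report["partial_groups"])
    print("enforced but method inactive:", report["disabled_methods"])
```

Run it monthly or quarterly against a fresh export and treat any non-empty list as a ticket; a group at 0% is usually a policy scoping mistake rather than eight individual oversights.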
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.