The security team for a healthcare organization is worried about hackers targeting the healthcare system while everyone is busy treating COVID-19 patients. Specifically, the team asks:
- How can security teams stay on top of the threat?
I would be meeting with your chief medical information officer (CMIO) to understand what critical infrastructure is required to support the continuum of care for COVID-19 patients. Ensure you know what devices are critical and understand their threat posture. Also, everyone is ignoring change control and standing up all sorts of ad hoc solutions for remote access and self-assessment websites. Those are the things that will bite you: changes made in the dark.
I would ensure you have excellent backups and practice your rollbacks. Ideally, you would patch and harden everything, but that is a huge undertaking. By ensuring you can rollback fast and completely if attacked by ransomware, you can mitigate your most likely attack vector.
Most organizations in the healthcare industry are way behind on patching – not just Windows patches, but third-party software as well. I strongly believe that unless/until patching is fully mastered across the network, including network infrastructure and medical devices, healthcare organizations will continue to see exposures/exploits. Focus on patch management. Spend the money to get the right tools. Do it as soon as possible.
Another thing to focus on (especially now, given the distractions of the novel coronavirus) is network visibility. You most certainly cannot protect against the threats and vulnerabilities you don't acknowledge. Now, more than ever, you need good information on what's happening on your network. The quickest solution: Outsource this to a managed security solutions provider (MSSP) that can get you up and running sooner as opposed to later. Stop trying to do everything. You don't have the time and quite likely, no offense intended, the expertise. Arguably the most important thing is to not turn a blind eye on these basics.
Finally, do what you can to stop focusing on Health Insurance Portability and Accountability Act (HIPAA) compliance and instead focus on security and resilience. If you're doing security the right way, HIPAA compliance will happen as a result.
I see three main issues:
- The new SMB vulnerability could have an effect like WannaCry.
- Network-connected ventilators are a thing. Basic Health Level 7 (HL7) information is sent from them, and straight-up connectivity can be an issue.
- Communications – it causes panic, but I think the first two issues cause more direct harm.
Focus on increased patch management, isolation of waste and connected health devices, and increased threat hunting/signature creation for attack precursors (and scanning for those specific vulnerabilities). Now is some of the best time to conduct red/purple teaming activities, identify soft spots and go directly into active rule-writing and defensive improvement, because there is a new flow to network traffic and signals.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.