By Christopher Frenz, AVP of Information Security and Infrastructure, Interfaith Medical Center
The onset of the COVID-19 pandemic has resulted in a period of significant and fast-paced change for many healthcare organizations. Within the last few months, many healthcare providers have rapidly rolled out telehealth, expanded remote access, added large numbers of medical devices to their networks, and made many other changes to deal with the challenges of COVID patient surges and the changing care landscape that stay at home orders brought to other types of patients. In a rush to meet patient care needs, many healthcare organizations did not always follow established information security standards and other IT best practices while rolling out these changes. Moreover, certain regulations were temporarily suspended to facilitate the demand for telehealth and like services.
While falling short of security best practices should always be a concern, it is especially alarming given the large-scale increase in cyber-attacks that healthcare organizations are seeing as the pandemic continues to spread. The fear and uncertainty caused by the pandemic created an ideal environment for social engineering attacks, and the explosion of remote access creates a plethora of potentially public-facing vulnerabilities that could be exploited by attackers. This perfect-storm environment has not gone unnoticed by attackers, and many healthcare organizations have found themselves on the receiving end of a cyber-attack during these already trying times. The situation is often made even worse by the fact that many such cyber-attacks are being attributed to well-resourced nation-state attackers.
While all healthcare organizations should take a moment to evaluate the solutions they brought live and assess them for deficiencies against current organizational and industry best practices in order to begin remediation, the fact that the introduction of change caused significant security gaps at all should make us reassess how we as healthcare IT and InfoSec professionals go about keeping our enterprises secure. Most organizations today still take a highly reactive approach to security, whereby they take measures to block threats that are known bad rather than taking the time to implement a more proactive approach that only allows the operation of known good. The best reactive security can do is protect you tomorrow against today's threats. With the constant explosion of new malware and the never-ending discovery of new zero-days, this is no longer acceptable as the sole means of keeping an organization secure. Organizations need to adapt their approaches to security to place much more emphasis on allowing only known-good behaviors.

Take, for example, the recent case of expanded remote access to various systems, which many healthcare organizations have recently allowed. For any healthcare organization, there is always the chance that a public-facing or remotely accessible asset can become the target of an attack. If that system makes use of application whitelisting technologies, however, there is a much-reduced chance that some form of novel malware will be able to execute on it as compared to a system that just runs traditional AV software. Likewise, if that system were to become compromised but resided on a zero-trust network, whereby all non-essential network communications were blocked by default, the danger to the organization from that system would still be present but would be heavily mitigated by the extensive network segmentation in place.
It is time for healthcare organizations to start taking a more evidence-based approach to security, whereby they take the time to empirically measure the efficacy of the various security controls they use and begin to make security decisions based on what will produce quantifiable improvements to the security of the organization. My advocacy of zero trust strategies for networking, for instance, grew out of the evidence-based approach to security that I have been using within my organization for many years now. As part of measuring our security efficacy, we decided to simulate a mass malware attack. We quantifiably saw the effectiveness of network segmentation in stopping the lateral movement of a threat, which got us thinking about how to take network segmentation to the next level and started us on our zero trust journey. Our later addition of application whitelisting was similarly governed by empirical testing to identify ways of stopping threats that were able to bypass other in-place security controls. Given the often limited resources and budgets healthcare organizations have with regards to security, it is critical that we ensure the actions we take and the investments we make give us the quantifiably largest returns on investment possible. To do that we need to take the time to empirically measure the efficacy of our in-place security controls to identify what works and what does not, and to ensure that any additions or changes we make to our environments result in empirically demonstrable improvements to security.
To begin to take a more evidence-based approach to security, consider the following steps:
- Use a quantitative risk assessment framework to identify which threats pose the biggest risks to your organization.
- Develop metrics to quantify the impact the threats identified above could have on your organization. Also, develop metrics to quantify the efficacy of your controls in combating each threat, as well as metrics to quantify the efficacy of your incident response process with regards to that threat.
- Develop a way to simulate the threat (e.g., using the EICAR test string to simulate malware) so the metrics created above can be assessed without exposing the organization to a real cyber-attack.
- Simulate the threat and collect the metrics you developed to get real-world insight into the damage a particular threat could do as well as the efficacy of various controls.
- Analyze the data to identify any deficiencies and possible changes that could be implemented to improve security.
- Remediate the deficiencies and put your security improvements in place.
- Repeat the testing to demonstrate that the changes quantifiably improved security.
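As an added illustration of steps 4 through 7 (this is example code written for this article, not a tool from the author's organization), the script below models one of the metrics the text describes: how far a self-propagating threat can spread from a compromised remote-access host. It treats the network as an allow-list of permitted flows and compares a flat network, a segmented zero-trust policy, and the same policy with application whitelisting on a server. The host names, the flow policies and the "patient zero" host are constructed for the example; a real run would derive them from a simulation such as the EICAR-based one described above.

```python
from collections import deque

# Constructed inventory: a remote-access gateway, two workstations,
# an EHR application server and its database, and two medical devices.
HOSTS = ["vpn-gw", "ws-01", "ws-02", "ehr-app", "ehr-db", "pump-01", "imaging-01"]

# Flat network: every host may talk to every other host.
FLAT_POLICY = {h: [x for x in HOSTS if x != h] for h in HOSTS}

# Zero-trust policy: only the flows needed for care delivery are allowed,
# everything else is denied by default (constructed example rules).
SEGMENTED_POLICY = {
    "vpn-gw": ["ws-01", "ws-02"],
    "ws-01": ["ehr-app"],
    "ws-02": ["ehr-app"],
    "ehr-app": ["ehr-db"],
    "ehr-db": [],
    "pump-01": ["ehr-app"],
    "imaging-01": ["ehr-app"],
}


def blast_radius(policy, start, whitelisted=frozenset()):
    """Return the set of hosts on which a worm-like payload could execute,
    starting from `start`, when only the flows in `policy` are permitted.
    Hosts running application whitelisting never execute the payload, so
    they are neither compromised nor used as a stepping stone."""
    compromised, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in policy.get(src, []):
            if dst in compromised or dst in whitelisted:
                continue
            compromised.add(dst)
            queue.append(dst)
    return compromised


def reach_fraction(policy, start, whitelisted=frozenset()):
    """Lateral-movement metric: share of the inventory the threat reaches."""
    return len(blast_radius(policy, start, whitelisted)) / len(policy)


def improvement(before, after):
    """Relative reduction of a metric between two simulation runs (step 7)."""
    return 0.0 if before == 0 else (before - after) / before


if __name__ == "__main__":
    base = reach_fraction(FLAT_POLICY, "vpn-gw")
    seg = reach_fraction(SEGMENTED_POLICY, "vpn-gw")
    seg_wl = reach_fraction(SEGMENTED_POLICY, "vpn-gw", frozenset({"ehr-app"}))
    print(f"flat {base:.2f}  segmented {seg:.2f}  +whitelisting {seg_wl:.2f}")
    print(f"segmentation cut reach by {improvement(base, seg):.0%}")
```

Re-running the same scenario after each policy change, and recording the resulting fraction alongside detection and response-time metrics, gives the before-and-after evidence that step 7 asks for.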
As security professionals, it is time that we begin to take a more evidence-based approach to our security decisions and seek empirical evidence that what we are doing is actually working to make our organizations more secure. A process of continual simulation and testing should be a key part of your organization’s security strategy. These strategies are especially pertinent in times of uncertainty and change, like the current pandemic, as the continual process of testing and refinement will help organizations to identify and incorporate more resilient controls and practices that will better stand up against an ever-changing threat landscape.