By Cris Ewell, PhD, CISO, UW Medicine
Healthcare continues to be targeted by cybercriminals, and we have seen an increase in the number and sophistication of attacks. We all need to recognize that the cybercriminals are well motivated and resourced, and the multi-faceted attacks impact all aspects of the organization. Over the past few years, increase reliance on third parties to protect our organization’s information has increased as well as the attacks on third parties by cybercriminals.
From Trojans like Trickbot and Emotet to ransomware, I am disheartened by the level of attacks by the cyber criminals without any regard to the impact on patient care or how it directly impacts people’s lives. This past year we saw the real negative outcomes of these types of attacks, which included physician practices being closed, hospital systems needing to turn away patients, surgeries having to be canceled, and delayed patient care because the entity could not access the patient record.
Our healthcare systems are complex and complicated, often relying on interconnectivity and a wide variety of operating systems that cannot always be patched against all threats. Also, information security professionals continue to face challenges related to budgets, resources, and support from the organization. While most organizations adopt traditional information security controls to protect the systems and data, only implementing these approaches is, unfortunately, diminishing in value and effectiveness. We have to adopt a balanced and targeted approach to have any chance of decreasing the effectiveness of the attacks and try to stay ahead of the evolving threats.
The organization also needs to understand that improving information security is a journey and not a one-time expense. The information security teams must work with the business to support patient care and at the same time, be adaptable, nimble, capable, and continue to improve to have any impact on the pervasive threats. There is no one solution that will be effective in all organizations. We do need to focus on allocating and designing protection measures around the most valuable assets and services. The prioritization of asset protection must carefully consider the strategic, operational, financial, and compliance risks associated with each asset.
These outlined practices below do not exclude the use of more traditional practices. The traditional information security practices are the foundation for additional practices to be impactful. The goal is to build a smart and nimble protection program that achieves a reasonable level of care with available resources in balance with the compliance, strategic, financial, and operational risks of the organization.
- Adoption of a formal risk management practice and framework. Adopt a system for reporting and prioritizing work efforts based on a risk-managed approach. Have a structure that is easily repeatable and reporting that is easily understood by all audiences within the business. Good places to start are the National Institute of Standards and Technology (NIST) Risk Management Framework or Cyber Security Framework, Health Information Trust Alliance (HITRUST), and Center for Internet Security (CIS) Critical Security Controls. Executive leadership must be involved in the risk management practices, and the information security team must report overall risks to them periodically.
- Completion of inventory (assets, systems, services, people, and partners) and asset risk. Identify and document critical data assets, critical technology services, key people, business relationships, and partners. Learn what assets can be lost with minimal impact. Learn what the most valued assets are and understand the harm that could transpire if the asset is lost. Remember that this includes third parties and data they are hosting for your organization. Once the assets are discovered and risk understood, you can focus on allocating and designing traditional controls that make the most sense based on available resources balanced against strategic, operational, financial, and compliance risk considerations.
- Implementation of clearly defined governance and roles. Governance is critical to the success of the information security program and must be well defined. Their executives need to provide clear direction regarding roles and responsibilities, objectives, and enforcement of the security program. The executives should ensure that an appropriate organizational structure exists to provide oversight and governance for information security services, related planning, and associated risk management practices.
- Implement a monitoring and operational intelligence program. An effective monitoring and operational intelligence program can be of enormous value to an organization’s efforts to protect its information assets. It can provide forecasting and analysis of threats and conditions to assist with strategic, tactical, and operational decisions. It can provide information about risks to specific assets allowing for better targeting of protection measures and associated resources.
- Establishment of an active and trusted network of strategic partners and experts. Building strong alliances with outside organizations and individuals that can assist with problem-solving, enhance incident response capabilities, enrich intelligence gathering, provide more opportunity for information and resource sharing. With all the difficult challenges involved, it only makes sense for security professionals to seek assistance from others facing the same challenges.
- Implementation of mature incident response and management capabilities. Having mature incident response and management capabilities is critical when the cybercriminal gains access to critical assets. Think outside of the normal incident response practices. Make it easy to integrate active support from external experts and establish options for isolated and stealthy communication channels.
- Minimization of the “electronic attack surface” for all critical assets (systems, data, and people). Delete all unnecessary instances of critical data assets. Eliminate all useless online information that may be used as surveillance and planning sources for potential attackers.
It is not reasonable to expect that our current traditional practices will all of a sudden protect our healthcare environments. Information security professionals and executives must learn from the prior attacks and implement additional practices to mitigate the risk of successful attacks. Without any changes, we are relegated to repeating the past – which is something none of us want to do. We can never forget that what information security professionals do is an important part of the patient care team. The above practices can make a difference and help to protect the patients we care greatly for and want to provide a safe environment the improves their health.