Making security a priority is imperative to reduce error in handing healthcare data
The healthcare industry is a favorite target for cybercriminals, and it’s been that way since I began writing about cybersecurity more than a decade ago. Northern California healthcare system Sutter Care, for example, has 3 million patients in its system and reported 87 billion cyberattacks in 2018.
Healthcare data is clearly under siege, which means protecting patient medical, insurance and personal information must be a top priority. However, to best protect that data, security professionals need a better understanding of the types of cyberthreats they are up against.
Ransomware attacks cause serious problems in health care, having knocked hospitals offline for long periods of time. But while these disruptive attacks make headlines, ransomware is no longer health care’s most prevalent security threat, according to a Vectra study. Rather, internal human error and misuse are a much more common occurrence than hacking. This high degree of error stems from unmanaged devices and lateral movement of device-to-device communications.
I asked Chris Morales, head of security analytics at Vectra, about the security problems surrounding these unmanaged devices, including the privacy risks and potential violation of privacy regulations. The rise of security threats involving devices is centered on the increasing use of IoT in the medical industry, he said.
“Medical IoT devices offer new ways to monitor patients and equipment while improving care and lowering costs,” Morales explained. “But many of these smart devices have unknown security protections. Connected medical devices, from Wi-Fi-enabled infusion pumps to smart MRI machines, increase the attack surface of devices sharing information.”
Medical facilities use IoT devices for their specific capabilities; however, most hospitals don’t have network segmentation of IoT from other devices, he said. The result is that any device that is introduced locally can end up having a global impact.
Compounding the problem is the disconnect between onboarding these devices and the security teams’ participation. Security isn’t often included in the device acquisition or implementation. This opens up the risk of human error, which can take many different forms ranging from poor medical system configuration to absence of audit logs, unauthorized access control or even a lack of processes surrounding the device’s use.
The device problem isn’t just about medical IoT. Medical facilities also allow BYOD, and many of those devices are considered non-compliant. “Often this error occurs due to lack of understanding of proper handling of devices even when the proper policies are in place,” said Morales. “Violation of policy then becomes unintentional by staff focused on providing optimal patient care.”
Hiding in DNS Tunnels
According to the Vectra report, the most common method attackers use to hide exfiltration behaviors in healthcare networks is hidden DNS tunnels. The second most common exfiltration method used was smash and grab, which occurs when a large volume of data is sent in a short period of time to an external destination not commonly in use. The third most detected method for hiding data exfiltration was data smuggling, which occurs when an internal host device acquires large amounts of data from one or more internal servers and subsequently sends a significant amount of data to an external system.
So, how do these data exfiltration methods mesh with the human error and insider threats listed in the report as the primary healthcare security issue?
“In a hospital, the moving of patient data is quite normal,” Morales explained. “This is to both through the sharing of patient records between medical professionals to provide health care as well as the management of medical devices by the device manufacturer.”
This can emanate as outbound network traffic in many different ways, he said. “Hidden DNS tunnels often are associated with IT and security tools that use DNS communication. Smash-and-grab behaviors can reflect the normal operation of an IoT device. And data smuggling behaviors can occur when patient medical records are transferred.” Bottom line, anytime a misconfiguration error leaves this data exposed during transfer of information, it becomes easier for an attacker to compromise and access the system involved in the data transfer. The misconfiguration error also easily hides the efforts of someone interested in unethically acquiring medical information.
Decreasing the Human Error Risk
To decrease the human error security risk in health care, Morales said the problem is best addressed by providing simple organizational measures. This includes policies and procedures on the proper handling of medical devices and medical information, along with measures to create and maintain awareness of the healthcare security risks. Policies and procedures should describe acceptable and unacceptable behaviors for data and device management.
Along with policy, he added, proactive and reactive means such as asset classification, network segmentation, risk analysis and audits should be practiced on a regular basis.
Keeping on top of the way healthcare workers use IoT and other equipment, bringing in security early in the decision and implementation process and deploying security best practices should cut down on the internal human error and misuse—and, in turn, better protect patient data.