We are approaching the one-year anniversary of the WannaCry incident that held many hospitals in the UK and the US for ransom. With a year under our belt, was WannaCry the wake-up call the healthcare industry needed to take better care of the systems and data they use to provide patient care? Or do we still see a situation where our protected health information is less than its name defines: not protected?
To answer this question, the teams at HITRUST and Trend Micro partnered to do some research, leveraging methods and tools such as those found in the open source intelligence search engine, Shodan, to see just how the industry is doing. All the findings can be found in the report, Securing Connected Hospitals [opens PDF].
Sharing some of the details from this report are Elie Nasrallah, Director – Cyber Security Strategy at HITRUST, and Greg Young, Vice President Cybersecurity at Trend Micro.
If things aren't getting better, just how bad is it? What are we seeing across the healthcare ecosystem? What devices, systems, and databases are exposed to the Internet? What is the top threat vector? How does the supply chain play a significant role in the overall safety of patients in the healthcare ecosystem?
Listen in to find out.
About Our Guests
Greg Young has 30 years of experience in IT/cyber security. His experience includes product companies and the private and public sectors. He spent his military career in technology security and was head of IT security for the Federal Department of Communications. Most recently he was a Research Vice President at Gartner, where he spent 13 years covering security for network and clouds, and authored more than 20 Magic Quadrants.
He has headed large security consulting practices, was chief security architect for a security product company, served as an officer in the armed forces, and is a graduate of the Canadian Forces School of Intelligence and Security.
He received the Confederation Medal from the Governor General of Canada for his work with smart card security. His recognition includes mention in Network World's "12 Most Powerful Security Companies", and he was listed in Sys-Con's "100 Most Powerful Voices In Security".
Elie Nasrallah, Director of Cybersecurity Strategy at HITRUST, is responsible for solving complex cyber security problems for US Healthcare. With over 20 years in the IT security field, his in-depth knowledge and experience in cyber defense solutions assist organizations in making the right decisions to align with their business requirements. Before joining HITRUST, Nasrallah worked for security companies such as Trend Micro, FireEye and RSA. His experience spans many areas in security with various industries, but he has recently been focused on helping healthcare strengthen their defenses against cyberattack and has integrated the HITRUST Cyber Threat XChange (CTX) intelligence sharing system with the health community.
Helpful Tips and Resources from the Guests
Greg Young from Trend Micro suggests that healthcare CISOs can take a few concrete steps to help mitigate the risk to their organization:
- Get ahead of potential attacks by identifying and prioritizing all data and devices. Get ahead of IoT, especially for legacy devices that are getting connected.
- Secure all exploitable avenues based on this prioritization to prevent attacks from being successful. Start with patient care devices and PII, and work backwards from there.
- Quickly identifying and responding to security breaches is also important, along with containing a breach to stop the loss of sensitive data. Run a ‘classroom’ (i.e. not on live networks) ransomware exercise, to learn what steps you would take to limit its spread and impact.
- It is also important for organizations to be nimble and apply lessons learned from a breach they experience, as well as breaches impacting other organizations in this industry.
- Additionally, make sure your internal networks are properly segmented to isolate vulnerable devices from the corporate backbone.
Elie Nasrallah from HITRUST recommends taking a calculated approach to addressing the risks associated with connecting hospitals and patients to each other and to the Internet. Here are a few things healthcare companies can do to raise their security posture:
- Leverage a risk management framework to understand where your critical resources are located/connected and what the impact to both the business and patients’ safety would be if compromised.
- Implement and assess your information security controls to ensure adequate segmentation and protection of these resources from both internal and external threat vectors.
- Engage with the community and share threat intelligence to help surface indicators of compromise early to help avoid a massive outbreak throughout the industry.
- The HITRUST CSF and NIST CSF are better together; leverage risk and controls frameworks to look in every corner of your supply chain to mitigate risks related to third-party vendor vulnerabilities and exposure.
The Full Research Report | Securing Connected Hospitals [opens PDF]
Trend Micro Blog | Best Practices: Ransomware
More About Shodan | Cities Exposed in Shodan
Cyber Threat Information | Cyber Threat Briefings
Threat Intelligence Sharing | Cyber Threat XChange
Cybersecurity Labs Communications | Cyber Threat Bulletins
Editor's Note: Sean has worked with HITRUST to help analyze the healthcare tech and security space, occasionally writing for their blog.