The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief spotlighting cyber organizations connected to the Russian Intelligence Services that continue to pose threats. This takes the form of guidance for healthcare organisations.
Considering appropriate healthcare sector business responses for Digital Journal is Scott Kannry, CEO of Axio, who produce cyber risk management and quantification software.
Kannry sees the shifting global situation and the consequent disruption as ways in for hackers to strike healthcare, and as factors that place healthcare in a more vulnerable position.
Here Kannry finds: “The pandemic, and escalating geopolitical tensions, have demonstrated the susceptibility of U.S. critical infrastructure to cyberattacks—including healthcare.”
Kannry’s view on the U.S. system is not positive, for he adds: “Several hospital systems and healthcare providers lack cutting edge cyber defenses, and many leaders of these organizations lack a fundamental understanding of overall risk exposure and susceptibility to attacks.”
He also criticizes the U.S. system’s ability to prepare for attacks, pointing out: “Historically, the dominant conversation around cybersecurity within healthcare has focused on the security and privacy of patient data. But healthcare carries an enormous attack surface given the amount of healthcare IoT existing within facilities.”
As technology has become more sophisticated, so too has the potential for disruption. Here Kannry cites: “Connected IoT devices (think: x-ray machines, insulin pumps, MRI machines, etc.) remain a top target for attackers, as many of these devices have embedded firmware vulnerabilities and poor identity security controls, like default, unchanged passwords.”
Therefore, measures need to be taken and one means to do this is a digital silo. Kannry recommends: “It’s critical for hospitals to continually understand their network environment and architecture: Are IoT devices fully segmented from the outside world? Is MFA enabled across every user, on every device, to ensure full Zero Trust? Appropriate network segmentation, MFA implementation, and ongoing patching and vulnerability management are critical to ensuring attackers stay out of hospital and healthcare networks.”
Taking the segmentation argument further, Kannry puts forward: “Any device that is connected to the Internet can, theoretically, be profiled by malicious actors using popular tools like Shodan and Censys. Many hospitals have embraced connected technology in their digital transformation and modernization efforts, which ultimately promises to deliver better patient care and outcome. However, device manufacturers are notorious for ignoring appropriate cybersecurity testing and safeguards during their production cycles. This creates fertile ground for cyber actors who can hold, for instance, a hospital ransom by taking certain devices offline.”
There are other things the U.S. sector can do, and Kannry adds: “Hospital Administrators and Hospital Boards, the key executives who run these organizations, need to think about cybersecurity as an existential threat to their business. Outages within these facilities will not only cost a hospital money, but can also cost lives. We will absolutely see an uptick in attacks on healthcare facilities in the coming years, and this needs to be a wakeup call for security and business leaders around continuous monitoring and improving of cybersecurity defenses.”