Healthcare remains one of the most frequently hacked sectors. It is therefore time to catch up on long-postponed homework in order to face the new demands and risks of a digitized and protected healthcare system.
Comprehensive IT security technologies, possible funding and strong partners can initiate the therapy that seems more necessary than ever in view of the current crisis situation.
Complex, often outdated and heterogeneous IT and technology, together with a lack of security strategy, make hospitals, for example, a worthwhile target for hackers and one that can be blackmailed, because system failure is not an option here. The data loot is just as coveted: depending on how complete the information is, medical records can cost up to $1,000 on the dark web. Only US passports are more expensive, ranging from $1,000 to $2,000 each.
Moreover, most victims in the healthcare sector are often completely unprepared. Besides a lack of money, the main reason is a lack of staff: in Germany, for example, two employees are sometimes responsible for the entire IT administration of three different companies and have hardly any budget. In view of the ongoing consolidation of parts of the healthcare sector in Germany, which was only temporarily interrupted by the coronavirus pandemic, cost pressure is likely to increase further.
At the same time, the demands on IT in a healthcare system that is to be digitized are growing. The current crisis and threat situation in particular shows that hospitals must increasingly be treated as critical infrastructure. In administration, stricter data protection requirements are raising the hurdles for data security. More and more compliance rules have to be observed, from the GDPR to ISO certifications to radio guidelines for technical devices.
Healthcare cybersecurity also still suffers from the following symptoms:
Hospitals in particular cannot sit out ransomware attacks that encrypt data or block systems if they want to continue caring for patients. Attackers will be even more aggressive here in the future: on the one hand through automated attacks on unprepared IT, and on the other hand through more targeted ransomware-as-a-service (RaaS) attacks, which are initiated through social engineering aimed at decision-makers in human resources, administration and accounting.
2. Risks of connected devices
In healthcare, the number of connected medical IoT and OT devices is skyrocketing. However, this attack vector is still often neglected and networked devices are integrated into networks without due care. Hackers also know the specific risks of this hardware: they know how to find out the hard-coded passwords of most devices – and can use them to penetrate the network. It is often not even possible to prevent unauthorized users from accessing the devices. Astonishingly often, devices are used that are only insufficiently certified. Systems with outdated operating systems that are no longer supported also introduce new risks over time.
3. Lack of visibility of hardware
Many organizations do not have a view of their IT as a whole. The encryption of the servers in the Lukas Hospital in Neuss was only possible because an old, invisible client had administrator rights and thus enabled the malware to spread further. With IoT and OT, this danger is even more fundamental because most of these devices are outside the reach of the internal IT organization.
4. Zero-day vulnerabilities continue to increase
Log4j has shown that zero-day vulnerabilities can still cause massive damage and threaten countless organizations. The healthcare industry is more exposed to such vulnerabilities, and a lack of attention can lead to their being exploited more widely.
If you want to ensure the safety of the systems and the health of the patients, you should and can make several adjustments:
- Protection of all devices: An Extended Detection and Response (XDR) solution protects not only the usual endpoints, but also devices on which, as in the case of IoT, no agents can be installed or which are beyond the control of IT managers.
- Ongoing vulnerability management and assessment: Due diligence checks and vulnerability assessment and management are key to discovering and closing potential and existing vulnerabilities before attackers exploit them.
- Isolation of network segments: This allows damage to be limited. If you can quickly separate network areas from each other, you can prevent ransomware from spreading further, for example.
- Identity management: This reduces the risk of employee misconduct. This is particularly important in view of the size of many facilities and the number of employees, who are often not particularly experienced in IT or security-conscious.
- Penetration tests: They test the responsiveness of the organization's own IT defenses, help to identify parts of the organization or employees at risk, and determine areas in which incident response can be improved.
Commit yourself to external expertise
Healthcare IT administrators are not only overburdened, they often lack the expertise or the time to build it. They often do not even get around to dealing with IT security or reacting to specific incidents. An analysis of anomalies in the behavior of endpoints is usually not possible for them.
Partner choice: Help can therefore only come from partners with the appropriate IT security and industry knowledge, for example when changing providers. Many IT departments do not know how complete the deinstallation of the old system was and how many clients ultimately still have to be reconfigured manually. New rulesets that have to be created can also have unpleasant effects for everyone involved in live operation, and their causes then have to be analyzed and eliminated in a time-consuming manner. Partners can contribute their expertise here and provide intensive support for roll-out processes in order to keep this rework to a minimum and to be able to react promptly. A value-added reseller plays an important role here and can be accounted for separately as a service item in the budget.
Security analysts: Equally important are managed detection and response (MDR) services. Larger clinics in particular, with highly complex systems that need a SIEM or ISMS (security information and event management or information security management system) for reasons of compliance, can inexpensively rent the necessary technologies and resources, combined with an external security operations center, as part of an MDR service. This is always cheaper and at the same time more efficient than purchasing and operating this technology yourself. On top of that, MDR offers the expertise, advice and active support of security analysts.
Health costs money
Since last year, hospitals have also been able to access financial support for their IT security. The Hospital Future Act (KHZG) has brought movement to the market. The funding amount can largely be planned well, but as of today many applications have not been processed. There is a need to catch up here, because organizations should not end up applying for a system that is no longer future-proof by the time it is finally implemented because of delays. Open security platforms and the constantly evolving MDR services and consultants can flexibly adapt and scale to the threat situation.