Recent high-profile ransomware attacks on hospitals have once again demonstrated the vital importance of securing healthcare IT infrastructures. When cyberattacks have the potential to cause morbidity and even loss of life, it’s absolutely imperative to understand and mitigate vulnerabilities in the technology environment and cultivate the strongest cybersecurity posture possible.
Medical campus environments present a complex set of challenges and rapid digital transformation is pushing the boundaries. IT infrastructure is converging with operational technology (OT), which supports building management and operations, and also with IoT, which supports cameras, thermal cameras, biomedical engineering clinical devices and much more. With the expansion of the digital landscape, a rise in BYOD, and a growth in the number of workers moving outside the corporate network, the security perimeter has dissolved and the attack surface rapidly increased.
Given the complexity of the cybersecurity challenges that hospitals and healthcare organizations face as IT and OT infrastructures converge, this is no easy task. Rapid digital transformation is collapsing the boundaries between IT networks and devices and technologies that were formerly separated by air gaps. These include OT underpinning building management and operations, Internet of Things (IoT) devices including thermal cameras, patient monitors and equipment trackers, as well as biomedical engineering systems supporting clinical devices. The global COVID-19 pandemic has further complicated the situation, coupling the recent expansion of the digital landscape with a great increase in work-from-home for non-essential workers and corresponding uptick in BYOD. The end result has been a swift expansion of the attack surface.
The convergence of IT and OT infrastructures is exposing healthcare IT infrastructures to the inherent vulnerabilities in these devices, some of which have little to no integrated security, and many of which are incapable of receiving firmware updates. In these environments, uptime and reliability are critical to patient care delivery models, which can make altering the clinical operational procedures to deal with potential cyberattacks a very disruptive proposition. Not all healthcare cybersecurity programs function at optimal levels of maturity, and not all have access to as many resources –budget and staffing – as they’d like.
Even as digital transformation amplifies the difficulties of securing healthcare IT systems, however, it’s still possible to make meaningful improvements that will reduce real-world risks. The key is to begin with a holistic view of your environment, balance compliance needs with actual operational readiness, and adopt a strategic approach. We’ve put together a list of the five most important tactics to pursue.
Best Practices for Securing Healthcare IT Infrastructures
Tip #1: Inventory Your Assets
Gain visibility into what’s connected to your network, including devices that aren’t considered part of traditional IT.
Understanding the security vulnerabilities that impact medical devices and networks supporting biomedical systems is difficult in and of itself. Healthcare CISOs must also consider the myriad of systems that support hospital operations outside of the clinical environment. These include everything from digital signage to heating, air conditioning and ventilation controls. They also incorporate physical security controls like badge readers and door locks. Ancillary support equipment designed to enhance patient experience, such as smart TVs, noise regulation systems and guest Wi-Fi networks, are usually present as well. Any of these connected devices might potentially have a vulnerability that an attacker could exploit.
A critical first step in improving your hospital cybersecurity posture is gaining visibility into all of these assets. How many systems and devices are connected to your network? Are any misconfigured? Is every device’s firmware up to date? Do any of them have vulnerabilities that appear on MITRE’s Common Vulnerabilities and Exposures (CVEs) list? Taking inventory allows you to recognize what might become a pivot point or threat vector exposing your broader environment.
Tip #2: Ensure Proper Network Segmentation
Operate mission-critical systems in separate network zones from those that are less essential.
Many healthcare organizations still operate relatively flat networks, leaving them vulnerable to attacks that move laterally across the environment after exploiting a vulnerability in a medical device or other operational technology (OT) system that’s inherently insecure. Medical device lifespans are typically much longer than those of IT hardware, so most older devices in use are likely to have been built before current FDA cybersecurity guidance came into force. These systems remain difficult if not impossible to secure with post-market modifications.
Putting network-level controls in place to build segmentation and enforce distinct zones for different device types should be an especially high priority for organizations lacking the budget to replace these types of devices.
Tip #3: Increase Governance
Make sure you have proper policies and procedures in place to deal with the changing threats across the cybersecurity landscape.
Increasing a healthcare organization’s cybersecurity maturity goes beyond implementing best-of-breed tools. It must also take into consideration operational and clinical processes are in line with cybersecurity best practices. It’s also paramount to identify the areas where you face the greatest risks and begin by making changes there first.
Key components of strong cybersecurity governance include:
- Developing incident response procedures. These should include detailed playbooks explaining what stakeholders will do in case of an incident or breach. Conducting tabletop exercises enhances preparedness.
- Employee education. Changes to clinical procedures are far more likely to be successful if employees understand their purpose and importance.
- Integrating compliance with broader risk management strategies. Though regulatory requirements such as GDPR, HIPAA and PCI cannot be ignored, compliance is only one facet of an overall security strategy.
Tip #4: Allocate appropriate resources for security
Without an adequate budget, you’ll encounter endless and near-insurmountable challenges.
Take a systematic approach to cybersecurity spending, prioritizing those investments that are likely to yield the best return in terms of risk reduction. Nonetheless, the operating costs involved in keeping your devices and network secure aren’t negligible. A certain minimum outlay — of money as well as effort — is required to make meaningful progress against the major cybersecurity issues in healthcare.
Tip #5: Maintain awareness of supply chains and the security posture of partners and vendors
Every connected device you bring into your environment has the potential to increase vulnerability, as does every vendor who handles your data or network.
Many medical devices, especially legacy systems, simply weren’t designed with security in mind. In addition, firmware updates intended to add features or functionality may inadvertently introduce security flaws. Keeping track of software, embedded microcontrollers and communication protocols can be challenging even for the device manufacturers themselves. For a hospital tasked with managing tens of thousands of devices, it’s a colossal undertaking.
That’s why choosing hardware that’s secure by design can result in a significant cost savings, even if device costs are initially higher. Ensuring that there’s a secure method of firmware update delivery is also important aspect when evaluating a vendor’s products. Cybersecurity needs to be engaged in vetting vendors at the procurement process.
A similar principle holds true if you’ve outsourced the management of a portion or the whole of your network to a third-party provider. If your hospital makes use of managed services, be certain you’re dealing with a quality vendor who relies on best-of-breed tooling and has a strong record for cybersecurity. It’s a good idea to include a security validation check within decision-making processes when ranking prospective providers. Be sure your MSP has the capability to effectively monitor your network in order to detect anomalous behavior quickly.