COVID-19 Cybersecurity: Building Resilience Beyond the Crisis
By Jessica Davis
Visibility, network access management, and automation are crucial to securing the healthcare infrastructure and building its resilience long after the COVID-19 pandemic ends. A recent Forescout report showed more than a third of workstations in healthcare operate on unsupported versions of Windows, among a host of other vulnerabilities found in everyday medical devices.
The COVID-19 crisis fueled the adoption of even more remote connections and devices on the network, thus increasing cybersecurity risks across the sector. At the start of the national emergency, the Office for Civil Rights lifted penalties around telehealth to expand care options amid the crisis. These changes fueled the adoption of new telehealth platforms, as well as the use of platforms not previously allowed by HIPAA. During the same time period, telework increased as did the need for temporary hospitals and supporting remote devices. As previously noted by security researchers, many of these platforms were quickly put onto the network – and not always with security at the forefront.
Security researchers, the FBI, and other federal agencies have ramped up alerts during the crisis, in light of an increase in traffic and targeted attacks on the sector. These threats range from fraud schemes tied to COVID-19 and personal protective equipment to nation-state-sponsored hacking on healthcare and pharma entities.
COVID-19 has indeed rapidly transformed the threat landscape, with researchers predicting a resurgence in successful attacks during the second half of the year.
THE EVOLVING HEALTHCARE LANDSCAPE
To Forescout’s Chief Product and Strategy Officer Pedro Abreu and Medigate Co-Founder Jonathan Langer, the threat landscape was already changing before COVID-19, with trends such as a high rate of mergers and acquisitions. And those challenges will continue long after the crisis ends.
In the last four months, the healthcare sector has faced a number of security and technology challenges, Abreu explained. While reported security incidents have remained flat during the pandemic, there are several current security challenges putting these entities at risk.
As a whole, hospital systems are bogged down by acquisitions and integrated clinics, fueling a modern, digital transformation across the enterprise.
“When consolidating health systems together, it creates a tremendous amount of data in healthcare,” Abreu said. “Providers are constantly adapting to the changing landscape of their own, often ignoring what’s going on outside their environment [as it pertains] to newer devices, in the industry in the last several years.”
“When COVID-19 hit, it wasn’t necessarily unique to the healthcare environment, but an acceleration of what healthcare systems were already doing to care for patients,” he added. “It’s been an acceleration of the last 10 years, and hospitals had to do something in months that was meant to take much more time.”
Providers were already looking into new ways to care for patients, including new healthcare facilities and redirecting facilities and care spaces. Abreu noted that the crisis created a surge in these transformations with many entities attempting to adapt to the new environment, in particular, through telemedicine.
For Langer, healthcare is focusing on two key vectors: the adoption of new technology and the IoT connectivity surge, as well as optimizing spending.
Notably, the adoption of new technology can lead to better cost savings and patient outcomes, as it relates to telehealth. COVID-19 has fueled a trend in expansion in different ways.
Healthcare is also increasingly aware of cost savings under the current environment. Due to the pandemic, Langer noted many organizations are looking to optimize their spending, while improving their security posture and identifying the devices needed to be used amid the crisis.
Langer stressed that the industry has been moving in this direction for a while, but COVID-19 has rapidly increased this interest with organizations looking to offset costs and for tools able to optimize their medical device fleet.
More than ever, hospitals need to rethink their technology and asset management strategies to mitigate future threats, Abreu explained. From IoT adoption, cost savings, and mergers and acquisition trends, healthcare providers need to quickly adapt their asset management strategy and how they react to a challenging problem.
Providers need better visibility into everything that’s connected to the network, so they can understand new devices and give them sufficient access while making sure they are correctly and safely connected to the network.
“Especially with IoT in the medical space, it’s critical the devices are connected in a way that is safe and compliant, protecting patient data and patient safety,” said Abreu. “And when it comes to network segmentation, those devices must connect safely and securely.”
“Organizations need to dynamically adapt how devices are segmented, with the right method to communicate safely with the network,” he added.
For example, as many hospitals have merged, they’ve allowed devices and other platforms to communicate across the network – and not always through a secured channel.
While it’s challenging to limit communications between devices and create the right segmented zones, it’s imperative to ensure devices aren’t exploited, by enabling proper communication channels between devices when delivering care.
When looking at healthcare use cases for security and segmentation, Langer explained that a common denominator for these entities is granular and very accurate visibility into those devices.
For security purposes, devices must be segmented across the network, and entities will also need an efficient, dynamic device policy in place that accurately outlines the workflows of the devices. Otherwise, a broad device policy without those details will lack the needed information to create an adequately segmented network and a full list of vulnerabilities.
And without those insights, organizations won’t be able to correlate the devices with the right vulnerabilities within the threat landscape. Thus, organizations won’t be able to create actionable insights.
“It all boils down to a granular, robust foundation for visibility to address these security issues,” Langer said. “Patch management goes back to visibility, as well. In order to be able to jumpstart a patching or remediation program, organizations should engage both the cybersecurity and clinical engineering stakeholders.”
Organizations also need a granular understanding of the firmware currently installed on these devices and the latest patch version.
For example, the Ripple20 vulnerabilities impact the TCP/IP communication stack of a wide range of connected devices. While the flaw is not specific to medical devices, millions of healthcare and medical IoT devices are impacted.
Without insights into device firmware, a provider organization may be unaware of the impact the flaws will have on their enterprise.
On the other hand, with a dynamic device policy and firmware understanding, an organization can use their risk assessment with these insights to jumpstart their patch and risk management strategies.
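An added illustration (not from the article or from either vendor) of how a firmware inventory and a per-class workflow policy can be combined to rank devices for remediation. All device names, firmware versions, zones, and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    name: str
    dev_class: str
    firmware: Optional[str]  # None = inventory holds no firmware data

# Constructed values: first fixed firmware per device class (hypothetical).
FIXED_IN = {"infusion_pump": "4.2.0", "patient_monitor": "2.10.1"}
# Constructed workflow policy: (destination zone, port) each class needs.
POLICY = {
    "infusion_pump": {("clinical_servers", 443)},
    "patient_monitor": {("clinical_servers", 443), ("nurse_station", 2575)},
}
DEVICES = [
    Device("pump-01", "infusion_pump", "4.1.9"),
    Device("pump-02", "infusion_pump", "4.10.0"),
    Device("mon-07", "patient_monitor", None),
    Device("mon-08", "patient_monitor", "2.10.1"),
]
FLOWS = {  # constructed observed flows per device
    "pump-01": [("clinical_servers", 443), ("guest_wifi", 445)],
    "mon-07": [("nurse_station", 2575)],
    "mon-08": [("clinical_servers", 443), ("internet", 80)],
}

def parse_version(v):
    # Numeric comparison, so "4.10.0" sorts after "4.2.0" (dotted integers only).
    return tuple(int(p) for p in v.split("."))

def firmware_status(dev):
    fixed = FIXED_IN.get(dev.dev_class)
    if dev.firmware is None or fixed is None:
        return "unknown"  # visibility gap: cannot be ruled in or out
    ok = parse_version(dev.firmware) >= parse_version(fixed)
    return "patched" if ok else "vulnerable"

def out_of_policy(dev, flows):
    allowed = POLICY.get(dev.dev_class, set())
    return sorted(f for f in flows.get(dev.name, []) if f not in allowed)

def triage(devices, flows):
    rank = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = [(d.name, firmware_status(d), out_of_policy(d, flows)) for d in devices]
    # Vulnerable first, then unknown; within a status, more violations first.
    return sorted(rows, key=lambda r: (rank[r[1]], -len(r[2]), r[0]))
```

A device with no recorded firmware is ranked above patched devices rather than dropped, since missing inventory data is itself a finding.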
Unfortunately, many entities are still attempting to do these processes manually. With thousands of devices operating on a hospital network, a manual process “will take forever,” explained Langer.
“With technology, organizations need a focused, automated approach to simultaneously bridge the gap,” he said. “It’s not simple, and they need to have the manufacturer involved. There are still manual processes, and there isn’t a magic button. But you’ll save incredible amounts of time with an automated approach.”
Abreu added that entities need technology that can schedule these processes.
“Companies are realizing that investing in technology that wasn’t built with the mindset of upgrading and patching, in terms of finding vulnerabilities and dealing with it, [the processes are not there],” said Abreu.
The 2017 WannaCry attack highlighted the risks of devices within a network. The ransomware exploited a vulnerable, unpatched device, which allowed the virus to rapidly proliferate across the network and through other connected systems across 150 countries and hundreds of companies, including US healthcare organizations.
The real-world use case highlights the need for thorough risk assessments, complemented by mitigating controls to keep devices safe, Abreu explained.
“Visibility will show organizations how bad the problem is, where they will need to focus, where the biggest risk is, where to automate tools, and where to put in controls at a network level to prevent attacks on vulnerabilities they can’t tackle,” said Abreu. “Visibility and controls are the secret sauce.”
THE NEED FOR COLLABORATION
Information sharing is crucial to shoring up the healthcare threat landscape, including participation in forums and groups. Langer explained that the reality is there are a range of sizes and types of healthcare organizations, and all have a different level of awareness and staffing numbers.
But by leveraging public-private partnerships, organizations can share threat information, data, experiences, and best practices to determine how to put the right security architecture in place for their organization, he added. Entities can also use these insights to avoid others’ pitfalls.
The need for collaboration will be incredibly valuable as the pandemic rages on, and many healthcare organizations find themselves tapped for resources. Langer stressed that as healthcare continues to reorganize, getting remote work in place, automating new needs, and staying busy with the response, many health systems are in disarray. This chaotic landscape can increase the risk of a cyberattack.
“Healthcare will get reorganized to tackle the pandemic, but even after the crisis, the connectivity trend and new attack surface will be out there. And given the connectivity of new devices introduced on the network, especially around telehealth, it will exacerbate the problem or even cause new cybersecurity issues,” Langer said.
“The attack surface is larger, and critical, sensitive data remains vulnerable,” Langer continued. “We’re going to be seeing a highly targeted industry. The reality is, pushing out solutions that enable connectivity and essential to day-to-day operations, are accommodating day-to-day data flows where controls are leaving this data exposed.”
Abreu added that healthcare rushed to adapt quickly to this newly connected world. But providers need to be ready to quickly adapt when the environment returns to the new normal, by managing network access dynamically based on what they’re seeing in traffic and workflows, while keeping devices safe throughout the care delivery.