After cyber-attacks against U.S. hospitals continued to rise in April, the U.S. Department of Health & Human Services’ Office of Civil Rights issued a warning in its Spring 2019 Newsletter. According to the article, hospitals are the prime targets for both Advanced Persistent Threats (APTs) and Zero-Day exploits. As hackers become more sophisticated and better funded, they are combining the two, using an APT to exploit Zero-Day vulnerabilities on a massive scale. APTs are not a sophisticated attack, but their long-term presence is leveraged to mine highly sensitive data. Using information gained through APTs, hackers use Zero-Day exploits to share data publicly, making it highly untraceable. They expect to see more cases such as the WannaCry ransomware attack that crippled parts of the UK’s National Health Service in 2017.
Because of this, traditional security approaches have become less effective, and approaches that focus only on the perimeter and north-south traffic leave the inside network vulnerable and allow malware to move freely once the perimeter is breached. Security appliances and tools that have been deployed to protect workloads on the physical network are not effective for workloads on virtual machines or private clouds. Endpoint numbers, fueled by devices at patient bedsides, IoT projects, and biomedical devices (which can be under-patched or run legacy operating systems), are growing exponentially. While hospitals have spent millions of dollars on security tools and products, the complexity of these often-overlapping systems creates more opportunities for misconfiguration and human error, opening more holes for hackers to use.
Cybersecurity has become core to business strategy, and failing to focus on it can have serious financial consequences. With the risk of HIPAA and PCI compliance fines, revenue losses and reputation risk, “Are we secure?” has become a common question in the boardroom. Ransomware is expensive – and hackers use that as a tactic to penalize those who don’t pay. According to reports, a well-regarded ENT center in the Midwest chose to close its doors after non-payment of a ransomware demand resulted in the deletion of all its patient records. To make matters worse, cybersecurity insurance companies and re-insurers are raising rates for those who fail security audits or experience a breach. In one recent example, a large hospital system in the Northwest was assessed an additional eight percent (8%) increase in its premiums after failing to pass a second audit. And if a business can make it through ransoms and fines, it still runs the risk of patients filing class action suits for exposing their financial and personal data.
Now is the time to rethink Network Security Deployment. The path to a secure system needs to be well-funded, clearly defined and well-managed. As hospital budgets become tighter, cybersecurity needs to stay a top priority. Many of our clients are recommending that security investment be 5 percent or more of the total annual IT spend.
Research shows that hospitals benefit most from collaboration between an internal team and consultants to explore best practices and procedures for combating this danger to our environments. At HCTec, we have a nationwide network of cybersecurity experts ready to be deployed. To learn more, contact us today.