Cyberattacks seem to be a matter of “when,” not “if.” Hospitals, which were once less preyed upon by cybercriminals, are now among the most prominent targets, with 2020 being a record-setting year for breaches of protected health information (PHI). While today’s healthcare leaders recognize the need to be prepared for cyberattacks, many emphasize defending their IT systems and data rather than preparing for what comes after ‘successful attacks’ occur.
Cybersecurity is not just a box that can be checked after firewalls or intrusion detection software (IDS) are set up – in fact, protecting your assets is only part of the equation according to the National Institute of Standards and Technology’s cybersecurity framework pillars of identify, protect, detect, respond, and recover. Healthcare organizations need to not only be equipped to detect potential threats, but also have a solid, thoroughly tested plan in place in the event of a security breach so that all involved know how to react to reduce its impact.
One key aspect of preparation is understanding the difference between an infrastructure breach and a data breach. An infrastructure breach is similar to a property trespassing – an intruder may enter your home, but there is a window of time to catch the intruders before they steal your belongings. Their presence is of course concerning, but no real harm is done if they are unsuccessful. Hospitals need systems in place to detect and understand when and how their infrastructure has been breached so they can take swift action before it evolves into a data breach, where valuable physical and digital assets or PHI are compromised.
In the NIST Cybersecurity framework, protections such as antivirus and firewalls are a necessary first line of defense, but they are only that – the earliest obstacle for a hacker to overcome. Vigilant intrusion detection systems (IDS) that alert IT when something abnormal occurs are critical to understand where there is an exploited weakness across the hospital’s infrastructure. These monitoring systems must be sensitive enough to detect the slightest unusual activity, yet be able to triage these events in order to flag viable threats rather than false alarms. For example, the IDS should notify the security team that an end-user in the accounting department is repeatedly trying to access the electronic health record. That individual might have a legitimate reason for accessing the record, or probably this could be an intruder assuming the identity of an accounting department employee. Regardless, the incident is suspicious and should be investigated.
Intruder detection is critical to raising awareness that an attack is happening, but cybersecurity efforts cannot stop here. Healthcare organizations need to determine the immediate next steps to expel the attackers from the infrastructure quickly without disruption to business or patient care – who do they involve? What is each responder’s role? How long will it take to transfer data to back up servers? This is where rigorous exercise of a solid plan matters most.
Oftentimes, cybersecurity incident response plans (IRP) are developed with good intentions, but then filed away for later. Instead, these plans should be continuously rehearsed and revised as cyberattacks become increasingly sophisticated and hospital IT systems change. Just like firefighters do not wait for a house to be burning down to know if they can put it out, an effective response is never improvised – hospitals cannot successfully put their IRP to work for the first time during a crisis.
Testing one’s IRP can lead to critical learnings around areas for improvement. Imagine a health system who created a seemingly solid, detailed IRP that included contingency backup servers and data storage. In theory, this is a great way to help ensure they can continue operations once their main servers are taken offline after being compromised. But, when testing this plan, they could find significant flaws, such as the time it takes to restore systems from the backup servers. Depending on the volume and complexity of data, this could take weeks– a reality that would be just as disruptive and costly as a cyberattack. By knowing this in advance, it could give the hospital the ability to explore alternatives to quickly transition servers and reestablish normal business operations in the shortest amount of time.
Of course, every cyberattack is unique, and one can never be fully prepared. Consistently practicing the incident response plan, learning from other hospitals and updating the plan accordingly, and ensuring staff is trained to execute next steps will not only help safeguard physical and digital assets in many scenarios, but also bolster the team’s confidence.
By seeking a knowledgeable and experienced IT security partner intimately familiar with hospitals workflows and focus on patient care, their IT infrastructure and data management, hospitals can minimize the impact of a cyberattack – and better yet – prevent attackers from ever infiltrating assets in the first place. Technology providers can speak to their experience and best practices across a wide range of clients and provide evidence-based guidance for the most effective response plans. An effective partner is one that works hand-in-hand with hospital IT departments to determine the proper procedures to protect assets and to monitor for suspicious activities.
Ultimately, the complexity of one’s response plan depends on the complexity and variety of one’s IT systems. Accidental IT architectures, due to their uncontrolled complexity, or an infrastructure that has grown and evolved organically rather than strategically, is the most common source of breaches and IRP failure, extending the opportunity for hackers to spot vulnerabilities. Secure enterprise products like Capsule Medical Device Information Platform (MDIP) will play an important role in not only improving interoperability between devices, but also safeguarding the data that flows through them. By simplifying IT complexity, health systems can reduce an attacker’s entry points, simplify the system monitoring, have a simpler and more effective IRP, and in the end makes security more manageable and cost-effective.
To learn more about today’s cybersecurity challenges and our commitment to proactively addressing our customers’ security and privacy concerns, click here.
Christophe Dore is the Cybersecurity Manager of Philips Capsule.