The Most Contagious Vulnerabilities in the Healthcare Sector
If injections scare you, think about the cyberattack on the London hospital on June 3, 2024, which resulted in the release of 400 gigabytes of stolen data and the disruption of over 3,000 hospital and GP appointments and operations.
The cybersecurity challenges faced by healthcare providers are immense. Patient data must be constantly protected, and a large number of connected devices must operate consistently and securely in an environment where patients, doctors, non-medical staff, the IT department, and external contractors require different levels of access to the system.
When considering the challenges of protecting such an environment along with the high value of patient data, it’s easy to see why healthcare is the industry most frequently targeted by hackers. A typical electronic health record (EHR) can contain information such as name, social security number, medical history, banking and credit card information, family members’ names, and much more of great value to hackers.
In 2023, the healthcare sector reported data breaches with an average cost of $10.93 million per incident, nearly double that of the financial sector, which came in second with an average cost of $5.9 million. Additionally, over the past four years, there has been a 239% increase in major breaches reported to the OCR involving hacking, and a 278% increase in ransomware attacks. In 2023, major breaches affected more than 88 million people, 60% more than the previous year.
Examining Healthcare Sector Vulnerabilities
To better understand how to secure healthcare IT, it’s essential to delve into specific vulnerabilities and how they can be mitigated.
1. Connected IoT & Devices
One of the biggest vulnerabilities within the healthcare industry is that IT infrastructure tends to have a very high number of access points.
Think of equipment like connected MRI machines, staff iPads, desktop computers in nursing stations, laptops on carts, wireless repeaters, and any other device connected to a network. Without adequate security, any of these access points can be used as a gateway to the larger system. This leads to another vulnerability in the healthcare environment: understaffed and underfunded IT departments.
2. Insufficient IT Staff
Hospitals and other healthcare organizations focus primarily on patient care, and with budgets directed there, very little is often left for the IT department.
This means that the IT team is small and operates on a reduced budget, despite having long task lists that include compliance with strict security regulations. Sometimes corners are cut as the IT team struggles to keep up with the workload. This is not meant to criticize IT teams; they are hardworking professionals. But it’s true that small, overburdened IT teams are a potential vulnerability because they can’t meet all the demands that adequate cybersecurity requires.
3. Third-Party Contractors and Vendors
Because IT teams are small and face an overwhelming list of tasks, external providers are often called upon to perform specific jobs. These high-tech connected machines require licensed technicians for maintenance and calibration.
To do this work, privileged access to the system is often granted to contractors, either remotely or on-site. If this access is not closely monitored and limited, a contractor can have free rein within the system or jump across the network to other valuable targets. This creates a potential vulnerability in terms of security and privacy. With inappropriate access, a contractor can view patient records or wreak havoc with life-saving equipment, violating cybersecurity protocols and compliance measures such as NIS2 and GDPR in Europe; HIPAA, HITECH, and PCI DSS in the US; and UK-GDPR and the Data Protection Act 2018 in the UK.
Remedies to Mitigate These Vulnerabilities
Given the particular needs and environment of a healthcare provider, any solution designed to close these vulnerabilities needs to have several key qualities. An adequate solution must:
- Be low impact, so healthcare delivery is not affected.
- Be high yield, so vulnerabilities are closed.
- Be easy to implement, so it can be quickly deployed with minimal disruption.
- Incorporate security by design principles, to minimize the IT workload while maximizing security throughout the system.
These qualities are vital, but what specific problems should such a solution address and what features should it have to do so? An adequate solution should:
- Control remote access: Ensure that only authorized users can access systems from external locations.
- Provide user session monitoring: Monitor and record user activities within the system in real time.
- Enforce the principle of least privilege: Ensure users only have access to the data and systems necessary to perform their job.
- Optimize management for the IT/security team: Facilitate the administration and control of systems and data.
- Ensure compliance with regulations: Ensure the solution meets the numerous healthcare-related regulations, such as UK-GDPR, DPA 2018, and NIS Regulations in the UK, among others.
Implementing these measures will help protect sensitive patient data and strengthen cybersecurity in the healthcare sector.
The Effective Cure: Privileged Access Management (PAM)
A robust Privileged Access Management (PAM) solution can meet these requirements, but only if it comprises several key components that work together. First, it must have an access management component that gives security teams control and visibility over privileged access. Managers must be able to define privileges for any user, ensuring that they can only view systems and perform tasks they are authorized for.
Additionally, it must provide session management capabilities that are both real-time and automated. The session manager must be able to detect inappropriate session activity and automatically terminate such sessions or generate real-time alerts. It should log all sessions, which is critical in a healthcare environment: the logs provide an audit trail for compliance and serve as a training tool and diagnostic resource.
Finally, an adequate PAM solution must have a strong password management component, ensuring that passwords are sufficiently strong and rotated regularly. Session-based password expirations are particularly useful for contractors, ensuring that passwords cannot be reused without the security team’s consent.
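The three components described above (per-user privilege definitions, session monitoring with automatic termination, and session-based password expiration) can be seen working together in a minimal Python sketch. This is an added example, not code from the original article or from any PAM product; the account names, system names, and the `Broker` class are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical privilege definitions: systems each privileged account may reach.
POLICY = {
    "mri-vendor-tech": {"mri-01"},
    "it-admin": {"mri-01", "ehr-db", "nurse-station-3"},
}

@dataclass
class Session:
    user: str
    password: str                 # one-time credential, valid for this session only
    active: bool = True
    audit: list = field(default_factory=list)   # per-session audit trail

class Broker:
    def __init__(self, policy):
        self.policy = policy
        self.valid_passwords = {}  # password -> user, only while the session is open

    def open_session(self, user):
        if user not in self.policy:
            raise PermissionError(f"no privileges defined for {user}")
        pw = secrets.token_urlsafe(16)
        self.valid_passwords[pw] = user
        return Session(user, pw)

    def close_session(self, s):
        s.active = False
        self.valid_passwords.pop(s.password, None)  # credential expires with session

    def access(self, s, target):
        """Log every attempt; terminate the session on out-of-scope access."""
        if not s.active or self.valid_passwords.get(s.password) != s.user:
            s.audit.append(("DENY", target, "session closed or credential expired"))
            return False
        if target not in self.policy[s.user]:
            s.audit.append(("ALERT", target, "outside granted privileges"))
            self.close_session(s)
            return False
        s.audit.append(("ALLOW", target, ""))
        return True

def demo():
    """Contractor reaches the MRI, strays to the EHR database, then tries to return."""
    b = Broker(POLICY)
    s = b.open_session("mri-vendor-tech")
    results = [b.access(s, t) for t in ("mri-01", "ehr-db", "mri-01")]
    return results, [event[0] for event in s.audit], s.password in b.valid_passwords
```

After the out-of-scope request the session is terminated and its password is revoked, so the contractor's third request fails even though the target is one they were originally allowed to reach.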
By addressing these critical vulnerabilities with a comprehensive PAM solution, healthcare providers can significantly enhance their cybersecurity posture, protect sensitive patient data, and ensure compliance with stringent regulatory requirements.