As a result, delivery of patient care and services can be disrupted. The May 2021 ransomware attack on the healthcare system in Ireland created radiology outages for many weeks across the country.
With an immediate threat looming over hospitals, security teams need a game plan built from the most cost-effective actions they can take today. The following are 10 practical tips that hospitals, healthcare providers, and networks can implement to help prevent breaches and limit the damage when one occurs.
- Create an accurate inventory. The base of good cybersecurity is visibility: you cannot protect a device you don't know exists, so it is critical to know exactly what you have and where it is. If you cannot say how many devices are on the network and where they are, this is the first step. Deploy a tool that scans the network and keeps an accurate inventory (including devices that are not managed by IT, such as imaging modalities and infusion pumps), and reconcile it regularly against the asset register, because every more advanced protection builds on this list.
- Educate staff. The largest and weakest link in almost every situation is the staff. Hospital staff are incredible at providing healthcare, but they are often complete novices in areas such as cybersecurity. Educating staff in proper cybersecurity practices, such as not leaving terminals logged in and unattended, and training them to recognize and report potential phishing emails, goes a long way toward reducing the attack surface.
- Protect typical entry points. Validate that all internet-facing user endpoints and servers run some form of endpoint protection (antivirus or an endpoint detection and response [EDR] agent). Allow traffic to endpoints only where absolutely necessary and make deny the default state, so that an attacker who gets a foothold cannot freely reach protected health information (PHI) or systems that affect patient safety. Additionally, apply multifactor authentication (MFA), starting with remote access (VPN, RDP gateways, webmail) and privileged accounts, to challenge threat actors when they try to gain initial access or spread within the network.
- Patch devices for vulnerabilities. Known vulnerabilities are one of the most dangerous entry points, because the playbook for exploiting them is readily available online. The flipside is that the patches or mitigation methods are also available, so security teams should use them, prioritizing internet-facing systems and vulnerabilities that are being actively exploited. Where a medical device cannot be patched promptly (for example, because the manufacturer has not validated the update), apply the vendor's mitigation and restrict the device's network exposure instead.
- Disable unused remote desktop protocol (RDP) and SMB ports and monitor RDP logs. RDP vulnerabilities have been a major exploitation technique in recent ransomware attacks; BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181 and CVE-2019-1182) are wormable RDP vulnerabilities. RDP (TCP port 3389) and SMB (TCP port 445, the port used for file sharing) are frequently left enabled on devices that never need them. Identify every device exposing RDP or SMB, disable the service where it is not in use, and open it only when needed, and never directly to the internet. Where RDP must stay enabled, watch the Windows Security log for bursts of failed logons (event ID 4625 with logon type 10, i.e., RemoteInteractive) from one source, particularly when followed by a successful logon (event ID 4624) from the same source.
- Develop a network segmentation strategy. The goal of an attacker is almost never the initial device or entry point itself, but rather to use it as a jumping-off point to move laterally within the network and reach a more lucrative target, maximizing the impact of the breach. A network segmentation strategy is key to preventing that lateral movement. When done properly, segmentation lets security teams isolate an infected device and contain the attack as soon as signs of a breach are detected, so that the bad actors cannot roam freely within the network.
- Implement measures for early detection of an attack. In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) publish alerts that include lists of indicators of compromise (IoCs). Security teams should ingest these IoCs into their monitoring so that a match raises an alert, even where a dedicated medical device security solution is not in place. Additionally, solutions that detect anomalies are a must. They baseline the typical behavior of each device and flag deviations far quicker than any manual process. It is very hard for a threat actor to perfectly mimic the normal behavior of the network, so automated anomaly detection offers a chance to spot an intruder before they have a chance to move laterally.
- Have a written and communicated incident response plan. IT/security teams need a plan to stop, contain, and control a breach quickly to limit its impact. A solid plan names who must be contacted when an incident occurs, the roles and responsibilities of each person and department, and how the plan is reached when email and the intranet are themselves unavailable.
- Review and establish plans for business continuity. A cyberattack will disrupt operations, so a business continuity plan is critical to ensure that the 24/7/365 operations of a hospital are not shut down. Any sort of disruption could impact patient safety, which only magnifies the need to have a plan for continued operations.
- Verify backups are in place. If data are encrypted in a ransomware attack, the only ways to recover them in a reasonable time are paying the ransom (which should not be an option) or restoring from backup. Backups of critical information systems such as medical records should be implemented, with at least one copy kept offline or otherwise unreachable from the production network, and restores should be tested regularly: a backup that has never been restored is an assumption, not a recovery plan.
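The inventory tip above is, in practice, a reconciliation problem: what a discovery scan actually finds versus what the asset register says the hospital owns. The Python script below is an added example, not code from the article or from CyberMDX. The scan results, the asset register, the MAC addresses, hostnames, owners and port numbers are all constructed for illustration; MAC addresses are used as the stable identifier on the assumption that device IPs come from DHCP and change.

```python
"""Reconcile a network discovery scan against the asset register.

Added example (not from the article or CyberMDX). Both inputs are
constructed inline: a list of hosts a network scanner reported and the
asset register the hospital believes to be accurate. Every field name
and value here is an assumption used for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    hostname: str
    open_ports: FrozenSet[int]


# Constructed scan results: what the network actually contains.
# Port 104 is the DICOM default, 3389 is RDP, 445 is SMB, 5900 is VNC.
SCAN_RESULTS: List[Host] = [
    Host("10.20.1.10", "00:1a:2b:3c:4d:01", "mri-console-01", frozenset({22, 104})),
    Host("10.20.1.11", "00:1a:2b:3c:4d:02", "ct-ws-03", frozenset({3389, 445})),
    Host("10.20.1.12", "00:1a:2b:3c:4d:03", "infusion-pump-17", frozenset({80})),
    Host("10.20.1.50", "00:1a:2b:3c:4d:99", "", frozenset({3389, 445, 5900})),
]

# Constructed asset register: what the hospital thinks it owns, keyed by MAC.
ASSET_REGISTER: Dict[str, dict] = {
    "00:1a:2b:3c:4d:01": {"name": "mri-console-01", "owner": "Radiology", "expected_ports": {22, 104}},
    "00:1a:2b:3c:4d:02": {"name": "ct-ws-03", "owner": "Radiology", "expected_ports": {445}},
    "00:1a:2b:3c:4d:03": {"name": "infusion-pump-17", "owner": "ICU", "expected_ports": {80}},
    "00:1a:2b:3c:4d:04": {"name": "ultrasound-02", "owner": "Maternity", "expected_ports": {80}},
}


def reconcile(scan: List[Host], register: Dict[str, dict]) -> dict:
    """Return three findings a security team should act on:

    unknown    - hosts on the wire that nobody registered (rogue or forgotten)
    missing    - registered assets the scan did not see (moved, off, or stolen)
    port_drift - registered hosts exposing services the register does not expect
    """
    seen = {h.mac for h in scan}
    unknown = [h for h in scan if h.mac not in register]
    missing = [mac for mac in register if mac not in seen]
    port_drift = []
    for h in scan:
        entry = register.get(h.mac)
        if entry is None:
            continue
        extra = h.open_ports - entry["expected_ports"]
        if extra:
            port_drift.append((h.mac, sorted(extra)))
    return {"unknown": unknown, "missing": missing, "port_drift": port_drift}


if __name__ == "__main__":
    findings = reconcile(SCAN_RESULTS, ASSET_REGISTER)
    for h in findings["unknown"]:
        print(f"UNKNOWN host {h.ip} ({h.mac}) ports={sorted(h.open_ports)}")
    for mac in findings["missing"]:
        print(f"MISSING asset {ASSET_REGISTER[mac]['name']} ({mac})")
    for mac, ports in findings["port_drift"]:
        print(f"PORT DRIFT on {ASSET_REGISTER[mac]['name']}: unexpected {ports}")
```

Run against real data, the "unknown" list is the one to chase first: an unregistered host with RDP, SMB and VNC open, as in the constructed example, is exactly the kind of device that is never patched because nobody knows it is there. The "port_drift" list feeds directly into the RDP/SMB tip, since it shows where a known device has started exposing a service the register never approved.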
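The tips on monitoring RDP logs and on matching published IoCs both come down to running detections over a log export, so one script can serve both. The Python below is an added example, not the article's or CyberMDX's code. The key=value export format, the log lines, the IoC list and the threshold of five failures in ten minutes are assumptions constructed for illustration; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e., RDP) are the real Windows Security log values.

```python
"""Two detections over a constructed Windows Security log export.

Added example, not code from the article or CyberMDX. The log lines,
the key=value format, the IoC list and the threshold are assumptions
constructed for illustration. Event ID 4625 is a failed logon, 4624 a
successful one, and logon type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log export. One burst of failed RDP logons from an external
# address, a success from the same address, some benign activity, and one
# successful RDP logon from an address on the (constructed) IoC list.
LOG_LINES = """\
2021-05-14T02:13:05Z host=ct-ws-03 event_id=4625 logon_type=10 src_ip=203.0.113.7 user=administrator
2021-05-14T02:13:09Z host=ct-ws-03 event_id=4625 logon_type=10 src_ip=203.0.113.7 user=admin
2021-05-14T02:13:14Z host=ct-ws-03 event_id=4625 logon_type=10 src_ip=203.0.113.7 user=radiology
2021-05-14T02:13:20Z host=ct-ws-03 event_id=4625 logon_type=10 src_ip=203.0.113.7 user=backup
2021-05-14T02:13:27Z host=ct-ws-03 event_id=4625 logon_type=10 src_ip=203.0.113.7 user=scanner
2021-05-14T02:13:33Z host=ct-ws-03 event_id=4624 logon_type=10 src_ip=203.0.113.7 user=scanner
2021-05-14T08:01:00Z host=pacs-01 event_id=4625 logon_type=10 src_ip=10.20.1.11 user=jsmith
2021-05-14T08:45:00Z host=pacs-01 event_id=4624 logon_type=2 src_ip=- user=jsmith
2021-05-14T09:10:12Z host=ct-ws-03 event_id=4624 logon_type=10 src_ip=198.51.100.23 user=svc-maint
""".splitlines()

# Constructed IoC list of the kind a CISA/FBI alert would carry (assumed values).
IOC_IPS = {"198.51.100.23", "192.0.2.44"}


def parse(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value ...' line into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: max_failures_in_any_window}.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == "4625" and e["logon_type"] == "10":
            failures[e["src_ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def success_after_bruteforce(events, flagged) -> list:
    """Successful RDP logons from a flagged source: the highest-priority alert,
    because a guessed password has most likely just worked."""
    return [(e["ts"], e["host"], e["user"]) for e in events
            if e["event_id"] == "4624" and e["logon_type"] == "10"
            and e["src_ip"] in flagged]


def ioc_hits(events, iocs) -> list:
    """Any event whose source address appears on the published IoC list."""
    return [(e["ts"], e["host"], e["src_ip"]) for e in events if e["src_ip"] in iocs]


def run(lines=LOG_LINES, iocs=IOC_IPS) -> dict:
    events = [parse(line) for line in lines]
    flagged = rdp_bruteforce(events)
    return {
        "rdp_bruteforce": flagged,
        "success_after_bruteforce": success_after_bruteforce(events, flagged),
        "ioc_hits": ioc_hits(events, iocs),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name}: {result}")
```

The single failed logon from 10.20.1.11 is deliberately below threshold, so an analyst is not paged for a user mistyping a password. The IoC match, on the other hand, fires on a single event and on a successful logon, which is the point of feeding published indicators into monitoring: the activity looks normal on its own and is only suspicious because of who the source is.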
The comments and observations expressed herein do not necessarily reflect the opinions of AuntMinnieEurope.com, nor should they be construed as an endorsement or admonishment of any particular vendor, analyst, industry consultant, or consulting group.
Motti Sorani is chief technology officer of CyberMDX, which provides healthcare delivery organizations with cybersecurity technology to protect connected medical devices and clinical networks.
Copyright © 2021 AuntMinnieEurope.com