Digital Health Age continues its look at cyber-crime with Rob Embers, chief commercial officer at information security specialist Dionach, writing about the steps needed by healthcare organisations if they are to improve their “cyber-hygiene”.
One of the key topics of this year’s UK Health Show, held at ExCeL in London on 25-26 September, is cyber-security – and the stakes could not be higher for the healthcare sector. Today’s providers – both public and independent – increasingly rely on internet-enabled technologies to perform critical roles at every level. Indeed, it is predicted that the ‘Internet of Things’ market in healthcare, valued at $22.5 billion in 2016, will reach $72.02 billion by 2021. This both increases the sector’s attack surface and heightens the fear of downtime, putting public trust – and patient lives – on the line.
It has been reported that 200 NHS hospitals inspected by the Care Quality Commission since last year’s WannaCry ransomware attack still did not meet the minimum standards set out by the UK government’s Cyber Essentials Plus scheme. A lack of basic cyber-hygiene is a key culprit, compounded by fragmented IT governance, legacy equipment and out-of-date software.
A prescription for cyber-health
Despite the complex challenges and budget restrictions, there are a number of technically straightforward steps that can be taken to tighten up controls and make a tangible difference to security postures, while keeping systems up and running.
The starting point must be a comprehensive risk assessment covering IT needs, resources and risks. Only then can informed decisions be made regarding acceptable levels of risk, mitigation priorities and longer-term remediation plans.
In our experience, quick-fixes to reduce immediate vulnerabilities typically include the following:
Patching and updates
This should always be performed as widely as possible. If software is obsolete, talk to your vendors first and push for continued support. We’ve seen cases where vendors have supplied updates or recommended that patches are applied to legacy systems because the need for continued availability outweighs the risk of incompatibility issues.
Password policies
Where password policies haven’t been correctly formulated and enforced, user passwords end up being short, easily guessable and highly insecure. An internal password audit will quickly highlight where guidance revision or staff training is needed. Current guidance is often too complex and leads staff to write down their passwords or find ‘workarounds’. Once you’ve struck the right balance between realistic and secure, enforce your policy – and have a process to pinpoint any weak links.
Antivirus coverage
Antivirus protection falls down if some systems – laptops, for instance, or certain workstations or servers – are not managed by the central antivirus solution. This is a very common occurrence (and straightforward to rectify). Responsibilities for basic tasks such as updating antivirus software must be clearly assigned, as these systems need continual monitoring.
Isolate systems that cannot be updated
If a system can’t be updated and your risk assessment has identified that it carries unacceptable risk, it must be isolated – using firewalls or segregated VLANs – and a plan made to migrate away from it. An example is where Windows Server 2003 (or an even older version) is in use. Segregation and migration are vital – as is restricting internet access on these systems.
Review firewall rules
An efficient firewall is your primary defence against network intrusion, especially where full segmentation isn’t realistic. Services should be restricted to trusted IP addresses or network segments, and internet-exposed systems should be deployed within a DMZ.
Test your backups
NHS Trusts are generally good at conducting hourly or daily backups of critical systems. However, they often don’t test whether those backups could be successfully restored in the event of a crisis. This must form part of any backup policy.
Best practice in the long-term
Of course, these quick-fixes should form part of a longer-term plan to improve all aspects of cyber-health. Ongoing initiatives may include:
Penetration testing and vulnerability scanning
Penetration testing, conducted at least annually and usually by a third party, helps you to maintain a realistic view of your ability to detect threats and defend yourself against them. Likewise, regular vulnerability scanning is crucial to identify weaknesses such as missing patches or updates that have not been applied properly.
Get your Active Directory group policy settings right
As a general rule, Active Directory group policy settings need to be reviewed and hardened. A password policy can be defined in line with the current guidelines, and software installation can be restricted or access to removable media such as USB devices disabled.
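As an added illustration (not code from the article or from Dionach), the PowerShell below is a read-only audit of the three group policy areas just listed: the domain password policy, removable-media access and software installation. It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain-joined Windows host where the policy registry keys reflect the applied GPOs, and that a 12-character minimum and account lockout are the chosen baseline.

```powershell
# Added example: audit three group policy controls named in the article.
# Assumptions: ActiveDirectory module available; registry keys reflect applied policy;
# the 12-character minimum and "lockout enabled" thresholds are this script's own baseline.
Import-Module ActiveDirectory

function Get-GroupPolicyHardeningFindings {
    $findings = @()

    # 1. Password policy: reads the default domain policy only (fine-grained policies are not checked).
    $pol = Get-ADDefaultDomainPasswordPolicy
    if ($pol.MinPasswordLength -lt 12) {
        $findings += "Password policy: minimum length is $($pol.MinPasswordLength) (assumed baseline: 12)"
    }
    if ($pol.LockoutThreshold -eq 0) {
        $findings += "Password policy: account lockout is disabled, so password guessing is unthrottled"
    }

    # 2. Removable media: the GPO 'All Removable Storage classes: Deny all access' writes Deny_All = 1.
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $rsd -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    if ($denyAll -ne 1) {
        $findings += "Removable media: access to removable storage (e.g. USB) is not denied by policy"
    }

    # 3. Software installation: the GPO 'Turn off Windows Installer' writes DisableMSI
    #    (1 = off for non-managed applications, 2 = always off); anything else is unrestricted.
    $inst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $disableMsi = (Get-ItemProperty -Path $inst -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    if ($disableMsi -notin 1, 2) {
        $findings += "Software installation: Windows Installer is not restricted by policy"
    }

    return $findings
}

# Run the audit and print one line per finding; an empty result means all three controls are set.
$result = @(Get-GroupPolicyHardeningFindings)
if ($result.Count -eq 0) {
    Write-Output 'No findings: password policy, removable media and installer controls are in place.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated session on a domain-joined host; the registry checks report the policy applied to that machine, so repeat it across a representative sample of workstations rather than only on a domain controller.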
Multi-factor authentication (MFA)
Implement MFA for services exposed to the Internet, as some healthcare organisations have already done. Ensure that it covers all publicly exposed services. Look at implementing MFA internally, although this can be a challenge for many organisations that use legacy systems.
Least privilege
In the majority of cases, standard system users have access to too much sensitive data. It’s vital to impose network restrictions based on the principle of least privilege in order to mitigate the risk of insider threats and to contain any breaches.
Security awareness
People generally want to follow rules – if they are user-friendly and well-communicated. Creating a culture of security awareness, based on in-depth training (especially about phishing), will pay dividends in terms of your resistance to future attacks.
Network segmentation
Splitting the network into segments and putting technical barriers in place to restrict and monitor the flow of traffic is an ideal way of combating the risks associated with flat networks and improving your security posture.
Incident response
Your staff need to know what to do in the event of a potential breach. Locking down your response plans, assigning responsibilities and testing those procedures regularly is the best way to contain an incident.
With patient data representing gold dust to fraudsters and cyber-crime having become a daily threat, the healthcare sector must urgently mitigate the plethora of risks associated with its technologies, its data and its workforce. It is possible for providers to make improvements to overall security posture relatively quickly – in many cases by embracing the basic principles of IT security so that cyber-hygiene becomes as culturally ingrained as hand-washing.