Richard Barretto, Chief Information Security Officer, Progress, speaks to us about the priorities healthcare organisations should be addressing in 2023.
Cybercriminals are primarily hunting for sensitive data and the healthcare industry is the second most likely sector in the UK to hold personal data about customers, according to the Cyber Security Breaches Survey 2022. While healthcare organisations are embracing digitalisation and developing advanced and complex tech stacks, they will need parallel and adequate cybersecurity defences.
Whether it is to sell personal information on the Dark Web or hold organisations to ransom, healthcare is one of the most popular industry targets for malicious threat actors. According to a 2022 report, healthcare organisations experienced a 74% surge in cyberattacks worldwide when compared to 2021. Because malicious hacking can be a lucrative business, healthcare organisations should implement strategies that a) make it difficult for even highly skilled attackers to break in, and b) ensure that, in the event of a data breach, they can quickly restore from their backup solutions.
Costs and consequences of healthcare breaches
Healthcare breaches average US$9.23 million per incident and are the most expensive of any industry, according to an IBM/Ponemon analysis reported in a Becker's Hospital Review blog. The report revealed that nearly half (44%) of the breaches exposed customer personal data, including healthcare information, names, emails and passwords. Additionally, because of the Protected Health Information (PHI) these organisations are entrusted with, they can be hit hard by regulatory compliance fines and enforcement actions around the world if they fall victim to a cyberattack.
It is important to note that the consequences of a breach can extend far beyond financial losses and have a major impact on reputation.
2023 healthcare strategic cybersecurity priorities
In addition to the day-to-day responsibilities of a security team, such as assessing technology infrastructure for vulnerabilities, applying the appropriate compliance and regulatory framework policies and procedures, or deploying technical security controls, there are three priorities that healthcare security and IT teams should focus their attention on in 2023.
Adopting a Zero Trust model
The concept of ‘Zero Trust’ is still relatively new, but it means just this: trust no identity or system, and verify everything. Organisations should not automatically grant trust to systems or identities requesting access, whether the request comes from inside or outside the perimeter, but should assume every request could be hostile. Any trust that is granted is short-lived and ephemeral. Basically, access or connection requests are guilty until proven innocent.
While focusing on securing new or updated applications and services, critical data stored in legacy systems can sometimes be overlooked. Exposed services such as web services, remote consoles and file transfer services need security controls deployed close to them, acting as a security guard at every touch point. Several validation factors can be combined to establish the authenticity of a request and confirm that it can be trusted, including source IP address, device or identity fingerprints, and other metadata.
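The per-request check described above, as an added illustration that is not part of the original article: every request is denied by default, several factors (source network, enrolled device fingerprint, identity-to-service authorisation, MFA) are all evaluated, and a successful check yields only a short-lived grant that must be re-earned after it expires. The policy tables, identities and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time

# Constructed policy data (hypothetical): known networks, enrolled device
# fingerprints per identity, and which identities may reach which service.
KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]
ENROLLED_DEVICES = {"dr-smith": {"fp-a1b2"}, "svc-billing": {"fp-c3d4"}}
SERVICE_ROLES = {"file-transfer": {"svc-billing"}, "remote-console": {"dr-smith"}}
GRANT_TTL_SECONDS = 300  # trust is ephemeral: re-verify after five minutes


@dataclass
class AccessRequest:
    identity: str
    device_fp: str
    source_ip: str
    service: str
    mfa_verified: bool


@dataclass
class Grant:
    identity: str
    service: str
    expires_at: float

    def is_valid(self, now=None):
        """A grant is only usable until its expiry; after that it must be re-evaluated."""
        return (time.time() if now is None else now) < self.expires_at


def evaluate(req, now=None):
    """Deny by default: every factor must check out before a grant is issued.
    Returns (Grant or None, list of denial reasons)."""
    now = time.time() if now is None else now
    reasons = []
    # Network location is one signal among several, never sufficient on its own.
    if not any(ip_address(req.source_ip) in net for net in KNOWN_NETWORKS):
        reasons.append("source ip not in known networks")
    if req.device_fp not in ENROLLED_DEVICES.get(req.identity, set()):
        reasons.append("device fingerprint not enrolled for identity")
    if req.identity not in SERVICE_ROLES.get(req.service, set()):
        reasons.append("identity not authorised for service")
    if not req.mfa_verified:
        reasons.append("mfa not verified")
    if reasons:
        return None, reasons
    return Grant(req.identity, req.service, now + GRANT_TTL_SECONDS), []
```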
Moving from CIA to DIE
The CIA (confidentiality, integrity and availability) security triad is a model that the security industry and its leaders have relied on for decades. As security decision-makers built out their strategies, the CIA principles were always applied to data security: “How can we ensure the confidentiality, integrity, and availability of our data?”
However, the sophistication and capabilities of today’s threat actors are outpacing organisations’ investments and resources, and the healthcare industry is no exception. With resources stretched, the CIA methodology is no longer relied upon as widely as it once was for mitigating risks that change dynamically.
The evolving cybersecurity landscape is now pushing security experts towards the DIE (distributed, immutable, and ephemeral) triad, as explained in Sounil Yu’s CISA Daily Keynote presentation. DIE focuses on the technology architecture, blueprints and life expectancy of an organisation’s systems and assets, rather than solely on the specific security controls around sensitive data. For healthcare organisations, this model can reduce the overall impact of a cyberattack while offering the business benefits of speed, agility, and market responsiveness.
Backups should be forefront
Organisations today need to be diligent responders and have mature recovery capabilities. Ideally, they should be able to detect and eradicate threat actors before they gain access to an organisation’s network environment or sensitive data. But if, say, your organisation is hit with ransomware or loses access to critical systems, having a backup solution ready is imperative to resuming business operations.
Threat actors are taking the time to understand your organisation’s technology operations. Validate that your backups live in highly restricted environments with ‘Zero Trust’ principles applied. This can prevent a cybercriminal from moving laterally across your network and compromising your ‘just-in-case’ assets. Lastly, it is worth asking your vendors and partners whether your backups are air-gapped from your network and whether deleting or decrypting those systems requires multi-person authentication.
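The multi-person authentication requirement for destructive backup operations mentioned above, as an added illustration that is not part of the original article: a constructed vault model where delete and decrypt actions need two independent, fresh, single-use approvals from people other than the requester, with every decision written to an audit trail. The action names, window and approver count are assumptions.

```python
from dataclasses import dataclass, field
import time

APPROVAL_WINDOW_SECONDS = 900      # approvals older than this no longer count
REQUIRED_APPROVERS = 2             # two-person rule for destructive actions
DESTRUCTIVE_ACTIONS = {"delete", "decrypt"}


@dataclass
class BackupVault:
    """Constructed model: destructive actions require distinct, fresh approvers."""
    # (action, backup_id) -> {approver: approval timestamp}
    approvals: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def approve(self, action, backup_id, approver, now=None):
        """Record one person's approval for a specific action on a specific backup."""
        now = time.time() if now is None else now
        self.approvals.setdefault((action, backup_id), {})[approver] = now
        self.audit.append(("approve", action, backup_id, approver, now))

    def authorise(self, action, backup_id, requester, now=None):
        """Decide whether the requester may perform the action right now.
        Returns (allowed, reason)."""
        now = time.time() if now is None else now
        if action not in DESTRUCTIVE_ACTIONS:
            return True, "non-destructive action"
        # Count only approvals that are still within the window and were not
        # given by the requester: nobody may approve their own destructive request.
        fresh = {a for a, ts in self.approvals.get((action, backup_id), {}).items()
                 if now - ts <= APPROVAL_WINDOW_SECONDS and a != requester}
        if len(fresh) < REQUIRED_APPROVERS:
            self.audit.append(("denied", action, backup_id, requester, now))
            return False, f"{len(fresh)} of {REQUIRED_APPROVERS} fresh independent approvals"
        # Approvals are consumed on use so they cannot be replayed for a second action.
        self.approvals.pop((action, backup_id), None)
        self.audit.append(("allowed", action, backup_id, requester, now))
        return True, "authorised"
```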
Maximising defence for healthcare systems
The security challenges in the healthcare industry in particular can be complex, and securing such sensitive data requires a multi-dimensional strategy. Healthcare organisations should continue implementing minimum security controls such as encryption and anti-virus, among others, and prioritise strategic initiatives that build strong observability and monitoring capabilities so attacks can be identified and responded to quickly.
Rather than debating the best cybersecurity practices or hottest new technologies, security decision-makers should strongly consider travelling down the path towards Zero Trust and DIE principles in their strategy to defend their increasingly borderless networks and critical data.