Cyber attacks against all industries are on the rise, but the healthcare sector, in particular, continues to face increasing threats against its electronic data and infrastructure. Recent studies suggest that healthcare organizations are the most targeted sector – and breaches in the healthcare industry are costlier than any other sector. Although attack methods continue to evolve and become more sophisticated, we continue to see companies in the healthcare industry fall victim to the same types of attacks, most of which could have been prevented or mitigated by sound security practices.
Common attack vectors against the healthcare sector include email phishing schemes (which often serve as the initial entry point into the environment before threat actors leverage other vulnerabilities to move across it), ransomware attacks, website vulnerabilities, and Remote Desktop Protocol (RDP) exploits. Healthcare breaches often garner media attention and frequently result in regulatory investigations and class action lawsuits.
As mentioned, many of the healthcare breaches we have managed could have been prevented or mitigated if certain safeguards had been implemented as part of the entity’s cybersecurity program. Below are a few examples of best practices that can help prevent many of the cyber attack methods common to the healthcare industry:
- Training. Conduct routine and ongoing training with all personnel (people continue to be the weakest link). Interactive training programs, such as phishing tests, are a great way to educate staff on information security practices. Training on incident response is also necessary.
- Patching. Implement an enterprise-wide patch management process to ensure vulnerability reports are timely received, prioritized, and acted upon.
- Administrative Password Management. Ensure that privileged accounts (e.g., system administrators) are unique to each individual with system access (i.e., do not use the same log-in credentials for all users with access to a given system). Do not use default credentials, and require that administrative passwords be changed periodically and upon termination or a change of job duties.
- Prevent Open Port Scanning. If using RDP, change the default RDP port to another unused port and block the RDP port via firewall.
- Multi-factor Authentication. Require multi-factor authentication for all access to the internal network.
- Whitelisting. Application whitelisting is a more costly solution than blacklisting, but implementing it on critical systems can help mitigate unauthorized system access.
- Role-based Access Controls. Limit access to data and systems on a need-to-know basis, consistent with individuals’ job duties and responsibilities.
- Backup Systems. Conduct regular system backups and store the backups offline. Periodically verify that the backup process is preserving all necessary data and capable of being fully restored.
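The RDP item above, carried out on a Windows host as an added example (this script is not part of the original article): move the listener off TCP/3389, disable the built-in firewall rules that expose it to any address, and allow the new port only from a management subnet. It assumes an elevated PowerShell session; the port number and subnet are constructed placeholders.

```powershell
# Added example (not from the article): move RDP off TCP/3389 and scope the
# listener to a management subnet with Windows Defender Firewall.
# Assumptions: run from an elevated PowerShell on a Windows host; the port
# and subnet below are constructed placeholders, adjust before use.
$NewRdpPort = 33890          # constructed placeholder, pick a free port
$MgmtSubnet = '10.0.10.0/24' # constructed placeholder, your admin network

# 1. Refuse to proceed if something already listens on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $NewRdpPort -ErrorAction SilentlyContinue) {
    throw "TCP/$NewRdpPort is already in use; choose another port."
}

# 2. Change the Terminal Services listener port in the registry.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewRdpPort -Type DWord

# 3. Disable the built-in "Remote Desktop" rules, which open 3389 to any
#    remote address, and make sure unsolicited inbound traffic is dropped
#    by default on every profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. Allow the new port only from the management subnet.
New-NetFirewallRule -DisplayName 'RDP (custom port) from mgmt subnet' `
    -Direction Inbound -Protocol TCP -LocalPort $NewRdpPort `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain, Private | Out-Null

# 5. Restart the service so the new port takes effect (drops active sessions).
Restart-Service -Name TermService -Force

# 6. Verify: the listener moved and nothing is bound to 3389 any more.
$Listening = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @(3389, $NewRdpPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess
$Listening | Format-Table -AutoSize
if ($Listening.LocalPort -contains 3389) {
    Write-Warning 'TCP/3389 is still listening; check for other RDP listeners.'
}
```

A non-default port is still found by a full port scan, so the firewall scoping in steps 3 and 4 (together with the multi-factor authentication item below) is the control that actually keeps RDP off the internet; the port change only reduces noise from opportunistic scanners.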
Maintaining robust cybersecurity safeguards is an ongoing process. In addition to the above examples, entities should periodically conduct comprehensive assessments of their cybersecurity programs to identify and remediate risks across the organization, as threats to the industry continue to evolve. Similarly, healthcare entities need to be able to respond quickly and effectively to incidents. Well-rehearsed and understood incident response plans are critical. Testing incident response policies and procedures should determine whether (i) personnel are following company protocols; (ii) terminology is commonly understood; (iii) appropriate characterization, categorization, and escalation occur; (iv) communication paths are clearly established; (v) teams are ready for when an incident goes public and are prepared for the resulting regulatory, legal, public relations, and brand risk; and (vi) existing policies and procedures are sufficient to respond to a cyber incident or need adjusting.
Preparation activities and cyber breach exercises present an excellent opportunity to assess your policies, processes, and practices around incident response and cyber security, while simultaneously training the staff, management, and leadership who will necessarily be involved in a major event on breach response processes and the corresponding legal obligations.