Written by Elie Nasrallah, CISSP, Director – Cyber Security Strategy at HITRUST
Research from Trend Micro and HITRUST points to the healthcare industry continuing to experience challenges in addressing threats and attacks they’ve experienced first-hand…seriously!
The one-year anniversary of WannaCry is quickly approaching—you remember, that time when hospital systems in the UK and US, and even some medical devices were held for ransom for the first time. Hospitals now have to ask, have we learned anything in the last 11+ months from the challenges we’ve endured and from the experiences of being under intense scrutiny at all levels within our organization?
Or, can nothing frighten us enough to take action? Are we doomed to repeat the mistakes we’ve already made?
The answers to these questions may lie in the recent research report—Securing Connected Hospitals—produced by Trend Micro’s Forward-Looking Threat Research (FTR) team in partnership with HITRUST. The findings may not shock you, but you may still be in awe of the results.
What you will discover in the 60+ page Securing Connected Hospitals report
In addition to some critical research surrounding the threats and vulnerabilities facing healthcare organizations small and large, readers of the report will find what essentially is a state-of-the-union report on the security postures of the healthcare ecosystem:
- What is at risk for the healthcare industry to address?
- Who is attacking the healthcare industry?
- Why is the healthcare industry being attacked?
- How are the threat actors attacking the healthcare industry?
- A healthy list of the most common attacks in the hospital supply chain
At first blush, readers will see that healthcare organizations are still connecting tons of systems and devices with access to electronic personal health information (ePHI) to their networks. And with a combination of the Internet of Things and Industrial Control System (ICS) devices, organization are introducing additional vulnerabilities and risk. Furthermore, the networks they are connecting to are misconfigured and opening up a multitude of ports, thus introducing even more vulnerabilities and risk.
Perhaps more troubling than the device and network issues uncovered in the report are the types and volumes of data exposed via a number of systems, databases and applications connected with electronic health record (EHR), electronic medical record, (EMR), and medical device imaging products. The bottom line: healthcare companies are continuing to increase their attack surface while exposing their devices, systems, applications and data directly to the Internet for consumption by the general public and, oftentimes, criminals.
Key findings in the report
While there is a tremendous amount of data to look through in the report, here are some of the main findings:
- The HITRUST Cyber Threat XChange (CTX) program—the threat-indicator sharing platform used to provide some of the key statistics as part of this report—showed that email-borne threats were the most common infection vector across the healthcare industry.
- Data breach attacks against hospitals resulting from hacking or malware attacks are on the rise.
- The WannaCry incident was the highest profile case among a slew of healthcare-related ransomware attacks.
- Many medical devices and industrial control systems were exposed internally and to the Internet.
- Many ports/services were exposed inside hospitals and clinics.
- MySQL was the most popular database exposed inside hospitals and clinics.
All of these finding should put healthcare organizations on immediate alert!
How to move forward knowing what you now know
Pointing to the challenges without providing any guidance for how to overcome those challenges can be frustrating. Fortunately, HITRUST and Trend Micro have made an effort to provide some meaningful guidance that organizations can begin to take action on:
Technical recommendations for IT teams
- Segment your network
- Leverage and properly configure firewall and unified threat management devices
- Employ anti-malware and anti-phishing solutions
- Employ intrusion detection/protection systems (IPS/IDS) and breach detection system (BDS) solutions
- Encrypt data and communications
- Patch, patch, patch
- Scan for vulnerabilities and misconfigurations
- Employ deception technologies
- Scan open source sites for company information
Non-technical advice for non-IT representatives
- Take the time to understand your risk
- Allocate adequate resources to address the risk
- Do your best to prevent an attack
- Be prepared to respond to an attack
- Be prepared to recover from an attack
- Engage with the healthcare community to share threat information
- Engage with the healthcare community to leverage shared indicators of compromise
- Proactively manage your third-party risk throughout the supply chain
Controls-based programs and guidance
The HITRUST CSF provides a guide to address common (and seemingly pervasive) healthcare industry risks. The CSF meets the requirements and practices necessary to help ensure information and cybersecurity-related risks are managed smartly and consistent with business, risk and compliance objectives, including those uncovered in the Securing Connected Hospitals report. Refer to this HITRUST resource for more information regarding the programs and controls framework capabilities available to healthcare organizations large and small.
The WannaCry event case study: keeping an eye on things, just in case
As noted in the guidance provided earlier, when identifying and managing risk with well-defined and enforced controls, there are no guarantees that something bad won’t happen. As a reminder to the reminder made earlier, we’ve seen it happen with last year’s WannaCry event.
The HITRUST Cyber Threat XChange (CTX) was created specifically to help healthcare organizations keep on top of these threats that are targeting the healthcare industry. Keeping with the WannaCry example, the HITRUST CTX actually detected and shared early indicators of the attack with participating members, which resulted in immediate protection from this ransomware.
The benefits weren’t limited to the US: HITRUST CTX also detected early stages of the WannaCry threat several weeks in advance of the NHS UK Breach.
How did HITRUST do this? CTX sensors are able to analyze and detect malicious behavior of both known and unknown stealthy and persistent threats such as ransomware, Trojans, and worms. Once detected, the HITRUST CTX shared the Indicators of Compromise (IoCs) instantly and anonymously amongst the participants, which included many healthcare payers and providers in the US.
WannaCry indicators were detected during the intelligence gathering stage, and IoCs—such as malicious IP addresses, domains and hashes—were instantly shared throughout the HITRUST CTX community. Those that participated in the program were able to consume those IOCs into their incident response workflows to quickly defend against an attack and to thwart a WannaCry breach.
Participating members were also automaticity receiving up-to-date threat bulletins on WannaCry. These included the details, the IOCs detected, variants, removal instructions, and best practices on defending.
Beyond an individual event, health organizations will benefit from a common risk management framework
With the overall level of vulnerability still very high and attack vectors continuing to grow, the research also points to the need for healthcare organizations to adopt a cybersecurity framework—a need that has never been greater. Independent industry surveys, including a recent publication from HIMSS, point to more healthcare organizations adopting cybersecurity frameworks and prioritizing risk assessments as a priority in 2018.
Specifically, the new draft of the National Institute of Standards and Technology (NIST)—Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)—emphasizes the importance of supply chain relationships and considers supply chain risk management (SCRM) to be a critical organizational function. The HITRUST CSF provides the foundation for the NIST Cybersecurity Framework implementation in the healthcare industry and fully addresses the NIST framework’s objectives around SCRM.
In fact, the integration and harmonization of multiple regulations, standards and best practice frameworks relevant to healthcare has positioned the HITRUST CSF as the most widely-used, controls-based risk management framework in the industry. The HITRUST CSF provides organizations with the ability to leverage a single assessment to report against multiple standards and reporting requirements (such as the AICPA Trust Criteria used in a SOC 2 report and the NIST Cybersecurity Framework’s cybersecurity outcomes like SCRM) more efficiently and cost-effectively than other approaches.
For more information on how HITRUST supports the NIST Cybersecurity Framework, see the HPH Sector Cybersecurity Framework Implementation Guide, available from the US-CERT.
To learn more about HITRUST, HITRUST CSF, HITRUST CTX and other HITRUST risk, compliance, and cybersecurity programs, please view our latest brochure at https://hitrustalliance.net/documents/csf_rmf_related/HITRUST-CSF-and-CSF-Assurance.pdf.