The healthcare industry knows this scenario better than most: when a virus makes its way into a hospital, the most important thing to do is identify patient zero. That way, there is a much better chance of determining how and when the outbreak started, and therefore how to stop it.
Healthcare facilities have many layers of strict procedures around real-life infection control, but when it comes to the cyber world, they are decidedly behind the curve. This is despite the fact that digital attacks pose as great a threat to human life as physical infections.
Hospitals are among the institutions most vulnerable to cyberattacks for three key reasons. Firstly, they house a variety of legacy technology accumulated through organic growth. Secondly, there is a lack of diligence around updating and patching software; according to an independent investigation, if UK National Health Service (NHS) organisations had followed basic IT security, the WannaCry ransomware attack in May 2017 could have been prevented. Finally, a hacker knows the risk an attack presents, and that healthcare providers are dedicated to protecting their patients’ safety.
Even if facilities have significantly modernised and do not rely heavily on legacy systems – like many in the Middle East – they are still at risk from cyberattacks because using smart technology introduces more connected devices, from thermostats to heart rate monitors. With more connections come more attack vectors to protect.
“If it’s connected, it can be hacked. If it’s hackable, they can get onto the data, the network and into the applications themselves,” says Scott Manson, cybersecurity sales and operations leader, Middle East and Turkey for technology giant Cisco.
Services like Wi-Fi offer another route into the system; if cybersecurity is not up to scratch, hackers could potentially access the network through their own device – and many do.
Policy is essential
Before throwing technology at the problem, the first step for a healthcare facility is to establish a cybersecurity policy. “Policy is king,” Manson stresses. “Nobody has an open cheque book, so you need to define what your priorities are and create different swim lanes of initiatives, with priorities one to ten. Without that prioritisation, it’s very hard to make your money work for you.”
First in the frame are life-critical devices. “We want to air gap these devices on networks, and IP local-area networks (LANs) and wide-area networks (WANs) that do not open themselves up to the ability for hackers to enter,” Manson explains. “It’s like an army-grade, intelligence-level type of network, which is expensive.
“Then we get into a discussion about what you connect and what you don’t. It’s great if a lot of these things are connected, but if they add an extra overhead and risk to the administrator of that service or device, and it could be life-threatening, then sometimes you have to say, ‘We love innovation, but we’re not prepared to put our patients at risk in this way.’ Or you design your networks and zones and segmentation from an IT perspective to cater to the high-level nth degree of security.”
Healthcare records should also be a high priority for healthcare providers. “These often contain valuable information for hackers, such as credit card data, email addresses, social security numbers and employment information, and remain valid and exploitable for years on a network, so there’s a massive threat for fraud and identity theft,” states Manson. “This is one topic you can really focus on, and it’s an area we talk to a lot of our customers about.”
Priority levels decrease for areas that the healthcare provider cannot afford to protect to a similar degree, and that would not affect a facility’s operations in the event of infiltration.
“Policy must be at the centre of dictating not only priorities, but also how customers are going to run their environment before an attack happens,” Manson says. “For example, the policy says that this machine can talk to that machine, or this piece of the network is segmented, or this is a demilitarised zone that nothing can get into. Once you have that hierarchical view of your network, data centre and applications, you can look at what’s available in the market to help you deliver that.”
Unfortunately, there is not a catch-all cybersecurity system that can stop hackers infiltrating healthcare facilities. “The idea is that we’re trying to reduce the operating space that the hacker works within,” he adds. “If we can reduce that space then, of course, the gaps for the hacker to get in are fewer and farther between, making it harder.
“If we fortify, prioritise, put policy in the middle, reduce the attack surface and take out some of the attack vectors, the hacker will tend to give up and go somewhere else, because time is money.”
Training is the best medicine
Wi-Fi networks and emails are the easiest ways for hackers to access a hospital’s network and, in some ways, are the most difficult to safeguard, largely because of the human factor. While there are technological ways to fortify Wi-Fi environments, and it’s an area on which Cisco works frequently with its clients, training is the key to ensuring that risk is mitigated.
“Humans are absolutely the weakest link,” Manson says. “Ransomware coming in through emails is the biggest and easiest way [for hackers to infiltrate hospital networks], but people also bring their devices into hospitals and organisations are often not able to control what they do on their Wi-Fi network. Training is a great medicine for this type of issue.”
Indeed, Cisco estimates that training can allow a hospital to cut out 33–37% of attacks simply by helping people understand what not to open and click on in emails, when to update the patches in their environment, and when not to accept files that come in from certain individuals and corporations.
“Organisations do train, but aren’t thorough enough,” Manson notes. “We really need to be sure that individuals on the network understand the pressure and risk they can create within the environment if they’re not careful.”
During and after an attack
The chances are that large-scale healthcare providers will be targeted at some point by hackers, so after the attack surface has been reduced and as many of the attack vectors removed as possible, it’s time to think about what to do during an attack. “At this point, it’s about risk mitigation,” says Manson.
When Cisco works with healthcare providers, the cybersecurity policy will state what they will do if a hospital is attacked; for example, how certain systems will be switched off and how the facility will be able to get back online quickly to provide their most critical services. “We’ve got a lot of processes in place and technology that can help us do this in an automated way, mitigating the risk and the hospital’s exposure,” Manson says.
Finally, it is crucial to remember that what is done after an attack is just as important as what is done before and during, and it is here that patient zero becomes key. “We need to be sure that, if we have been infiltrated, there hasn’t been any malware or sleeper malware injected into our environment,” Manson states. “When we’re talking to customers, we talk about the ‘first patient’ being infected, and then work out where that file moved and what it potentially infected.
“The ‘after’ piece is all about retrospectively looking at what’s been infected so we don’t have this dormant sleeper cell, which could sit still for up to two years and then rear its ugly head. If it’s already in there, you can’t defend against it.”
Back to basics
Manson advises that healthcare providers start with the basics if they are worried that their systems are not up to the task of protecting their data or patients against a cyberattack.
“Create a runbook that says, ‘This is what we want to protect, these are things we’d love to protect but probably can’t afford to safeguard to the same degree, and these are the things that won’t affect the business if they were infiltrated,’” he affirms. “Then breathe life into that with technology and services to make it into a reality.”
Crucially, operators should not worry about the fact that they have an existing environment of legacy systems that have been built – and invested in – over time. “Healthcare providers can sweat a lot of the assets they’ve already procured over a number of years,” Manson advises. “It won’t be a case of throwing everything out and starting again. Knowing their priorities will guide them to spend money in the right areas.”