For most of the population, cyber-security is not the first item that comes to mind when thinking about healthcare.
Malicious hackers, however, target rich sources of data, and healthcare organizations collect and store a plethora of high-value personal, medical and financial information for large portions of the population. The collected data value is also much higher. The black market value of Personal Healthcare Information (PHI) is ten times higher than the value of debit or credit card data, in part because, unlike credit information, they cannot usually be modified and thus remain marketable for extended periods.
This makes healthcare organizations prime targets for hackers.
The Healthcare Cybersecurity Threat Landscape
According to the 2018 Healthcare Information Management and Security Society (HIMSS) Cybersecurity Survey , over 75% of healthcare organizations experienced a significant security incident between December 2017 and December 2018.
This trend shows no sign of abating in 2019. May’s Health Insurance Portability and Accountability (HIPAA) Healthcare Data Breach report paints a dire picture of the extent of the security breach crisis in Healthcare:
On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.
From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.
And that data was tabulated before the American Medical Collection Agency (AMCA) breach was revealed -- a massive incident that hit the news in early June, affecting both LabCorp and Quest Diagnostics and exposing the data of around 20 million people.
To add insult to injury, the mean breach size for stolen healthcare records rose from 6,908 records in 2017 to 16,605 records in 2018 and is still on the increase. At $408 apiece, the median cost per breached record in the American healthcare industry dwarfs parallel costs in other fields.
Hackers benefit from the increased adoption of SaaS solutions and reliance on connected devices, which may improve the efficiency of healthcare organizations but also expand the attack surface for hackers. With the ever expanding need to connect between physicians, labs, health insurance providers, billing services and more, the adoption of electronic health record keeps accelerating, both in hospitals and in private practices.
This increases the potential points of entry for hackers who can hitch a ride on a SaaS provider, or leverage a vulnerability in the growing number of connected devices used for record keeping and patient care.
As Hackers are generally efficient and look for the easiest path to exploit, this paints a target on the back of healthcare organizations. Aside from a lack of focus in investing into effective cybersecurity measures as opposed to focusing with complying with HIPAA standards, healthcare organizations have a larger number of people who come in contact with sensitive information during the course of normal business operations than in other industries.
Typically, the same people are also facing a heavy workload and are focused on patient care rather than on preserving access to data. As a result, Phishing attacks are disturbingly successful and, according to HIMSS, “the top threat actor [leading cyber-attacks] was the online scam artist involved in activities such as phishing and spear phishing”.
Hackers are generally efficient and look for the easiest path to exploit, this paints a target on the back of healthcare organizations. Healthcare organizations face two industry specific issues. When designing cybersecurity measures, they are more focused on complying with HIPAA standards than on actually providing effective protection.
As a result, it is only once full compliance is established that the remaining resources, if any, are devoted on creating a secure environment in keeping with the constantly evolving threat landscape.
This is further compounded by the structural weakness stemming from the large number of people who come in contact with sensitive information during the course of normal business operations. This number is far larger than in other industries and are typically facing a heavy workload that requires them to devote the lion share of their attention on patient care, leaving little room for thinking about preserving data’s safety.
As a result, Phishing attacks are disturbingly successful and, according to HIMSS, “the top threat actor [leading cyber-attacks] was the online scam artist involved in activities such as phishing and spear phishing”.
And it only takes one dupe for the hacker to gain a set of employee credentials, and then pivot from there into the central PHI database…
The Usual Protection
Two Factor Authentication
Many healthcare organizations implement two-factor authentication (2FA) to ensure that only authorized parties can access sensitive internal data and systems. This is both efficient and totally inefficient.
While two-factor authentication is effective in preventing unauthorized access in the absence of proper credentials, it is inefficient in preventing breaches stemming from phishing, malware and other web-borne attacks.
These will infect the device of the victim and, once in the device, hackers might access the network and bypass two-factor authentication from within the network.
Detection and Prevention Approaches
Detection and prevention approaches, such as anti-virus solutions and firewalls, aim to evade malicious web-borne content by discovering and/or blocking it. These solutions use signature-based detection and heuristics that check whether files and applications resemble or behave like known malware or threats. If the resemblance is close or behavior familiar, the code is deemed likely malicious and kept out.
Anti-virus solutions and firewalls are highly effective at filtering out the lion’s share of malicious content before it can do any harm. As such, they are essential and valuable elements of any layered network cybersecurity solution for healthcare organizations.
However, filtering based on known threats can’t reliably distinguish all malware from legitimate content. Sophisticated hackers are experts at developing malware with novel signatures, as well as evading heuristic-based detection by delaying, randomizing or otherwise altering how malware executes.
New types of threats can sneak in before anti-virus signatures and heuristics are updated. And with new malware specimens emerging every 4.2 seconds, detection-based solutions can’t possibly keep up. Malware that lurks on websites can easily penetrate endpoints when a user clicks a URL in an email or browses an infected site.
If the user is authorized to access hospital networks, the malware can spread freely from his device throughout the network.
For any healthcare organization, protection depends largely on how promptly new vulnerabilities are discovered, patches are issued, and updates installed on each of the thousands of devices throughout each organization. For too many, delays result in disaster.
Secure web gateways and URL filtering
Site-categorization approaches used by secure web gateways rely on “blacklisting” or “whitelisting” sites – that is, designating them as risky or safe. Like anti-virus and firewall solutions, this approach serves as an important layer of security by barring browsing on sites that are known to be security threats or inappropriate for the workplace.
However, no list can encompass – or stay abreast of – the constantly growing and evolving pool of sites and apps on the web.
It is beyond the ability of anyone – cybersecurity solution vendor, network administrator, or security officer to white- or blacklist more than a minuscule fraction of the websites that are out there. Helpdesks face a constant – and time-consuming – stream of access requests for unlisted sites. More significantly, this approach fails to block malicious code that’s injected in benign sites, which can infect unwitting users who click a link or simply browse the site.
Chillingly, even legitimate sites may unwittingly serve up malvertising-laden ads or other drive-by malware. In fact, a survey led by Confiant indicates that nearly 1 in every 100 ads was impacted by a malicious or disruptive ad. Combined with a conservative estimate of 4-5 display ads per page and 5 pages per session, this suggests that over 20% of user sessions might be impacted by malicious or disruptive ads.
The Cure: Detectionless cybersecurity protection
As a detectionless, patch-free approach to secure browsing, remote browser isolation (RBI) adds a powerful layer of protection to healthcare organizations’ cybersecurity portfolios. It dramatically reduces the risk of malware infiltration of endpoints and networks, with no need to identify malicious content or distinguish it from browser-executable code that’s (thought to be) safe.
Critically for chronically understaffed and oversubscribed healthcare organizations, RBI is transparent to users, who browse the internet as usual, on any device and browser they choose, with no degradation in performance.
While users experience websites entirely naturally, on their device browsers, each browsing sessions is executed, from start to finish, on a remote virtual browser that is isolated in a disposable container, located in a “safe zone” of the organization’s network DMZ. There, far from the endpoint device, sessions are rendered in real time and streamed to each user’s local browser.
A new container is allocated for every remote browsing session and tab, which is then discarded once it’s closed or inactive. Browser-executable code, including malware, never reaches the endpoint, yet the user browsing experience is totally seamless.
The Cure in Action: How one tech-savvy hospital keeps web-borne malware out
ALYN Hospital, one of the world’s leading facilities for active and intensive rehabilitation of children with physical, respiratory, and developmental disabilities, employs several medical teams and experts that routinely leverage technology to maximize patient care.
Because technology contributes immeasurably to patient care, it, unfortunately, places ALYN at risk of cyber attacks – risks that Uri Inbar, Director of IT, is adamant to guard against.
"ALYN Hospital has zero tolerance for malicious attacks that can cripple hospital systems, threaten patient wellbeing, and expose private information. It’s crucial for us to have all relevant protective layers against cyber attacks and other disasters, well beyond those required for our ISO certification," Inbar explained.
RBI brings a powerful layer of protection to ALYN’s existing cybersecurity portfolio. It dramatically reduces the risk of malware infiltrating ALYN endpoints and network via browser-executable code that can slip past defensive cybersecurity solutions.
The solution is transparent to ALYN users, who use the Internet as usual, on any device and browser they choose, in every treatment room, with almost no degradation in performance.
Content disarm and reconstruction (CDR) capabilities are integrated with the Alyn RBI solution to enable secure download of content from emails and websites while ensuring that it does not harbor hidden malware. Both solutions are clientless and centrally managed, enabling hospital IT staff to easily control permissions based on Active Directory users and groups.
An ounce of prevention…
The healthcare industry’s success in reducing the sheer number of breaches in recent years is encouraging. But it’s time to take a page from the public health playbook and ALYN Hospital. By preventing malware from ever touching their endpoints, healthcare organizations can help protect patient records, smooth internet access, contain IT costs, and most important of all, ensure uninterrupted care.