Leon Lerman is the CEO and co-founder of Cynerio, a healthcare cybersecurity company. Here Lerman tells us about cybersecurity standards in the US healthcare system and what needs to improve.
What cybersecurity standards does US healthcare have?
Currently, these are mainly focused on compliance and penalising providers when breaches occur, and the current requirements are insufficient.
In fact, one of the only healthcare-specific cybersecurity requirements is the HIPAA Breach Notification Rule, which requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information within 60 days. This rule also applies to vendors of personal health records and their third-party service providers.
What needs to improve?
There must be a clearer path for hospitals to follow in the event of a ransomware attack. To do this, the government, providers, vendors, and manufacturers all must understand that they have a shared responsibility to secure our industry and create a set of standards that all parties can implement and follow moving forward.
After the Colonial Pipeline attack, for example, the Department of Homeland Security's (DHS) Transportation Security Administration took action and issued a directive which required cybersecurity breaches to be reported to federal authorities. Additionally, the Biden Administration is currently proposing legislation to mandate that operators of critical infrastructure report data breaches to the government.
These actions show that we are starting to see the government shift beyond voluntary guidelines and move toward mandatory rules and regulations to take action when a cyber attack occurs. Now that we’ve seen direct congressional action for pipeline systems, the same actions must be taken for healthcare, especially given the important private information within it, increasing threats against the industry, as well as the fact that a recent study from Ponemon Institute, which found that one in four healthcare organisations reported increased patient mortality rates resulting from ransomware attacks.
What else should ideally be in place to help healthcare providers combat cyber attacks?
In our current environment, medical and IoT devices are arguably the weakest link for the healthcare industry. This is due to a lot of factors, including the countless varieties of devices, outdated and unpatchable operating systems and firmware, the inability to be disconnected from patients and IT network infrastructures, differentiations from standard IT solutions making them unable to be secured, and the fact that connected medical devices are often developed without cybersecurity in mind. Because of these challenges, healthcare providers need a cybersecurity solution that can protect these devices.
To prevent the risk of a cyber attack, hospitals and health systems need to adopt a Zero Trust security architecture. This approach assumes that all users in the network could be malicious and operates accordingly. The Zero Trust security model works by authenticating any access between two components within one network, and after authentication is completed, users, applications and devices are only given the minimum amount of privileges they need to function to keep the network protected.
In addition to setting up a Zero Trust architecture, healthcare organizations also need to incorporate best practices, including updating software regularly, identifying, monitoring and segmenting connected medical devices (i.e., the process of dividing a network into multiple segments, having each act as its own small network), developing an incident response plan, and increasing security education to all employees and stakeholders.
When it comes to segmentation specifically, this can be a particularly challenging feat when devices are hooked up to patients, as it must not interfere with patient care, safety or data. But in the end, once properly set in place, segmentation is able to prevent attackers from shutting down all devices with ransomware or performing reconnaissance on those devices.
Do you have any general predictions for cybersecurity in healthcare in the next 2-3 years?
Looking ahead to the next 2-3 years, I have a few predictions as to where the cybersecurity industry will change. First, I believe that we will see the shift of patient safety taking centre stage, compared to how compliance and data breaches are front and centre now.
Furthermore, we will continue to see the use of IoT medical devices grow, and more of these devices which were previously not connected will become connected. However, this in turn will mean that we will likely continue to see stark increases in ransomware attacks leveraging these IoT medical devices as an entry point.
Lastly, as the healthcare industry continues to invest more in telehealth and virtual care options, hospitals’ perimeter and attack surfaces will expand significantly beyond their physical location, into the homes of patients and to the cloud.
