Strengthening cloud security in healthcare
The healthcare industry has always had the cards stacked against it when it comes to cyber security. Medical records are a popular prize for cyber criminals looking to make a quick profit on the dark web or launch more targeted attacks. Further, with lives potentially on the line, healthcare providers are painfully vulnerable to disruptive attacks like ransomware.
Pitiless criminals even ramped up their attacks during the disruption of the pandemic, with the end of 2020 seeing a global 45 percent increase in attacks on healthcare organisations.
Despite these challenges, the industry still needs to continue to develop and grow its digital capabilities, particularly when it comes to the cloud. While practitioners could not work remotely to the same extent as many other sectors, the flexibility of the cloud was a major advantage over the last year and will be increasingly important in the years to come.
So how can the healthcare sector continue its cloud migration without putting its infrastructure – and patients – at risk?
Managing cloud complexity
One of the greatest challenges in securing the cloud is the additional layer of complexity it creates, particularly when it comes to hybrid environments that integrate new cloud assets with on-premise infrastructure. This is particularly difficult for well-established organisations that have a lot of older infrastructure, as this can lead to overly complex set-ups that suffer from gaps, ready to be exploited by threat actors. Older firms also have an additional challenge as they are likely to have a large collection of data and other assets that need to be migrated over to the new cloud environment.
A common misstep is a misplaced sense of confidence around having a secure perimeter. It’s common to find many firms still relying on outward-focused security strategies that centre on firewalls and other perimeter defences. However, this approach is no longer enough on its own as it fails to account for threats that are already inside the network.
Criminals increasingly use phishing and other tactics to steal user credentials and use their trusted identity to get through the outer defences. Similarly, the healthcare sector must also contend with insider threats in the form of unscrupulous or disgruntled employees abusing their access privileges.
Beware third party threats
The healthcare sector is also especially vulnerable to external threats from its supply chain. Providers often have extended webs of third-party suppliers, partners and contractors that require varying levels of network access. The cloud has made it easier than ever to create and grow these relationships, but has also increased the risk exposure.
For example, earlier this year San Diego Family Care, a US healthcare provider, suffered a large data breach involving the sensitive data of 125,000 patients after attackers exploited the firm’s cloud provider. The GDPR and other data privacy regulations are clear on the fact that the original data owner is liable for any fines, regardless of if the breach originated with a third party.
Compliance does not always mean security
The healthcare industry operates under a high level of regulatory scrutiny. Reporting obligations mean that healthcare firms have reported far more data security incidents to the UK’s Information Commissioner’s Office so far this year compared to other sectors.
However, attaining compliance with regulations like the GDPR and HIPAA should not be confused with achieving a high level of security, particularly as both IT environments and threats evolve.
Cloud migration for example can quickly make it harder to locate and secure all instances of sensitive data containing personally identifiable information (PII) as it becomes dispersed across several environments. Organisations need to ensure their security capabilities are evolving at the same pace as their IT infrastructure.
Ensuring that the right solutions and controls are in place to secure sensitive data will usually fulfil most regulatory needs along the way. So, what defences should firms be focusing on?
Identifying security priorities
There is no one-size fits all approach to security, so all healthcare institutions should look to create their own bespoke strategies centred on their unique infrastructure and needs. Conducting an in-depth risk assessment will help to identify the biggest priorities. IT security frameworks can also provide some useful structure, with NIST offering a distinct Health IT framework, for example.
Conducting regularly scheduled penetration tests can also help to create a deeper understanding of the organisation’s IT infrastructure and potential risks, whether on-premise or in the cloud. A penetration test involves a team of experienced security analysts attempting to break into the network in the same manner as real attackers. This can reveal more obscure paths and is particularly valuable for a complex hybrid cloud environment.
Taking action to reduce risk
There are several options for organisations to immediately begin improving their security standing. Identity security should be a priority as criminals are increasingly using phishing techniques to acquire user credentials.
Implementing multifactor authentication (MFA) is a particularly effective first step as it will make it much harder for threat actors to exploit stolen credentials without access to the secondary channel. MFA should be applied to anything that can be used to access network assets, including VPNs, webmail, and web applications.
Alongside this, organisations should audit their access controls. There should be a least privilege approach in place, with accounts only being able to access what they need for their role. This will reduce the threat posed by a compromised account, and also help mitigate the risk of malicious insiders and third parties exploiting their trusted access – especially for cloud assets.
Implementing a third-party risk management is a more long-term activity that will help to improve defences. Security is only as strong as its weakest link, so healthcare firms need to be sure their suppliers have adequate defences.
Security measures such as penetration tests and MFA can be included in contracts as service level agreements (SLAs) to ensure compliance. While the healthcare sector faces an uphill struggle to stay secure in the face of mounting cyber threats, they can still enjoy the benefits of the cloud without exposing their patients to unnecessary risk. Focusing on the areas of greatest risk will enable any organisation to improve its defences without breaking the bank.