Hospitals have long known the importance of protecting against cyberthreats, but the WannaCry ransomware attack from March 2017 reinforced how essential it is to have a comprehensive cybersecurity solution. This attack affected organizations in more than 150 countries, with healthcare being the most severely affected industry. “It was the first time a ransomware attack didn’t just affect the PCs, it encrypted medical devices, too, which created a threat to patient safety,” said Christopher Frenz, Director of Infrastructure at Interfaith Medical Center, a 287-bed hospital in Brooklyn, New York.
The attack came through email, which is notoriously difficult to defend against because it means either altering human behavior or filtering how your organization handles communication. “If you look at phishing stats, malicious links have a 13 percent click-through rate,” Frenz pointed out. “That means if a hacker sends a malicious email to just 10 of your employees, there is a greater than 90 percent chance that someone in your organization will click.”
Hospitals understand they must comply with privacy requirements, but Frenz considers HIPAA and PCI the bare minimum. “You can be 100 percent compliant and still be insecure. Shooting for compliance only is like shooting for a D grade in class,” he said.
To boost your cybersecurity grade, you need to follow these five steps.
1. Know what’s on your network.
Take inventory of your network, including every device, from computers to HVAC equipment to medical equipment to door locks.
Also, know what data your systems house. “Hospitals often have data they are unaware of, especially with the cloud. For example, you might find your finance department is uploading data and you don’t even know. Go around and identify everything,” Frenz said.
2. Identify the flow of data.
“Identify how data flows into and out of those systems and between those systems,” Frenz said. It is essential that you know how the data is supposed to flow if you are going to write rules about it. Plus, if you have a good idea about what data is supposed to be going across the network, it’s much easier to spot something that should not be there. Would you know if something was out of place? “Map it out and learn,” he advised.
3. Segment your network.
“Ideally, you should push for a zero-trust model,” Frenz said. Zero trust restricts lateral movement along a network. Essentially, it means that no two systems trust each other or can talk to each other unless you have written a rule that they can. “We use ExtremeControl network access control, a product that allows us to apply a set of policies that control what each device plugged into the network can or can’t communicate with,” he said. For example, a doctor can view and print medical records, or look at imaging scans, but her computer or tablet cannot communicate with any other devices on the network. That way, if her device becomes infected, the virus won’t be able to spread. It takes time and focus to build a zero-trust solution, especially when you are dealing with thousands of devices. But each device you add offers that much more protection from lateral movement.
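To show how steps 2 and 3 fit together, here is an added example (not from the article or from ExtremeControl) that models a default-deny policy: the inventory maps device addresses to roles, the expected data flows become explicit allow rules, and every observed flow that matches no rule is flagged as possible lateral movement. All addresses, roles, ports and log lines are constructed for the example.

```python
# Explicit allow rules written from the data-flow map (step 2):
# (source role, destination role, TCP port). Rules are directional,
# and anything not listed is denied (zero trust, step 3).
ALLOW_RULES = {
    ("doctor-tablet", "ehr-server", 443),    # view medical records
    ("doctor-tablet", "pacs-server", 443),   # view imaging scans
    ("doctor-tablet", "print-server", 631),  # print records
    ("ehr-server", "db-server", 5432),       # EHR application to its database
}

# Device inventory from step 1: address -> role. Constructed sample values.
INVENTORY = {
    "10.10.1.15": "doctor-tablet",
    "10.10.2.10": "ehr-server",
    "10.10.2.11": "pacs-server",
    "10.10.2.20": "print-server",
    "10.10.3.5": "db-server",
    "10.10.9.40": "infusion-pump",
}


def is_allowed(src_ip, dst_ip, port):
    """Default-deny: a flow passes only if an explicit rule matches it.
    Devices missing from the inventory get the role 'unknown' and so never match."""
    src_role = INVENTORY.get(src_ip, "unknown")
    dst_role = INVENTORY.get(dst_ip, "unknown")
    return (src_role, dst_role, port) in ALLOW_RULES


def parse_flow(line):
    """Parse one constructed flow-log line of the form '<src_ip> <dst_ip> <port>'."""
    src_ip, dst_ip, port = line.split()
    return src_ip, dst_ip, int(port)


def find_unexpected(flow_lines):
    """Return every observed flow the policy does not permit: the traffic a
    segmented network would block, and the traffic worth investigating."""
    return [flow for flow in map(parse_flow, flow_lines) if not is_allowed(*flow)]


# Constructed flow log: three expected flows and three that no rule permits.
SAMPLE_FLOWS = [
    "10.10.1.15 10.10.2.10 443",   # tablet -> EHR, allowed
    "10.10.1.15 10.10.2.11 443",   # tablet -> PACS, allowed
    "10.10.1.15 10.10.9.40 445",   # tablet -> infusion pump: no rule, denied
    "10.10.1.15 10.10.2.10 22",    # tablet -> EHR on an unlisted port, denied
    "10.10.2.10 10.10.3.5 5432",   # EHR -> database, allowed
    "10.10.5.99 10.10.2.10 443",   # device not in the inventory, denied
]

if __name__ == "__main__":
    for src_ip, dst_ip, port in find_unexpected(SAMPLE_FLOWS):
        print(f"unexpected flow: {src_ip} -> {dst_ip}:{port}")
```

Because the rules are directional, the EHR server reaching back to the tablet on port 443 is denied even though the reverse flow is allowed, which is the property that keeps an infected endpoint from being reached by its peers.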
4. Build as many layers of security as you can.
“The more layers of security you have, the more effective you will be,” Frenz said. Organizations need technology-based layers as well as layers that deal with human behavior, such as awareness training for employees about phishing. Layers may include a spam filter to try to catch the malicious email, user training to try to prevent users from clicking, web filters that don’t allow the link to work if a person clicks it, anti-virus software on the computer, and then, if all that fails, network segmentation to contain the threat. In an anti-ransomware guide[1] that he co-authored, Frenz identified more than 40 layers of security organizations should consider.
5. Have an incident response plan.
If your organization is compromised, you should know ahead of time how you would deal with it and contain it as quickly as possible. One way to prepare is to conduct simulated incidents. There are a few different ways you could do this, including launching a faux-phishing campaign against employees, or simulating a malware outbreak using an EICAR test string, a harmless string that anti-virus software is designed to recognize and treat as a virus, Frenz explained. “Put your defenses to the test: Launch an incident and see how staff responds.”