Ashish Thapar, Managing Principal and Head – APJ Region, Verizon speaks on methods organisations can employ to prevent cyberattacks
Healthcare institutions large and small can be left black and blue by a cyberattack. Larger institutions have to serve more patients and thus have more user health records that attackers can potentially compromise. Smaller institutions, on the other hand, may not have the financial resources to protect themselves against an attack or respond to one when it occurs.
In the event of an incident or breach, mitigating the risk and continuing the business can take a massive financial toll on a healthcare institution, costing it time, money and staffing support to remedy. This severely reduces the number of patients seen in a given day (or for however long it takes to address and repair the damage), and the institution suffers financial and reputational damage as a result.
According to the Indian Pharmaceutical Congress, the healthcare industry is growing at 15.92 per cent per annum. In India, digitalisation has led to a rise in the collection and analysis of data, making it an attractive target for cyber criminals and for malware infection. With the right to privacy now made a fundamental right in India and the number of data breaches increasing, the Ministry of Health and Family Welfare (MoH&FW) has decided to roll out draft legislation titled the Digital Information Security in Healthcare Act (DISHA).
According to Verizon’s 2019 Data Breach Investigations Report (DBIR), for the second consecutive year the majority of cybersecurity breaches in the healthcare sector in 2018 were attributed to internal (rather than external) threat actors – a skew unique to the healthcare industry. These internal threat actors are typically employees working within healthcare institutions (doctors, nurses, IT staff etc.), who are more likely to have caused a breach than hackers outside the institution. They are not always acting out of malice; the major concern is that these internal actors have already been granted access to systems in order to do their jobs, so a breach does not necessarily require breaking into a system to retrieve or expose confidential information.
Misdelivery (sending data to the wrong recipient) is the most common error type leading to data breaches across sectors, and the healthcare industry is no exception. The healthcare sector also suffers from the widespread problem of social attacks. Like many other industries, healthcare institutions are under constant threat from phishing emails that ‘bait’ unsuspecting recipients into entering personal information such as email credentials on fake sites. The stolen login details are then used to access the user’s cloud-based mail account, and any patient data in their inbox, sent items or other folders is thereby compromised.
In Verizon’s Insider Threat Report, particular attention has been paid to the types of insider threats that organisations can face. Profiled within specific case scenarios from Verizon’s own investigative caseload – from incident detection (and validation), to response and investigation, and then to lessons-learned (countermeasures) – five insider personalities have been identified:
The Careless Worker – These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorised applications and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of Shadow IT (i.e., outside of IT knowledge and management).
The Inside Agent – Insiders recruited, solicited or bribed by external parties to exfiltrate data.
The Disgruntled Employee – Insiders who seek to harm their organisation via destruction of data or disruption of business activity.
The Malicious Insider – These are employees or partners with access to corporate assets who use existing privileges to access information for personal gain.
The Feckless Third-Party – Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.
So how can healthcare institutions immunise themselves from cyber incidents and breaches? There is no magic pill, but there are precautions that industry leaders can put in place to better protect themselves against threats from the inside and out.
Prescriptions for Protecting Your Network:
Locate the Problem Areas:
Practise good security hygiene by examining the current health of the network. Healthcare institution leaders and administrators should know where their major data stores are, enforce strong data-centric security controls, limit access for employees and staff, and keep a microscopic eye on user and entity behaviour analysis to identify anomalous activity. Certain staff do not need complete access to files and records in order to perform their jobs, so practitioners can enact low-cost least-privilege controls to prevent the miscellaneous errors that erode the cybersecurity of an institution.
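The two controls named above, a least-privilege policy on who may touch which records and a behavioural check that flags a user whose record access is far outside that of their peers, are shown together below as an added example. It is not code from the article, from Verizon or from any product; the audit-log format, the roles, the policy table, the thresholds and the log itself are constructed assumptions for illustration.

```python
"""Added example (not from the article or Verizon): a least-privilege policy
check and a peer-baseline access-volume check over a constructed EHR audit log.
Log format, roles, policy and thresholds are all assumptions for illustration."""
from collections import defaultdict
from statistics import median

# Assumed least-privilege policy: which record types each role may touch, and how.
# Roles absent from the table (e.g. it_support) get no access to records at all.
POLICY = {
    "physician": {"patient": {"view", "update"}},
    "nurse":     {"patient": {"view"}},
    "billing":   {"billing": {"view"}},
}

def parse_line(line):
    """Parse 'timestamp user role action type/id' into a dict; None on a malformed line."""
    parts = line.split()
    if len(parts) != 5 or "/" not in parts[4]:
        return None
    ts, user, role, action, resource = parts
    rtype, _, rid = resource.partition("/")
    return {"ts": ts, "day": ts[:10], "user": user, "role": role,
            "action": action, "rtype": rtype, "rid": rid}

def policy_violations(lines):
    """Return (user, role, action, resource) for every access outside the role's policy."""
    bad = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        allowed = POLICY.get(ev["role"], {}).get(ev["rtype"], set())
        if ev["action"] not in allowed:
            bad.append((ev["user"], ev["role"], ev["action"], f'{ev["rtype"]}/{ev["rid"]}'))
    return bad

def volume_anomalies(lines, factor=5, floor=10):
    """Flag users whose distinct patient records per day exceed `factor` times the
    median of their role peers that day (and at least `floor`, so tiny peer groups
    with a median of 1 or 2 do not produce noise)."""
    seen = defaultdict(lambda: defaultdict(set))   # (day, role) -> user -> {patient ids}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["rtype"] == "patient":
            seen[(ev["day"], ev["role"])][ev["user"]].add(ev["rid"])
    flagged = []
    for (day, role), users in seen.items():
        counts = {u: len(ids) for u, ids in users.items()}
        if len(counts) < 2:
            continue  # no peer group to compare against
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            threshold = max(factor * median(peers), floor)
            if n > threshold:
                flagged.append((day, user, role, n, threshold))
    return flagged

def build_sample_log():
    """Constructed audit log: three physicians with normal workloads, one who
    bulk-reads 120 charts, a nurse who exports, and an IT user reading a chart."""
    lines = []
    for i, doc in enumerate(["dr.patel", "dr.okafor", "dr.lee"]):
        for k in range(5 + i):   # 5, 6 and 7 distinct charts respectively
            lines.append(f"2019-06-03T08:{k:02d}:00 {doc} physician view patient/{1000 + 10*i + k}")
    for k in range(120):         # one physician reading 120 charts late at night
        lines.append(f"2019-06-03T22:{k % 60:02d}:{k // 60:02d} dr.ross physician view patient/{5000 + k}")
    lines.append("2019-06-03T08:12:30 nurse.kim nurse view patient/1001")
    lines.append("2019-06-03T08:13:10 nurse.kim nurse export patient/1001")   # export not permitted
    lines.append("2019-06-03T08:15:00 it.ravi it_support view patient/1003")  # role has no record access
    lines.append("2019-06-03T09:00:00 billing.ana billing view billing/1001")
    return lines

if __name__ == "__main__":
    log = build_sample_log()
    for v in policy_violations(log):
        print("POLICY", v)
    for a in volume_anomalies(log):
        print("VOLUME", a)
```

The policy check catches the nurse's export and the IT user's chart read even though both users are legitimately logged in, which is the point of the article's insider argument; the volume check catches the physician whose 120 charts dwarf the 5 to 7 of their peers, without needing a fixed per-user quota. The peer median is deliberately computed without the user under test so that one outlier cannot raise their own baseline.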
Make It Easier for Employees to Report Issues:
Minor errors like phishing can be infectious. Industry leaders should make it easy for their staff to report phishing when it occurs (whether they took the bait or not), so they can nip issues in the bud and prevent an influx of employees from potentially compromising the network. Leaders can incentivise the process by implementing reward-based motivations for employees to report incidents quickly, so fewer people and less information are implicated.
Institute Checks and Check-ups:
There should be a game plan in place to prevent incidents or breaches from happening, rather than nursing a security system back to health after they have occurred. Institutional leaders need to familiarise themselves with which processes deliver, dispose of or publish personal data, and put up checks to ensure that a minor mistake made by an employee does not escalate into a breach. By putting a plan in place and having regular check-ups of infrastructure, mobile and network security, healthcare institution leaders have a standard to measure their performance against regularly, as a pulse check.
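One concrete check on a process that delivers personal data is an outbound-mail gate that catches the misdelivery pattern described earlier: a mistyped domain, or patient data addressed outside the institution. The example below is added here and is not from the article, from Verizon or from any mail product; the institution and partner domains, the MRN identifier format and the sample messages are constructed assumptions.

```python
"""Added example (not from the article or Verizon): an outbound-mail check that
holds or blocks likely misdelivery before a message leaves. The domains, the
MRN identifier format and the sample messages are constructed assumptions."""
import re

INTERNAL_DOMAIN = "example-hospital.org"                        # assumed institution domain
APPROVED_PARTNERS = {"lab-partner.example", "insurer.example"}  # assumed partner domains
MRN_RE = re.compile(r"\bMRN[- ]?\d{6,8}\b")                     # assumed patient-identifier format

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(msg):
    """Return a list of findings for one outbound message dict
    {'to': [...], 'subject': str, 'body': str}. An empty list means it may go."""
    findings = []
    contains_phi = bool(MRN_RE.search(msg["body"]))
    known = {INTERNAL_DOMAIN} | APPROVED_PARTNERS
    for addr in msg["to"]:
        domain = addr.rpartition("@")[2].lower()
        if domain in known:
            continue
        # A domain within two edits of a known one is almost always a mistyped address.
        near = [d for d in sorted(known) if edit_distance(domain, d) <= 2]
        if near:
            findings.append(f"{addr}: domain looks like a typo of {near[0]}; hold for confirmation")
        elif contains_phi:
            findings.append(f"{addr}: external recipient and body contains a patient identifier; block")
        else:
            findings.append(f"{addr}: external recipient; prompt sender to confirm")
    return findings

# Constructed sample messages exercising each outcome.
SAMPLE_MESSAGES = [
    {"to": ["nurse.kim@example-hospital.org"], "subject": "Chart", "body": "Please review MRN-00123456"},
    {"to": ["dr.patel@example-hospita.org"],   "subject": "Labs",  "body": "Results attached"},
    {"to": ["friend@mail.example"],            "subject": "Fwd",   "body": "chart for MRN 7654321"},
    {"to": ["vendor@widgets.example"],         "subject": "PO",    "body": "invoice for pumps"},
]

def triage(messages):
    """Return the findings list for each message, in order."""
    return [check_message(m) for m in messages]

if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(msg["to"], "->", findings or ["ok"])
```

The gate is deliberately graded: a typo-domain is held rather than blocked, because the sender can fix it in seconds; patient identifiers addressed to an unknown domain are blocked outright; any other external recipient only prompts for confirmation, so staff are not trained to click through warnings. The identifier pattern and the partner allow-list are the two things an institution would replace with its own.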
As healthcare institutions become increasingly interconnected, there needs to be a plan in place to address the state of mobile and network security before an attack occurs. Reframe the situation to think of cybersecurity as a matter of patient care: medical devices can be hacked, a breach can cause a misdiagnosis and personal health information stored on computers can be stolen. Not to mention, the downtime during a breach can put patients in critical danger.
Protect before you have to treat. Industry leaders must take all of the necessary measures to assess and stabilise the mobile and network security of their institution to better thwart attacks – especially ‘from the inside’. By putting up safeguards for employees – including doctors and nurses – to protect themselves from accidentally compromising their network, these institutions can lessen or even prevent the threat of an incident or breach.