Published: 24 Jan 2017
With ransomware attacks increasing 300% in little more than a year -- from 1,000 daily attacks in 2015 to 4,000 in early 2016, according to a U.S. government interagency report -- it's no wonder cybersecurity is top-of-mind for many health IT professionals.
While it's important to train and educate healthcare employees on best practices to keep the organization secure, "we're not going to solve this issue just by educating our workforce," said Mac McMillan, co-founder and CEO of CynergisTek Inc., a healthcare IT consulting firm in Austin, Texas. The right technologies to prevent, detect, resist and recover from an attack are essential to maintaining security and keeping a healthcare organization up and running.
Technology to prevent cyberattacks
Using effective technologies to detect cyberattacks is important, but security professionals say healthcare organizations need to use technologies designed to prevent attacks as well. Many good technology options are available to do just that.
Multifactor authentication. McMillan advised that healthcare organizations use at least two-factor authentication. In addition to having a username and password, employees should have another layer of credentials, such as a security question, electronic token or biometric authentication like a thumbprint. Doing so creates barriers for anyone seeking unauthorized access to an account.
"That just makes it that much harder because you might have my phone; you may even guess my password," said McMillan, who spoke at the annual American Health Information Management Association conference in Baltimore last October. "But you're not going to have my [thumbprint], and you're not going to have my token."
David Reis, senior vice president and CIO at Lahey Health in Burlington, Mass., agreed, adding that more hospitals need to follow this approach. Although encryption has become standard in healthcare, multifactor authentication has not. Such authentication for remote access is particularly important, he said.
Healthcare organizations that allow remote access to systems should insist on a username and password for each user as well as a PIN that changes every 30 to 60 seconds, Reis said. This step would apply to remote users of email, ERP systems, patient portals or clinical applications such as electronic health records.
"This type of security technology would have largely prevented the email breaches that we've been seeing in the media where someone gets successfully phished, giving up their user credentials, and then the bad actor logs in and accesses emails with patient information," Reis explained. "This scenario is exactly the kind of thing that multifactor authentication prevents from happening in almost every case."
Behavioral analytics. Using data to measure employee behavior can also help tighten security. If healthcare employees -- doctors, nurses or residents -- have access to a system, McMillan said, they usually can view information about all the patients in that portion of the healthcare organization's system.
However, some technologies can monitor how employees use those systems and track what information they access. For example, if a doctor in the emergency department looks up a patient's information in the oncology ward, that action would trigger an alert to the IT department because the doctor may be accessing information he doesn't necessarily need, McMillan said.
"We need to start normalizing behavior across platforms and across positions so that we understand what is normal for [a clinician] to look at in a given day," McMillan said. "And if he's looking at [50%] or 100% more information than is normal for him to look at, that should set off a flag, too, even if he's still within his lane. We need those behavioral analytics."
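The two rules McMillan describes, a cross-department lookup and a daily chart volume at least 50% above the clinician's own norm, can be run over access logs as simple detection logic. This added example is not from the article or any analytics product; the log records, user names and departments are constructed.

```python
"""Behavioral-analytics check over constructed EHR access records.
Each record is (user, user_dept, patient_dept, day). Alerts are raised for
(1) a user opening a chart outside their own department and
(2) a day's chart count >= baseline * (1 + threshold), even within their lane."""
from collections import defaultdict
from statistics import mean


def make_log():
    """Constructed sample: dr_a (ED) doubles her volume on d3, dr_b (ED)
    opens an oncology chart on d3, dr_c (ONC) behaves normally."""
    log = []
    for day in ("d1", "d2"):
        log += [("dr_a", "ED", "ED", day)] * 4
        log += [("dr_c", "ONC", "ONC", day)] * 5
    log += [("dr_a", "ED", "ED", "d3")] * 8
    log += [("dr_c", "ONC", "ONC", "d3")] * 5
    log += [("dr_b", "ED", "ONC", "d3")]
    return log


def baseline_daily_volume(log, user, baseline_days):
    """Mean charts per day for `user` over the baseline days (0 for unseen days)."""
    counts = defaultdict(int)
    for u, _, _, day in log:
        if u == user and day in baseline_days:
            counts[day] += 1
    return mean(counts[d] for d in baseline_days) if baseline_days else 0.0


def find_alerts(log, day, baseline_days, threshold=0.5):
    """Return (user, rule, detail) tuples for `day` against the baseline days."""
    alerts, per_user = [], defaultdict(int)
    for user, user_dept, patient_dept, d in log:
        if d != day:
            continue
        per_user[user] += 1
        if user_dept != patient_dept:  # rule 1: out-of-lane access
            alerts.append((user, "cross-department",
                           f"{user_dept} user opened {patient_dept} chart"))
    for user, n in per_user.items():  # rule 2: volume anomaly
        base = baseline_daily_volume(log, user, baseline_days)
        if base and n >= base * (1 + threshold):
            alerts.append((user, "volume", f"{n} charts vs baseline {base:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(make_log(), "d3", ("d1", "d2")):
        print(alert)
```

A user with no baseline (dr_b) cannot trigger the volume rule, which is why a new account still needs the department rule as a backstop.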
Honeypot. McMillan said another option to prevent attacks is to install a honeypot, which essentially creates a fake server that will lure attackers "and cause them to waste time playing around out there as opposed to actually hacking your network." Healthcare organizations should set up their honeypot so that they can track and block the IP address of the attackers.
How to detect cyberattacks with technology
An effective way to detect -- and protect against -- ransomware or cyberattacks is to have next-generation firewalls and security email gateways work together, Reis said. "What that interoperability between firewalls and security email gateway devices would do is identify that something was running in the environment that looked suspicious and then inspect email attachments for known patterns, ... not in an antivirus way, [but] in a crowd-sourced way," he explained. Like the internet of things, security tools would be aware of what other security devices are discovering, he noted, adding that "this is similar to intrusion detection and prevention solutions but with a different focus."
Technology to respond to a cyberattack
When it comes to meeting an attack head on, some hospitals succeed with advanced persistent threat (APT) technologies, said Mark Dill, a partner and principal consultant at tw-Security, a healthcare security firm based in Strongsville, Ohio. According to Dill, APT looks for early infections in the network that ultimately become ransomware problems.
He advised that healthcare organizations put APT technologies in block mode, which halts communication between the malware and its command-and-control server. This defense is important because such communication is sometimes necessary for the malware to get the encryption key to actually encrypt the data. But with block mode, Dill said, the technology can prevent the encryption key from ever getting into the organization. "It gives IT and antivirus software a chance to catch up and figure these things out," he explained.
Hospitals, grab your bitcoin wallet
Should a healthcare organization experience a cyberattack or ransomware attack, having a bitcoin wallet makes the recovery process much quicker if the organization has no choice but to pay the ransom, Dill said.
A slew of healthcare organizations suffered through ransomware attacks in the past few years and were forced to pay, including New Jersey Spine Center in Chatham, N.J.; Marin Healthcare District in Greenbrae, Calif.; Kansas Heart Hospital in Wichita, Kan.; and Hollywood Presbyterian Medical Center in Los Angeles.
Without a bitcoin wallet, which is basically a bank account that holds a person's or organization's bitcoin currency, it could take up to a week for the traditional money to transfer, Dill said. Such a delay prolongs the return of the healthcare organization's data and, in some cases, could cripple hospital operations. With a bitcoin wallet, the transfer of the ransom currency is much faster.
Recovering from an attack
Despite knowing how to detect threats and using technologies to prevent ransomware and cyberattacks, healthcare organizations should also have a recovery plan. One method is to back up data frequently so a hospital can restore that data and keep functioning after an attack. But Dill also pointed to the data center as a way to recover.
First, he advised that healthcare organizations invest in tiered storage, in which the most frequently accessed data is stored on higher-performing storage devices and rarely accessed data is put on low-performance, cheaper storage. Tier-two storage, in particular, is important because "a tier two starts to have some redundancy [of data] and some of the controls," Dill said. If a healthcare organization is hit by a ransomware attack, those features would make it possible to recover some of the data held hostage.
He also recommended that hospitals set up their data centers so they're redundant. That means if one data center experiences a disaster -- be it a ransomware attack or hurricane -- the healthcare facility would have all that data stored in another data center. In that way, Dill explained, healthcare organizations could do what he called a "data center flip-flop," adding "where my system is so good that I can run for a month in a data center 15 miles away and then one night fail it over to the other data center."