PiChris - Fotolia


Hospital cybersecurity isn't easy; CIO and CISO offer advice

There is no magic bullet, no single software that will fully secure a healthcare organization. But there are strategies that will help with hospital cybersecurity. Experts weigh in.

In 2016, cybersecurity attacks wreaked havoc in healthcare. Now that 2017 has rolled around, we can see the full impact these cyberattacks have had on healthcare and hospital cybersecurity.

According to a U.S. Department of Health and Human Services Office for Civil Rights breach report, in 2016 284 breaches were reported with 500 or more organizations and 15,106,367 individuals affected, and over $20 million in fines assessed.

And the picture only gets scarier with anyone having the ability to purchase ransomware online for $39, said Ladi Adefala, senior security strategist at Fortinet Inc., a cybersecurity software company based in Sunnyvale, Calif. He spoke during a session at the Healthcare Information and Management Systems Society (HIMSS) 2017 conference in Orlando, Fla. Adefala noted that also available is an option to purchase a "Russian Roulette" feature where files are deleted every six hours until the victim pays the ransom.

And you never know where cyberattacks might come from. An audience member shared that malware was introduced into his healthcare organization's environment via an e-cigarette.

Suffice it to say, multiple health IT experts, including CIOs and CISOs, said at HIMSS 2017 that hospital cybersecurity is at the top of their list.

Network segmentation for hospital cybersecurity

Hussein Syed, CISO at RWJBarnabas Health located in West Orange, N.J., suggested that healthcare organizations look into network segmentation, a long-time security strategy that essentially separates networks based on who or what they serve, something Hussein has implemented at RWJBarnabas.

"We have urgent care, we have physicians' offices, we have specialty hospitals and we have outpatient clinical … and they're all connected together to a central EHR," he said. "All those points of entry can lead to ransomware, malicious malware … into that environment."

Syed said now that new technologies are being introduced into healthcare organizations that allow for remote access, and for providing care outside the hospital and in the patient's home -- such as telemedicine -- the area of risk has widened.

"Now we have physicians, caregivers, remote workers, you name it, all over the country reporting in or accessing the four walls and doing the work and really trying to do what they need to do and now bring in extra threats," Syed said.

Syed suggested that healthcare organizations segment their network into smaller networks dedicated to one function. For example, creating a business network and a clinical network and a network for medical devices and the EHR.

"This way if one environment is compromised at least you can contain that infection, that threat, into that little environment," Syed said, adding that these various network environments can be assigned a risk rate based on which environments are at a higher risk and which are at a lower risk.

Syed suggested that when healthcare organizations decide to embark on a network segmentation project that they adopt a framework, perform focused risk assessments, develop a strategic plan of three years or more, and focus on incident response.

Since segmenting their network, Syed said RWJBarnabas has experienced several benefits:

  • Seventy percent increased patient and physician satisfaction due to improved public internet access;
  • Forty percent true security events compared to 67% false positives;
  • Thirty percent increased visibility into advanced persistent threat activity; and
  • Seventy-five percent financial savings by avoiding architectural footprint in the virtual environment.

Prep for when a user clicks on a malicious link

Karen Clark, CIO at OrthoTennessee in Knoxville, Tenn., said simply training end users about what not to click on is not enough for a hospital cybersecurity strategy.

"We could train every one of our 700 users perfectly, and 699 of them get it and one person was sick that day or just didn't pay attention and that one person clicks on a piece of ransomware," Clark said.

We could train every one of our 700 users perfectly, and 699 of them get it and one person was sick that day or just didn't pay attention and that one person clicks on a piece of ransomware.
Karen ClarkCIO, OrthoTennessee

Clark advised that healthcare organizations identify what systems would be highly affected should they be hit by ransomware and focus their resources there.

Since it's highly likely a user is going to click on a malicious link or open a malicious email, and the results could end up with a healthcare organization's entire database being encrypted, Clark said, "that's where I'm going to put resources."

Clark gave an example of what protections she would put in place in this scenario.

"I'm going to put protections in place at the perimeter to control and prevent certain types of inbound and outbound traffic and I'm going to be sure that, for example, I do hourly backups of my major database with log shipping to a separate encrypted device that's not … a network share," she said. "So that if a user clicks on a file, it can only affect their computer. But if it escapes that defense and encrypts my main database, then I just go to my backup from an hour ago."

Have an independent security risk assessment

Clark recommended that healthcare organizations not use security vendors to conduct risk assessments. Instead, find a trustworthy third party, she said.

"One of the things we did at OrthoTennessee is partnered with our local FBI field office because the FBI has great resources for cybercrime," Clark said.

Clark and her colleagues met with their local FBI office and told them about their cybersecurity efforts, asked them for feedback, and asked them what cybersecurity activity the FBI is seeing in the healthcare space.

"They don't have a vested interest in what you buy but they're really good at what they do," Clark said.

Next Steps

Medical devices are the new threat landscape

Cybersecurity and HIPAA must complement each other

How to detect and prevent cyberattacks

Dig Deeper on Electronic medical records security and data loss prevention