Healthcare providers hold a vast amount of sensitive and valuable data about almost everyone. For this reason, these organizations are facing more and more threats and have become a prime target for hackers. At the same time, the healthcare industry has been under relentless cost and regulatory pressure for years, which has led to corner cutting and deferred investments. And often these organizations operate in a geographically decentralized governance model, where local resources make crucial decisions about when to patch, upgrade or repair key devices and systems.
These opposing forces make healthcare providers one of the hottest battlefields for cybersecurity today, where targeted and accidental attacks meet an often poorly coordinated and under-resourced defense of critical systems, networks and devices.
Effective cybersecurity begins with the basics. Incident response and business continuity plans are essential to ensure that the enterprise can take a punch and recover its essential functions in a timely manner. And good cybersecurity hygiene requires effective programs for patching devices, network segmentation, traffic monitoring, and managing credentials. Without these, any organization is vulnerable to untargeted malware, virus and other attacks that can be devastatingly destructive.
Once the basics are in place, a strategy to build a more effective and holistic defense against cyber attackers is to implement the “Think Like an Attacker” mentality. This begins by understanding what data and information systems are most attractive to an attacker and then considering what specific objectives a hostile actor might pursue against them. Organizations should then design and implement a comprehensive security program that integrates the domains of physical security, cybersecurity, and human intelligence to protect their assets, focusing on thwarting the most likely and devastating attack objectives.
Cybis, a cybersecurity consulting firm, has analyzed the security programs of numerous businesses and has found that robust, industry-leading programs share several commonalities. Organizations that have leading-edge cybersecurity programs embody the following six major attributes:
1. Know the Enemy
Highly secure organizations know and understand their enemies at a deep and intimate level including their mindset, capabilities, toolsets, techniques, tactics, and procedures. Leading-edge organizations take painstaking efforts to research the capabilities and tactics of their adversary and engage with offensive cybersecurity experts who know how to attack and exploit an organization’s weaknesses. They provide unique insights into how advanced threat actors think and act, which allow organizations to design their defenses accordingly.
2. Assume a Breach Will Happen & Act Accordingly
Even the most mature cyber programs in the world cannot eliminate the threat of being involved in a major breach. High-level actors will find a way in if the motivation is strong enough by being able to dictate the time, place, and method of an attack. Sophisticated cybersecurity practitioners assume that they will be breached and incorporate appropriate countermeasures to quickly detect, contain, and respond to the threat actor, limiting the damage and ensuring that the enterprise can continue to operate. Adopting this “Assume Breach” paradigm brings a unique perspective and focus to these organizations, allowing them to refine their security posture and ensure that the enterprise will survive an attack.
3. Aggressively Act to Reduce their Attack Surface
Industry-leading organizations aggressively seek to identify vulnerabilities and patch them before their adversaries can exploit them. Vulnerability management programs that regularly scan their assets for critical vulnerabilities, test patches for potential operational issues, and then systematically deploy patches throughout the enterprise are essential for reducing the number of holes threat actors can exploit. Effective vulnerability management is a permanent lifestyle change, not a one-time fix.
4. Detect and Reduce Insider Threats
IBM reported that 71% of attacks on the healthcare industry in 2016 involved an insider threat. Of that 71%, 25% of the attacks were conducted by malicious insiders. Insiders who have conducted malevolent activities, or plan to do so in the future, can be difficult to detect. Insiders have access and possess varying degrees of intimate knowledge of an organization’s systems, data, and security protocols and their associated vulnerabilities. The fastest way for an adversary to achieve their objective is by recruiting an insider to compromise access to critical assets. By establishing a formal insider threat program with buy-in from management, the financial losses and damage to an organization’s reputation can be mitigated. Often this requires investment in tools and procedures that connect the dots between physical, human, and cybersecurity data, so that a change in behavior that flags a possible insider threat can be observed and disrupted.
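As an added illustration of what “connecting the dots” between physical and cyber data can look like in practice, the script below (example code written for this page, not from the article or from Cybis) correlates two constructed log feeds: door-badge events and VPN authentications. It flags an account that is badged in on site while the same credentials authenticate to the VPN from outside the corporate network, and separately lists after-hours building entries. The log formats, the corporate address range and the sample records are all assumptions made for the example.

```python
"""Correlate badge-access and VPN logs to surface insider-threat signals."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs for this example (not from any real system).
# Assumed formats:  badge "<ISO time> <user> <site> <IN|OUT>"
#                   vpn   "<ISO time> <user> <source ip> <SUCCESS|FAIL>"
BADGE_LOG = [
    "2024-03-04T08:02:10 jdoe HQ-NORTH IN",
    "2024-03-04T08:05:44 asmith HQ-NORTH IN",
    "2024-03-04T17:31:02 jdoe HQ-NORTH OUT",
    "2024-03-04T23:48:15 asmith HQ-NORTH IN",
]
VPN_LOG = [
    "2024-03-04T08:20:33 jdoe 203.0.113.45 SUCCESS",
    "2024-03-04T12:10:01 asmith 10.20.30.40 SUCCESS",
    "2024-03-04T23:55:09 asmith 198.51.100.7 SUCCESS",
    "2024-03-04T23:56:40 asmith 198.51.100.7 FAIL",
]
# Assumed corporate address space: a VPN login from here is on-site, not remote.
CORP_NETS = [ip_network("10.0.0.0/8")]


def parse_badge(lines):
    """Parse badge lines into dicts with a real datetime for time comparisons."""
    events = []
    for line in lines:
        ts, user, site, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "site": site, "action": action})
    return events


def parse_vpn(lines):
    """Parse VPN lines; failures are kept so callers can decide how to use them."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def is_remote(ip):
    """True when the source address is outside every corporate network."""
    return not any(ip_address(ip) in net for net in CORP_NETS)


def badge_vpn_conflicts(badge, vpn, window=timedelta(hours=2)):
    """Return (user, badge_in_ts, vpn_ts, ip) for each successful remote VPN login
    that happened within `window` after the same user badged IN and before any OUT.
    A person cannot be at a badge reader and on a remote network at once, so either
    the badge or the credential is being used by someone else, or is being shared."""
    by_user = {}
    for e in badge:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for v in vpn:
        if v["result"] != "SUCCESS" or not is_remote(v["ip"]):
            continue
        for e in by_user.get(v["user"], []):
            if e["action"] != "IN" or not (e["ts"] <= v["ts"] <= e["ts"] + window):
                continue
            # Ignore the pairing if the user badged OUT between the IN and the login.
            left = any(o["action"] == "OUT" and e["ts"] < o["ts"] <= v["ts"]
                       for o in by_user[v["user"]])
            if not left:
                alerts.append((v["user"], e["ts"], v["ts"], v["ip"]))
    return alerts


def after_hours_entries(badge, start_hour=22, end_hour=6):
    """Badge-IN events outside assumed normal hours; a behaviour change worth review."""
    return [e for e in badge
            if e["action"] == "IN" and (e["ts"].hour >= start_hour or e["ts"].hour < end_hour)]


def run(badge_lines=BADGE_LOG, vpn_lines=VPN_LOG):
    """Run both checks over the sample feeds and return the findings."""
    badge, vpn = parse_badge(badge_lines), parse_vpn(vpn_lines)
    return {
        "badge_vpn_conflicts": badge_vpn_conflicts(badge, vpn),
        "after_hours": [(e["user"], e["ts"]) for e in after_hours_entries(badge)],
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name)
        for f in findings:
            print("  ", f)
```

On the sample data the first check pairs jdoe’s 08:02 badge-in with a remote login eighteen minutes later, and asmith’s 23:48 entry with a remote login at 23:55; asmith’s midday login from the internal range is not flagged. Neither finding is proof of wrongdoing, which is the point of the article’s “formal insider threat program”: the correlation gives the program a concrete, reviewable event rather than a hunch.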
5. Holistically Integrate Physical, Cyber and Human Security Elements
Attackers don’t care about organizational silos and boundaries; they take the path of least resistance to achieve their objectives. Advanced actors search relentlessly for vulnerability: if one vector is secure, they will surely try another, across the physical, cyber and human security dimensions. A holistic approach, integrating the physical, cyber, and human dimensions, is needed to connect all the dots across an organization’s networks, facilities and people. This integration gives organizations a broader perspective on the threats, allowing them to identify threats more quickly and respond in a more effective and coordinated manner.
6. Develop a Comprehensive Security Program Roadmap
To offset the prevailing threats and those that loom on the horizon, healthcare organizations require a holistic security program that encompasses the cyber, human, and physical security domains. What processes need to be implemented to take an organization from where it is now to a robust security program that can effectively thwart attacks from the adversary? An iterative process that provides a roadmap to improvement is required to move the security program from its current state to its desired target state.
The following four-step process can be implemented in any healthcare organization seeking to improve current security programs.
1. Assess the current security posture
2. Establish the gold standard (the target state)
3. Compare the current and target states and find the gaps
4. Create a practical action plan
The healthcare industry has found itself squarely in the crosshairs of advanced, well-funded, and highly motivated criminal and nation-state threat actors. Healthcare executives who believe the threat will soon subside, or that their organizations will never be targeted, are viewing the battlefield through rose-tinted glasses. With the threat landscape becoming more ominous each day, developing a leading-edge security program through a process of assessment, target state development, gap identification and implementation of a prioritized and sequenced plan of action is vital to building a program that can effectively prevent, detect, contain and respond to the growing threats faced by the healthcare industry.
Cybis is a leading cybersecurity consulting firm providing Agency Grade® solutions to private sector clients. Our team is staffed by former operators from the NSA, CIA, and Department of Defense who have cross-disciplinary expertise and help clients manage their business’s value at risk. As former offensive cybersecurity operators, we “think like an attacker” to determine where and how our clients are most likely to be targeted, and to craft strategies of defense and resilience to protect the business. Our approach integrates the technical, physical, and human dimensions of security to identify, prioritize and remediate complex risks and vulnerabilities.