Security threats may impact more users
April 29, 2019
When a zero-day virus hit Health Sciences North in Sudbury, Ontario, earlier this year, HSN and 21 hospitals put their main electronic medical records on downtime to avoid further contamination. No data was corrupted and there was no privacy breach, but it did lead to a slowdown in a number of departments until the issue was resolved four days later.
In May 2017, the National Health Service in England was hit by WannaCry, a virus that encrypts data on infected computers and demands a ransom payment to allow users access. It was the largest cyber attack to affect the NHS, resulting in the cancellation of thousands of patient appointments and surgical procedures.
And on Boxing Day, 2018, Seattle’s University of Washington Medicine in Washington became aware of a vulnerability on a website server that made protected files available and visible by Internet search. Though there was no evidence of misuse or attempted use of the information, letters were distributed to approximately 974,000 patients to alert them that files containing their names and medical record numbers had been compromised.
The list of events like these will go on, say security experts. From ransomware attacks to server misconfigurations and unpatched programs, the threat of new vulnerabilities is ever-present in healthcare.
“Security is never 100 percent solved,” says Josh Wood, solution lead, Security, at Compugen Inc., an IT solution provider based in Richmond Hill, Ontario. “It’s a treadmill where you’re always moving, trying to work to a better position.”
According to PricewaterhouseCoopers (PwC), healthcare is a greater target than other industry sectors because personal health and research information is deemed such a high-value commodity. Health systems are also increasingly interconnected, meaning more people have access to networks from all over, which in turn poses greater risk.
In 2017, PwC assessed the cybersecurity readiness of a sampling of Ontario healthcare organizations by simulating techniques used by attackers. Not surprisingly, they were able to access sensitive information without being detected. Based on their analysis, they recommended that organizations take five steps towards cybersecurity resilience: develop a risk-informed cyber strategy; actively monitor systems; improve security awareness among staff; discover and act on vulnerabilities; and engage leadership.
In short, healthcare organizations need to develop a culture of security which must be accepted and adopted at all levels, says Wood. “You can’t just have silos of security,” he says. “Security has to be managed right across your organization, from the person at the front door all the way to the person at the back of the building and everyone in between, including the doctors, the surgeons, the admin staff and IT departments. They all have to be aware of security and the potential breaches.”
Compugen security solutions focus on eliminating both internal and external risk. Not long ago, says Wood, it was normal for new iterations of security products to arrive on the market every two to three years. Today, major revisions are coming out every three to six months.
“The core problem is customers need more security than they think they can afford and they need to implement it more quickly,” he says, noting that the shortened timeline is in direct response to the increased velocity and complexity of attacks.
“At the moment, the skills of attackers are getting better faster than many companies can adapt to the attacks,” adds Wood. “There’s always going to be someone out there looking for your vulnerabilities. If you’re not locking your doors, watch out because they’re always going to be knocking on them to see what they can get.”
Many healthcare organizations face the need to secure both older on-premises infrastructure and newer cloud services. One important concept that is emerging as a security best practice for the cloud is micro-segmentation, a method that creates secure zones in data centres and cloud deployments by isolating workloads. Wood says it’s analogous to giving every user on a network their own office with soundproofing.
When micro-segmentation is properly architected, it is transparent to users, doesn’t impact performance and dramatically improves security. Yet, just like any other security implementation, it needs to be routinely reviewed and improved over time in order to maintain effectiveness.
Compugen is currently working with Mackenzie Vaughan Hospital, a new build in Ontario expected to be complete by 2020, to ensure security challenges are addressed in its design. A smart hospital equipped with state-of-the-art technology, the site is introducing cutting-edge innovations that rely heavily on a secure, highly available wireless network and that means security needs to be forward-thinking.
One of the objectives is to implement a smart tracking system for hospital beds. As a patient is wheeled in a bed from one floor to another, or from an inpatient ward to a CT scan suite, for example, the elevator will be able to track the bed’s location and ensure an elevator is ready and waiting when it arrives, with a goal of expediting patient care, particularly in critical situations. On the security front, the challenge is to enable uninterrupted wireless connection while protecting sensitive data.
“Our team is working to make sure that as much as possible, we future-proof … We have to think ahead to the standard two to three years from now,” says Wood.
First Nations Health Authority (FNHA) in B.C. is another healthcare organization partnering with Compugen to provide best-in-breed security for health records. Established in 2013 to reform the way healthcare is delivered to First Nations communities within the province, the health authority manages primary, mental, dental and environmental health services, and health benefits for roughly 142,000 citizens.
In response to a provincial mandate that all health authorities install a secondary data centre to safeguard patient data and maintain operations in the event of an attack or other catastrophe, FNHA implemented hyperconverged technology from Nutanix that integrates compute, storage and virtualization resources in a single system. Data from its primary data centre is replicated to the new environment every 24 hours; in the event of a compromise, health records seamlessly fail over to the backup data centre.
As a young organization, FNHA had the benefit of putting privacy and security departments in place from the start, and systems are “growing in parallel” with privacy and security policies, says FNHA IT manager, Core Technology, Valeriu Surdu. “Everything is monitored 24/7; we’re trying to be proactive rather than reactive,” says Surdu.
In addition to its 12-person IT team, which is responsible for applying patches and configuring firewalls, the health authority has a dedicated IT security team of two people who manage governance, policy and ongoing system monitoring. According to Surdu, the hyperconverged architecture is inherently secure and simpler to manage.
“It gives us the ability to easily segregate data so we can protect client data much better and more efficiently,” he says. “With hyperconvergence you also have the ability to encrypt data at rest, which is a future we’re looking at.”
Michael Lonsway, president of Toronto-based Dapasoft Inc., says the more interconnected the healthcare ecosystem gets, the easier it is for threats to pop up and propagate. Hence the need for an approach that embraces “secure by design.”
“All developers need to be thoroughly trained in secure development principles, and that needs to be part of any solution deployed in healthcare today, recognizing the new and ever-changing threats related to cybersecurity,” says Lonsway.
In March, Dapasoft merged with iSecurity Inc. of Toronto to collaborate on evolving Dapasoft’s Corolar Cloud product. The move is intended to benefit customers “looking for a highly secure cloud integration platform” and to “offer cybersecurity along with DevSecOps advisory and managed services to customers across multiple industry verticals,” including healthcare.
Raheel Qureshi, a partner at iSecurity, says the two companies are working hand in hand to identify the real security challenges facing healthcare and correct them at the root cause. He points to several areas of security that need to be top of mind for any healthcare organization, in addition to microsegmentation and disaster recovery.
First, it’s important that organizations maintain the right level of software updates. “Patch management continues to be a challenge and we need to understand why,” says Qureshi, noting that some organizations delay applying security updates because it may require downtime and they are reluctant to negatively impact system availability.
Compugen’s Wood agrees that effective application of security updates is an area with which every customer struggles, regardless of industry. There are different approaches to mitigate the risk, including using an external or automated patch management service, but nothing on its own offers the perfect scenario, he says.
“Some patches you can automate but sometimes it requires a human eye,” he explains, noting that an update in one area may cause an unwanted cascade effect in another. The benefit of using an external managed service, he says, is that a service provider can keep on top of the process and “clean it up as quickly as possible” if or when a patch goes awry without adding a large amount of work to the existing IT staff.
A second recommendation from Qureshi is that healthcare organizations focus on providing the right level of protection to privileged users, who often hold the proverbial keys to the kingdom. “When hackers get in, the first thing they want to do is get access to the privileged IDs,” he says.
Protection means designing a security architecture so that identity and access management is properly handled, using tools like Microsoft Azure Active Directory, a cloud service that can also be integrated with on-premise directory tools. Manual practices for tracking and sharing privileged account passwords should be replaced with automated privileged account management (PAM) software that will provide visibility into who’s doing what, when, helping to identify potential threats.
As pointed out by PwC, active monitoring is another step healthcare organizations should be undertaking to safeguard systems and data. It’s not enough to implement a security information and event management (SIEM) product to provide real-time analysis of security alerts and call it a day. Qureshi recommends organizations start with an effective threat modelling exercise to truly understand their infrastructure and all of the various avenues of inbound and outbound traffic that are unique to it.
Even when effective strategies are applied to guard against cybersecurity threats, no organization is immune from an incident. Sometimes the best defence means going on the offense, applying a red team, blue team approach. Borrowed from the military, the terms are used to signify teams that simulate real-world attacks using the same techniques as a would-be hacker.
Red teams focus on penetration testing, exposing back door or exploitable vulnerabilities that pose a threat. Blue teams focus on strengthening incident response efforts and making the entire security infrastructure more responsive to unusual or suspicious activity.
Often the challenge is finding the security professionals to do the testing. For years, industry analysts have predicted a shortfall of cybersecurity talent with recent estimates suggesting there will be as many as 3.5 million unfilled cybersecurity positions by 2021.
Qureshi says that’s why hospitals need to rely on security partners, like the way car manufacturers rely on suppliers. A large automobile manufacturer sources multiple parts from multiple vendors in order to assemble a car, for example, but at the end of the day they still maintain responsibility over the end-product and its certification.
“It requires a team of individuals who bring all of this together to build a robust security strategy for an organization,” says Qureshi, pointing to skills such as security architect, forensic security officer, threat specialist and those with deep knowledge of security monitoring techniques. “No one hospital has all of those skill sets and no one person does either … Own the governance, own the oversight, have the right security program but when it comes down to validating and securing all of those components, leverage your partners,” he says.