Canada’s hospitals must monitor cyber-threats to avoid attacks
March 31, 2022
Canadian hospitals continue to be targeted by hackers, and in some cases, their systems have been disabled for days – recent examples include Eastern Health in Newfoundland and Labrador, and Humber River Hospital in Toronto.
Yet, despite the warning signs, many hospitals have yet to invest in the technologies and procedures that could stop these intrusions.
In a recent webinar on cybersecurity that was sponsored by Calian, an Ottawa-based company with a presence in both healthcare I.T. solutions and security, a quick poll of the 140 online participants found that only 13% were confident in their I.T. security. Moreover, 30% were worried, saying they needed to rethink their I.T. security strategy.
Not only can cyber-crooks steal data, but they can also infect hospital systems with ransomware that freezes the system until the organization pays a ransom – sometimes in the millions of dollars.
A key problem faced by hospitals today is the pressure to share data with patients, clinical partners, research partners and companies. While this can lead to better healthcare outcomes for patients, and to productivity gains for partners, it also opens up the system to many more points of attack.
“As the system moves forward to share the patient record, and to share data in the cloud and in labs, your threats and exposure increase,” said Raheel Qureshi, partner, Cybersecurity Risk and Advisory Services with iSecurity, a Calian company.
Qureshi asserted that cyber-criminals have become more sophisticated in recent years. “Sometimes the attackers know your network better than you do, they know what is exposed.”
What’s needed to combat the growing sophistication of cyber-criminals is a proactive strategy that uses technology to monitor an entire hospital network – meaning all of its devices and endpoints. And the surveillance has to be done quickly to be effective, observed Drex DeFord, executive health care strategist with CrowdStrike.
In addition to working with technology companies, DeFord was also a CIO with the Scripps chain of hospitals in the United States, and with the Seattle Children’s Hospital.
DeFord described how attacks typically start – and the best way of stopping them.
Often, the attackers will search for an unprotected device through which they can gain entry to the whole system. “The point where they get into the network and move on to the next device is really crucial – at CrowdStrike, we call that the ‘breakout time’.”
He continued, “Once the adversary breaks out of the first machine and makes a lateral move, containment of that cyber-event becomes way more complicated.”
He compared this event to a stroke, in which there is a “golden hour” for optimal treatment. “Our research shows that it takes about an hour-and-a-half for an adversary to break out of that first device and move laterally,” said DeFord. For this reason, monitoring systems that can detect intrusions and respond within an hour are crucial.
“Cyber-security teams should think about a standard response time for end-point break-ins that we call 1:10:60 – where you can detect an attack on an endpoint within a minute, triage it within 10 minutes, and eradicate or contain the attack within 60 minutes.”
CrowdStrike has its own solution for this kind of monitoring, called Falcon Complete. (Other leading I.T. security companies have their own solutions.)
DeFord asserted that Falcon Complete is much faster than standard anti-virus systems, which tend to require extensive software at each endpoint. This resource-heavy solution often slows down the system, as the software constantly compares a database of viruses with every file that crosses its path.
By contrast, Falcon Complete is cloud-based and makes use of very small pieces of software that are embedded into the endpoints. “We built a super-tiny sensor that goes to the end-point. That sensor is listening to everything and it’s pulling it into the cloud.”
Moreover, he said the solution monitors systems worldwide and uses the knowledge gained at various sites to help all the others.
Erin Leonard, senior sales engineering manager at Proofpoint, explained further how breaches often happen.
“The weakest links are people,” she said, “and email is the number one vector for how the threats are getting in. They take advantage of how easily people fall for certain things.”
She cited a HIMSS survey on security that found 89% of compromises started with email.
Some systems, like Proofpoint, can filter out suspicious emails before they even hit the in-box of staff and clinicians. Techniques like “browser isolation” can also be used. “So, if an end-user does click on a link that is malicious, they’re taken into a browser where nothing can be uploaded or downloaded.”
Of course, not every malicious message can be eliminated 100 percent of the time – which means that people must be on guard. “The best strategy is a multi-factor approach of training and trying to ensure that your end-users are as aware as possible, so they know what to look for,” said Leonard.
Damian Chung, business information security officer with Netskope, a cloud security company, observed that most organizations have been migrating applications to the cloud – or they’re planning to do so. With cloud-based apps and data, employees and clinicians can work anywhere, accessing the information they need remotely.
“COVID pushed people out of the workplace and into their homes, into coffee shops and hotels,” said Chung. “We’ve been seeing this trend for a while, COVID just pushed it forward faster than expected.”
However, that means users are taking the data far outside the walls of the hospital or clinic. Further, they’re often contractors or research partners who are bringing their own devices and sending the data into their own clouds.
Chung said solutions like Netskope can determine where an organization’s data is going – and whether that destination is acceptable or not.
“Hopefully you don’t get into the situation where your data is already exfiltrated to an attacker. But if you do, knowing where your data is, and where your sensitive data is, is key.”
Panelists also discussed the growing importance of multi-factor authentication (MFA) to gain access to applications and data. MFA requires the user to enter more than one password, enter a fingerprint, or respond to a code sent to his or her cellphone.
While MFA greatly improves the security of systems, in the past it has irritated clinicians because it slows down their access to data.
Adam Crown, group product marketing manager, Healthcare Solutions, with Okta, asserted that today, MFA is a lot easier to use than it used to be, but many users don’t yet understand that.
Moreover, MFA requirements are starting to show up in the cyber-insurance policies of organizations. For this reason, “MFA is no longer a ‘nice to have’ technology, it’s a necessity,” said Crown.