CyberMaxx Managed Security Services: The Future of Cybersecurity in Healthcare

Source path: … › wp-content › uploads › 2020 › 04 › the-f…
Posted 04-Jul-2020


At 3:30am on September 20th, 2019, a major service disruption hit the computer systems of Campbell County Health* in rural Gillette, Wyoming.

Suddenly, the hospital ground to a halt. All EMS transports were quickly diverted to other hospitals.

All inpatient admissions and outpatient services were disrupted. Some surgery times were cancelled. The Campbell County Commissioner declared a state of emergency, mostly to ensure CCH wouldn’t lose any federal funding.

By 2:15pm, hospital IT staff had determined it was a ransomware attack. All CCH computer systems were affected. Hospital staff immediately began working with third-party cybersecurity experts and federal, state, and local law enforcement to address the attack.

While the ER remained open, ambulances were on site to take patients to other facilities as determined by clinicians. Patients needing a higher level of care from CCH’s behavioral health, hospice, OB, med/surg, and short-term rehabilitation centers were transferred to other facilities.

After two weeks of work, CCH’s clinics still had limited access to patient contact information and previously scheduled appointments. Respiratory therapy and the sleep clinic had not started accepting outpatients again.

It is unclear whether the hospital paid the ransom demanded by cybercriminals.

And the remarkable thing is how positively commonplace this kind of attack has become.

*CCH is not affiliated with CyberMaxx; information was obtained from CCH’s website.

The Future of Cybersecurity in Healthcare 3


Executive Summary

As healthcare technology evolves to make medical information more accessible to physicians and patients, bad actors are exploiting these same conveniences to infiltrate healthcare institutions.

Healthcare cyberattacks are becoming more common and more expensive, on top of the damage they already inflict on medical systems every year. Recent studies have also concluded that some cybersecurity measures taken to remediate breaches may have come at the cost of human lives.

Healthcare remains under assault from all fronts, with some medical systems reporting billions of attempted attacks per year. The threat is very real. An unprecedented number of medical institutions have experienced attacks resulting in stolen patient data, systems locked by ransomware, disruptions in care, and stolen research and development (R&D) data.

As healthcare cybersecurity professionals, we must maximize our security posture while minimizing disruptions to ensure patients do not suffer the ramifications of healthcare IT vulnerabilities. This seems like an impossible task, but we must rise to meet the challenge.

CyberMaxx investigated the current state of healthcare cybersecurity to uncover the most cutting-edge medical innovations and cybersecurity threats so you can be prepared to triage risks as effectively as possible.


A Brief History of Cybersecurity in Healthcare

HIPAA was passed in 1996 to improve accountability in healthcare, reduce fraud, and simplify healthcare administration. The digitization of medical records would save physical space at medical institutions while also making records easier to share between the parties that need them.

Over the following decades, HIPAA was revised several times to keep up with evolving medical technologies. But one element remained central to the regulation: a push to make patient medical data more accessible and shareable without jeopardizing patient privacy.

Efforts to do this successfully, however, had mixed results.

As digitization expanded to make medical access more convenient, cybercrime increased with it, exposing individual healthcare institutions to new vulnerabilities. Targeted attacks, ransomware, and other malware have grown increasingly common. Meanwhile, no one expects to become a victim of a cyberattack, and many institutions still neglect even the most basic security precautions, despite the fact that medical institutions large and small remain at risk.

Today, healthcare remains one of the most vulnerable industries to cybercrimes, even when institutions are HIPAA-compliant.

[Timeline figure: 1995, 1996, 2000, 2005, 2010, 2013, 2015, 2020]


A Generational Shift in Healthcare Demand and Delivery

Millennials will soon outnumber boomers as the largest living generation. With this change, patient and consumer demands are evolving, leading to several important implications for the future of healthcare.

Millennial healthcare preferences

“With millennials, it’s about meeting them where they are, in a very cost effective and convenient way,” says Joshua Scales, Healthcare Consulting Manager at LBMC.

Known for coming of age alongside the advent of the internet, millennials are used to having near-instant access to information, which translates to their expectations surrounding healthcare. “The thing I notice about the younger generation is they expect more instant knowledge and faster outcomes,” says Dr. James Botsko, MD, family practice physician in Gallatin, Tennessee.

Many millennials also reached adulthood during the Great Recession, a financial crisis that has had lasting impacts on millennial wealth, spending decisions, and general attitudes toward money.

Millennials’ desire for greater medical transparency, lower healthcare prices, and on-demand services suggests healthcare delivery will increasingly go digital.

Ditching the primary care physician

Between online resources like WebMD and dedicated online health forums, millennials are doing a lot of research for themselves instead of solely consulting with a physician. This reflects a waning dependence on the primary care doctor as a single source of truth when it comes to health. A study by Greyhealth Group found that “just 58% of millennials said they trust their physicians compared with 73% of all other [generations].”

That lack of trust is equally clear in millennial healthcare routines. According to a Kaiser Family Foundation poll of U.S. adults, 45% of 18- to 29-year-olds did not have a primary care provider, compared to just 28% of 30- to 49-year-olds.

“We found that this generation is less likely to trust physicians and far more inclined to consult online experts and other informal sources for advice,” reported Greyhealth Group.

Without a primary care relationship, millennials are also more likely to turn to specialists or on-demand healthcare providers. This compounds the need for electronic medical records to ensure patient safety and efficiency of care when receiving treatment from multiple physicians and institutions.


More on-demand healthcare

The need for faster outcomes is driving another emerging trend: the rise of minute clinics, or what is called a “doc-in-a-box.” According to a study published in JAMA, visits to retail clinics increased by 214% from 2008 to 2015. “I’m used to the old system where it took time to do everything. Nowadays, everything is near-instant. If millennials have a problem, they want an instant fix. Minute clinics and urgent care—I think that’s going to be the future. Folks aren’t used to waiting anymore,” says Dr. James Botsko.

“With the creation of innovative services, like ZocDoc and urgent care, patients can fulfill their immediate needs without having to interact with a primary care physician,” writes Dana Carne, MD.

Telemedicine

According to the Cleveland Clinic Journal of Medicine, an estimated 7 million patients used telemedicine services in the U.S. in 2018. This number is only expected to increase as delivery models shift to accommodate the nearly 60 million Americans who live in areas with receding healthcare infrastructure.

In 2019, rural hospital closures hit an all-time high. In the past decade, 23 rural hospitals closed in Texas alone.

Care via telemedicine comes in two main varieties that each present unique security challenges:

1. Synchronous — 1-on-1 patient and care provider conversations via secure video and chat connection

2. Asynchronous — pre-recorded sessions or data that are shared between patients and care providers that could involve a medical device that sends recorded patient data to the doctor.

“Patients are also welcoming the flexibility that technology brings to their care,” writes Christine Walters, Industry Executive at PwC. “Increasingly, they are willing to be monitored wirelessly for their conditions… Obtaining readings from devices like electrocardiograms, pacemakers or defibrillators, which generally requires an in-person visit, can now be done through a mobile phone and wirelessly sent to a physician.”

The security risk of meeting these new expectations

Millennial healthcare preferences are leading to an obvious new standard: the digitization of healthcare delivery and on-demand access to health records.

Market demand for transparent, web-first healthcare information requires an unprecedented level of information-sharing. Patients want access to protected health information (PHI) such as test results on their personal devices.

While there is a huge push for smartphone apps containing PHI, securing consumer devices presents many challenges.

“Patients are taking a greater interest in their care and are more willing to self-manage. They want to be more empowered when it comes to their health. Leveraging available health information, new technology, and mobile health (mHealth), the empowered consumer knows more, wants more and is able to do more for themselves,” writes Christine.

Maintaining security compliance across that many users and devices is a huge challenge for Information Security (InfoSec) professionals.

But information-sharing goes beyond patient access to medical information. The focus on specialists, telehealth solutions, and doc-in-a-box also suggests the need for personal information to be shareable to tertiary healthcare providers.


From an IT perspective, each new user is a new opportunity for a breach caused by human error. Every convenience offered to patients and medical professionals must be considered another door for potential cybercriminals.

The network continues to expand.

“Let me tell you what several dozen of my healthcare industry victims [at the FBI] had in common: they were all HIPAA compliant,” says Scott Augenbaum, retired FBI agent who spent almost 25 years fighting cybercrime. “So what does that mean? Being compliant is not the same thing as being secure.”

The hardest part about implementing adequate cybersecurity controls in a hospital setting is the fact that it has traditionally been treated as a remediation to an audit or compliance requirement. Hospitals do not bring in a cybersecurity solution because it makes their healthcare organizations earn more money, save more patient lives, or accomplish other business goals. No, most healthcare organizations invest in cybersecurity for the same reason they buy fire insurance: to save their patients, business, and employees from disaster.

Fortunately, patient data safety is and always will be a top priority for healthcare institutions. “We [as healthcare professionals] are responsible for the data that we collect,” says Dr. Geri Reeves, Associate Professor of Nursing at Vanderbilt University. “Once we start moving data outside of our virtual house, how do we know that it’s being protected? I don’t think it releases us from the liability of that information being protected just because it happens on somebody else’s watch. Patients are trusting medical care providers with their lives—as well as their data. We have a huge responsibility on our hands.”

But the fact remains that healthcare cybersecurity is a dance between executives driving rapid development and implementation of new systems, healthcare providers on the ground, and IT professionals responsible for deploying, operating and securing all those systems.

And cybersecurity professionals have to manage risk wherever the business needs to go.


The Primacy of Patient Care


The operational cost of an attack is a human cost

One recent study published in Health Services Research concluded that additional security protocols added after a data breach—the new systems put in place to restore data security—can be associated with increased mortality rates for patients with critical conditions like a stroke or heart attack.

“Cybersecurity remediation at hospitals appears to be slowing down doctors, nurses and other health professionals as they offer emergency cardiac care, based on this new study,” writes Nsikan Akpan for PBS.

As cybersecurity professionals, we must be aware of the impact of our work on clinical outcomes. Not only is there a business expense associated with the extra security protocols, but there could be a human cost.

Saving lives through increased cybersecurity

With lives on the line, there is a strong demand for cybersecurity precautions that don’t slow down medical professionals. “Security has to enable the everyday functions of a hospital, not block them. We have to strive to find controls that are effective but transparent,” says Thomas Lewis, CEO of CyberMaxx.

The larger context of this discussion has to include the fact that many healthcare practitioners have been left out of the equation as stakeholders and ultimately as users—but the impact of these controls on their workflow is real.

“Even the clinicians—the doctors and nurses—typically hate whatever electronic medical record (EMR) they’re using. These EMR systems came about through HIPAA legislation, which was more a requirement to facilitate data transfer. At the outset, they didn’t take into account the way clinicians work,” adds Josh Scales.

Implementing inefficient IT processes can negatively impact stakeholders across an entire healthcare organization—with both human and financial consequences. InfoSec has to analyze the real-world implications of IT interventions to prevent unintended consequences. We must remember: healthcare IT impacts real people providing patient care every day.

When doctors complain to business executives about the increased keystrokes or time required to log in to patient records, the execs go to IT and InfoSec. As doctors and execs become frustrated, InfoSec can be viewed as the problem.

But when done strategically, IT has the potential to boost efficiencies across an entire organization. IT efficiencies like allowing doctors to sign off on charts from home have the power to minimize operational costs— and give doctors more flexibility and work-life balance.

What is the implication? InfoSec professionals must keep the end user in mind for whatever security control we seek to implement.

“When we are fortunate enough to interact with clinicians and high level execs at the companies we serve, our message is that we try to help them understand the overall cybersecurity problem, so that they know how their day-to-day activities factor into cybersecurity outcomes. We try to speak their language,” says Jason Riddle, President and COO of CyberMaxx.

InfoSec needs to increasingly mitigate the operational impact of security controls— and indeed, find more efficient innovations like single sign-on that simplify everyday processes for clinicians.


Medical Devices and IoT

The place where the Internet of Things (IoT) and healthcare intersect is still in its infancy. Industrial and consumer IoT products provide enormous convenience to end users, which is why the industry has expanded so rapidly.

But when it comes to healthcare, there are two sides of IoT that medical professionals may interact with regularly: smart medical devices and general consumer IoT.

“Smarter medical devices and robotics are increasing in usage within providers; these devices, when insecure, can greatly endanger patients and create great liability for providers,” says Thomas Lewis.

82% of healthcare organizations have faced targeted Internet of Things cyberattacks from mid-2018 to mid-2019, according to a survey published by Irdeto. “Of the organizations hit by an attack, 30% report experiencing compromised end-user safety.”

Smart medical devices

What happens when an implanted biomedical device used to keep your body running gets hacked? Other than sounding like the plot of a sci-fi thriller, this situation can be understandably dangerous to patients.

There are multiple biomedical devices that run on smart technology. Perhaps the most glaring among these hackable devices are pacemakers, according to Healthline.

At the time it was published, Healthline reported that none of these pacemakers had yet been hacked in the wild. For now, geography is the limiting factor: the reported weaknesses are in the devices’ short-range radio links, so unless an attacker comes within roughly 20 feet of the patient, they cannot reach the pacemaker. That assumption weakens as remote monitoring moves device readings onto phones and home networks, as described above.

But as long as hackable biomedical devices are multiplying in hospital settings, patients, manufacturers, and medical institutions are at risk. As technology becomes more sophisticated, so do the cybercriminals.

According to a report by Moody’s Investors Service, “Among the biggest risks are attacks against connected medical devices such as insulin pumps, defibrillators and cardiac monitors, which are now entrenched in remote monitoring and require constant updating and patching.”

Fortunately, top medical device makers like Abbott and Medtronic have started to work with whitehat hackers and InfoSec researchers to secure medical devices, even staging immersive hospital-based hacking scenarios at DEF CON’s Biohacking Village.


For now, there are plenty of other smart medical device security risks to address:

1. Biomed support is largely outsourced, and security responsibilities may not be clearly defined.

2. A lot of medical software runs on Windows. Many hospitals don’t stay up to date with the latest updates, which by itself is a security risk. Many healthcare institutions defer updates for years because patching is low on their priority list and the cost of validating an update against a clinical system can be high. Unpatched and unsupported Windows systems were exactly what let WannaCry spread through the NHS in 2017.

3. Many medical devices don’t report through IT, so they don’t follow IT’s control processes.

4. Outdated medical devices present a clear security vulnerability. If they can’t be replaced with newer machinery, they need to be quarantined on a dedicated, isolated network segment away from the rest of the network.

5. Many medical devices store patient information. As these tools become dated, many healthcare institutions simply throw them away without first deleting the confidential patient data stored on the devices (printers, EKGs, and insulin pumps, for example).

Consumer IoT devices at healthcare institutions

Consumer devices in clinical environments are an ongoing challenge. Doctors might wonder why they can’t have an Alexa in the office, not thinking about the myriad privacy issues presented by these consumer devices.

Most pressingly, cybercriminals can use consumer tech devices to get into clinical settings and eavesdrop, or worse, use them as a means to worm their way into the hospital IT network.

Though Amazon is entering the healthcare industry with the introduction of a new HIPAA-compliant Skills Kit, that does not mean that generic consumer smart speakers are HIPAA-compliant and appropriate for clinical settings.

For starters, Amazon has acknowledged that employees review a sample of smart speaker recordings to improve the service. Smart speakers have also been known to inadvertently send recordings to third parties.

More recently, researchers from SRLabs found that malware could easily be disguised as a seemingly harmless Alexa skill or Google action—third party add-ons that some users install to add functionality to their smart speakers—allowing cybercriminals to secretly record dialogue or attempt to get the user’s Google password through phishing. In a clinical setting, this is akin to inviting cybercriminals to be a fly on the exam room wall.

A recent FBI public warning noted that smart TVs “can be a gateway for hackers to come into your home… At the low end of the risk spectrum, [cybercriminals] can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyber stalk you.”
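Items 2 through 5 of the smart medical device list above describe a triage that most hospitals still do by hand. The following is an added example, not from the paper and not CyberMaxx’s tooling, of automating the first pass over an asset inventory export: it flags devices on unsupported Windows versions or with patches older than a policy threshold for network isolation, flags stale but supported devices for patching, and notes devices that sit outside IT change control or store PHI. The CSV rows, column names, reference date and thresholds are constructed assumptions.

```python
"""Triage a medical-device inventory for isolation, patching or review.

Added example; not CyberMaxx's or any vendor's tool. The inventory rows,
column names, reference date and policy thresholds are constructed
assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Assumption: OS families with no vendor security updates, maintained by the
# security team and extended as products reach end of life.
UNSUPPORTED_OS_PREFIXES = (
    "windows xp",
    "windows 7",
    "windows server 2003",
    "windows server 2008",
    "windows embedded standard 2009",
)

AS_OF = date(2020, 4, 1)    # assumed reference date for patch-age arithmetic
ISOLATE_AFTER_DAYS = 365    # assumed policy: unpatched this long -> isolate
PATCH_AFTER_DAYS = 90       # assumed policy: unpatched this long -> patch now

# Constructed sample export (not real hospital data).
SAMPLE_INVENTORY = """\
hostname,device_type,os,last_patched,network_zone,managed_by,stores_phi
ct-scanner-01,CT scanner,Windows 7,2016-03-10,clinical,vendor,yes
infusion-pump-12,infusion pump,Linux 4.9,2019-11-02,clinical,biomed,no
ekg-cart-03,EKG cart,Windows 10,2020-02-20,clinical,it,yes
pacs-srv-02,PACS server,Windows Server 2012 R2,2018-01-20,datacenter,it,yes
printer-er-01,printer,proprietary,2019-12-01,clinical,it,yes
"""


@dataclass
class Decision:
    hostname: str
    action: str                     # "isolate", "patch" or "ok"
    reasons: list = field(default_factory=list)


def is_unsupported(os_name: str) -> bool:
    name = os_name.strip().lower()
    return any(name.startswith(p) for p in UNSUPPORTED_OS_PREFIXES)


def classify(row: dict, today: date = AS_OF) -> Decision:
    d = Decision(row["hostname"], "ok")
    patch_age = (today - date.fromisoformat(row["last_patched"])).days

    # Items 2 and 4: an unsupported OS or very stale patching means the device
    # cannot be trusted on the general network; it goes to a quarantine segment.
    if is_unsupported(row["os"]):
        d.reasons.append(f"unsupported OS: {row['os']}")
    if patch_age > ISOLATE_AFTER_DAYS:
        d.reasons.append(f"last patched {patch_age} days ago")
    if d.reasons:
        d.action = "isolate"
    elif patch_age > PATCH_AFTER_DAYS:
        d.action = "patch"
        d.reasons.append(f"last patched {patch_age} days ago")

    # Item 3: devices outside IT change control need a named owner for the fix.
    if row["managed_by"].strip().lower() != "it":
        d.reasons.append(f"managed by {row['managed_by']}, outside IT change control")
    # Item 5: anything holding PHI must be sanitized before disposal or return.
    if row["stores_phi"].strip().lower() == "yes":
        d.reasons.append("stores PHI: wipe storage before disposal or vendor return")
    return d


def triage(csv_text: str, today: date = AS_OF) -> dict:
    """Return {hostname: Decision} for every row in the CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r, today) for r in rows}


if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY).values():
        print(f"{d.hostname:18} {d.action:8} {'; '.join(d.reasons)}")
```

The output is a work list, not an enforcement action: the "isolate" rows are what gets moved to the quarantine VLAN, the "patch" rows go to whoever the managed_by column names, and the PHI note follows the device into the disposal process.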


Growing Networks and Evolving Risks

Ransomware

Ransomware continues to be one of the biggest threats to the healthcare sector. McAfee Labs’ report covering Q1 2019 showed a 118% increase in new ransomware samples.

In May 2017, the UK National Health Service (NHS) was hit with a massive ransomware cryptoworm attack called WannaCry. At the time, there was no official cyberattack response plan in place. The largest impact of this attack was that an estimated 19,494 patient appointments were cancelled, including scheduled operations.

The entire cybersecurity community has learned a lot from this attack, most notably because of how easily it could have been prevented. The official report from the Department of Health found that “All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.”

Social engineering attacks

Another one of the most common threats is social engineering attacks, including phishing, pretexting, and spear phishing. “Your last line of defense is your end users. If they click the wrong email, accept the wrong file, or store a password in an insecure location, then it’s done. All that money I’ve spent and all the safeguards I have up are no good anymore. CyberMaxx is helpful because they continually monitor your network to find abnormal activity so you can flag it quickly and fix the problem,” says Josh Scales.

And it’s not just the untrained clinical assistants that are at risk. According to Verizon’s 2019 Data Breach Investigations Report, “C-level executives were twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past.”

Weak passwords are an easy target for brute-force and password-guessing attacks, and passwords exposed in other breaches are replayed against healthcare logins. Without additional controls like two-factor authentication, a single stolen password can cascade into stolen personal or business information. In fact, the same Verizon report found that 80% of hacking-related breaches involved compromised or weak passwords.


How do organizations protect themselves against so many possible user errors?

Start every cybersecurity effort by training your clinical staff and employees—all the way up to the C-suite—how to notice suspicious activity and report it immediately while following protocols for setting safe passwords. Use two-factor authentication as much as possible.
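The continuous monitoring Josh Scales describes above starts with authentication logs. The following is an added example, not CyberMaxx’s tooling, of the three checks an analyst would run first over login events: repeated failures against one account from one source (brute force), one source failing against many accounts (password spraying), and a success that follows a burst of failures (a likely compromised password). The log line format, the thresholds and the sample lines are constructed for illustration.

```python
"""Flag brute force, password spraying and success-after-failures in auth logs.

Added example; not CyberMaxx's tooling. The log line format, the thresholds
and the sample events below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<RFC 3339 time> auth: login <failed|ok> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)   # assumed correlation window
BRUTE_FORCE_FAILURES = 5        # one account, one source, this many failures
SPRAY_DISTINCT_USERS = 4        # one source, this many different accounts
SUCCESS_AFTER_FAILURES = 3      # a login that follows this many failures

# Constructed sample log (documentation IP ranges, fictional accounts).
SAMPLE_LOG = """\
2020-03-02T08:00:01Z auth: login ok user=rn.garcia src=10.20.5.14
2020-03-02T08:01:12Z auth: login failed user=dr.patel src=203.0.113.7
2020-03-02T08:01:20Z auth: login failed user=dr.patel src=203.0.113.7
2020-03-02T08:01:31Z auth: login failed user=dr.patel src=203.0.113.7
2020-03-02T08:01:45Z auth: login failed user=dr.patel src=203.0.113.7
2020-03-02T08:02:03Z auth: login failed user=dr.patel src=203.0.113.7
2020-03-02T08:02:30Z auth: login ok user=dr.patel src=203.0.113.7
2020-03-02T08:10:00Z auth: login failed user=rn.garcia src=198.51.100.9
2020-03-02T08:10:05Z auth: login failed user=admin src=198.51.100.9
2020-03-02T08:10:11Z auth: login failed user=lab.tech src=198.51.100.9
2020-03-02T08:10:17Z auth: login failed user=billing src=198.51.100.9
2020-03-02T08:15:00Z auth: login failed user=rn.garcia src=10.20.5.14
2020-03-02T08:15:30Z auth: login ok user=rn.garcia src=10.20.5.14
"""


def parse(log_text: str) -> list:
    """Return (timestamp, result, user, src) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue    # skip lines that are not login events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def detect(log_text: str) -> list:
    """Return sorted (alert_type, src, user) tuples; each alert is raised once."""
    alerts = set()
    fails_by_pair = defaultdict(list)   # (src, user) -> failure timestamps
    fails_by_src = defaultdict(list)    # src -> (timestamp, user) of failures
    for ts, result, user, src in parse(log_text):
        # Only failures inside the window count, so an old failure does not
        # keep an account "hot" forever.
        recent_pair = [t for t in fails_by_pair[(src, user)] if ts - t <= WINDOW]
        if result == "failed":
            recent_pair.append(ts)
            fails_by_pair[(src, user)] = recent_pair
            fails_by_src[src] = [(t, u) for t, u in fails_by_src[src] if ts - t <= WINDOW]
            fails_by_src[src].append((ts, user))
            if len(recent_pair) >= BRUTE_FORCE_FAILURES:
                alerts.add(("brute_force", src, user))
            if len({u for _, u in fails_by_src[src]}) >= SPRAY_DISTINCT_USERS:
                alerts.add(("password_spray", src, "*"))
        elif len(recent_pair) >= SUCCESS_AFTER_FAILURES:
            # The guessing eventually worked: treat the password as compromised.
            alerts.add(("success_after_failures", src, user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Two design points matter in practice. The spray check keys on the source rather than the account, because a sprayer touches each account once and never trips a per-account lockout; and a single failed login followed by a success (rn.garcia above, a typo) is deliberately below threshold, since a detector that pages on every mistyped password is switched off within a week.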

Securing Vast Interconnected Networks

Another issue is the exponential number of entry points into the hospital network. “By nature, hospitals have always been difficult to secure,” says Thomas Lewis. “Often, one of the biggest risks is that new systems and integrations to the network aren’t tested and vetted by InfoSec. They’re just implemented.”

In fact, this is one of the main concerns with 5G technology. In major metro areas, back offices could start to connect directly to biomedical devices or third-party imaging servers over carrier networks, sending PHI across connections the hospital neither controls nor monitors.

In September 2019, ProPublica revealed that millions of images on servers run by independent radiologists, medical imaging centers, and archiving services were accessible online—unprotected by even the most basic security precautions.

The fact remains that integrating with third parties or outside servers means you cannot quickly patch vulnerabilities in systems you do not control. Hospital InfoSec must take full responsibility for its own network and manage the risk posed by vulnerabilities in outside systems.

For example, another risk is the use of third-party applications that integrate with EMRs. “With some of the smaller EMRs, clients tend to go out and partner with other third-party products who can fix particular operational and clinical problems. If that one third-party vendor gets compromised, then you can compromise your entire system. There’s so many end-points now, it’s incredibly difficult to keep cybercriminals out,” says Josh Scales.

Getting InfoSec integrated into the process of purchasing and procurement is critical to managing the sliding scale of risk when it comes to medical devices and outsourced services.


Machine Learning & AI

The Challenge of Big Data

Medical professionals are creating data at an exponential rate and leveraging increasingly complex infrastructure to house it. Consequently, machine learning and artificial intelligence (AI/ML) are growing in importance for securing healthcare infrastructure. Managing such a large ocean of data is only possible with help from algorithms that can track patterns, identify anomalies, and detect malware so InfoSec can quickly stop attacks and implement effective countermeasures.

“On the detection side of things, the key advancement that is driving improvement over the next 3-5 years is the development of data analytics,” says Jason Riddle. “It’s helping us detect sophisticated attacks faster—attacks that might otherwise fly under the radar. We’re finding things now that we probably wouldn’t have found five years ago, because of the data analytics tools we have available today. And these tools are getting better every day.”

But as security professionals implement AI/ML, so do the bad guys. To add insult to injury, attackers are often a couple of steps ahead of healthcare institutions. As they use these advanced deep learning techniques, their algorithms are getting better.

The same tech we’re trying to take advantage of is being used against us. In early 2019, a team of Israeli researchers showed that malicious actors can use “deep-learning to add or remove evidence of medical conditions from volumetric (3D) medical scans.” In a covert penetration test, they intercepted and altered CT scans in transit at an active hospital. The researchers suspect this type of malware could be used to tamper with MRI and CT scans to commit insurance fraud, tamper with test results from high-profile individuals, or even commit sabotage or murder.

InfoSec practitioners need to understand that cybersecurity today requires a data analytics function. Big data is no longer on the horizon: it’s here.
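The CT-scan tampering described above works because nothing on the path from scanner to radiologist checks that the images arrived unchanged. The following added example, which is not from the paper or from the researchers, shows the control that closes that gap: a keyed integrity tag (HMAC-SHA256) computed where the study is acquired and checked where it is read. The “study” is a constructed stand-in for a DICOM series, and the shared key between scanner and PACS is an assumption about deployment.

```python
"""Detect in-transit tampering of an imaging study with a keyed integrity tag.

Added example; not from the paper or the CT-GAN researchers. The "study" is
a constructed stand-in for a DICOM series (a few header fields plus raw pixel
bytes). Key handling is an assumption: the scanner holds an HMAC key and the
PACS or reading workstation holds a copy, provisioned out of band, so an
attacker on the network can alter pixels but cannot produce a valid tag.
"""
import hashlib
import hmac
import json


def canonical_bytes(study: dict) -> bytes:
    """Deterministic serialization so scanner and verifier tag the same bytes.

    The header is covered as well as the pixels; otherwise a valid image could
    be re-attached to another patient's record without detection.
    """
    header = {k: v for k, v in study.items() if k != "pixels"}
    encoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return encoded + b"\x00" + study["pixels"]


def tag_study(study: dict, key: bytes) -> str:
    """Computed at acquisition, before the study leaves the scanner."""
    return hmac.new(key, canonical_bytes(study), hashlib.sha256).hexdigest()


def verify_study(study: dict, tag: str, key: bytes) -> bool:
    """Checked at the PACS or workstation before the image is displayed."""
    return hmac.compare_digest(tag_study(study, key), tag)


def verify_unkeyed(study: dict, digest: str) -> bool:
    """What a plain checksum travelling with the image would check."""
    return hashlib.sha256(canonical_bytes(study)).hexdigest() == digest


def inject_lesion(study: dict, offset: int, size: int) -> dict:
    """Stand-in for the attacker's edit: overwrite a block of pixel bytes."""
    pixels = bytearray(study["pixels"])
    pixels[offset:offset + size] = b"\xff" * size
    tampered = dict(study)
    tampered["pixels"] = bytes(pixels)
    return tampered


def make_sample_study() -> dict:
    """Constructed 64x64 8-bit slice with deterministic content."""
    pixels = bytes((x * 7 + y * 3) % 256 for y in range(64) for x in range(64))
    return {"patient_id": "EXAMPLE-0001", "modality": "CT", "series": 3,
            "rows": 64, "cols": 64, "pixels": pixels}


def run_scenario(key: bytes) -> dict:
    """Scanner tags, attacker edits in transit, verifier checks."""
    study = make_sample_study()
    tag = tag_study(study, key)                    # scanner side
    tampered = inject_lesion(study, 2048, 64)      # attacker on the wire
    # The attacker can recompute an unkeyed digest for the edited image...
    attacker_digest = hashlib.sha256(canonical_bytes(tampered)).hexdigest()
    return {
        "original_ok": verify_study(study, tag, key),
        "tampered_ok": verify_study(tampered, tag, key),
        "wrong_key_ok": verify_study(study, tag, b"not-the-provisioned-key"),
        "unkeyed_digest_fooled": verify_unkeyed(tampered, attacker_digest),
        # ...but cannot forge the keyed tag the verifier expects.
        "forged_tag_ok": verify_study(tampered, attacker_digest, key),
    }


if __name__ == "__main__":
    import os
    for check, result in run_scenario(os.urandom(32)).items():
        print(f"{check:24} {result}")
```

A plain hash travelling with the image does not help, since the attacker on the wire recomputes it; only a key the attacker lacks makes the tag meaningful. A shared HMAC key still lets either side forge tags, so where non-repudiation matters (which scanner produced this study) a per-device signing key and a digital signature replace the HMAC, with the same canonical bytes as input.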


Rapid Clinical Acquisitions

Acquisitions and mergers are trending upwards in healthcare. 2017-2019 have been back-to-back record-breaking years in terms of acquisition quantity. Larger hospital systems have been acquiring smaller healthcare organizations.

In the acquisitions, the purchasing party often doesn’t know the technological challenges they’re walking into. There’s no single EMR system used universally across healthcare networks. In fact, many smaller healthcare organizations still use paper charts, or do less to prioritize data safety than the acquiring organization. It’s easy, without the right preparation, to purchase a patient-data disaster.

In a 2018 study about medical device security, KLAS Research reported “Legacy Medical Devices a Universal Challenge” as one of their key findings. Dated medical technology is a common security risk. In the case of acquisitions, you could possibly be acquiring someone else’s negligence—both known and unknown.

Legacy systems also speak to another problem: a slowness to adopt new technology.

There are multiple factors causing this slow adoption. Some come down to price: it can cost thousands to multi-millions of dollars to install a robust, secure IT system with appropriate security controls, monitoring capabilities, and more.

In addition, smaller healthcare institutions— particularly those run by veteran healthcare practitioners—fear making huge changes to daily processes. It’s hard to reset the daily working standards of an office, especially when some team members have used the same protocol and technology for decades.

Budget constraints

Moody’s reports that smaller hospital systems are most vulnerable to cyberattacks precisely because of the budget and talent constraints they face.

Due to the large upfront investment of adopting electronic medical records, younger practitioners are more inclined to use EMRs than doctors nearing retirement. Spending tens of thousands of dollars to update systems in their final years of medical practice is understandably unappealing. Many are opting to maintain physical records for their immediate convenience.

Upcoming medical students are being prepared in medical school to use and handle electronic records. Paper charts are almost obsolete to millennials now coming up through medical school. At the same time, retiring doctors are handing off decades of patient medical data to be transferred to electronic format. To meet compliance, some of these paper records are stored for years in doctors’ homes and offices.

Preparing the next generation of medical professionals for cybercrimes

Protecting patient medical data has always been an important element of the medical profession. As these records have become increasingly digitized, new threats emerge.

At Vanderbilt University, nursing students are given a robust IT orientation. They’re taught some of the most common ways cybercriminals access patient medical information including social engineering attacks. Dr. Geri Reeves says, “We have a pretty sophisticated student orientation with our IT dept. They are detailed on the importance of keeping patient information safe—that’s the verbal record, written record, and electronic health record.”

This brings us face-to-face with the fact that there is still a wide discrepancy in technological adoption between large corporate-owned hospital chains and small, independently-owned medical practices. A discrepancy also exists between for-profit and non-profit systems. Healthcare, as an industry, is still evolving.


10 Predictions for the 2020s

1. Cybercriminals continue to take the path of least resistance

While attackers will continue to employ more sophisticated means to hack into healthcare systems, the dictum still applies that they will take the path of least resistance. “Just like us, cybercriminals try to be efficient,” says Jason Riddle. “If they find an easier way to get into our systems, they’ll take it.”

Verizon has indicated that cloud hacking will be one of the new key ways that cybercriminals enter our systems—stealing credentials and hacking into cloud-based email servers.

2. Mobile as a vector for cybercrimes

Verizon also notes that mobile users will be the doorway to social engineering attacks. “Research shows mobile users are more susceptible to phishing, probably because of their user interfaces and other factors. This is also the case for email-based spear phishing and social media attacks.”

3. Healthcare cybercrimes as a public health risk

Because of the resulting impact on human lives when a hospital network is attacked and emergency controls have to be put in place, cyberattacks should be treated as a threat to public health. Healthcare systems should continue to work together to diagnose issues and share best practices for protecting themselves from ransomware and data breaches.

4. Increased use of data analytics and machine learning

InfoSec teams will need data science and data analytics competencies to effectively detect and counteract advanced malware powered by AI/ML. Top cybercriminals keep pace as technology advances. To stay ahead, InfoSec will need to double down on keeping companies safe, and on keeping security infrastructure accessible to healthcare institutions.

5. Convenience can’t come at the cost of security

Ultimately, supply and demand will define most structural healthcare changes in the next decade. Growing demands for more convenient, on-demand healthcare will be satisfied by healthcare institutions, at the risk of exposing even more doors to cybercriminals.

6. The rise of ransomware as a result of cyberattack insurance

Despite calls from the FBI and the cybersecurity community, cybercrime may only increase as ransomware attacks result in payment to cybercriminals. As cyberattacks become more and more disruptive, it is likely that more hospital systems will purchase more cyber insurance to protect against attacks. This seems to embolden cybercriminals to continue to use ransomware to demand payments from healthcare institutions that have the protection to pay larger and larger ransoms. Eventually this cycle must stop.


7. Consumers will demand greater accountability

Data mismanagement increasingly leads to distrust from consumers. As more healthcare data breaches unfold, consumers will begin demanding higher levels of security regarding their personal information. Reputation will matter more and more.

“Informed consumers will demand increasing accountability, integrity and transparency from their health systems,” writes Christine Walters of PwC.

8. Younger generations will be better equipped to avoid cyber risks

“My exposure to electronic records is very limited. Every year I learn more and get a little more comfortable with it. My daughter, who is in medical school right now, could probably do 10x more with it. With every new generation of doctors coming out of residency, the system is going to get much better,” says Dr. James Botsko, MD.

9. Electronic medical records advanced by 5G

5G technology could revolutionize hospital networks in major metro areas—MPLS or WANs could be replaced with 5G broadband, directly connected to biomedical devices and systems containing PHI.

10. Consumers & industry advocates will demand government intervention to combat cybercriminals acting from safe havens (e.g. Russia, China, etc.)

A theme of modern cybercrime is that technology advances as quickly for malicious actors as for whitehat developers. The 2016 U.S. Presidential election brought attention to the possibility of foreign governments interfering in our business. The coming years will see continued demand for our government to intervene on behalf of businesses and individuals to prevent similar hacking from foreign governments on U.S. citizens and businesses.


Summary: The Future of Cybersecurity in Healthcare

“Cybersecurity is a part of the whole system. It takes all of us.” - Dr. Geri Reeves

In 2015, cybercrime was a $3 trillion problem. By 2021, the cost of damages is expected to double to $6 trillion according to Cybersecurity Ventures. As Scott Augenbaum asks, “What does it mean if we spend that kind of money, and cybercrime still increases?”

Into the 2020s, healthcare cybersecurity professionals must work faster—and smarter than ever—to prevent, detect, and respond to attacks.

But the shockingly simple truth is that the vast majority of cyberattacks can be prevented. As simple as it may seem, covering the basics puts your institution far ahead of the status quo going into the new decade.

Here are the basic precautions every healthcare institution should ensure they have in place:

• Educate your staff early and often on how to identify and report social engineering attacks.

• Use multi-factor authentication on all remotely connected systems and any systems containing sensitive data such as PHI. Strive to leverage the multi-factor authentication technology as a single sign-on solution.

• Enforce the use of strong passwords anywhere you can’t use multi-factor authentication.

• Implement endpoint controls such as EDR technology to protect users’ systems against the most common attacks.

• Keep systems and applications continuously patched and updated.

• Continuously monitor your network and applications with advanced tools and data analytics technologies.

• Maintain multiple backups of all your critical data, PHI, HR records, and important files.

• Implement strong network segmentation or micro-segmentation technology to limit the exposure and spread of malware or breaches.

When implementing all of these precautions, please remember to consider the impact on healthcare practitioners and patient care. Strive for transparency and efficiency.


About CyberMaxx

CyberMaxx™ provides managed security services designed to help maintain compliance, eliminate talent shortages, and protect an organization’s data. With more than 15 years of experience, CyberMaxx equips its customers with a 24/7/365 security operations center and a team of leading healthcare cybersecurity experts.

CyberMaxx services include endpoint threat detection and response, network-based threat detection and prevention, security information and event management (SIEM) with advanced data analytics, vulnerability risk management, and incident response services.

Contact CyberMaxx for more information about healthcare cybersecurity solutions by visiting CyberMaxx.io.


Acknowledgements

We would like to thank the following experts for their unique contributions:

Scott E. Augenbaum, MBA, Consultant, Speaker and Author / Retired FBI Cyber Division Supervisory Special Agent, The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime

Dr. Geri Reeves, PhD, APRN, FNP-BC, Associate Professor of Nursing, Vanderbilt University

Dr. James Botsko, MD, Fairvue Family Wellness

Joshua Scales, CLSSGB, Manager, Healthcare Consulting, LBMC Healthcare

Andrew Cooper, CISSP, MBS, CHP, CSCS, Executive Director of Information Technology, NCH Healthcare System

Andy Heins, Vice President and CISO, LifePoint Hospitals

Charlie Effler, CAN, MCITP, IT Infrastructure Manager, Summit Healthcare

Dan Baxter, CISSP, Information Security Officer, Florida Cancer Specialists

Jay Adams, Director, Information Security Officer, Tallahassee Memorial HealthCare

Jericho Simmons, Director of Information Security, Sound Physicians

Nicholas Dybvig, CISSP, MBA, Director of Information Security, Ardent Health

Robert Banniza, Assistant Vice President - Information Security, Envision Healthcare