Rohan Vaidya, Regional Director of Sales – India, CyberArk, gives his views on how healthcare organisations are prime targets for attacks because they possess a plethora of sensitive and potentially valuable information—much of it located in the Cloud
Patients today experience medical services that go far beyond that of the generations before them. Telemedicine, virtual care, medical devices enabled by the Internet of Things (IoT), and patient communication portals are helping to improve clinical outcomes and provide new models of care in a rapidly changing healthcare industry.
While these developments will likely lead to better treatment and more convenience for patients, they also create a complex care delivery network – one that could be an attractive target for attackers.
In fact, according to CyberArk’s Global Advanced Threat Landscape 2019 report, 50 per cent of healthcare organisations reported that a cyber attack impacted their business within the last three years. The study, based on a survey of 1,000 IT security decision makers and C-level executives in seven countries, found that greatest healthcare cybersecurity risks are external attacks such as phishing (cited by 61 per cent of the respondents), ransomware/malware (57 per cent), management of the cloud (43 per cent) and insider threats (41 per cent). Further, nearly 20 per cent of healthcare organisations identified privileged insiders as their number one security threat.
As hospitals and healthcare ecosystems continue to grow and embrace digital transformation, providers need to put an emphasis on protecting highly targeted electronic personal health information (ePHI) within expanding, interoperable care delivery networks.
Moving to the Cloud
Healthcare organisations are prime targets for attacks because they possess a plethora of sensitive and potentially valuable information—much of it located in the Cloud. As more and more functions are moved from to cloud and hybrid cloud environments, the security risks increase.
Forty-three percent of healthcare organisations surveyed are deploying or storing patient data, including data subject to regulatory oversight, in the Cloud. Nearly half (46 per cent) are deploying or storing Cloud-based business critical applications, including revenue-generating, customer-facing applications in the Cloud. Furthermore, 45 per cent of healthcare organisations are deploying critical business applications on software-as-a-service (SaaS) offerings – including customer facing applications, enterprise resource planning (ERP), customer relationship management (CRM), and financial management software.
To be clear, the use of the cloud is not problematic in and of itself; rather, the report uncovered some troubling Cloud-related habits which may be to blame. For example, 35 per cent of healthcare organisations are fully depending on their cloud provider’s built-in security, despite not believing it is sufficient. Even more disturbing – a good number of healthcare organisations admit that they didn’t notify their customers when their sensitive data had been compromised as a result of a cyber attack, and 37 per cent said they would prefer to pay a penalty or fine for non-compliance with regulations instead of substantially changing their security strategy.
In fact, complying with data privacy regulations appears to be a major challenge for healthcare companies, with only 40 per cent saying they were prepared for a potential General Data Protection Regulation (GDPR) breach investigation.
As healthcare organisations continue to embrace digital transformation, they need to modernise their security programmes to suit this new landscape.
Securing privileged access
Another key security concern for the healthcare industry is privileged access management. A large majority of organisations (86 per cent) think IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured. Yet, 38 per cent of healthcare organisations do not have a privileged access management strategy in place for cloud infrastructure and workloads, and 44 per cent do not have a privileged access management strategy in place for business-critical applications — including customer-facing applications.
Why such a big oversight when it comes to privileged access? It’s likely due to a limited understanding in the healthcare sector of where privileged accounts, credentials and secrets can exist within an IT environment. Only 24 per cent of organisations said that privileged accounts and credentials exist within containers and 30 per cent said they exist within continuous integration/continuous delivery (CI/CD) tools. That being said, more than one quarter (28 per cent) of all planned security spending in the healthcare sector in the next 24 months will go toward preventing privilege escalation and/or lateral movement, according to the study.
Looking to 2020 and beyond
As healthcare organisations continue to modernise how they deliver care to patients everywhere, security teams need to better understand how these efforts impact security strategies, and then adapt accordingly and holistically. Every employee, application and technology impacts their risk profile.
To successfully adjust to the threat landscape they currently face, healthcare organisations will thus need to redefine how they asses risk and understand that this new definition may require new skill sets and tools to best arm against innovative and motivated attackers. Managing access to privileged accounts and credentials is an effective way to minimise the moves a threat actor can make after they establish a foothold on the network, and it’s also a critical piece of the bigger cybersecurity puzzle in an environment with so much at stake.