Healthcare has consistently been one of the top targets for cybercriminals because of the trove of personal and confidential data it holds. Digital tools are now used in almost every aspect of healthcare operations, presenting more potential vulnerabilities and opportunities for cybercriminals if the right protective measures are not put in place.
Besides invasion of privacy, abuse or alteration of healthcare data by attackers can lead to serious consequences, potentially causing negative patient outcomes and patient harm. The severity of this threat is not lost on the authorities. For example, in August 2021, Singapore’s Ministry of Health issued the “Healthcare Cybersecurity Essentials” circular, which lists basic security measures for providers to adopt so as to protect their IT assets, systems and patient data. The ministry noted its aim to “sensitise healthcare providers to and signal the importance of cybersecurity as a critical part of clinical operations.”
There is a heightened sense of urgency amongst stakeholders with regards to cybersecurity in healthcare, with more action and investments made by healthcare providers to combat cyber threats in recent years, said Mr Sumit Sehgal, Strategic Product Marketing Director at technology security firm ARMIS.
“This is partly because of the successful attacks that led to ransomware events,” he said. “But more importantly, the reliance of clinical care delivery that is tied to electronic health record (EHR) systems – or digital clinical decision support – has increased dramatically in the last five to six years, in addition to integrated medical devices then becoming a part of that threat landscape. As a result, we see increases in investment in information security.”
Encouraging progress in healthcare cybersecurity
Key facets of that increased focus include education, and ‘baselining’ – or bringing up to standards – of basic cybersecurity processes, such as cyber hygiene, endpoint protection, and vulnerability assessments. Organisations have also worked on building up their security incident response plans, Mr Sumit noted.
“I’m seeing a convergence happening between response and recovery, when it comes to incident response from a security perspective, versus recovering from it and working together with the operations or business continuity teams,” he said.
This progress is reflected in the average time taken to respond to security incidents: he recalled that just four to five years ago, the industry took one to three days to respond, whereas now it is down to mere minutes.
In addition, he sees “a lot of good progress” notched in the areas of endpoint and network security, data protection in cloud environments and in application of “realistic” security architectures.
Role of threat modelling
Looking ahead, the security of non-traditional IT assets (such as wearables and remote devices that are part of the patient care delivery process) is an area that can be further strengthened, said Mr Sumit. Hospitals will need to take a closer look at how the risks and vulnerabilities of these assets and devices apply to the security architectures they have already deployed.
There may also be organisations that are not fully aware of the types of attacks or threats they are facing.
“Just because you don’t have security solutions that tell you where or when you are getting attacked, doesn’t mean that that’s not happening in your environment. A lot of times, information security attacks manifest themselves as network or application errors,” he noted.
For any organisation using EHR applications, it is recommended that they have robust tracking and monitoring capabilities to ensure compliance with security requirements and regulations of the country or state.
“More importantly, (providers should) understand what the risk is for them from a clinical specialty perspective, and what’s important for them from a business continuity aspect, and leverage that context as drivers for doing exercises with regards to vulnerability assessment, asset visibility and risk management.”
With that in mind, healthcare organisations can benefit by conducting threat modelling as an intrinsic part of their overall security programme.
“Threat modelling sounds complicated, but it’s really not,” said Mr Sumit. “It’s just a process of taking what you understand and have identified as risks to your operations, risks to the way you deliver care, risks to the way you maintain your IT processes as well as risk to data protection – and you simply apply that with vulnerabilities that you’ve discovered during your scanning process in your environment.”
Similar to the guidance within MOH’s circular, Mr Sumit’s advice to healthcare providers is to start by “knowing what their assets are” – through creating and maintaining an updated inventory of all IT and operational assets, including their security levels.
“Then you can analyse what truly is going to be the attack vectors. What would be the intrusion criteria? What would be the impact of those assessments and how likely those attacks are going to happen? And then what is the operational impact and what is the response and recovery that you’re going to plan for?”
He emphasised that threat modelling is tied to enterprise risk or emergency management as a larger organisational function. Organisations that lack the capability to conduct such exercises should look to linking up with a partner who can help.
Beyond just an IT issue
To effectively address cybersecurity, organisations need to understand that it is not just an IT problem – it is a whole-of-organisation initiative that deserves attention on that level.
“Prioritisation of a realistic scope, prioritisation of a realistic timeframe on how you address cybersecurity from a strategy perspective – it has to be done in a cross-functional team, and has to be led at the highest levels of organisations,” said Mr Sumit.
With limited financial and human resources, hospital leadership needs to carefully consider the risks and direct focus toward the most critical areas.
“The biggest insight some organisations can take is: when you are planning for a security strategy that is dealing with overall enterprise risk, try and build some data flows that allow you to integrate enterprise risk with clinical risk… When you have information on the devices and their security risks, and align that with clinical risk – that helps you identify what is the purpose of those devices in context of clinical care. This helps guide where investments need to be made, because like any business, you cannot solve all the risks.”
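The sequence Mr Sumit describes (inventory the assets, apply the risks you already understand to the vulnerabilities the scan found, then estimate likelihood, impact and the response to plan for) and his closing point about joining device security risk with clinical risk can be shown as a small Python model. This is an added illustration, not code from Armis or from the MOH circular; the asset ids, vulnerability references, scores and clinical details are constructed, and the 1-to-5 scales and response-tier thresholds are assumptions chosen for the example.

```python
"""Toy threat-model scoring over a hospital device inventory.

Added illustration; not Armis' product logic nor the MOH circular's method.
Every asset, vulnerability reference and clinical detail below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    ref: str             # placeholder scanner reference, not a real CVE id
    cvss: float          # base score reported by the vulnerability scanner
    exploit_public: bool


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    internet_reachable: bool
    vulns: Tuple[Vuln, ...]


@dataclass(frozen=True)
class ClinicalUse:
    department: str
    patient_connected: bool    # device attached to, or directly treating, a patient
    downtime_tolerance_h: int  # hours the care process can continue without it


@dataclass(frozen=True)
class RiskRecord:
    asset_id: str
    likelihood: int   # 1..5
    impact: int       # 1..5
    risk: int         # likelihood * impact
    tier: str         # response/recovery planning tier (assumed thresholds)
    mapped: bool      # False when the asset has no clinical context on record


# What the security side knows: the scanned asset inventory (constructed data).
SECURITY_INVENTORY: List[Asset] = [
    Asset("INF-001", "infusion_pump", False, (Vuln("VULN-PLACEHOLDER-1", 9.8, True),)),
    Asset("WS-017", "nurse_workstation_ehr_client", True, (Vuln("VULN-PLACEHOLDER-2", 7.5, False),)),
    Asset("WEAR-203", "wearable_gateway", True, (Vuln("VULN-PLACEHOLDER-3", 6.5, True),)),
    Asset("PRN-009", "label_printer", False, ()),
]

# What clinical engineering knows: where each device sits in care delivery (constructed).
CLINICAL_CONTEXT: Dict[str, ClinicalUse] = {
    "INF-001": ClinicalUse("ICU", True, 0),
    "WS-017": ClinicalUse("Ward 4B", False, 4),
    "PRN-009": ClinicalUse("Admin", False, 48),
    "MON-114": ClinicalUse("ICU", True, 0),   # known clinically, never scanned
}


def likelihood(asset: Asset) -> int:
    """Attack likelihood 1..5 from the worst finding, exploit availability and exposure."""
    if not asset.vulns:
        return 1
    worst = max(v.cvss for v in asset.vulns)
    score = 1 if worst < 4.0 else 2 if worst < 7.0 else 3 if worst < 9.0 else 4
    if any(v.exploit_public for v in asset.vulns):
        score += 1
    if asset.internet_reachable:
        score += 1
    return min(score, 5)


def clinical_impact(use: Optional[ClinicalUse]) -> int:
    """Patient/operational impact 1..5; an asset with no clinical context is scored conservatively."""
    if use is None:
        return 5
    score = 4 if use.patient_connected else 2
    if use.downtime_tolerance_h == 0:
        score += 1
    elif use.downtime_tolerance_h >= 24:
        score -= 1
    return max(1, min(score, 5))


def response_tier(risk: int) -> str:
    """Map the 1..25 risk product onto a planning tier (thresholds are assumptions)."""
    if risk >= 15:
        return "immediate"
    if risk >= 8:
        return "planned"
    return "monitor"


def score_assets(inventory: List[Asset], context: Dict[str, ClinicalUse]) -> List[RiskRecord]:
    """Join the security inventory with clinical context and rank by risk."""
    records = []
    for asset in inventory:
        use = context.get(asset.asset_id)
        lk, im = likelihood(asset), clinical_impact(use)
        records.append(RiskRecord(asset.asset_id, lk, im, lk * im, response_tier(lk * im), use is not None))
    return sorted(records, key=lambda r: (-r.risk, r.asset_id))


def inventory_gaps(inventory: List[Asset], context: Dict[str, ClinicalUse]) -> Tuple[List[str], List[str]]:
    """Assets scanned but lacking clinical context, and clinical devices never scanned."""
    scanned = {a.asset_id for a in inventory}
    unmapped = sorted(i for i in scanned if i not in context)
    unscanned = sorted(i for i in context if i not in scanned)
    return unmapped, unscanned


if __name__ == "__main__":
    for r in score_assets(SECURITY_INVENTORY, CLINICAL_CONTEXT):
        print(f"{r.asset_id:9} L={r.likelihood} I={r.impact} risk={r.risk:2} {r.tier:9} mapped={r.mapped}")
    print("gaps (unmapped, unscanned):", inventory_gaps(SECURITY_INVENTORY, CLINICAL_CONTEXT))
```

The join is the point: the same device record scores differently once its clinical role is known, and the two gap lists surface exactly the "knowing what their assets are" problem, a scanned device nobody has placed in the care process and a clinical device the scanner has never seen. A real programme would replace the constructed scales with its own risk register and feed the ranked output into the response and recovery planning the interview describes.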
Mr Sumit shares more about threat modelling, and about implementing an information security strategy that balances risk management and operations continuity, in an Armis healthcare blog article.