Healthcare breaches: how to stop the spread


Recently another healthcare ransomware attack was reported that resulted in encryption of patient health records. Hospitals, nursing homes, and other healthcare organizations are continuously becoming targets for ransomware attacks and security breaches. This comes as no surprise, as hackers target medical facilities because they lag behind in the introduction of security measures. Banks and financial networks, for example, are heavily protected. This isn’t the case for medical facilities. There are still healthcare organizations that don’t have the resources to introduce the latest security measures and to make sure that patient information is properly protected.

While credit card information sells for between $6 and $30 on the black market, patient records can sell for up to $1,000 (per patient) on the black market and dark web. This is due to the amount of information found in the documents, including date of birth, credit card information, Social Security number, address and email. If that isn’t scary enough, there’s also data about your past medical history, including every doctor’s visit you’ve made and diagnosis you’ve received.

Hackers also hijack insecure Electronic Health Records (EHR) systems in order to extort hospitals for money in exchange for returning access. This type of attack is particularly effective against hospitals, which need real-time access to patient data for critical operations and thus have no choice but to pay up.

Having worked with healthcare organizations for two decades, I’ve recently been spending a lot of time with healthcare technology teams discussing their many security challenges. We’ve talked about how they’re trying to prevent the next breach because in healthcare we’ve all come to realize it’s not “if” but “when”.

Here are some of their collective recommendations which may help you in your prevention, investigation, and remediation efforts:

Manage and analyze network access

Many organizations lack a comprehensive view of their multi-vendor, hybrid network and are unable to proactively identify network access policy violations, vulnerable access points, or even vulnerable access flows. An accurate inventory and map of applications, servers, and network objects running in your environment, including network traffic flows, can help you better understand what is deployed where, and what talks to what. You can use this data, for example, to detect risky or non-compliant access or simulate access routes to identify vulnerable access paths that can be exploited. You can even discover ‘lost’ (forgotten) servers that still have access to the network and should be decommissioned as they, too, can potentially be used by attackers. 

Prioritize mitigation efforts

Security admins are often faced with challenges such as worms exploiting various vulnerabilities, which should be mitigated through server patches as well as by locking down the infected network ports between specific networks. In this scenario, you can combine your vulnerable-assets list with inbound/outbound communication flow intelligence. This will help determine which applications are both vulnerable and the most connected, as they may be the ones you need to patch first. This is usually a good starting point for your remediation efforts.
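The prioritization step described above, as an added example that is not code from the post or from Tufin: it joins a constructed vulnerable-asset list with constructed flow records and ranks the vulnerable hosts by how many distinct peers they exchange traffic with. The addresses, host names and flows are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data, not from the post: vulnerable hosts from a scanner export.
VULNERABLE_ASSETS = {
    "10.1.0.5": "ehr-db",
    "10.1.0.9": "pacs-server",
    "10.2.0.3": "lab-gateway",
}

# Constructed sample flow records: (source, destination, destination port).
FLOWS = [
    ("10.3.0.10", "10.1.0.5", 1433),
    ("10.3.0.11", "10.1.0.5", 1433),
    ("10.3.0.12", "10.1.0.5", 1433),
    ("10.1.0.5", "10.9.0.2", 445),
    ("10.3.0.10", "10.1.0.9", 104),
    ("10.1.0.9", "10.3.0.10", 104),  # same peer in both directions counts once
    ("10.2.0.3", "10.8.0.1", 443),
    ("10.4.0.7", "10.4.0.8", 22),    # neither end is vulnerable: ignored
]

def rank_vulnerable_assets(vulnerable, flows):
    """Join the vulnerable-asset list with observed flows and rank assets by
    how many distinct peers talk to them (inbound) or are reached by them
    (outbound). The most connected vulnerable hosts come first."""
    inbound = defaultdict(set)   # asset -> sources that send to it
    outbound = defaultdict(set)  # asset -> destinations it sends to
    for src, dst, _port in flows:
        if dst in vulnerable:
            inbound[dst].add(src)
        if src in vulnerable:
            outbound[src].add(dst)
    ranked = []
    for ip, name in vulnerable.items():
        peers = inbound[ip] | outbound[ip]
        ranked.append({"ip": ip, "name": name, "peers": len(peers),
                       "inbound": len(inbound[ip]), "outbound": len(outbound[ip])})
    # highest connectivity first; tie-break on address for a stable order
    ranked.sort(key=lambda r: (-r["peers"], r["ip"]))
    return ranked

if __name__ == "__main__":
    for row in rank_vulnerable_assets(VULNERABLE_ASSETS, FLOWS):
        print(f'{row["name"]:<12} {row["ip"]:<10} peers={row["peers"]} '
              f'in={row["inbound"]} out={row["outbound"]}')
```

In a real environment the two inputs would come from your scanner export and your flow collector; the ranking logic stays the same.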

Restrict inbound and outbound traffic: Lock down infected assets

Once a vulnerable service is flagged as malicious (e.g. because it triggers anomalous rule hits), it can be quickly isolated by blocking access to the infected service or zone. This is done by detecting which firewall rules allow traffic from/to the vulnerable assets. You want to ensure that only the specific risky traffic originating from or destined to the vulnerable service is blocked, while all other traffic flows are still accepted by the firewalls.

It’s actually easier said than done, as not only do you need to locate the exact relevant rules in all relevant network devices and infrastructure components, such as firewalls, SDNs, routers, etc., across the hybrid environment, but also very granularly pinpoint which changes in these rules need to be made in order to block potential risky traffic, while allowing only ‘safe’ traffic to flow.
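The rule-pinpointing problem from the two paragraphs above, as an added example that is not code from the post or from Tufin: against a constructed, ordered rule base it finds the allow rules that expose a given asset on a risky port and proposes a narrowly scoped deny to insert above each one, so the broad allow keeps serving every other host. Rule names, addresses and the port are all made up for illustration.

```python
import ipaddress

# Constructed sample rule base, not from the post: ordered rules with source,
# destination, destination port ("any" = every port) and action.
RULES = [
    {"name": "allow-clinic-to-ehr", "src": "10.3.0.0/24", "dst": "10.1.0.5/32",
     "port": 1433, "action": "allow"},
    {"name": "allow-server-net-out", "src": "10.1.0.0/24", "dst": "0.0.0.0/0",
     "port": "any", "action": "allow"},
    {"name": "allow-mgmt-ssh", "src": "10.5.0.0/24", "dst": "10.1.0.0/24",
     "port": 22, "action": "allow"},
    {"name": "deny-all", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "port": "any", "action": "deny"},
]

def _in(asset, cidr):
    return ipaddress.ip_address(asset) in ipaddress.ip_network(cidr)

def _grants(rule, asset, port):
    """True if this allow rule would pass traffic on `port` to or from `asset`."""
    return (rule["action"] == "allow"
            and rule["port"] in ("any", port)
            and (_in(asset, rule["src"]) or _in(asset, rule["dst"])))

def rules_exposing(rules, asset, risky_port):
    """Names of the allow rules that expose `asset` on `risky_port`."""
    return [r["name"] for r in rules if _grants(r, asset, risky_port)]

def containment_rules(rules, asset, risky_port):
    """Propose narrow deny rules to insert above each exposing allow rule, so only
    the risky port to/from the infected asset is cut and the broad allow keeps
    serving every other host. A rule covering the asset on both sides gets two
    proposals, one per direction."""
    proposals = []
    for r in rules:
        if not _grants(r, asset, risky_port):
            continue
        if _in(asset, r["dst"]):   # inbound to the infected asset
            proposals.append({"insert_above": r["name"], "src": r["src"],
                              "dst": f"{asset}/32", "port": risky_port, "action": "deny"})
        if _in(asset, r["src"]):   # outbound from the infected asset
            proposals.append({"insert_above": r["name"], "src": f"{asset}/32",
                              "dst": r["dst"], "port": risky_port, "action": "deny"})
    return proposals

if __name__ == "__main__":
    print(rules_exposing(RULES, "10.1.0.5", 445))
    for p in containment_rules(RULES, "10.1.0.5", 445):
        print(p)
```

The same check has to be run against every device on the path (firewalls, SDN policies, router ACLs), which is the hard part the paragraph above refers to.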

As a preventive measure, you can segment your network to isolate sensitive assets. This can be done proactively by centrally managing network access across vendors and platforms. A central solution can help you analyze risky access even before granting it. If you need help with your network segmentation, download this practical guide.

Restrict third-party vendor access

Oftentimes we hear about a vendor or partner’s network access that was forgotten and left open, even after a project was completed, which then provided an open backdoor for attackers. As a preventive measure, you can limit access to your network by creating a network rule that grants time-limited network access. When the time comes to revoke that access, be sure to have an alert set, so you can then decide whether to extend, disable or remove it.

Want to learn more? If you’re attending the HIMSS10 Cybersecurity Forum in Orlando, FL in March, stop by Tufin’s booth (Hall A, Booth 400, Kiosk 93) to find out more about the impact Tufin is having on healthcare organizations and their cybersecurity initiatives. See live product demos, meet the team, and let us show you how to best secure your networks by starting with your security policies.

See you in Orlando!