Federal health agencies have adopted innovation as their roadmap to the future – embracing emerging technologies such as Internet of Things-enabled medical devices and interoperable electronic health records.
While these technologies have enabled agencies to accelerate delivery and improve their front-line customer experience, a more connected health IT landscape also expands the attack surface and introduces new challenges for security professionals.
Stu Solomon, Recorded Future’s chief strategy and corporate development officer, told Federal News Network that health IT systems face a growing number of data security and cybersecurity challenges because of two trends.
Health IT systems, for one, hold a treasure trove of valuable data, whether it’s personal health data, biometrics or intellectual property valuable to the future of medical devices.
Meanwhile, the pace of IT modernization, the second trend, has accelerated faster than most cybersecurity officials can anticipate.
“They’re in a digital transformation today, moving very rapidly to keep pace with the rest of society’s desires and needs — from paper-based scenarios and unconnected medical devices and techniques — and moving into scenarios whereby the digital transformation of their operations themselves necessitate a completely different view into the attack surface,” Solomon said in an interview.
While government and industry both face a variety of health IT and cybersecurity challenges, Solomon identified three emerging threats:
Data breaches and exposed personally identifiable information (PII).
The rise of ransomware.
Malicious actors gaining a foothold in the network for further intrusion.
The rise of ransomware affects more than just the health IT sector, but Solomon said health care is an industry uniquely vulnerable to this threat. Defending against ransomware, he said, often comes down to workforce-centric challenges such as identifying spear-phishing attempts to prevent malware from entering networks in the first place.
“It’s really important to keep an eye out [and] not just for potentially anomalous activity that would be a deviation from the baseline of what you expect to see,” Solomon said.
While employees often serve as the first line of defense against threats like ransomware, health IT personnel must also take steps to ensure that if malware does enter their networks, the threat has limited opportunities to spread.
“How susceptible are the data stores within the network to being locked out or blocked out? Do you have the ability to rapidly recover or to roll back to a last known good environment? Do you have the ability to unlock data stores from recovery environments to be able to very quickly mitigate, or do you have the ability to stop the infection from spreading across multiple components of your network as quickly as possible?” Solomon said.
In order to defend against phishing attacks and malicious attempts to access PII, Solomon said agencies must also develop insider threat programs that include the scenario of an unintentional breach of data coming from an employee.
“It really does boil down to that first mile, which is the user who is tricked into or in some way coaxed into introducing the malware into the environment in an unwitting fashion,” he said. “Phishing techniques are as old as time in the security industry, but malicious actors will do what works, and they’ll follow the path of least resistance to be able to create the impact that they want.”
In order to prevent malicious actors from exploiting vulnerabilities in IoT-connected medical devices, or from using a successful phishing attack to burrow deeper into a network, Solomon said agencies should approach the problem from an identity management perspective, as they would with any other potential security deficiency.
“When you talk about the IoT components in medical devices in particular, it becomes very scary very quickly, because it’s personal. These are things that are touching our bodies, these are things that are dealing with our health care needs,” Solomon said. “There’s a lot of passion that’s solicited immediately when thinking about these kinds of threats. However, the opportunity lies in treating them in a very normal fashion, the way that any security professional would any other aspect of their network in their overall attack surface.”
That ID management strategy includes getting a complete map of the devices on a network and a better understanding of what runs on those devices. It should also include regularly patching and updating the software and firmware on those devices, as well as changing default passwords and tracking devices whose hard-coded credentials cannot be changed.
Another component to this defense strategy, Solomon said, is identifying how the devices normally behave on the network, in order to detect abnormalities faster.
“What does a normal baseline of activity look like when one device talks to another device? What kind of data should flow from one device to another device? What kind of data is exposed when devices interact with databases?” Solomon said.
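The baseline-then-deviate approach Solomon describes can be made concrete with a small detector. The following is an added example written for this page, not code from Recorded Future or from the article: it learns, for each device, which peers and ports it normally talks to and how much data it normally sends them, then flags flows that introduce a new peer or port or that carry a volume far outside the learned range. The log format (timestamp, source, destination, destination port, bytes) and the device names are constructed for illustration.

```python
"""
Baseline-and-deviate detection for device-to-device traffic.

Added example (not from the article or Recorded Future). It builds a
per-flow baseline of byte volumes from a learning window, then flags
observed flows that either have no baseline at all (a new peer or port
for that device) or whose volume is a statistical outlier.
The log lines below are constructed NetFlow-style records, not real data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-window sample: "timestamp src dst dport bytes"
# (hypothetical format chosen for this example).
BASELINE_LOG = """
2024-03-01T08:00:00 infusion-pump-07 emr-db-01 5432 1800
2024-03-01T08:05:00 infusion-pump-07 emr-db-01 5432 1750
2024-03-01T08:10:00 infusion-pump-07 emr-db-01 5432 1900
2024-03-01T08:15:00 infusion-pump-07 ntp-01 123 76
2024-03-01T08:20:00 infusion-pump-07 emr-db-01 5432 1820
2024-03-01T08:00:00 mri-console-02 pacs-01 104 52000
2024-03-01T08:30:00 mri-console-02 pacs-01 104 48000
2024-03-01T09:00:00 mri-console-02 pacs-01 104 51000
"""

# Constructed observation window: one normal EMR write, one pump reaching
# an SMB file server it never spoke to, one pump pushing 200x its usual
# volume, one normal DICOM transfer, and one MRI console opening SSH.
OBSERVED_LOG = """
2024-03-02T08:00:00 infusion-pump-07 emr-db-01 5432 1790
2024-03-02T08:02:00 infusion-pump-07 file-srv-03 445 900
2024-03-02T08:03:00 infusion-pump-07 emr-db-01 5432 400000
2024-03-02T08:10:00 mri-console-02 pacs-01 104 49000
2024-03-02T08:11:00 mri-console-02 pacs-01 22 300
"""


def parse(log):
    """Turn the constructed log text into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in log.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((ts, src, dst, int(dport), int(nbytes)))
    return flows


def build_baseline(flows):
    """Map each (src, dst, dport) triple to the byte counts seen for it."""
    baseline = defaultdict(list)
    for _, src, dst, dport, nbytes in flows:
        baseline[(src, dst, dport)].append(nbytes)
    return baseline


def detect(baseline, flows, z_threshold=3.0, min_samples=3):
    """Return (ts, src, kind, detail) alerts for flows outside the baseline.

    kind is "new_peer_or_port" when the device has never used that
    destination/port pair, or "volume_anomaly" when a known pair carries
    a byte count more than z_threshold standard deviations from its mean.
    """
    alerts = []
    for ts, src, dst, dport, nbytes in flows:
        key = (src, dst, dport)
        if key not in baseline:
            alerts.append((ts, src, "new_peer_or_port", f"{dst}:{dport}"))
            continue
        samples = baseline[key]
        if len(samples) < min_samples:
            continue  # too little history to judge volume; skip, don't guess
        mu, sigma = mean(samples), pstdev(samples)
        # Floor sigma so a very regular flow (near-zero spread) does not
        # turn a harmless few-byte wobble into an alert.
        sigma = max(sigma, 0.05 * mu, 1.0)
        z = (nbytes - mu) / sigma
        if abs(z) > z_threshold:
            alerts.append((ts, src, "volume_anomaly",
                           f"{dst}:{dport} bytes={nbytes} z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in detect(base, parse(OBSERVED_LOG)):
        print(alert)
```

Run as-is, it raises three alerts: the pump's first contact with the file server on port 445, the pump's 400,000-byte burst to the EMR database, and the MRI console opening port 22 to the PACS. The two routine flows stay quiet. A real deployment would learn the baseline over days rather than minutes and key it on device identity from the inventory rather than on hostnames, but the shape of the check is the same.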