Posts

Why An MDR Service Provider for Healthcare Organizations Makes Sense

Healthcare organizations collect and process a lot of sensitive data, making them a prime target for opportunistic cybercriminals. Managing security in-house is a complex undertaking, which is why many healthcare organizations look to outsource some or all of their security needs. Here are our top three reasons partnering with a managed detection and response (MDR) service provider for healthcare organizations makes sense.

#1: Security Expertise

According to ISACA’s State of Cybersecurity 2021 report, over half of surveyed organizations still have unfilled cybersecurity positions, indicating the cybersecurity skills shortage shows no sign of slowing down. By partnering with an MDR service provider, healthcare organizations can take advantage of expert 24/7 security monitoring, threat detection, alerting, and response services that they need to deal with constant threats like ransomware, without having to build an in-house security operations center (SOC).

Partnering with an MDR service provider for your healthcare organization is a more cost-effective way to have 24/7 monitoring of your networks and continuous access to security professionals. And a provider with extensive healthcare security experience will be able to provide recommendations on how to quickly improve your security posture, incorporating practices such as setting up business context modelling, creating segmentation with trusted network zones and controlling access to critical medical devices and infrastructure.

By outsourcing your security monitoring, you don’t have to worry about these staffing challenges; you only have to focus on the actionable alerts sent by your provider and can spend the rest of your time on other priorities.

#2: Advanced Threat Discovery and Response

Due to the sensitivity of healthcare files and the critical nature of their services, cybercriminals use a wide range of techniques, including ransomware, phishing and web application attacks to target healthcare organizations. Compounding the problem is that healthcare organizations have complex IT infrastructures, often with multiple locations, diverse departmental applications and legacy systems, plus patient and physician web portals.

Choosing an MDR service provider for healthcare organizations can provide advanced threat discovery by combining expertise with industry best practices such as the NIST cybersecurity framework to ensure your data is protected.

Threat Detection Use Cases

An MDR service provider for healthcare organizations means you get access to their expansive industry knowledge as well as their already built large library of threat detection use cases. This library typically includes support for a range of security tools and vendors and looks for specific indicators of attack or suspicious behavior to better detect threats. A good security team will send you actionable alerts for any critical threats and provide you with recommended next steps, so you can have more confidence you’re keeping your networks secure.

In addition, an MDR service provider’s use case library is constantly changing, with new content being added to keep up with the ever-evolving threat landscape. Best practices also suggest that outdated content gets removed or updated, to make sure logs are only being run through relevant and useful use cases.

It would be highly challenging for an individual organization, starting from scratch, to build up a matching use case library – and unless there’s a dedicated team working on adding and updating the content, there’s still a high probability of missing new threats. Modern MDR service providers have a team specializing in keeping their fingers on the pulse as new threats constantly emerge.

Threat Hunting

Many MDR service providers also have a dedicated team for threat hunting, so they can be quick to react to any new threats in the wild. A team that operates globally provides additional benefits as the teams in each region can communicate information about threats local to their environment that may help hunt down new threats before they gain a foothold in another region. This is an added benefit of an MDR service provider for healthcare organizations that wouldn’t be feasible with a small local team.

For example, the local team in Asia may find a healthcare organization in their region is the target of a specific ransomware attack. The team can communicate information about this attack to other regional teams who can proactively, and extensively, search their clients’ network for any sign of the same threat.

Automated Response

For quick containment of credible threats, MDR service providers may offer a Security Orchestration, Automation and Response (SOAR) solution that provides further protection of your critical assets. Automated response solutions are created to look for high-fidelity threats and can stop attacks before they expose sensitive patient information or bring down critical IT systems, mitigating a potentially devastating data breach.

The MDR service provider continually tunes and refines their rules to make sure they can detect the most relevant threats. Automated actions may include blocking an IP address or a compromised device from outbound communication, forcing a password reset on a compromised account, quarantining a device from your network, or proactively blocking newly detected attackers found in other networks via threat hunting.
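The decision logic behind the automated actions listed above can be made concrete with a small playbook. The following is an added example written for this article, not Proficio’s code or any SOAR product’s configuration; the alert categories, action names, asset names and the confidence threshold are all constructed. It shows the two guardrails a healthcare SOC would want: no action below a high-fidelity confidence threshold, and no automatic quarantine of protected clinical devices, which are escalated to an analyst instead.

```python
"""Toy SOAR-style playbook (added example, not Proficio's code).

Maps high-fidelity alerts to containment actions such as blocking an IP,
forcing a password reset or quarantining a device, while refusing to
auto-isolate protected medical devices (those go to a human analyst).
"""
from dataclasses import dataclass

# Constructed list of assets that must never be auto-quarantined
# (e.g. life-support equipment); containment is a manual decision there.
PROTECTED_ASSETS = {"infusion-pump-07", "ventilator-12"}

# Minimum detection confidence before any automated action is taken (assumed).
AUTO_ACTION_THRESHOLD = 0.9

# Alert category -> containment action. All names are hypothetical.
PLAYBOOK = {
    "malware_beacon": "block_outbound_ip",
    "credential_compromise": "force_password_reset",
    "ransomware_behavior": "quarantine_device",
    "threat_hunt_ioc": "block_inbound_ip",
}


@dataclass
class Alert:
    category: str
    confidence: float   # detection confidence, 0.0 - 1.0
    asset: str          # host or device the alert concerns
    indicator: str      # IP address or account involved


@dataclass
class Decision:
    alert: Alert
    action: str
    automated: bool
    reason: str


def decide(alert: Alert) -> Decision:
    """Pick an action for one alert, or escalate when the guardrails say no."""
    action = PLAYBOOK.get(alert.category)
    if action is None:
        return Decision(alert, "escalate_to_analyst", False, "no playbook for category")
    if alert.confidence < AUTO_ACTION_THRESHOLD:
        return Decision(alert, "escalate_to_analyst", False, "confidence below threshold")
    if action == "quarantine_device" and alert.asset in PROTECTED_ASSETS:
        return Decision(alert, "escalate_to_analyst", False, "protected asset; manual containment only")
    return Decision(alert, action, True, "high-fidelity match")


def run_playbook(alerts):
    """Evaluate every alert; returns one Decision per alert, in order."""
    return [decide(a) for a in alerts]


# Constructed sample alerts covering the automated and escalated paths.
SAMPLE_ALERTS = [
    Alert("malware_beacon", 0.97, "ws-radiology-03", "198.51.100.23"),
    Alert("ransomware_behavior", 0.95, "ventilator-12", "ventilator-12"),
    Alert("credential_compromise", 0.60, "ws-billing-11", "jdoe"),
    Alert("ransomware_behavior", 0.99, "ws-billing-11", "ws-billing-11"),
]

if __name__ == "__main__":
    for d in run_playbook(SAMPLE_ALERTS):
        mode = "AUTO" if d.automated else "MANUAL"
        print(f"{mode:6} {d.alert.asset:16} {d.action:20} ({d.reason})")
```

Run as a script it prints one decision per alert: the beacon and the billing workstation ransomware alert are actioned automatically, while the ventilator alert and the low-confidence credential alert are escalated. The protected-asset list is the piece worth keeping when adapting this: a SOAR rule that can isolate a clinical device on a false positive is itself a patient-safety risk.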

#3: Compliance

For healthcare organizations, ensuring continued compliance with relevant industry regulations like HIPAA creates additional challenges and workload for internal teams. Failure to pass a compliance audit can result in hefty fines and data breaches invariably lead to high legal costs, patient harm, and reputational damage. Research indicates that healthcare organizations incur the highest breach costs of all industries at $499 million per record breach.

A compelling reason to consider an MDR service provider for healthcare is that you can partner with a company that fully understands these specific data protection regulations and requirements. For many, the HIPAA requirements for data storage and paper trails are numerous and ambiguous; partnering with an expert can provide your healthcare organization with best practice guidance and audit preparation for HIPAA compliance so you’re better prepared.

In addition, many MDR service providers for healthcare organizations will also follow industry standard compliance practices, like SOC 2, that demonstrate that they follow strict information security policies and procedures. Partnering with a certified MDR service provider gives you added confidence your data is protected.

Conclusion

Choosing an MDR service provider for healthcare organizations may not be an easy choice for everyone. But in a world of ceaseless attacks, sophisticated threats, and high data breach costs, outsourcing your security monitoring to a dedicated team of professionals who can protect your patient information 24/7 often makes sense. By finding the right partner, you can find a cost-effective security option that will reduce your information security risks and strengthen your cybersecurity posture.

See how Proficio can help secure your healthcare organization.

Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 show no sign of stopping, several high-profile occurrences in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with the most severe cyber-attack to ever target critical infrastructure in the United States. Instigated by the DarkSide ransomware group, this has been one of the most newsworthy ransomware attacks in 2021, targeting the IT environment tied to a pipeline system that extends from Texas to New York.

Hackers used a VPN account and a leaked password to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room, demanding a cryptocurrency payment. An operations supervisor decided to respond to the attack by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24-7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24-7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The swift response during the Sierra Wireless attack was critical for rapid threat containment. Fast action can make the difference between an attempted hack and a devastating breach, which is why automated response solutions are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe, we saw a similar attack take down Ireland’s Health Service Executive. This attack was due to an employee who unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when looking for targets to exploit. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they get into your networks.


Conclusion

While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.

Healthcare organizations and the cloud: Benefits, risks, and security best practices

Healthcare organizations are moving their business-critical applications and workloads to the cloud, and while there are many benefits (lower costs, added flexibility and greater scalability), there are also inherent risks that cannot be overlooked.

Ensuring organizations’ sensitive data is being monitored and protected (24/7) is key and having analysts who clearly understand security in the cloud is critical. Hiring and staffing these roles can be quite difficult because of the skillset required. Outsourcing cybersecurity to a managed security service provider (MSSP) is one viable solution for healthcare organizations that are in the process of migrating to the cloud and are concerned with protecting patient information, sensitive data, and applications.

Why healthcare organizations are moving to the cloud

HIMSS Analytics conducted a survey of healthcare IT professionals about their views of cloud usage, with nearly two-thirds of respondents saying they are currently using the cloud or cloud services.

Why are healthcare organizations finally making the move? Many have started to look at the cloud as a disaster recovery and backup option in the event of a ransomware attack, a threat that hit the healthcare sector in 2017. The cloud also enables increased operational and storage flexibility as more healthcare companies use applications like precision medicine and population health.

Who’s responsible for keeping the cloud secured?

With so much critical information being accessed and stored in the cloud, it’s important to know who is responsible for monitoring authentication, communication, and client access to devices as well as how they’re securing it. Cloud application vendors are motivated to secure their infrastructure against denial of service attacks, disruption to service delivery, and large backend infrastructure breaches to protect their business. However, control over data access, user credentials (in some cases the application servers themselves), and regulatory compliance rests on the user organization’s IT team – not the cloud vendor. In short, cloud infrastructure providers are responsible for protecting their service, while IT teams must ensure their organization’s private data and critical applications are protected.

Whether you are using cloud providers (such as AWS or Microsoft Azure) to host your sensitive applications and data, taking advantage of Microsoft Office 365, or leveraging the scalability of a cloud-based electronic health record (EHR) application, security is a shared responsibility between the IT security team and cloud provider. As more healthcare organizations turn to cloud services, it is becoming critical for IT and security teams to understand the delineation of responsibility.

Taking the right security measures in cloud infrastructures

Most of the same security risks that apply to data and applications residing within a traditional data center also apply to virtualized assets in cloud infrastructures like AWS, Azure, and others. Virtual servers can be infected with malware or ransomware, credentials can be stolen, and cyber criminals can extract data, which makes cyber protection even more important.

Web applications are one of the most significant sources of enterprise data breaches, and public-facing web applications are often hosted on cloud platforms. Because cloud platforms are designed for easy sharing, data runs the risk of becoming unintentionally shared or exposed. Misconfigured cloud-based data stores have resulted in many vulnerabilities and threats.

To address these risks, IT security teams are adopting security tools such as virtualized firewalls, web application firewalls, intrusion detection systems, and vulnerability scanning tools developed for cloud infrastructures. These technologies are integrated using service provider application programming interfaces (APIs) that are designed to address the virtualized and dynamic nature of these environments.

Protecting SaaS applications in the cloud

Software as a service (SaaS) applications like EHR software, Office 365, and Salesforce often store sensitive patient data and confidential business and operational information. A breach or inadvertent exposure of this data can result in compliance violations, revenue loss, significant recovery expense, and can irreparably damage the organization’s reputation.

MSSPs and cloud access security brokers (CASBs) can collect and analyze authentication, access control, and cloud application transaction logs to identify suspicious behavior. Such logs include downloads, logins, usage, and application specific behaviors that may be analyzed by an MSSP to determine indicators of compromise.
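To show what “analyze transaction logs to identify suspicious behavior” looks like in practice, here is an added example written for this article; it is not Proficio’s code and not any CASB’s detection content. The audit log is constructed, with a hypothetical JSON-per-line schema rather than any vendor’s export format. Two detections run over it: a login from a country the user has never logged in from before, and a burst of downloads within a short window; a user who trips more than one rule is rated high severity.

```python
"""Added example (not Proficio's or any CASB's code): scoring SaaS audit
events for indicators of compromise, the way an MSSP or CASB would over
exported authentication and transaction logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables for the download-burst rule (assumed values).
BURST_THRESHOLD = 5                  # downloads ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window

# Constructed SaaS audit log: one JSON object per line, hypothetical field names.
RAW_LOG = """\
{"ts": "2021-06-01T09:02:11Z", "user": "nurse.kim", "event": "login", "country": "US", "ip": "203.0.113.5"}
{"ts": "2021-06-01T09:05:40Z", "user": "nurse.kim", "event": "download", "object": "chart_1042.pdf"}
{"ts": "2021-06-02T03:14:02Z", "user": "nurse.kim", "event": "login", "country": "RO", "ip": "198.51.100.77"}
{"ts": "2021-06-02T03:15:10Z", "user": "nurse.kim", "event": "download", "object": "chart_2001.pdf"}
{"ts": "2021-06-02T03:15:52Z", "user": "nurse.kim", "event": "download", "object": "chart_2002.pdf"}
{"ts": "2021-06-02T03:16:31Z", "user": "nurse.kim", "event": "download", "object": "chart_2003.pdf"}
{"ts": "2021-06-02T03:17:04Z", "user": "nurse.kim", "event": "download", "object": "chart_2004.pdf"}
{"ts": "2021-06-02T03:17:49Z", "user": "nurse.kim", "event": "download", "object": "chart_2005.pdf"}
{"ts": "2021-06-02T10:00:00Z", "user": "dr.patel", "event": "login", "country": "US", "ip": "203.0.113.9"}
{"ts": "2021-06-02T10:02:00Z", "user": "dr.patel", "event": "download", "object": "labs_77.csv"}
"""


def parse(raw: str):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyze(raw: str):
    """Return a list of findings: {user, rule, ts, detail}."""
    findings = []
    seen_countries = defaultdict(set)   # user -> countries seen in earlier logins
    recent_downloads = defaultdict(list)  # user -> timestamps inside the window
    for e in parse(raw):
        user = e["user"]
        if e["event"] == "login":
            country = e["country"]
            # The first login seeds the baseline; later logins are compared to it.
            if seen_countries[user] and country not in seen_countries[user]:
                findings.append({"user": user, "rule": "login_from_new_country",
                                 "ts": e["ts"].isoformat(), "detail": country})
            seen_countries[user].add(country)
        elif e["event"] == "download":
            window = recent_downloads[user]
            window.append(e["ts"])
            # Slide the window: drop downloads older than BURST_WINDOW.
            while window and e["ts"] - window[0] > BURST_WINDOW:
                window.pop(0)
            # Fire once, when the count crosses the threshold.
            if len(window) == BURST_THRESHOLD:
                findings.append({"user": user, "rule": "download_burst",
                                 "ts": e["ts"].isoformat(), "detail": f"{len(window)} downloads"})
    return findings


def severity(findings):
    """Rate each flagged user: 'high' if more than one distinct rule fired."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["user"]].add(f["rule"])
    return {u: ("high" if len(r) > 1 else "medium") for u, r in rules.items()}


if __name__ == "__main__":
    found = analyze(RAW_LOG)
    for f in found:
        print(f"{f['ts']}  {f['user']:10} {f['rule']:24} {f['detail']}")
    print(severity(found))
```

On the constructed log, nurse.kim is flagged twice (a login from RO after a US-only history, then five downloads in under three minutes) and rated high, while dr.patel’s single download after a routine login produces nothing. The baseline here is only what the log contains; a real deployment would seed seen countries from a longer history so that the first day of monitoring does not flag every user.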

Importance of Maintaining HIPAA compliance

For healthcare organizations, the Health Insurance Portability and Accountability Act (HIPAA) is an omnipresent reality. HIPAA requires patient data to be properly protected, no matter where it is being stored. Those who fail to protect patient data face fines and other regulatory penalties.

To meet HIPAA requirements, IT security teams should apply the same level of vigor to safeguarding their cloud-based data and applications as they would to on-premise applications and data. This can include deploying virtualized firewalls, scanning virtual servers for vulnerabilities, and monitoring and retaining log events from the public cloud.

How MSSPs can help implement stringent security in the cloud

When migrating to the cloud, many healthcare organizations consider implementing in-house security solutions. This means hiring security experts and around-the-clock staff to manage and respond to alerts. With the current cybersecurity skills shortage, finding and building the right team is not always easy.

How can a healthcare organization maximize the rewards of cloud-based data and applications while minimizing the security risks? One approach is to outsource the security monitoring, investigations, and incident response to an MSSP.

MSSPs have a service model that is well-suited for healthcare organizations with limited resources and strict compliance requirements. MSSPs can act as an extension of a healthcare organization’s IT security team at a fraction of the cost associated with hiring additional employees and operating a 24/7 security operations center (SOC).

When choosing an MSSP, it is important that healthcare organizations thoroughly evaluate providers and cross-reference their healthcare expertise to ensure a smooth transition to the cloud. Key questions organizations should ask an MSSP include:

    • Are you experienced with helping healthcare organizations protect their data and applications in the cloud?
    • Does your mix of security services include 24/7 monitoring, breach detection, and incident response?
    • Can you monitor log events from my preferred cloud provider and cloud-based application vendor?
    • How do you ensure we will receive accurate and relevant actionable alerts?
    • Can you manage or co-manage vulnerability management tools, virtualized firewalls, and endpoint security in cloud environments?
    • Do you have a single portal where we drill into security events and understand our security posture for both cloud-based and on-premise assets?
    • Do you offer HIPAA reporting and services to prepare us in the event of an HHS audit?

By asking these questions, healthcare organizations should be able to determine if the MSSP is equipped to handle security needs. Especially for healthcare organizations with limited budgets and small IT teams, a qualified MSSP can serve as an extension of their team, help improve cybersecurity posture, and make the most of moving to the cloud.

2017 Security Threats for Healthcare

From the Bon Secours Health System data breach impacting nearly 700,000 individuals to the $17,000 in ransom that Hollywood Presbyterian Medical Center paid hackers, 2016 wasn’t the best year for healthcare security. So what’s in store for 2017?

The healthcare industry is always going to be a target for hackers, yet security continues to be a challenge due to the overwhelming volume of security alerts generated each day, many of which are false positives, combined with a lack of internal resources. Even with the right technology, many IT teams simply don’t have enough hours in the day to investigate each threat thoroughly. This is why on average it takes over 200 days to identify a breach.

The industry is making great strides to improve their security measures and better protect their patients; yet each year, while some areas show steady improvement, there are new threats emerging that put hospitals at risk. The sheer volume of attacks that occurred in 2016 has elevated cybersecurity to the top of the priority list. An appropriate security solution has become an “absolute necessity” – especially given the lack of in-house resources and skilled security personnel that many organizations face.

Here are some things healthcare organizations should be on the lookout for in 2017:

1. Money Money Money

Cyber criminals are profit motivated, and will always be drawn to the easy money. With lower ROI on stolen patient records thanks to a surplus on the black market, hackers will seek out more profitable channels of attack, such as ransomware, that allows hackers to block access to key systems or data until the victim pays a ransom. If 2016 is any indication, we will see more of these types of attacks in 2017.

2. Hospitals Keep Paying

Hospitals are perfect ransomware targets. Patient care is highly dependent on information technology and they cannot risk the liability of negative outcomes as the result of critical systems being unavailable. So, there’s a high likelihood that a hospital will pay the ransom, despite the fact there’s no guarantee they’ll gain access back to their systems. Although the industry is making progress on preventing ransomware attacks, as long as hospitals continue to pay, hackers will keep attempting it.

3. The Real Stakes

The risk posed by medical device vulnerabilities is unsettling. Thankfully, there have not been any reports of patient harm due to hackers altering dosage parameters or masking medical alerts – but the threat is real and it only takes one successful attempt to endanger a life (or many). Given the risk and the abundance of malevolent actors, this is more likely to happen in 2017.

4. On Cloud Nine

Healthcare organizations, like many other industries, are beginning to adopt cloud-based infrastructures. Unfortunately, storing data in the cloud is not secure by itself. Similar to traditional data centers, security systems and policies need to be put in place to protect cloud-based data and applications. Since cyber criminals focus on opportunity and profit, we can expect to hear more data thefts involving the cloud and the $3.73 billion in 2016 healthcare spending on cloud services to keep increasing.

5. Data Encryption Matters

Today, there are still healthcare providers that allow unencrypted patient data to be stored on laptops and mobile devices. In 2017, we expect more healthcare organizations will adopt stricter data encryption policies based on PHI disclosures and fear of what could happen with a stolen laptop. The Ponemon Institute found “identity management” to be the number one security strategy deemed most effective in 2016, but until all organizations adopt these policies, these types of disclosures and breaches coming from a stolen laptop or mobile device are inevitable.

Healthcare organizations continue to be a prime target for hackers; if they’re not prepared, they could be very susceptible to attacks. Hospitals and healthcare organizations must remain vigilant and be aware of the threats to their environment.

If you don’t have the internal resources to manage this and are looking for a partner who can help you keep your networks and patients safe, contact us to learn how we can help address these issues.



Medical devices growing concern in healthcare IT security

Practically every hospital and healthcare institution invariably depends upon medical devices. These devices produce a sizable amount of data and, despite the fact that very little of this data is retained for any longitudinal patient benefit, the data must be safeguarded per federal requirements. Proficio’s security engineers have worked with a number of healthcare IT security teams and have on several occasions discovered malicious software within medical devices exposing the network to international threats.

Medical devices are driving significant advances in medical research, clinical diagnostics and operational efficiencies; however, they remain particularly vulnerable because of the unique hardware and software systems they depend on. Medical devices cannot simply be individually firewalled or easily monitored, yet they remain vital components in our healthcare system.

A recent security risk assessment of a mid-size research hospital discovered more than 5,000 devices, most of which required network connectivity to transmit imaging and diagnostic results to a downstream piece of software. Proficio has found an incredible variety of device types, most of which are susceptible to malware. Most concerning are the life-support devices not simply monitoring patient health but actually providing vital respiratory, circulatory and pulmonary life support.

For IT security practitioners, medical devices can be a challenge. Unclear regulatory governance and unique technological requirements have led to the use of outdated operating systems that run applications with little or no software security, which has made them easy targets for malware or even proxies for advanced threats. Clearly these devices are connected to the hospital’s network and core IT infrastructure, yet most hospitals we have assessed do not believe they are a threat. In reality, these devices can and do contain malware capable of crippling a hospital’s network. Security holes such as poorly secured wireless access points, unprotected staff consoles or publicly available network ports could all be easily exploited by an amateur attacker with simple rudimentary pen testing tools. Considering the ramifications of even a minor breach, hospitals cannot continue to ignore the threats posed by outdated or unpatched medical devices. Information has always been the backbone of the medical industry, and the sad truth is that it is only a matter of time before a cyber-attack leads directly to human casualties.

In our next blog, we’ll discuss some key steps hospitals can take to protect themselves and their patients from malicious actors.

Anthem Inc. Data Breach – Healthcare Increasingly Target of Hackers

On January 27th, Anthem discovered that the login information for database administrators had been compromised. The investigation is ongoing, but the data breach could affect up to 80 million Anthem customers.

Information stolen includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information, plus some income data. The attack also affected Anthem’s subsidiary companies such as Amerigroup, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Caremore, Unicare, Healthlink, and DeCare.

This attack may be the largest cyber attack in the healthcare industry. Last year’s intrusion at Community Health Systems (CHS) involved the records of 4.5 million consumers. According to statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services, there have been 740 major healthcare breaches over the last five years.

Why are Hackers Increasingly Targeting Healthcare?

Explanations for the increase in the size and magnitude of cyber attacks in the healthcare industry include the following:

1. Medical records are more valuable to cyber criminals. Experts say medical records are 10X more valuable than credit cards because they can be used for medical fraud, identity theft and false tax return filings.

2. Healthcare organizations lack the resources and systems to defend their data from attackers. Compared to financial services and energy companies, healthcare organizations are considered soft targets.

3. Chinese state sponsored cyber terrorists may be behind recent security breaches. The goal of these groups is broader than financial benefit and may include stealing medical research or using the data for espionage.

Anatomy of Targeted Attacks

Hackers have hundreds of ways to create and execute data-stealing attacks. Advanced Persistent Threats are commonly classified in multiple stages or kill chains. These usually start with planning and reconnaissance, continue with techniques like spear phishing, credential dumping, and the use of remote administration tools to move laterally through the network, and end with data exfiltration.

Questions to Test Your Readiness to Respond to a Targeted Attack

1. Are you monitoring critical and suspicious security events on a 24×7 basis?

It may be obvious, but US business hours are the least likely time zone for Chinese hackers to work. Many organizations have invested in advanced security products such as database firewalls or next-generation malware detection software, but unless the alerts from these systems are monitored, correlated, investigated and quickly remediated, the risk of a data breach is much higher.

2. Have you developed advanced SIEM Use Cases to identify hacking approaches like credential dumping and lateral propagation?

If your SIEM system or service provider relies on base content and its rules are not constantly updated, the chance of identifying a targeted attack is low.

3. Are you using advanced cross-device correlation and pattern discovery techniques in conjunction with threat intelligence data to identify suspicious behavior?

Accurate prioritization of alerts helps identify real threats and minimizes time wasted chasing false positives.

4. Do high priority security alerts trigger automated responses like blocking traffic to or from an IP address?

24×7 active defense can block known abusive attackers and off-load operations teams to focus on critical issues.

5. Are you retaining your security logs for 12 months?

Effective forensic analysis often requires more than 90 days of log data.
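Questions 1 to 3 above describe a SIEM use case in words: credential dumping followed by lateral propagation, detected by correlating events from different devices and prioritized with threat intelligence and time-of-day context. The following is an added example written for this article, not Proficio’s detection content and not any SIEM product’s rule language. The event schema, host names, account names, the threat-intelligence IP and the business-hours assumption are all constructed.

```python
"""Added example (not Proficio's or any SIEM vendor's rule): cross-device
correlation of an EDR credential-access event with later network logons,
enriched with a threat-intel indicator and off-hours context for priority."""
from datetime import datetime, timedelta

# Constructed threat-intelligence feed: IPs a hunting team flagged elsewhere.
THREAT_INTEL_IPS = {"203.0.113.45"}

LATERAL_WINDOW = timedelta(hours=1)   # remote logons counted after the dump
TI_LOOKBACK = timedelta(hours=24)     # inbound TI hits counted before it
MIN_DISTINCT_TARGETS = 3              # distinct hosts before we call it lateral movement
BUSINESS_HOURS = range(8, 18)         # assumed local 08:00-18:00; timestamps are local time


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(events):
    """Return one prioritized alert per credential-access event that is followed,
    within LATERAL_WINDOW, by network logons from that host to enough targets."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for e in events:
        if e["source"] != "edr" or e["type"] != "credential_access":
            continue
        t0, host = parse_ts(e["ts"]), e["host"]
        # Network (type 3) logons that originate from the suspect host afterwards.
        targets = {
            x["host"] for x in events
            if x["source"] == "winlog" and x["type"] == "logon"
            and x.get("logon_type") == 3 and x["src_host"] == host
            and t0 < parse_ts(x["ts"]) <= t0 + LATERAL_WINDOW
        }
        if len(targets) < MIN_DISTINCT_TARGETS:
            continue  # a lone credential-access alert is left for triage, not escalated
        priority, factors = 50, ["credential_access_then_lateral_logons"]
        # Threat-intel enrichment: did a known-bad IP reach this host shortly before?
        ti_hits = {
            x["src_ip"] for x in events
            if x["source"] == "firewall" and x.get("dst_host") == host
            and x["src_ip"] in THREAT_INTEL_IPS
            and t0 - TI_LOOKBACK <= parse_ts(x["ts"]) <= t0
        }
        if ti_hits:
            priority += 30
            factors.append("threat_intel_match")
        # Activity outside business hours on an admin workstation raises priority.
        if t0.hour not in BUSINESS_HOURS:
            priority += 20
            factors.append("off_hours")
        alerts.append({"host": host, "user": e["user"], "targets": sorted(targets),
                       "ti_ips": sorted(ti_hits), "priority": min(priority, 100),
                       "factors": factors})
    return sorted(alerts, key=lambda a: -a["priority"])


# Constructed events from three sources: firewall, EDR and Windows logon logs.
SAMPLE_EVENTS = [
    {"ts": "2015-02-01T02:10:00", "source": "firewall", "type": "inbound_allow",
     "src_ip": "203.0.113.45", "dst_host": "ws-admin-04"},
    {"ts": "2015-02-01T02:12:30", "source": "edr", "type": "credential_access",
     "host": "ws-admin-04", "user": "jsmith"},
    {"ts": "2015-02-01T02:20:00", "source": "winlog", "type": "logon", "logon_type": 3,
     "src_host": "ws-admin-04", "host": "db-members-01", "user": "dbadmin"},
    {"ts": "2015-02-01T02:24:00", "source": "winlog", "type": "logon", "logon_type": 3,
     "src_host": "ws-admin-04", "host": "db-members-02", "user": "dbadmin"},
    {"ts": "2015-02-01T02:31:00", "source": "winlog", "type": "logon", "logon_type": 3,
     "src_host": "ws-admin-04", "host": "db-members-03", "user": "dbadmin"},
    # A benign-looking case: credential access with a single follow-on logon.
    {"ts": "2015-02-01T14:00:00", "source": "edr", "type": "credential_access",
     "host": "ws-hr-09", "user": "pwong"},
    {"ts": "2015-02-01T14:05:00", "source": "winlog", "type": "logon", "logon_type": 3,
     "src_host": "ws-hr-09", "host": "fileshare-01", "user": "pwong"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"P{a['priority']:>3} {a['host']} -> {a['targets']} factors={a['factors']}")
```

On the constructed events only ws-admin-04 produces an alert: three distinct database hosts reached within the hour after the credential-access event, preceded by an inbound connection from the threat-intel IP, at two in the morning, which puts it at the top priority. The ws-hr-09 event has one follow-on logon and is deliberately not escalated, which is the point of correlating rather than alerting on every single-source event: fewer false positives to chase, and the cases that do surface are the ones worth an analyst’s time.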

Proficio provides advanced cloud-based cyber security services and data breach prevention solutions to many healthcare organizations.

Pharmacy Quality Solutions Shares Why Their Business Chose Proficio

Pharmacy Quality Solutions, the leading provider of performance management services, talks about why they partnered with Proficio to strengthen their security posture.