
Patch management advice for remediating IoT vulnerabilities



While healthcare organizations depend on networked devices to care for patients and improve healthcare delivery, cybercriminals have made them a vital starting point for attacks, and these organizations remain unprepared for the scope of cyber threats.

We asked Tyler Reguly, senior director of security research and development at Fortra, how healthcare IT can improve device management and address security vulnerabilities in Internet of Things devices, and about mobile device management approaches, security frameworks, and his advice on leveraging artificial intelligence tools for security.

Secure the entrance of the healthcare facility

Endpoint detection evasion, automated vulnerability information gathering, and sophisticated social engineering are just a few of the newer weapons fueling the growth of cyber threats to healthcare organizations and their vast networks.

Beyond the limits of cyber resources, the readiness challenge for healthcare IT teams lies in keeping up with the evolution of vulnerabilities that cybercriminals will discover as potential attack vectors to gain access into systems they want to sabotage or protected health data they want to steal, especially with IoT devices.

To stay ahead of the need for patching, organizations must implement a robust vulnerability management program to deny the advantage to larger threat actors, such as nation-states, said Tyler Reguly, senior director of security research and development at Fortra.

Because medical device software quickly becomes outdated, security experts at the HIMSS24 Healthcare Cybersecurity Forum last month advised patching this type of IoT device during scheduled maintenance.

However, according to Reguly, delays in patching, regardless of the reason, expose healthcare organizations to the risk that cybercriminals can explore these avenues to find vectors of compromise, making segmentation important.

He also said that when it comes to healthcare, he is concerned about the connectivity of a complex array of devices – including mobile devices – and widespread access to electronic health records.

“Too many people carry around tablets and phones to access a lot of health data,” Reguly, who is also the creator of IoT Hack Lab, said in the following Q&A with Healthcare IT News.

Q. There are several frameworks that healthcare organizations can use to prepare for and prevent security misconfigurations and cybersecurity risks. What are the most important actions hospitals can take to address improperly configured security settings?

A. I find that the number of frameworks, standards and policies for any given industry can be overwhelming. Although there is a lot of valuable advice in these materials, there may still be conflicting or confusing information. Hospitals should focus on the basics.

There may be industry-specific standards to adhere to, but standards like the CIS Benchmark are a great starting point. The CIS benchmark is simple – easy to do. They are also public and built on consensus, so you can watch the process and even participate.

At the end of the process, you may not be compliant with specific industry standards, but you’ll know that you’re on solid ground and that the most dangerous misconfigurations have been resolved. Then you’ll be able to stop and take a breath before tackling the more complex standards your organization is required to implement.

Q. Every year, the number of network-connected devices facing healthcare systems grows larger, and threat actors are always coming up with new durable weapons to attack them. What are your top concerns today regarding IoT device security vulnerabilities?

A. I have two concerns when thinking about the health care system and the interconnections between the systems involved. The first concerns the variety and complexity of the equipment involved.

With more and more medical devices being connected to the network, you will have more lateral movement risks and additional methods for network stability. A lot of this equipment is expensive, specialized, and sometimes even limited when purchased. This means there are not many labs to test this device and not many researchers are exploring this device.

It also means that larger threat actors, like nation-states, have the advantage here.

They could ask their researchers to find new vulnerabilities in this device and take advantage of the fact that not as many people are looking at networked MRIs as there are, for example, working on Windows vulnerabilities. This is where network segmentation is important, and large, flat networks can greatly increase risk.

My second concern is electronic health records.

Too many people walk around with tablets and phones that have access to a wealth of health data. If you do not ensure adequate security and protection for these devices, there is a huge possibility of data leakage.

While this software may be easier to obtain than medical hardware, it is still not the easiest or cheapest to get into the hands of researchers, leaving well-funded threat actors to have the upper hand with these devices as well.

Tracking these devices and locking them down is critical in healthcare environments. The thought of someone reading my blood having an effect, then opening an app store and downloading a game to play made me extremely nervous.

Q. After a quieter first quarter, Microsoft CVEs are on the rise again. How do you see the coming months playing out and what advice can you give organizations to keep up with these patches?

A. Microsoft vulnerabilities always seem to appear in waves, with peaks and troughs.

This month saw a spike in the number of vulnerabilities due to some applications having a large number of associated vulnerabilities. It’s hard to prepare for these, but since Microsoft is so kind when it comes to scheduling updates, organizations should keep their calendars clear.

If your security team doesn’t have a second Tuesday of the month to review updates and prioritize them, that’s an important change to make.

Additionally, a robust asset inventory and asset management system is key.

April Patch Tuesday revealed more than 30 CVEs that could be eliminated simply by knowing that there are no Microsoft SQL Server instances deployed in your environment. These two techniques, combined with a robust vulnerability management program, will help organizations overcome the patching crisis we are facing today.

Q. Healthcare providers are vulnerable to man-in-the-middle attacks, where cyber attackers can exploit real-time chats and other protected data. With the rise of remote work and WiFi network usage, how can vendors that rely on mobile access and BYOD devices detect and eliminate MITM attacks that can lead to data breaches?

A. The actual level of protection depends on the provider. I was once in a situation where all my devices, despite being BYOD, were controlled by my employer and they had all the management policies implemented.

I was also given a hardware VPN endpoint and had to plug my devices into it to connect to the internal network. Today, these actions may be frowned upon by employees, but they are actions that can be taken in a safe environment.

I think the important point is to operate from a position of zero trust.

Limit what your remote workers have access to, limit what is shown to externally connected users to only the data they require, and leverage multi-factor authentication everywhere.

I’ve mentioned this before, but network segmentation is actually an important security control that can be useful in many situations.

Q. Artificial intelligence can enable society to automate tasks and improve performance. How can AI help organizations keep up with evolving vulnerabilities?

A. At this time, I don’t think individual organizations should rely on this technology internally.

While a well-equipped and well-funded security team may have investigative capabilities using AI internally, these technologies are still in their infancy. Instead, organizations should continue to leverage cybersecurity vendors and experts to stay current. I suspect those organizations are leveraging AI in various ways to expand their capabilities, but that should be left to your various service providers for now.

Going forward, once technology is further streamlined and simplified, there will be plenty of opportunities for organizations to put it to use. Currently, the occasional question to ChatGPT to provide clarity on a topic is more than enough for employees in most organizations.

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
