How to go beyond check-the-boxes approaches to strengthen vendor security
Cybersecurity has become a top concern for healthcare organizations (HCOs) because of the explosion in electronic information and the growing frequency and cost of cyberattacks. A recent report found that nearly all executives surveyed (96%) consider cybersecurity resilience a top priority, while nearly two thirds (62%) had a data security event in the past 24 months that affected operations. The healthcare industry is one of the top targets of ransomware, and the average cost of a healthcare breach is $10.1 million.
Four cybersecurity threats pose the greatest risk to patient information and healthcare data today: phishing, ransomware, data breaches, and distributed denial-of-service (DDoS) attacks, in which a server or network is flooded with traffic to disrupt its normal function.
As these threats have become more frequent and costly, forward-thinking HCOs must build multiple layers of protection. Nathan Riske, Harris Computer’s VP of Research and Development, compares cybersecurity to keeping your house secure. “The key to a good security strategy is adding different layers to protect yourself from multiple angles. Closing and locking all the doors and windows is a great first step, but then you may want to have a dog or a security system alarm or perhaps even a weapon in the nightstand.”
“Our environment—the worldwide web, the security landscape—is changing far more quickly than it has in the past,” Riske adds. “We’ve got more bad actors with more sophisticated strategies. The news is filled with reports of ransomware attacks and people’s data being held hostage and this potentially impacts patient safety.”
Healthcare organizations are especially exposed because they hold sensitive patient data and employ large numbers of staff and contractors, and their reliance on many outside vendors widens the attack surface further. Ingenious Med recommends verifying that every healthcare vendor takes the following four steps to protect your health system, hospital, or medical practice.
Step 1: Implement rigorous healthcare cybersecurity education and training programs
Given that about 9 in 10 cyberattacks start with a phishing email, take the essential first step of ensuring that both your healthcare organization and your healthcare vendor have robust training programs for all staff.
As Riske notes, “A lot of unwanted access comes through someone in the organization who clicked a bad link; I strongly recommend you start with education and training for your entire staff as well as ensuring your vendors are conducting similarly rigorous cybersecurity training programs. Ingenious Med has very specific training for programmers to avoid potential missteps as we develop our software, but our company also has rigorous security and awareness training for all staff, which is essential for any organization.”
He adds, “Bad actors are getting more and more adept at making their phishing emails look legitimate by using social engineering to research members of your team on social media sites. Having a good security awareness program is essential to prevent them from accessing your computer and ultimately the network.”
Gary Locke, Security Architect at Ingenious Med, recommends checking that your vendor follows the guidance published by the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve software security. Its Top 10 list of web application risks and its Application Security Verification Standard (ASVS) are the documents a vendor can most concretely show compliance with.
He explains, “Not only does Ingenious Med have technical controls in place as a defense-in-depth type of posture, but we also have intensive training in place. Our development team and our app team are fully compliant with the standards of OWASP, which has developed best practices for securely developing software.”
Step 2: Ensure your healthcare vendor employs both static and dynamic analysis tools
Your healthcare vendors should use both static and dynamic analysis tools when developing and updating their software. Static analysis tools (SAST) examine source code or compiled binaries as they exist on disk, without executing the program, so flaws in coding logic and unsafe constructs can be found early, before the code ever runs. Because a static scan needs no running environment, it is fast and inexpensive enough to run on every commit or build.
Dynamic analysis tools (DAST) test the software while it is running: they send requests to the deployed application and watch how it responds, to find vulnerabilities that only appear at run time. They are slower and costlier to operate, but they are the only way to catch problems outside the code itself, such as a server configured with weak TLS ciphers, a misconfigured deployment, or behavior that emerges only once the components are wired together.
Locke explains, “Ensure that your vendor is taking both preventive and reactive steps to prevent cyberattacks. Our development team and our app team do a great job of ensuring our software is developed securely. They seek to prevent pitfalls such as an SQL injection, a common hacking technique in which malicious code is inserted to gain access to private or sensitive information, and other ways that bad actors attempt to penetrate and impact the system.”
Riske adds, “Ingenious Med runs static analysis tools 24/7/365 to continually examine our code for any potential openings. We also use dynamic tools, which are tools that hit our website on a regular basis and look for holes in a real run-time scenario.”
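The following is an added example, not Ingenious Med's code, showing the three things Step 2 talks about in one runnable file: the SQL injection flaw Locke describes beside its parameterized fix, a small static check that finds the flaw by reading the source without executing it, and a dynamic probe that confirms it by running the code with an attack payload. The patient table, clinician names and probe string are constructed sample data; the `static_scan` heuristic (flag `execute()` calls whose SQL text was assembled at run time) is a deliberately minimal stand-in for a real SAST tool.

```python
"""Added example, not Ingenious Med's code: one SQL injection flaw beside its
parameterized fix, a small static check that finds the flaw by reading the
source, and a dynamic probe that confirms it by running the code. The patient
table and the probe string are constructed sample data."""
import ast
import inspect
import sqlite3


def connect() -> sqlite3.Connection:
    """In-memory patient table (constructed data) so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE patient (mrn TEXT, name TEXT, clinician TEXT)")
    con.executemany("INSERT INTO patient VALUES (?, ?, ?)", [
        ("1001", "A. Patient", "dr_smith"),
        ("1002", "B. Patient", "dr_smith"),
        ("1003", "C. Patient", "dr_jones"),
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, clinician: str) -> list[str]:
    """Flawed: caller input is spliced into the SQL text and can change the query's meaning."""
    query = f"SELECT mrn FROM patient WHERE clinician = '{clinician}' ORDER BY mrn"
    return [row[0] for row in con.execute(query)]


def lookup_safe(con: sqlite3.Connection, clinician: str) -> list[str]:
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    query = "SELECT mrn FROM patient WHERE clinician = ? ORDER BY mrn"
    return [row[0] for row in con.execute(query, (clinician,))]


# ---- static analysis: read the source, never run it -------------------------

def _builds_string_at_runtime(node: ast.AST) -> bool:
    """f-strings, 'a' + b, 'a' % b and 'a'.format(b) all assemble text from pieces."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def static_scan(source: str) -> list[int]:
    """Line numbers (relative to `source`) of execute()/executemany() calls whose
    SQL text was assembled at run time, either inline or via a local variable."""
    findings: list[int] = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        # first pass: local names assigned from a dynamically built string
        tainted = {
            target.id
            for node in ast.walk(func)
            if isinstance(node, ast.Assign) and _builds_string_at_runtime(node.value)
            for target in node.targets
            if isinstance(target, ast.Name)
        }
        # second pass: execute calls fed by such text
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany") and node.args):
                sql = node.args[0]
                if _builds_string_at_runtime(sql) or (isinstance(sql, ast.Name) and sql.id in tainted):
                    findings.append(node.lineno)
    return findings


def scan_reviewed_functions() -> dict[str, list[int]]:
    """Run the static scanner over the two lookups' own source text."""
    return {f.__name__: static_scan(inspect.getsource(f)) for f in (lookup_vulnerable, lookup_safe)}


# ---- dynamic analysis: exercise the running code ---------------------------

INJECTION_PAYLOAD = "nobody' OR '1'='1"   # constructed probe; no clinician has this name


def dynamic_probe(lookup) -> list[str]:
    """Send the probe to the running function. Correct code returns no rows;
    returning every MRN means the input rewrote the query."""
    return lookup(connect(), INJECTION_PAYLOAD)


if __name__ == "__main__":
    print(scan_reviewed_functions())
    print(dynamic_probe(lookup_vulnerable))
    print(dynamic_probe(lookup_safe))
```

The two techniques find the same bug from opposite directions: the static scan reports the `execute(query)` line in `lookup_vulnerable` and nothing in `lookup_safe` before any code runs, while the dynamic probe returns every patient's MRN from the flawed function and an empty list from the fixed one. Neither alone is sufficient, which is the point of asking a vendor for both.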
Step 3: Ensure healthcare vendors use sophisticated intrusion prevention and detection systems
Ingenious Med uses, and recommends that all your healthcare vendors use, intrusion detection and intrusion prevention systems (IDS and IPS). An IDS watches network or host activity and raises an alert on unusual or potentially malicious behavior; an IPS sits inline and can block that traffic as it happens. Examples of what they look for are software that tries to read credentials from a central directory, or a host that is communicating with a known-suspect IP address.
Ingenious Med uses unified threat management (UTM) at the firewall level. Locke explains, “In addition to running rule-based security, so server A can talk to server B on a specific port, we’re also doing IDS/IPS over that and application tracking. If someone tries to create an attack on port 1433 and it’s not using SQL, we’ll know they’re not using the actual application, and, for example, are instead trying to open an encrypted shell through that port. We can then do application blocking at that point.”
Also check whether your vendor uses identity and access management (IAM) controls. Locke explains, “As you start talking about role-based access, make sure your organization is adhering to the ‘principle of least privilege’ to avoid access creep. That means that employees get the minimal amount of access or permissions needed to do their job.”
Locke adds, “So, you can utilize the firewall in many ways and because it’s on the perimeter, it gives you a first layer of defense. The firewall is a very integral part of our security at Ingenious Med.”
“Ultimately these types of tools inspect all web traffic before it hits our servers—to check it for any obvious issues,” Riske contributes. “For example, we use locale blockers (geoblocking) to prevent all traffic from certain countries, such as Russia, China, or Iran. That serves as our first line of defense, preventing this traffic from even getting to our server.”
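The following is an added example, not Ingenious Med's code, that turns the layered perimeter described in Step 3 into a small policy engine run over constructed flow records: geoblocking first, then the rule-based layer (host A may talk to host B on a given port), then application tracking that checks whether the bytes arriving on port 1433 are actually the SQL Server protocol (TDS) and blocks anything else, such as an SSH or TLS client tunnelling through the port. The host names, country list, rules and sample packets are assumptions made for the example; the fingerprints are deliberately simple compared with a real UTM's application signatures.

```python
"""Added example, not Ingenious Med's code: a miniature of the layered
firewall described in the text, run over constructed flow records. Host names,
countries, rules and packet bytes are assumptions for the example."""
from dataclasses import dataclass

BLOCKED_COUNTRIES = {"RU", "CN", "IR"}   # geoblocking layer, as in the text

# rule-based layer: (src_host, dst_host, dst_port) -> application allowed there
RULES = {
    ("app-01", "db-01", 1433): "tds",
    ("web-01", "app-01", 8443): "tls",
}


@dataclass(frozen=True)
class Flow:
    src_country: str
    src_host: str
    dst_host: str
    dst_port: int
    first_bytes: bytes   # start of the client's first payload as the firewall sees it


def tds_packet(packet_type: int, body: bytes) -> bytes:
    """Frame `body` in a TDS header: type, status (0x01 = end of message),
    big-endian total length, SPID, packet id, window."""
    return bytes([packet_type, 0x01]) + (8 + len(body)).to_bytes(2, "big") + b"\x00\x00\x01\x00" + body


def identify_app(payload: bytes) -> str:
    """Application tracking on first bytes. A classic SQL Server connection opens
    with a TDS PRELOGIN (0x12) or LOGIN7 (0x10) packet whose header length field
    matches the packet; an SSH client announces itself with a banner; a TLS
    client starts with a handshake record (0x16, version 0x03xx)."""
    if len(payload) >= 8 and payload[0] in (0x12, 0x10) and int.from_bytes(payload[2:4], "big") == len(payload):
        return "tds"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def decide(flow: Flow) -> tuple[str, str]:
    """Pass one flow through the three layers; return (verdict, reason)."""
    if flow.src_country in BLOCKED_COUNTRIES:                       # layer 1: geoblock
        return "DROP", f"geoblock: source country {flow.src_country}"
    expected = RULES.get((flow.src_host, flow.dst_host, flow.dst_port))
    if expected is None:                                            # layer 2: rule base
        return "DROP", f"no rule permits {flow.src_host} -> {flow.dst_host}:{flow.dst_port}"
    seen = identify_app(flow.first_bytes)                           # layer 3: app tracking
    if seen != expected:
        return "BLOCK", f"port {flow.dst_port} carries {seen}, rule expects {expected}"
    return "ALLOW", f"{expected} on {flow.dst_port}"


# constructed first-packet samples (the PRELOGIN body is illustrative bytes only)
PRELOGIN = tds_packet(0x12, b"\x00\x00\x08\x00\x06\xff" + b"\x0f\x00\x0c\x02\x00\x00")
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

SAMPLE_FLOWS = [
    Flow("US", "app-01", "db-01", 1433, PRELOGIN),            # legitimate database client
    Flow("US", "app-01", "db-01", 1433, SSH_BANNER),          # shell tunnelled over the SQL port
    Flow("US", "app-01", "db-01", 1433, TLS_CLIENT_HELLO),    # raw TLS, not TDS framing
    Flow("US", "web-01", "db-01", 1433, PRELOGIN),            # no rule for web tier -> database
    Flow("RU", "app-01", "db-01", 1433, PRELOGIN),            # dropped before any other check
]


def run_samples() -> list[str]:
    """Verdict for each sample flow, in order."""
    return [decide(f)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = decide(flow)
        print(f"{verdict:5} {flow.src_host}->{flow.dst_host}:{flow.dst_port}  {reason}")
```

One caveat on the third layer: TDS 7.x negotiates TLS inside the PRELOGIN exchange, so a raw TLS handshake on 1433 is not a classic SQL Server client, which is what the example assumes. TDS 8.0 (SQL Server 2022 in strict encryption mode) instead begins with a plain TLS handshake and identifies itself through the ALPN value, so a production signature for that deployment would have to inspect the ClientHello rather than reject TLS outright.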
Step 4: Ensure your healthcare vendors have appropriate security certifications
Finally, Riske and Locke recommend that potential buyers seek out solutions that have been through a third-party review, such as a manual penetration test or HITRUST or ISO/IEC 27001 certification, to validate that the security measures described above are in place and working as designed. Ask to see the certificate's scope and date and the penetration test's summary report: a certification that covers a different product or environment, or a test that is several years old, says little about the software you are actually buying.
Riske explains, “You can’t get those certifications without having strong tools and processes in place. Many companies have only a ‘check-the-box’ type of security program to make sure that they can pass a basic internal assessment. That’s not how we approach security at Ingenious Med, where we have carefully built layers and layers of security protection to minimize any risk of a cybersecurity attack for ourselves and our customers.”