In this second in the series of blogs on cybersecurity, Steve Matheson, Product Manager for BridgeHead’s RAPid™ Data Protection solutions, explores what makes healthcare organizations prime targets for cyber intrusions, explains the difference between ‘attack surfaces’ and ‘attack vectors’, and offers some practical tips for cyberattack prevention.

What makes hospitals prone to cyberattacks?

I am asked by many hospital executives across the business and clinical domain, “What makes healthcare providers prone to cyberattacks?” What they hope is that I will be able to provide them some new insight that the other 30 people through the door before me couldn’t. I can’t. It’s the digital profile of a hospital, clinic, or physician’s practice that makes healthcare, in general, such an attractive target.

One of the main reasons healthcare is a primary focus for cybercriminals is the vast amount of personal information it manages across a mix of old and new clinical and business systems. Older applications persist because the data they hold must be retained to meet compliance and regulatory requirements, even after newer systems are introduced. These legacy applications create a fertile hunting ground for cyberattacks, especially given some of the enabling behaviors that are more prevalent in the healthcare sector.

Workforce reductions: a ticking time bomb for cyberattacks

When it comes to cybersecurity, no hospital CFO or CEO wants to hear what I think is the ‘number one’ issue, namely that workforce reductions significantly increase vulnerability to cyberattacks. Cybercriminals are constantly looking for disruptions they can capitalize on, so when they get wind of healthcare providers undergoing mergers, workforce reductions, or major IT staff outsourcing, it creates an environment ripe for exploitation. Attackers thrive on chaos, especially chaos that predates their arrival.

Don’t underestimate the value of staff for cybersecurity. Nursing and in-house IT staff are usually the first to notice anomalies in digital systems or processes. Their intimate knowledge of daily operations makes them invaluable assets in the fight against cyber threats, so any disruption to staffing can have significant negative impacts.

And then there’s outsourcing. I understand that the business of providing healthcare means generating a profit. Therefore, if you must outsource IT services, ensure your vendors have a proven track record in managing healthcare applications as opposed to just generic tech knowledge. Ultimately, your first line of defense should be a combination of healthcare industry expertise, application-specific knowledge, and predictive and remedial security technologies.

The double-edged sword of technology upgrades

Another security vulnerability stems from public announcements made about the introduction of new clinical applications in a facility. Cybercriminals are far from naive; they play the long game. When a hospital announces a new electronic patient record system, for example, it signals the replacement of one or more older systems. You can almost see the cybercriminals rubbing their hands together in glee at the prospect of another victim.

Fast forward 18 months and the hospital’s focus is likely on the new system. This shift often leads to older, legacy systems receiving less attention, even though they still require continued patching and maintenance to stay secure. I can tell you from experience that one of the myths many hospitals believe is that because the business and clinical staff have essentially cut day-to-day operational ties with the older application, it can now happily sit unattended in the corner.

This belief is costly. While the provider organization and IT department have shifted their focus to the implementation and operation of the new application, in the background cybercriminals are trying to infiltrate the neglected legacy system. According to a recent article I read, intruders have maintained quiet access to some US production infrastructure systems, observing activity and processes, for at least five years before being discovered. This raises the question: how long ago could a bad guy have penetrated your non-production legacy systems?

Decoding cybersecurity: understanding attack surfaces and attack vectors

In the realm of cybersecurity, terms like ‘attack surfaces’ and ‘attack vectors’ often float around. But what do these terms mean to you and your organization?

An ‘attack surface’ (you will also hear ‘threat surface’) is the sum of all the points in your IT estate at which an attacker could attempt to get in or get data out: every exposed login page and interface, every account that can authenticate, every network service, and the hardware and software behind them. An ‘attack vector’, by contrast, is a specific path, method, or scenario an attacker uses to reach one of those points and compromise the system.

A quick example separates the two. A legacy application, together with its login page and the accounts that can authenticate to it, is part of your attack surface. Phishing one of those users for their password, or replaying a password they reused from a breached site, is an attack vector against that login. It follows that the more infrastructure (hardware and software) you own, and the more accounts that can log in to it, the larger your attack surface becomes and the more vectors an attacker has to choose from.

However, this doesn’t suggest that you should own less IT infrastructure for its own sake. Instead, it’s crucial to evaluate and, where possible, reduce the avenues of attack within your IT environment, starting with the number of separate end-user logins and the service accounts behind them, because every login you no longer need is a vector you are still maintaining for an attacker.

I read a great report recently: CyberArk’s 2023 Identity Security Threat Landscape Report. It reveals some startling statistics from their global survey. A couple of results that particularly caught my attention were:

  • There are 45 machine identities for every human identity
  • Organizations use an average of 75 SaaS applications per day.

Wow! Both numbers bear directly on your attack surface. Machine identities are not your staff’s logins; they are the service accounts, API keys, certificates, and integration credentials that applications use to talk to each other and to the data they hold, and each of them is a credential that can be leaked, abused, or simply forgotten when the system it served is retired. The SaaS figure is the human side of the same problem: your staff authenticate to dozens of separate applications every day, each one a login that can be targeted.

If you want to cut down on logins, start with an inventory of your legacy application portfolio. It won’t just cut down on logins: the fewer legacy applications you keep, the smaller the overall attack surface. As you are reading this, you are probably saying, “That sounds easier said than done!” You are right, it takes work. But it’s work that offers significant benefits.

A practical four-step process to reduce your attack surface

I would advise a relatively straightforward exercise to help you identify and reduce the attack surface in your healthcare organization:

Step #1

Identify all of the ‘in the corner’ legacy applications you have been ignoring

Step #2

For each application, determine who is logging in, both human users and service accounts. Your Single Sign-On (SSO) system’s sign-in logs can provide this information for accounts that authenticate through it; local accounts configured directly on the legacy application will not appear there and need to be checked on the application itself.

Step #3

Have a dialogue with these users to understand their reason for logging in and the data they access

Step #4

Evaluate the possibility of consolidating data from these applications into a single, interoperable, secure, Cloud-ready Clinical Data Repository.
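As an added example (not code from the original post, and not a BridgeHead tool), here is a script that does the legwork for Steps #1 to #3 against an SSO sign-in export: for each application it lists the distinct human users and machine identities that have authenticated successfully, records the last human login, counts failed attempts, and flags applications that look like the neglected ‘in the corner’ systems described above. The export layout (one JSON object per line with `ts`, `app`, `principal`, `type` and `result` fields) is hypothetical and the events are constructed; a real identity provider’s export uses different field names, so `parse_events` is the part you would adapt.

```python
"""Audit SSO sign-in events to find neglected legacy applications.

Added example, not code from the original post or from BridgeHead.
The export format below is a hypothetical one-object-per-line layout;
real identity-provider exports (Entra ID, Okta, ...) use other field names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data): one JSON object per line.
SAMPLE_EXPORT = """\
{"ts": "2024-03-01T08:12:00Z", "app": "LegacyPACS", "principal": "jdoe", "type": "user", "result": "success"}
{"ts": "2024-03-02T09:30:00Z", "app": "LegacyPACS", "principal": "svc-pacs-export", "type": "service", "result": "success"}
{"ts": "2024-05-20T07:05:00Z", "app": "LegacyPACS", "principal": "svc-pacs-export", "type": "service", "result": "success"}
{"ts": "2024-05-21T10:45:00Z", "app": "NewEHR", "principal": "jdoe", "type": "user", "result": "success"}
{"ts": "2024-05-21T11:00:00Z", "app": "NewEHR", "principal": "asmith", "type": "user", "result": "success"}
{"ts": "2024-05-22T03:14:00Z", "app": "OldLabSystem", "principal": "admin", "type": "user", "result": "failure"}
{"ts": "2024-05-22T03:14:05Z", "app": "OldLabSystem", "principal": "admin", "type": "user", "result": "failure"}
{"ts": "2024-05-22T03:14:09Z", "app": "OldLabSystem", "principal": "admin", "type": "user", "result": "failure"}
"""


def parse_events(text):
    """Parse the hypothetical export into dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def summarize(events, now, stale_days=90):
    """Per application: who logs in, when a human last did, and what looks neglected."""
    apps = defaultdict(lambda: {"users": set(), "machines": set(),
                                "last_human": None, "last_machine": None,
                                "failures": 0})
    for e in events:
        a = apps[e["app"]]
        if e["result"] != "success":
            a["failures"] += 1          # failed attempts are still worth seeing
            continue
        if e["type"] == "user":
            a["users"].add(e["principal"])
            if a["last_human"] is None or e["ts"] > a["last_human"]:
                a["last_human"] = e["ts"]
        else:
            a["machines"].add(e["principal"])
            if a["last_machine"] is None or e["ts"] > a["last_machine"]:
                a["last_machine"] = e["ts"]

    cutoff = now - timedelta(days=stale_days)
    report = {}
    for app, a in sorted(apps.items()):
        flags = []
        human_idle = a["last_human"] is None or a["last_human"] < cutoff
        machine_recent = a["last_machine"] is not None and a["last_machine"] >= cutoff
        if human_idle:
            flags.append(f"no human login in {stale_days} days")
        if human_idle and machine_recent:
            # Nobody uses it, but a service account still can: a login kept alive for no one.
            flags.append("machine identities still active")
        if a["failures"] and not a["users"] and not a["machines"]:
            # Only failed attempts: either a dead app or someone guessing at it.
            flags.append(f"failed logins only ({a['failures']})")
        report[app] = {
            "users": sorted(a["users"]),
            "machines": sorted(a["machines"]),
            "last_human": a["last_human"].isoformat() if a["last_human"] else None,
            "failures": a["failures"],
            "flags": flags,
        }
    return report


def run_sample(now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Run the audit over the constructed export with a fixed 'now' for repeatability."""
    return summarize(parse_events(SAMPLE_EXPORT), now)


if __name__ == "__main__":
    for app, row in run_sample().items():
        print(app, row["users"], row["machines"], row["last_human"], row["flags"])
```

Each flagged application becomes a question for Step #3: who still needs it, what data do they pull from it, and why is a service account still logging in when no person has. The 90-day window is a starting point, not a rule; pick a period that matches how your clinicians actually use historical records.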

By following these steps, you can reduce the number of logins (removing attack vectors) and maintain less software and hardware infrastructure (shrinking the attack surface), all while increasing ROI and, ultimately, saving costs. Moreover, a consolidated repository could serve as an auxiliary information source during unplanned downtimes for clinical continuity (more about that in my next blog).

So, are you ready to take control of your attack surface and attack vectors? Remember, understanding and managing these aspects is not just about maintaining security; it’s about optimizing your systems for efficiency and reliability.

Final thoughts

The business of healthcare is indeed a balance between providing quality services and maintaining profitability. However, in this digital age, we must prioritize data security alongside these objectives. After all, what good is a profitable business if its ‘Achilles Heel’ lies in its vulnerable data management systems?



Steve Matheson is BridgeHead Software’s Product Manager for its RAPid™ Data Protection solutions.


Steve has previously held leadership roles in high profile organizations focused on data management and data protection, with global experience covering both hardware and software. These include Vice President of Channel Sales for CommVault, Vice President of Sales at Cambridge Computer Systems, and Senior Director of Channel Sales at EMC.
