Why healthcare in the cloud must move to zero trust cybersecurity

The healthcare industry has to take cybersecurity very seriously to protect patient data, comply with a mountain of regulations, and mitigate the risk of disruptions to care. Unfortunately, healthcare providers are also frequent, and often soft, targets for attackers. This article from VentureBeat discusses the need for the healthcare sector to transition to a zero trust cloud security model.


Healthcare providers must look beyond the cloud and adopt zero-trust security to succeed in fighting back against the onslaught of breaches their industry is experiencing.

Attackers often prey on security gaps in network servers, misconfigured cloud services, unprotected endpoints, and weak or non-existent identity management and privileged access controls. Stealing medical records, identities and privileged access credentials is a high priority for attackers targeting healthcare. On average, a breach costs a healthcare provider $10.1 million. A quarter of healthcare providers say a ransomware attack has forced them to stop operations completely.

Healthcare must build on cloud security with zero trust 

Forrester’s recent report, The State of Cloud in Healthcare, 2023, provides an insightful look at how healthcare providers are fast-tracking their cloud adoption with the hope of getting cybersecurity under control. Eighty-eight percent of global healthcare decision-makers have adopted public cloud platforms, and 59% are adopting Kubernetes to ensure higher availability for their core enterprise systems. On average, healthcare providers spend $9.5 million annually across all public cloud platforms they’ve integrated into their tech stacks. It’s proving effective — to a point.

What’s needed is for healthcare providers to double down on zero trust, first going all-in on identity and access management (IAM) and endpoint security. The most insightful part of the Forrester report is the evidence it provides that continuing developments from Amazon Web Services, Google Cloud Platform, Microsoft Azure and IBM Cloud are hitting the mark with healthcare providers. Their combined efforts to prove cloud platforms are more secure than legacy network servers are resonating.

That’s excellent news for the industry, as the latest data from the U.S. Department of Health and Human Services (HHS) Breach Portal shows that in the last 18 months alone, 458 healthcare providers have been breached through network servers, exposing over 69 million patient identities. 

The HHS portal shows that this digital pandemic has compromised 39.9 million patient identities in the first six months of 2023, harvested from 298 breaches. Of those, 229 resulted from successful hacking, 61 from unauthorized access/disclosure, and the remainder from theft of medical records. Business email compromise (BEC) and pretexting are responsible for 54 breaches since January, compromising 838,241 patients’ identities. 

Considered best-sellers on the Dark Web, patient medical records provide a wealth of data for attackers. Cybercrime gangs and globally organized advanced persistent threat (APT) groups steal, sell and use patient identities to create synthetic fraudulent identities. Attackers are getting up to $1,000 per record depending on how detailed the identity and medical data are.

Lessons from the 2023 Telesign Trust Index, which showed the increasing fragility of digital trust, must also be applied to healthcare.

Improving security motivates healthcare providers to adopt public cloud platforms, tempered by privacy concerns. The healthcare industry must aim higher and address high-risk threat vectors starting with endpoints and better identity, access and privileged access management. Source: Forrester, The State of Cloud in Healthcare, 2023

Turning weaknesses into strengths with zero trust 

Forrester concludes that healthcare providers are prime targets for attackers because they use outdated legacy technologies, especially when storing sensitive patient data. That weakness is magnified by the urgency of getting critical care to patients.

“Threat actors are increasingly targeting flaws in cyber-hygiene, including legacy vulnerability management processes,” Srinivas Mukkamala, chief product officer at Ivanti, told VentureBeat.

In fact, Ivanti’s Press Reset: A 2023 Cybersecurity Status Report found that all organizations are behind in protecting against ransomware, software vulnerabilities, API-related attacks and software supply chain attacks. Ivanti’s research results underscore why zero trust needs to become an urgent priority in all healthcare organizations, given that many lag behind peers in other industries on these core dimensions.   

Forrester observed that “CISOs may be reluctant to trust the public cloud, but outsourcing to a multitenant platform can benefit healthcare providers with military-grade AES 256 data encryption that helps prevent data exposure and theft. Global hyperscalers offer compliant instances and consulting services to help meet regulatory compliance. Similarly, EHR systems such as Oracle Cerner and Epic Systems are now offering cloud-based offerings/partnerships.” 

Every healthcare provider needs a zero-trust roadmap tailored to its greatest threats

The goal is to become more resilient over time without breaking budgets or asking for major investments from the board. An excellent place to start is with a zero-trust roadmap. There are a few standard documents CISOs and CIOs running healthcare IT and cybersecurity should use to tailor zero-trust security to their unique business challenges.

The first is from the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE). The NIST Cybersecurity White Paper (CSWP), Planning for a Zero Trust Architecture: A Guide for Federal Administrators, describes processes for migrating to a zero-trust architecture using the NIST Risk Management Framework (RMF).

Second, John Kindervag, who created zero trust while at Forrester and is now senior vice president of cybersecurity strategy and group fellow at ON2IT Cybersecurity, and Dr. Chase Cunningham were among the industry leaders who wrote the useful President’s National Security Telecommunications Advisory Committee (NSTAC) draft report on Zero Trust and Trusted Identity Management. The document defines zero-trust architecture as “an architecture that treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized.”
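The NSTAC definition above is a policy statement: deny by default, then admit a request only once the identity is authenticated and the specific access is authorized. The following is an added illustration of that decision logic as a small policy decision point, written for this page and not taken from NSTAC, Forrester or any vendor. The role names, device posture fields, resource labels and re-authentication windows are all assumptions chosen for the example.

```python
"""Zero-trust policy decision point (PDP) sketch, added as an illustration.

Default is deny: a request is allowed only when the identity is strongly
authenticated and recently so, the device posture is acceptable for the
resource's sensitivity, and a role of the identity is explicitly granted
the requested action on that resource. Roles, posture fields and the
re-authentication windows are assumptions for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_age_s: int            # seconds since the last interactive login


@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in device management, known to the org
    edr_healthy: bool          # EDR agent present and reporting
    patched: bool              # no outstanding critical patches


@dataclass
class Resource:
    name: str
    sensitivity: str           # "phi" for patient data, "internal" otherwise
    permissions: dict          # action -> frozenset of roles allowed to do it


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


# Assumed maximum age of the last authentication before step-up is required.
MAX_AUTH_AGE_S = {"phi": 15 * 60, "internal": 8 * 3600}


def evaluate(identity: Identity, device: Device, resource: Resource, action: str) -> Decision:
    """Allow only if every check passes; otherwise return every reason for denial."""
    reasons = []
    if not identity.mfa_verified:
        reasons.append("mfa_required")
    if identity.auth_age_s > MAX_AUTH_AGE_S.get(resource.sensitivity, 0):
        reasons.append("reauthentication_required")
    if not device.managed:
        reasons.append("unmanaged_device")
    if resource.sensitivity == "phi" and not (device.edr_healthy and device.patched):
        reasons.append("device_posture_insufficient")
    # Unknown actions map to an empty role set, so they are denied by default.
    allowed_roles = resource.permissions.get(action, frozenset())
    if not (identity.roles & allowed_roles):
        reasons.append(f"not_authorized:{action}")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample principals, devices and resource for a quick check.
EHR = Resource(
    name="ehr-prod",
    sensitivity="phi",
    permissions={"read": frozenset({"clinician", "nurse"}),
                 "write": frozenset({"clinician"})},
)
CLINICIAN = Identity("dr.lee", frozenset({"clinician"}), True, 120)
STALE_CLINICIAN = Identity("dr.lee", frozenset({"clinician"}), True, 2 * 3600)
CONTRACTOR = Identity("vendor.kim", frozenset({"contractor"}), True, 60)
HEALTHY_DEVICE = Device(managed=True, edr_healthy=True, patched=True)
PERSONAL_LAPTOP = Device(managed=False, edr_healthy=False, patched=False)


if __name__ == "__main__":
    for who, dev, act in [(CLINICIAN, HEALTHY_DEVICE, "read"),
                          (STALE_CLINICIAN, HEALTHY_DEVICE, "read"),
                          (CONTRACTOR, HEALTHY_DEVICE, "read"),
                          (CLINICIAN, PERSONAL_LAPTOP, "write")]:
        d = evaluate(who, dev, EHR, act)
        print(who.user, act, "ALLOW" if d.allow else "DENY", d.reasons)
```

Two design points matter more than the individual checks: the decision collects every failing condition rather than stopping at the first, so the audit trail explains a denial fully, and an action the resource does not list is denied rather than falling through to a default role.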

The Cybersecurity and Infrastructure Security Agency (CISA) publishes a hub of the President’s NSTAC Publications, providing a valuable index of the committee’s body of work.

Proliferating ransomware attacks underscore the need to enforce least privileged access across every threat surface

“We know that bad guys, once they’re in the network and compromise [it], the first [breached] machine can move laterally to the next machine, and then the next machine, and the next machine. So once they’ve figured that out, the chances of you having a ransomware breach and having data exfiltrated from your environment increase,” Drex DeFord, executive strategist and healthcare CIO at CrowdStrike, told VentureBeat during an interview.
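The hop-by-hop movement DeFord describes leaves a pattern in authentication logs: one account reaching many hosts in a short window, or the destination of one logon becoming the source of the next. The following is an added detection example written for this page, not CrowdStrike's or the article's code. The event field names, the 10-minute window, the thresholds and the sample events are all constructed assumptions.

```python
"""Lateral-movement detection over authentication events, added as an illustration.

Two signals from remote logon records (user, source host, destination host,
timestamp): fan-out, one account logging on to many distinct hosts within a
short window, and hop chains, where the destination of one logon becomes the
source of the next. Field names, thresholds and sample events are assumptions.
"""
from collections import defaultdict, deque

WINDOW_S = 600          # assumed correlation window: 10 minutes
FANOUT_THRESHOLD = 4    # distinct destination hosts per account in the window
MIN_HOPS = 3            # consecutive hops before a chain is reported


def _events_by_user(events):
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    return by_user


def detect_fanout(events, window_s=WINDOW_S, threshold=FANOUT_THRESHOLD):
    """Flag an account that reaches `threshold` distinct hosts inside one window."""
    alerts = []
    for user, evs in _events_by_user(events).items():
        window = deque()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > window_s:   # drop events older than the window
                window.popleft()
            hosts = {w["dst"] for w in window}
            if len(hosts) >= threshold:
                alerts.append({"type": "fanout", "user": user,
                               "hosts": sorted(hosts), "end_ts": e["ts"]})
                window.clear()   # one alert per burst
    return alerts


def detect_hop_chains(events, window_s=WINDOW_S, min_hops=MIN_HOPS):
    """Flag host-to-host chains: src -> h1, then h1 -> h2, then h2 -> h3 ..."""
    alerts = []
    for user, evs in _events_by_user(events).items():
        best = {}   # longest known chain ending at each host: (hops, path, ts of last hop)
        for e in evs:
            prev = best.get(e["src"])
            if prev and e["ts"] - prev[2] <= window_s:
                path = prev[1] + [e["dst"]]          # extend the chain that ended at src
            else:
                path = [e["src"], e["dst"]]          # start a fresh chain
            hops = len(path) - 1
            cur = best.get(e["dst"])
            if cur is None or hops >= cur[0]:
                best[e["dst"]] = (hops, path, e["ts"])
            if hops >= min_hops:
                alerts.append({"type": "hop_chain", "user": user,
                               "path": path, "end_ts": e["ts"]})
    return alerts


def run_detections(events):
    return detect_fanout(events) + detect_hop_chains(events)


# Constructed sample: a backup service account hopping ws01 -> srv01 -> srv02 -> srv03,
# one user fanning out to five servers in three minutes, and a nurse logging on to
# the same EHR host twice (benign).
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "svc_backup", "src": "ws01", "dst": "srv01"},
    {"ts": 1100, "user": "svc_backup", "src": "srv01", "dst": "srv02"},
    {"ts": 1250, "user": "svc_backup", "src": "srv02", "dst": "srv03"},
    {"ts": 2000, "user": "jdoe", "src": "ws02", "dst": "fs01"},
    {"ts": 2040, "user": "jdoe", "src": "ws02", "dst": "db01"},
    {"ts": 2090, "user": "jdoe", "src": "ws02", "dst": "app01"},
    {"ts": 2130, "user": "jdoe", "src": "ws02", "dst": "pacs01"},
    {"ts": 2180, "user": "jdoe", "src": "ws02", "dst": "hr01"},
    {"ts": 3000, "user": "nurse1", "src": "ws03", "dst": "ehr01"},
    {"ts": 3500, "user": "nurse1", "src": "ws03", "dst": "ehr01"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a)
```

On the sample, the service account's three consecutive hops trigger the chain rule even though it never touches enough hosts to trip fan-out, while the nurse's repeated logons to a single host trigger nothing; in practice both thresholds need tuning per environment, and service accounts that legitimately touch many hosts need an allowlist or a separate baseline.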

The U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) provides a series of Threat Briefs that healthcare CISOs and CIOs should consider subscribing to and staying current with. The depth of analysis and insight HC3 puts into these briefs is noteworthy.

To understand the scale of healthcare providers’ challenges with ransomware, VentureBeat also recommends reading the June 8, 2023 presentation, Types of Threat Actors That Threaten Healthcare.

Another brief reveals how nation-state attacks are among the most sophisticated and challenging to stop: the November 3, 2022 Threat Brief titled “Iranian Threat Actors and Healthcare.”

Two high priorities, according to CISOs: a compromise assessment, and a subscription to an incident response retainer service

Healthcare providers and supporting organizations need a clear baseline across all systems to verify that their existing IT environments and tech stacks are clean. “When you have a compromise assessment done, [getting] a comprehensive look at the entire environment and [making] sure that you’re not owned, and you just don’t know it yet, is incredibly important,” DeFord told VentureBeat during an interview.

DeFord and other CISOs interviewed for this article also advise healthcare CISOs to get an incident response retainer service if they don’t already have one. “That makes sure that should something happen, and you do have a security incident, you can call someone, and they will come immediately,” DeFord advises. 

IoT, edge computing and connected medical devices make endpoint security a constant battle

Most legacy IoT sensors, the machines they are attached to, and medical devices weren’t designed with security as a primary goal, which is why attackers favor them. Dr. Srinivas Mukkamala, chief product officer at cybersecurity company Ivanti, says business leaders must recognize that managing endpoints, IoT and medical devices carries an ongoing cost: their security has to be continually improved. “Organizations must continue moving toward a zero-trust model of endpoint management to see around corners and bolster their security posture,” Mukkamala told VentureBeat. 

Absolute Software’s 2023 Resilience Index shows that the average endpoint has 11 different security agents installed, each decaying at a different rate and, in some cases, conflicting with the others. An endpoint whose agents have silently failed is unprotected and vulnerable to a breach, so overloading an endpoint with agents can be as bad as having none installed. CISOs and CIOs in healthcare need to audit every endpoint agent installed and find out if and how the agents conflict with each other.

A core part of the audit is knowing which identities have access rights for each endpoint, including third-party contractors and suppliers. Captured audit data is invaluable in setting least privileged access policies that strengthen zero trust on every endpoint.
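The two audits described above, agent conflicts per endpoint and which identities hold access rights on which endpoints, can be run over an inventory export. The following is an added example written for this page, not Absolute's, Ivanti's or the article's code. The agent-to-function catalog, the sprawl and broad-admin thresholds, the inventory record layout and the sample endpoints are all constructed assumptions.

```python
"""Endpoint agent and access audit over an inventory export, added as an illustration.

Given each endpoint's installed security agents and the identities granted
access to it, report agents that duplicate a function (two EDRs), agent sprawl,
agents the catalog does not recognise, standing admin rights held by third
parties, and identities with admin rights across much of the fleet. Catalog,
thresholds and inventory are assumptions for the example.
"""
from collections import defaultdict

# Assumed mapping of agent name -> security function it provides.
AGENT_CATALOG = {
    "edr_vendor_a": "edr", "edr_vendor_b": "edr", "av_legacy": "antivirus",
    "dlp_agent": "dlp", "vpn_client": "vpn", "patch_agent": "patch",
    "mdm_agent": "mdm", "backup_agent": "backup",
}
MAX_AGENTS = 8              # assumed sprawl threshold per endpoint
BROAD_ADMIN_HOSTS = 3       # admin on this many endpoints counts as broad


def audit_agents(endpoint, catalog=AGENT_CATALOG, max_agents=MAX_AGENTS):
    """Findings for one endpoint's agent set."""
    host = endpoint["host"]
    findings = []
    by_function = defaultdict(list)
    for agent in endpoint["agents"]:
        function = catalog.get(agent)
        if function is None:
            findings.append({"kind": "unclassified_agent", "host": host, "detail": agent})
        else:
            by_function[function].append(agent)
    for function, agents in sorted(by_function.items()):
        if len(agents) > 1:   # two agents doing the same job will fight each other
            findings.append({"kind": "conflicting_agents", "host": host,
                             "detail": f"{function}: {', '.join(agents)}"})
    if len(endpoint["agents"]) > max_agents:
        findings.append({"kind": "agent_sprawl", "host": host,
                         "detail": f"{len(endpoint['agents'])} agents installed"})
    return findings


def audit_access(endpoints, broad_admin_hosts=BROAD_ADMIN_HOSTS):
    """Findings across the fleet for who holds admin rights where."""
    findings = []
    admin_hosts = defaultdict(set)
    for ep in endpoints:
        for grant in ep["access"]:
            if grant["role"] != "admin":
                continue
            admin_hosts[grant["identity"]].add(ep["host"])
            if grant["org"] == "third_party":   # contractor or supplier with standing admin
                findings.append({"kind": "third_party_admin", "host": ep["host"],
                                 "detail": grant["identity"]})
    for identity, hosts in sorted(admin_hosts.items()):
        if len(hosts) >= broad_admin_hosts:
            findings.append({"kind": "broad_admin", "host": "*",
                             "detail": f"{identity} is admin on {len(hosts)} endpoints"})
    return findings


def run_audit(endpoints):
    findings = []
    for ep in endpoints:
        findings.extend(audit_agents(ep))
    findings.extend(audit_access(endpoints))
    return findings


# Constructed inventory: an ICU workstation with two EDRs, nine agents and a
# vendor admin account; a clean ER workstation; an EHR server.
ENDPOINTS = [
    {"host": "ws-icu-01",
     "agents": ["edr_vendor_a", "edr_vendor_b", "av_legacy", "dlp_agent", "vpn_client",
                "patch_agent", "mdm_agent", "backup_agent", "mystery_tool"],
     "access": [{"identity": "nurse.a", "role": "user", "org": "internal"},
                {"identity": "vendor.x", "role": "admin", "org": "third_party"},
                {"identity": "it.admin", "role": "admin", "org": "internal"}]},
    {"host": "ws-er-02",
     "agents": ["edr_vendor_a", "dlp_agent", "vpn_client", "patch_agent", "mdm_agent"],
     "access": [{"identity": "nurse.b", "role": "user", "org": "internal"},
                {"identity": "it.admin", "role": "admin", "org": "internal"}]},
    {"host": "srv-ehr-01",
     "agents": ["edr_vendor_a", "patch_agent", "backup_agent"],
     "access": [{"identity": "it.admin", "role": "admin", "org": "internal"},
                {"identity": "dba.c", "role": "admin", "org": "internal"}]},
]

if __name__ == "__main__":
    for f in run_audit(ENDPOINTS):
        print(f"{f['kind']:20} {f['host']:12} {f['detail']}")
```

The access findings are the input to least-privilege policy: a third-party identity with standing admin should move to just-in-time, time-boxed elevation, and an identity that is admin across most of the fleet should be split into scoped roles, so that one compromised credential cannot become the lateral-movement path.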

Protecting patient identities requires making zero trust a priority

Healthcare CISOs are under pressure to ensure their IT and cybersecurity investments deliver business value. One of the most valuable assets any healthcare provider has is patient trust. More healthcare providers need to consider how to create secure customer experiences with zero trust.

Telesign CEO Joe Burton told VentureBeat that while customer experiences vary significantly depending on their digital transformation goals, it is essential to design cybersecurity and zero trust into customer workflows. That’s excellent advice for healthcare providers under siege by attackers today.

“Customers don’t mind friction if they understand that it’s there to keep them safe,” Burton said, adding that machine learning is an effective technology for streamlining the user experience while balancing friction. He told VentureBeat that customers could gain reassurance from friction that a brand, company or healthcare provider has an advanced understanding of cybersecurity and, most importantly, of the importance of protecting patient data and privacy.

This article was written by Louis Columbus from VentureBeat and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to legal@industrydive.com.