When it comes to protecting patients from the impacts of ransomware, the time has come for the healthcare sector to rethink the way it approaches cyber resilience — starting with Zero Trust strategies.
The unprecedented wave of ransomware attacks on the healthcare sector has upended long-held assumptions about network security. Confidence in traditional methods alone and the philosophies behind them, have been undermined. The ransomware era has become a time of reckoning – particularly for healthcare organizations.
It’s time to rethink the way we approach modern cybersecurity, in order to meet today’s evolving ransomware threats and safeguard the nation’s hospitals. Already, decision-makers from the highest levels of business and government have reached the same conclusion as they search for more effective and innovative solutions that provide the resilience healthcare organizations need.
Last year, President Biden signed an Executive Order laying out timelines for federal agencies to develop plans for implementing a Zero Trust Architecture – a cybersecurity best practice predicated on minimizing implicit trust. Many chief information security officers (CISOs) received the government’s message loud and clear and are now following its lead. At the HIMSS Global Health Conference & Exhibition held in Orlando last April, the Zero Trust presentations were standing-room only. Research from ESG validates that security professionals are turning to Zero Trust en masse – 90 percent of survey respondents stated that advancing Zero Trust strategies is one of their top three security priorities this year.
The rallying cry in security now is to find solutions that effectively limit the impact of ransomware attacks. Zero Trust has become a marquee name in healthcare because it achieves exactly that, and because many healthcare facilities have found that the security status quo is no longer a viable option.
Healthcare Needs a Better Approach to Security
Rising ransomware attacks have challenged the industry’s traditional approach to secure critical infrastructure. It’s hard to understate the potential impact of a breach on the healthcare industry – an unstopped attack can leave lives hanging in the balance.
At a high level, ransomware is malware that blocks access to either a computer system or to stored data via encryption — enabling criminals to take control of sensitive and critical information and even block access to important equipment. Then, criminals typically demand large sums of money to unlock or decrypt trapped information. If they don’t receive payment, they’ll often destroy or disclose the data to the public (sometimes both).
According to some estimates, victims paid $600 million in ransom last year alone. Reuters recently reported the number of ransomware attacks nearly doubled in 2021 from the prior year. Breaches in healthcare organizations are the most expensive out of any industry and have been for over a decade – with the average breach costing more than $10 million this year, up 41.6 percent from last year. Scores of attacks have resulted in hospitals and other care facilities losing control over network-connected equipment, putting healthcare operations and patient well-being at risk. In a lawsuit filed last year, a woman alleges that a 2019 cyber-attack on a mobile, Alabama-based hospital prevented her doctors from accessing fetal heartbeat monitors for three weeks, including the day the woman gave birth.
In the most recent setback for those healthcare organizations dependent on traditional security methods, Bloomberg reported that “several cybersecurity experts have noted a decline in attacks” during the second quarter of the year. On the surface that may sound like something to celebrate, but the experts interviewed by Bloomberg attributed the slowdown in attacks to ongoing efforts by law enforcement to curb the ransomware epidemic, a general wish by the criminals to lower their profile and evade detection, and the splintering of some of the larger and more successful ransomware gangs due to infighting.
What’s most pertinent about the Bloomberg piece is this: Although we may be witnessing a ransomware slowdown for the time being, nowhere in the story is there any suggestion that the latest wave of ransomware attacks is over. These attacks are sure to continue.
Zero Trust and Zero Trust Segmentation are the Way Forward
In the past five years, the attack surface has grown dramatically. The connection of an increasing number of medical devices to EHR systems has removed the isolation of individual functions and made the rapid movement of ransomware a threat. While traditional security models were largely based on identifying what is bad and keeping it out, Zero Trust takes a more modern, pragmatic approach. It assumes that a breach is inevitable or has already occurred. This shifts the mindset to be more proactive and focus on only letting in what is allowed. With Zero Trust, all network traffic is viewed as untrustworthy by default, and continuous authorization and verification are required, thereby, shrinking an organization’s given attack surface.
This is where Zero Trust Segmentation comes into play. Traditional security is like a castle, with moats and walls, whereas Zero Trust Segmentation is more like a hotel with electronic key cards. The system works seamlessly because workers and guests only receive access to the precise areas where they need to go: their rooms, the gym, etc.
One of the first steps in applying Zero Trust Segmentation is to identify the most critical areas and functions within your organization and the potential risk. For hospitals, those frequently include intensive care units, PACS, and operating rooms. Identifying the most vulnerable functions that would have the greatest impact if compromised and then mapping the communications with those systems will provide visibility into where policies should be applied for the greatest protection.
By separating high-value assets like these away from the larger network, hospitals can ensure that should one area come under attack, the threat is contained to that device or network segment. Other departments are unaffected and can continue to provide patient care.
Additionally, by restricting bad actors’ ability to move unchecked across an organization, a hospital has more time to employ other tools — such as endpoint detection, antivirus, or whatever it uses to ferret out ransomware code and remove it. For example, research from Bishop Fox that examined the effectiveness of Zero Trust Segmentation found that Zero Trust Segmentation stops attacks from spreading nearly four times faster than detection and response capabilities alone. Zero Trust Segmentation helps cover endpoint detection and response (EDR) blind spots – illustrating the importance of using both technologies in tandem. In short, Zero Trust Segmentation is designed to help organizations “assume breach”, control impact when a breach does occur, and boost organizational resilience.
Bracing for Fires, Floods and Breaches
While putting an end to ransomware is not feasible, there are steps that healthcare organizations can take to bolster their operational resilience – to ensure that even in the event of an attack, damage and downtime is limited, and patient care remains unfettered.
Particularly as attacks on the healthcare sector increase, there’s no denying the gravity of their impact — detracting from patient care, modernization efforts, and undermining the well-being of healthcare organizations overall.
When I talk to CISOs working in the sector, too many say they don’t have a seat at the table. But in order to properly prioritize patient care, healthcare organizations must also prioritize cybersecurity at the highest levels.
My advice: Focus on protecting your high-value assets first. Ring fence them, so even if part of your organization is compromised during an attack, essential patient services can continue unencumbered. By shifting to a resilience-based security approach, one that proactively accounts for breaches and prioritizes Zero Trust practices, the healthcare sector will be better prepared to manage the onslaught of breaches to come – ensuring that even during the worst of times, patient care can remain their top priority.
About Trevor Dearing
Trevor Dearing is the Director of Critical Infrastructure Solutions at Illumio. Trevor is an experienced technology expert, who has been at the forefront of new technologies for nearly 40 years. From the first PCs through the development of multi-protocol to SNA gateways, initiating the deployment of resilient token ring in DC networks and some of the earliest use of firewalls. Working for companies like Bay Networks, Juniper and Palo Alto Networks he has led the evangelization of new technology. At Illumio he is working on the simplification of segmentation in Zero Trust and highly regulated environments.