How Cyber Threats Are Evolving With the Pandemic

Dec. 7, 2020
Telehealth and remote patient monitoring devices expand attack surface, says Booz Allen report

Among the many frustrating aspects of cybercrime is that the nature of the attacks is always shifting. Chief information officers and chief information security officers must work to make their systems more resilient, said Kelly Rozumalski, secure connected health director at Booz Allen Hamilton, in a recent interview.

Booz Allen recently released a report highlighting its cyber threat outlook for 2021, and Rozumalski discussed some of the key healthcare-related points. Obviously, ransomware is top of mind for most CIOs and CISOs now, and in some ways the pandemic is making health systems more vulnerable to attack, she said, with the addition of so much remote work, telehealth and remote patient monitoring devices.

 “When we started this journey of looking at the maturity of the healthcare industry in terms of cybersecurity about two years ago, we were trying to make sure healthcare delivery organizations really understood the consequences and the risks, and unfortunately, we have seen from the pandemic and the escalation of ransomware attacks, everyone is now aware of that,” Rozumalski said. “So now we just have to make sure that security continues to have a seat at the table and that we are building security in from the get-go.”

 “When a ransomware attack does hit, what we have seen over the last six months is many healthcare organizations are paying the ransom because the consequences are drastic,” she added. “So we need to get to a position where everybody is aware of the consequences and is starting to build security into all these new services such as telehealth. We need to make sure telehealth has security built in from the ground up. Because of the pandemic there has been a push for new platforms to come to the market to help with patient care, and that makes sense. But what we have seen is that in some cases security has been bypassed in the deployment of a lot of these systems, and we need to ensure security is built in from the beginning of the systems development lifecycle.”

Among the recommendations in the Booz Allen report are to institute a patching policy that ensures that critical vulnerabilities and the associated patches are identified and deployed monthly; develop ransomware playbooks and do tabletop exercises to test your response; establish a retainer relationship with an outside incident response firm; and conduct a thorough review of your cyber insurance policy.

 The Booz Allen report details some of the ways ransomware threats could evolve. Cybercriminals may experiment with new ransomware business models. “The truly ambitious cybercriminal may spend the additional time to compromise an entire network of companies, strike all of them at once, and demand a single large ransom payment from the originating company to provide the decryption keys,” the report says.

 Rozumalski stressed that telehealth is a space to watch. “Many applications involve a user logging in through a simple application on a phone or computer, but behind the log-in there may be several vendors and a complex infrastructure all open to risk,” she explained. “There are a lot more vendors now in this space. Some of them might not be following the best security practices. The attack surface for cyber criminals is expanding and they have many more vendors to go after.”

 She added that almost every area of innovation in healthcare brings new cybersecurity concerns. For instance, contact-tracing apps created in a hurry to meet the needs of the pandemic may have vulnerabilities. New 5G networks have great potential, but she said “5G is only going to accelerate the reliance on the internet of medical things and the threats that go along with it. People need to understand cybersecurity considerations.”

 As healthcare organizations increasingly turn to cloud infrastructure managed by third-party vendors, they need to be aware that cyber criminals will target cloud providers in an effort to take down several organizations at once, she said. Booz Allen’s report says it expects the types of attacks abusing cloud solutions to continue to evolve, “possibly including the convergence of several known tactics used in software supply chain attacks to target platform-as-a-service (PaaS) solutions used to develop and deploy software applications.”

Interestingly, the report also mentions that machine learning algorithms developed by organizations such as health systems could become the target of intellectual property theft. “In many ways, the secret ingredient to AI services is not the algorithms but rather the data used to build a trained model capable of reliably producing true positive results,” the report said. “Whether this is scouring medical imaging data to identify cancer or processing network logs to detect anomalous behavior indicative of an intrusion, much of the work by researchers is aggregating data and tuning the model…. This will likely be a major focus for sophisticated actors seeking to conduct economic espionage and intellectual property theft. Organizations should expect their trained models to become targets for threat actors.”

 The bottom line, Rozumalski said, is no matter your budget, you should be working to make your health system more resilient to be able to bounce back from any attack, and in an interconnected environment, CIOs and CISOs need to put effort into evaluating the security policies of third-party vendor partners to build end-to-end security measures and document them.
