Vulnerability management, patch management
Exposure and vulnerability management involves the identification, evaluation, and mitigation of IT vulnerabilities. It relies heavily on threat-monitoring processes but also entails the steps that follow identification: risk assessment, remediation or mitigation, and reevaluation [50]. In most cases, this risk assessment is highly complex. For handling and investigating attacks and for post-infection remediation, Endpoint Detection and Response (EDR) solutions should be used. Among the steps towards remediation or mitigation is patch management, which can be complicated by a health facility’s need to operate 24/7/365. Risk analysis is at the core of patch processes: it weighs the sensitivity of the data held on a server against the criticality of the enterprise functions or assets that are exposed to an attack [26].
Organizations should actively search out vulnerabilities in their systems and maintain an ongoing vulnerability management programme that includes penetration testing [28]. Early detection shortens the window of exposure to a security risk. The identification of vulnerabilities should be followed by configuration hardening or patching, without an overemphasis on zero-day vulnerabilities: Gartner analysts reported that 99% of exploits are based on vulnerabilities that had been known to security and IT professionals for over six months [51]. Organizations should take such findings into account when prioritizing the remediation of different vulnerabilities.
Configuration management also contributes to the quality of the IT infrastructure: an accurate picture of the facility’s infrastructure makes it easier to assess vulnerabilities, to run risk assessments, and to perform the analyses required for patch processes. Patches should be applied to every system in the configuration, including operating systems and third-party applications, and the changes should be recorded through change management [50].
Administrative privileges and administrative multifactor authentication
The risks associated with granting administrative privileges to users in health facilities are immense. According to CyberSheath’s APT Privileged Account Exploitation report, the vast majority of large-scale attacks that caused significant damage and expenses were initiated through the compromise of a privileged account such as that of a third-party provider [52]. This was the case for the attack that took place at Hancock Regional Hospital in January 2018, when the login credentials to a vendor’s account were compromised [23].
Health entities should grant administrative privileges in a controlled and restrictive manner, keeping the number of such accounts to a manageable, enterprise-dependent minimum [28, 53]. These accounts should be inventoried, monitored for abnormal use, and have their log entries reviewed. To reduce the risk from malicious insiders, the health entity should also enforce a local password policy, revisit its criteria for granting privileged access, and vet the users who receive it. A study revealed that disgruntled employees account for 70% of computer-related criminal activity [54]. Organizations should address this risk by closely monitoring the lifecycle of user accounts and revoking client and user certificates that are no longer in use. Additionally, end users who require administrative privileges should have two accounts: one whose privileges are limited to local machines, and another with no administrative privileges for routine tasks such as browsing the internet or checking email [28, 47, 55]. Where necessary, direct web access from critical devices should be denied, or the use of sandboxed (encapsulated) browsers should be enforced.
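The inventory-and-monitoring requirement above is easy to state and easy to let drift. As an added example (not from the original paper or from any cited control set), the following Python script audits a constructed set of key=value logon and sudo records against a hypothetical privileged-account inventory. It flags four conditions a reviewer of privileged-account logs would look for: administrative use by an account that is not in the inventory, use of an account marked revoked, use on a host the account is not authorized for, and use of a vendor account outside its agreed maintenance window. The log format, inventory fields, account names, hosts and window hours are all assumptions made for this example.

```python
"""Audit privileged-account use against an inventory (added example).

The log format, inventory schema and all names below are assumptions
constructed for this example; they do not come from any real product.
"""
from datetime import datetime

# Constructed inventory of privileged accounts (an assumption for this example).
# window = allowed UTC hours [start, end) during which the account may be used.
PRIVILEGED_ACCOUNTS = {
    "dba-admin": {"owner": "database team", "hosts": {"ehr-db01", "ehr-db02"},
                  "window": (0, 24), "status": "active"},
    "vendor-pacs": {"owner": "PACS vendor", "hosts": {"pacs-srv01"},
                    "window": (8, 18), "status": "active"},
    "old-contractor": {"owner": "former contractor", "hosts": set(),
                       "window": (0, 0), "status": "revoked"},
}

# Constructed sample log lines in a simple "timestamp key=value ..." form.
SAMPLE_LOG = """\
2024-03-04T10:12:03Z host=ehr-db01 user=dba-admin event=sudo cmd=/usr/bin/systemctl
2024-03-04T02:41:17Z host=pacs-srv01 user=vendor-pacs event=login src=203.0.113.7
2024-03-04T11:05:44Z host=ehr-db02 user=vendor-pacs event=login src=203.0.113.7
2024-03-04T11:30:01Z host=ehr-db01 user=old-contractor event=sudo cmd=/bin/bash
2024-03-04T12:00:00Z host=ehr-db01 user=jdoe event=sudo cmd=/usr/bin/apt
2024-03-04T12:05:00Z host=ws-042 user=jdoe event=login src=10.0.4.12
"""

# Event types that imply administrative use even by an uninventoried account.
PRIVILEGED_EVENTS = {"sudo", "su"}


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def check_record(rec, inventory=PRIVILEGED_ACCOUNTS):
    """Return a list of (finding, user, host) tuples for one parsed record."""
    user, host, event = rec["user"], rec["host"], rec["event"]
    acct = inventory.get(user)
    findings = []
    if acct is None:
        # Admin-type actions by an account nobody inventoried are a control gap.
        if event in PRIVILEGED_EVENTS:
            findings.append(("uninventoried_privileged_use", user, host))
        return findings
    if acct["status"] != "active":
        # A revoked account that still authenticates is always a finding.
        findings.append(("revoked_account_used", user, host))
        return findings
    if host not in acct["hosts"]:
        findings.append(("host_not_authorized", user, host))
    start, end = acct["window"]
    if not (start <= rec["ts"].hour < end):
        findings.append(("outside_maintenance_window", user, host))
    return findings


def audit(log_text, inventory=PRIVILEGED_ACCOUNTS):
    """Run check_record over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_record(parse_line(line), inventory))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The ordinary user `jdoe` logging in to a workstation produces nothing, but the same user running `sudo` on the database host does, which is exactly the gap the two-account policy is meant to close. In practice the inventory would be pulled from the identity provider and the records from the SIEM; the checks stay the same.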
It is important to give users who are granted administrative or privileged accounts additional training on the risks that their privileges bring, and to equip them with the proper security measures. Among the most important of these is multifactor authentication for all administrative and privileged users, and preferably for all users. The Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense lists smart cards, one-time passwords, and biometrics among the techniques for implementing this vital step [28].
Incident response plan
As cyberattacks have become increasingly frequent and consequential in recent years, health facilities should prepare an incident response and business continuity plan. These plans should be regularly tested, exercised, and stored offline [55]. Plans should set out an agreed-upon process with the appropriate stakeholders identified. It is important to have a designated team and a cybersecurity leader, or simply a designated person in cases where the organization does not have a CISO [56, 57]. Roles and responsibilities should be clearly divided within the team. The organization should also agree on what constitutes a reportable incident and when to escalate [58, 59]. Ideally, plans should embed prevention training as well.
Incident response plans should also define post-incident steps. These can include organization-wide password resets after an attack, factory resets, and the replacement of compromised hardware and software as necessary. There also needs to be an internal plan for regrouping and implementing changes [40]: the IT and cybersecurity systems and their management should then be adapted to the new needs and requirements revealed by the incident (i.e., patching and beyond).
A notification system should be established between the health facility and the manufacturers [60]. A process can be built for those in the enterprise (e.g., clinicians, business administrators, and IT staff) to report incidents directly to the manufacturers. In fact, this type of sharing is also being mandated in the most recent FDA 510(k) pre-market submission guidelines [34].
Information sharing
The exchange of potential threats, indicators of compromise, best practices, vulnerabilities, lessons learned, and of mitigation strategies between stakeholders across public and private sectors is an essential step in building the cybersecurity of healthcare systems [61, 62]. Information sharing facilitates situational awareness and a solid understanding of threats and threat actors, their motivations, campaigns, tactics, and techniques. Consequently, it better equips decision makers to understand organizational exposure and to employ enterprise risk management policies. Information sharing should include all stakeholders: providers, manufacturers, suppliers, payers, and electronic record providers, as well as government(s) where applicable.
There are organizations that exist specifically to facilitate collaboration between institutions, for example, the National Health Information Sharing and Analysis Center (NH-ISAC), a global, member-driven non-profit providing a forum for trusted sharing amongst healthcare organizations. The EU adopted the Network and Information System (NIS) Directive in 2016—the first EU law specifically focused on cybersecurity—to be transposed by member states by 2018. The directive requires member states, most notably, to adopt national cybersecurity strategies, to designate national competent authorities, and to develop one or more computer security incident response teams (CSIRTs). It also establishes security and incident notification requirements for “operators of essential services,” such as healthcare organizations, even requiring incidents of certain magnitudes to be reported to national authorities. To promote swift and effective operational cooperation regarding threats and incidents, the directive emphasizes coordination among member states, setting up a CSIRT network (also to include CERT-EU), and a strategic NIS “cooperation group” to support and facilitate cooperation and information exchange among member states [63].
Privacy-conscious data sharing and processing
The sharing of medical and genomic data across departments and institutions is necessary both for effective patient care and for meaningful research that advances the state of the art in personalized medicine. In fact, the recent trend towards P4 (Predictive, Preventive, Personalized and Participatory) medicine is expected to revolutionize healthcare by providing better diagnoses and targeted preventive and therapeutic measures. To do so, however, clinical and research data on large numbers of individuals must be shared efficiently among all stakeholders. In this context, cybersecurity is as relevant as it is in regular hospital operations, but the privacy risks that stem from disclosing medical and genomic data play a prominent role and have become a barrier to the advancement of P4 medicine [64]. This is further reflected in the evolution of stricter regulations (e.g., HIPAA in the US and the GDPR in the EU [9, 11]).
The challenges of privacy-conscious data sharing and processing can be addressed through advanced cryptographic mechanisms (such as homomorphic encryption [65, 66], trusted hardware [67], and secure multiparty computation [68, 69]) and strong trust-distribution techniques (such as distributed ledger technologies [70]). These technologies provide security guarantees beyond those of traditional defences against cyberattacks [71], with four direct advantages: (a) more fine-grained control over access permissions, which reduces or avoids the need to give privileged accounts to third parties; (b) data minimization on the data released for the agreed usage, in line with the latest and stricter data protection regulations, which limits the risk of breaches and of intentional or unintentional data misuse; (c) keeping individual and identifiable data within the security perimeter of the medical institution that governs it, since computations can be run on encrypted or enclave-protected data rather than on copies released to others; and (d) distributed logging and access-control management, which avoids single points of failure, greatly reduces the effect of a breach and the likelihood of a successful attack, and allows for more advanced implementations of auditability, accountability, and incident recovery. Consequently, privacy-conscious data sharing and processing approaches are aligned with the risk-based cybersecurity strategies described above, provide guarantees that go beyond them, and enable operations across medical institutions that would otherwise be impossible.
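To make advantage (c) concrete, the following Python example (added here; it is not code from the paper or from the cited works) implements textbook additively homomorphic Paillier encryption and uses it for a federated cohort count: each site encrypts its local number of patients matching a study criterion, an aggregator sums the ciphertexts without being able to read any of them, and only the key holder decrypts the total. Identifiable data, and even per-site counts, never leave the institutions. The fixed toy-sized Mersenne primes, the site counts, and the role names are assumptions for a runnable offline demonstration; a real deployment generates fresh primes of at least 1024 bits each and keeps the private key with a trusted research authority, not the aggregator.

```python
"""Additively homomorphic Paillier encryption for a federated count (added example).

Uses the common g = n + 1 variant. Key sizes here are toy-sized on purpose so
the example runs instantly; they are an assumption, not a recommendation.
"""
import math
import secrets

# Toy-sized fixed primes (Mersenne primes 2^61-1 and 2^89-1), an assumption
# for this example only. Real keys use freshly generated primes >= 1024 bits.
P = 2 ** 61 - 1
Q = 2 ** 89 - 1


def keygen(p=P, q=Q):
    """Return (public_key, private_key) = ((n, g), (n, lambda, mu))."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) == lam mod n
    return (n, n + 1), (n, lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts differ."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n) * mu % n


def add(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 is an encryption of m1 + m2."""
    n = pub[0]
    return c1 * c2 % (n * n)


def scale(pub, c, k):
    """Enc(m)^k mod n^2 is an encryption of k * m (useful for weighted sums)."""
    n = pub[0]
    return pow(c, k, n * n)


def aggregate_cohort(pub, encrypted_counts):
    """Aggregator role: sums ciphertexts with only the public key.
    Starting from a fresh Enc(0) also re-randomises the result."""
    total = encrypt(pub, 0)
    for c in encrypted_counts:
        total = add(pub, total, c)
    return total


def federated_count(site_counts, keys=None):
    """End-to-end flow: sites encrypt locally, aggregator sums, key holder decrypts."""
    pub, priv = keys or keygen()
    encrypted = [encrypt(pub, count) for count in site_counts]  # at each site
    return decrypt(priv, aggregate_cohort(pub, encrypted))  # at the key holder


if __name__ == "__main__":
    # Constructed per-site counts of patients matching a hypothetical criterion.
    print(federated_count([17, 5, 23]))
```

The aggregator learns nothing from the ciphertexts, but the scheme is malleable by design: anyone can multiply in an extra `Enc(k)` and shift the total. Authenticating each site's contribution (a signature over its ciphertext, or recording it on the ledger mentioned above) is what keeps that property from becoming an integrity hole.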