The digital and physical worlds are not just intersecting—they are merging. And it seems clear that there are few places where the implications of such convergence pose a greater risk than in the healthcare industry, where lives are literally on the line.
To better understand the risks and concerns of this latest trend, Fortinet recently surveyed members of the College of Healthcare Information Management Executives (CHIME). The survey reveals two noteworthy trends regarding the state of security in healthcare as well as what care providers need to do next.
Physical and cyber security are converging
Three-quarters of survey respondents ranked the integrating of physical controls and cybersecurity as “critical” or “important.” Physical security is used to lock down sensitive hospital areas, as well as to protect electronic patient data stored in medical devices, computers and data centers—as well as to secure access to stored paper documents. But currently, most of the physical access controls to data-sensitive areas (e.g., key card readers and number pads) in place do not collect or analyze access data or share that data with other security systems.
Of course, correlating data from physical systems with an organization’s broader cybersecurity architecture can help reduce risks and better identify compromised patient data from sources inside the organization. Last year, 56% of healthcare cyber-incidents (PDF) came from insider threats. Sharing data between physical access controls and cybersecurity solutions—such as identity and access management, network access control, or user and entity behavior analytics solutions—can help organizations more effectively detect suspicious user or device activities.
However, according to Fortinet’s recent research, six of the top 12 exploits identified in Q4 2018 were Internet of Things (IoT)-related—and four of those 12 were related to IP-enabled cameras.
IoT devices are notoriously vulnerable to attacks, and access to these security devices represents a serious threat for healthcare institutions. Compromised cameras could not only be used to obscure malicious onsite activities or prevent healthcare providers from monitoring patients, but they could also open an entry point into connected cybersystems from which cybercriminals could launch DDoS (distributed denial of service) attacks, steal personally identifiable information, initiate a ransomware attack, and more.
The risk of IoMT remains high
While the Internet of Medical Things (IoMT) keeps growing, most healthcare organizations are still unprepared to address the security concerns they are introducing. In rating security priorities for 2019, survey respondents listed IoMT device protection at the top—60% ranked this as a “critical” or “high.” However, almost three-quarters (71%) of survey respondents also admitted that they are still in the process of segmenting their networks to protect these devices and the patients who rely on them from compromise.
Like traditional IoT, most IoMT devices lack built-in security capabilities. Not only can they not defend themselves, but many also cannot even be patched up updated.
Cybercriminals in search of electronic medical records (EMR) or opportunities to disrupt broader institutional services are increasingly targeting IoMT devices. Of course, network segmentation gives healthcare IT and security teams a more comprehensive view of internal traffic, allowing them to detect anomalous activities associated with compromised IoMT devices.
And at a minimum, medical devices and sensitive patient data should have their own dedicated network segments to ensure threats are detected and mitigated faster than with edge protection alone.
However, traditional network segmentation alone isn’t enough to defend against today’s advanced threats. Instead, intent-based segmentation needs to be implemented due to its ability to efficiently and dynamically translate business intent into the “where,” “how,” and “what” of network segmentation. As part of an integrated security architecture, intent-based segmentation is essential for effectively improving an organization’s defensive posture, mitigating risks, supporting compliance and boosting operational efficiency.
Start by involving the C-suite
At more than half of surveyed organizations, physical security is overseen by building and maintenance teams, with virtually no interaction with the security team. In fact, fewer than one-third of organizations track and measure physical security at the CEO level at all—and only 17% of organizations involve their boards of directors in decisions related to physical security policy.
In the era of digital transformation, however, where physical and cyber security solutions are being converged, executives now need to be able to measure risk and track it on a regular basis. As a result, security now needs to be elevated to a line-of-business concern for C-suite executives and boards of directors.
Without an effective and comprehensive security strategy in place that addresses both physical and cybersecurity concerns, the costs of a major data breach that compromises this new attack vector could cripple or even kill an organization.
Sonia Arista is the national healthcare lead at Fortinet