How to break the cyber breach cycle


By Matt Bunker*
Monday, 10 June, 2019




The dilemma

Developments in technology continually improve the way business is conducted. Improvements to bandwidth, connectivity, remote devices and mobile accessibility have transformed how information is transferred and managed.

One such sector that has experienced significant reform through technology is health care. National databases have enhanced the transfer of patient information between treating physicians, hospitals and clinics, and the treatment of patients has been improved through portable medical device inventions.

There’s no question that our healthcare professionals perform an amazing and strenuous job, providing care and lifesaving capabilities to the community. While the healthcare sector has been enabled by improvements to technology, there is the risk that their efforts can be harmed by technology too.

In February this year, the Cabrini Hospital in Melbourne had 15,000 medical files encrypted with ransomware. The hospital paid the ransom, but many patient files were unrecoverable. [1]

Criminals are also heavily targeting medical devices. It is so widespread it has been given a name — MEDJACK, or medical device hijack. In these scenarios, criminals utilise medical devices, connected to the internet or internal network, as a means of stealing sensitive information. More concerning, however, these types of attacks may also endanger the lives of patients, by hacking into life support equipment or pacemakers. [2]

So, with multiple attack vectors and threats to contend with, it becomes challenging for healthcare employees to mitigate them all.

A cost-effective solution

Implementing the latest technical controls can be time-consuming and expensive, and requires a clear strategy. Furthermore, it requires resident subject matter expertise to facilitate. When there is no strategy and a lack of understanding as to why a technical control is implemented, it becomes little more than a standalone procedure open to exploitation.

It is critical that organisations take a proactive approach to protecting their critical assets. The Economist Intelligence Unit highlights that a proactive security strategy reduces the likelihood of a breach by 53%. But being proactive doesn’t mean applying expensive technical controls in a scattered ‘catch-all’ approach. By following some simple, cost-effective steps, healthcare organisations can significantly improve their resilience to cyber threats. Here are ARX Risk’s top 10 tips:

1. Benchmarking

Many security and risk management companies provide this as a free service. It will identify where existing vulnerabilities are, and the current state of cybersecurity maturity within the organisation. Without a benchmark, it is difficult to measure improvements.

2. Understanding

Conduct a working group to determine what information is most critical to the organisation. Then identify where that critical data is located, who has access to it and how it is accessed.

3. Culture

The executive team must implement a security strategy, communicate that strategy and then empower the workforce to manage and drive it.

4. Encryption

All critical data should be encrypted. There are numerous free encryption tools available.

5. Multi-factor authentication (MFA)

More often than not, breaches occur through weak password policies. MFA is an absolute must.

6. Device hardening

Develop an inventory of all devices connected to the internet, then harden those connections by implementing application whitelisting, secure browsing, virtual private networks, password management tools, and restrictions on Wi-Fi and Bluetooth.

7. Privileged access management

Not everyone needs privileged access. Control that access tightly and actively monitor who has accessed what data and when (i.e., monitoring and logging).

8. You are only as secure as your weakest link

Third parties such as managed service providers (MSPs) need to be held accountable. The Australian Cyber Security Centre has a list of questions on their website that organisations can ask of their MSPs. If they can’t or won’t answer them, then it’s time to find a new provider.

9. Staff awareness training

A cyber breach is more likely to be caused by human error than by a technical issue. A comprehensive training program will significantly mitigate both the chances and impact of a breach.

10. Rehearse, rehearse, rehearse

Having a regularly tested plan in place is critical to limiting the effects of a breach, such as regulatory fines, damage to reputation and financial losses.

Moving forward

The healthcare sector is under constant attack from criminals and insiders looking to exploit valuable, sensitive information. It is not a matter of IF a breach is going to occur but rather WHEN. Therefore, the healthcare sector must enact more robust measures that proactively secure critical data: mitigating identified risks with a clear strategy, supported by an educated workforce and by security controls implemented in the areas that matter most to the organisation.

*Matt Bunker is Managing Director at ARX Risk.

References

1. https://www.theage.com.au/national/victoria/crime-syndicate-hacks-15-000-medical-files-at-cabrini-hospital-demands-ransom-20190220-p50z3c.html
2. https://koddos.net/blog/hundreds-of-thousands-of-medtronic-devices-susceptible-to-hacking/
