Take a cursory look at the U.S. Department of Health and Human Services’ (HHS) wall of data breach shame and you might be scratching your head: Why does the healthcare sector seem so disproportionately victimized by hackers and cybercriminals? Why do its defenses seem so much weaker than those of other industries?
For the most part, the healthcare industry has misdiagnosed the cybersecurity problem.
Most senior leadership in healthcare is medically trained with a clinical background in an industry built on such noble concepts as “do no harm” and forward-thinking practices like evidence-based medicine. Through this lens, healthcare organizations regularly misinterpret the nature of the cybersecurity problem and consequently, how to treat it.
This misdiagnosis has led to countless breaches over the past several years at healthcare organizations around the world as well as significant, often paralyzing ransomware attacks, including the WannaCry outbreak that crippled dozens of hospitals in the U.K., effectively disabling the most basic of patient care.
Not only is IT subordinate to patient care in terms of attention, budgets and priorities, but cybersecurity is perceived as a problem that can be “fixed” rather than one best managed by means of a regular and ongoing health regime.
Acute care vs. sound overall health
When a patient arrives at the emergency room with a broken arm, there is a clear process: triage, treatment, discharge. This acute care model focuses on fixing problems as they occur. Preventing the broken arm, for example, is not a factor in the process, decision-making or treatment planning. In acute care, it’s all about dealing efficiently and correctly with whatever problems walk through the ER door. However, unlike a broken arm, which can quickly heal with few lasting side effects, a ransomware attack like WannaCry can be interminable and even fatal to a healthcare organization.
Applying acute care to cyberattacks and security breaches doesn’t work because it’s entirely reactive in nature. No matter how well you define and refine the treatment process or in this case, mitigation and remediation, the outcome will never change. Simply put, more and more arms will continue to get broken regardless of how well the organization fixes them.
However, with cyberattacks and breaches, healthcare organizations do have the opportunity to change the outcome – if only they start to think differently about the problem.
Rx: A new security model that mimics the human immune system
To turn the corner and improve defenses, senior healthcare leadership must not think about cybersecurity in terms of patching problems and reacting to emergencies. By contrast, they need to look at the overall health of their networks and defenses, find ways to improve basic resiliency and apply a new security model – one that is based on pervasive visibility and mimics the human immune system, which:
1. Works proactively from within to prevent health problems from occurring or worsening.
2. Covers the entire body, not simply reactively focusing on problem areas.
3. Learns, adapts and remembers so it can fight off future infections more efficiently.
4. Responds immediately, independently and automatically.
In addition to pervasive visibility into all data flows – the lifeblood of all healthcare organizations – a new security model would include good hygiene (prevention), detection, prediction and action (containment).
The benefits of good hygiene practices are clear in a healthcare setting. Simple measures, such as vigilance in adhering to handwashing, can drastically decrease the chances of contamination, spread of disease and hospital-acquired infection rates. A similar approach to cybersecurity can yield comparable results.
Examples of good security hygiene include patching, privileged credential protection, network segmentation, asset isolation and perimeter protection. These all help ensure that attackers cannot break in and infect organizations – or at least, limit an attacker’s success. With good hygiene, organizations can protect themselves from being a target of opportunity by forcing attackers to take additional or unnatural steps to gain access and spread the threat.
Good security hygiene can help eliminate basic threats and prevent untargeted attacks, such as WannaCry, but it is unlikely enough to stop a focused attack by an experienced and determined adversary. In this case, forcing the attacker to take unnatural steps provides the organization an opportunity to detect anomalies – which are relative to normal behavior and consequently, their detection requires a baseline of what “good health” looks like.
This is the basis of many machine learning solutions in development today. With a baseline established, organizations can compare all activity and quickly detect anomalies. Machine learning technologies resemble the human immune system’s ability to learn, remember and combat viruses and bacteria based on adaptation.
Prediction and action
Once anomalies are detected, the next step in a security immune system is to understand intent. For example, is what we’re seeing normal or intentionally bad behavior? With intent uncovered, organizations can act to contain, remediate or even, allow contained detonation of the threat to better learn and understand the intent. While much of this now happens manually and straddles organizational boundaries, there are many solutions, including artificial intelligence (AI) and security workflow orchestration, that can help automate the process.