Strategies for healthcare’s defense against cyberattacks

Just like fighting against the spread of disease in a clinical environment, healthcare providers must mobilize, coordinate with interconnected partners, and apply sufficient budgetary resources to combat an ever-changing cyberattack landscape.

A new set of safeguards is necessary to protect the confidentiality, integrity, and availability of critical healthcare business operations and data.

It’s no longer a question of if your healthcare facility — will suffer a cyberattack — it’s when. 

Not surprisingly, the healthcare industry, which maintains some of the most sensitive data and has stretched budgetary resources, is the biggest target for cyberattacks and has a high associated response cost, according to the latest report by the Ponemon Institute.

The Ponemon Institute report, made in collaboration with IBM, states the average total cost of a data breach reached an all-time high of USD 4.45 million in 2023. The increase represents a 2.3% increase from the 2022 cost of USD 4.35 million and an 15.3% increase from USD 3.86 million in 2020. The report recommends that the healthcare industry invest in incident response planning, testing, employee training, threat detection, and response technologies.

The statistics on cyberattacks are sobering. According to CISA (Cybersecurity and Infrastructure Security Agency), the United States operational lead for federal cybersecurity, cybercrime is growing exponentially. Furthermore, it is sometimes occurring at the hands of sophisticated government-backed criminals. 

Cybersecurity can no longer be left solely to the IT department. Instead, it is an organization-wide and industry-as-a-whole duty.

Every healthcare facility workforce member, including contractors and volunteers, with access to digital information, electronic health records, or network resources, including the internet, must share the duty to safeguard critical information — because it takes just a single unmitigated incident to put a healthcare facility at risk.

According to The Joint Commission, a US nonprofit that accredits healthcare organizations and programs, just one person can jeopardize an organization’s security efforts if they fall prey to common phishing strategies. The initial attack vector — 16% of the time worldwide — is an internal phishing attack along with stolen credentials, according to the Ponemon Institute.

The current risk landscape in healthcare includes significant regulatory compliance risks and sophisticated, often government-supported cybercriminal networks. The healthcare industry and its caretakers have access to much more comprehensive patient information today due to the push towards interoperability and interconnected healthcare organizations.

However, the regulatory landscape demands heightened security and more accessible patient information. It’s important to note this expansive sharing of healthcare data poses a significant risk to patient privacy and security and a wide variety of regulatory obligations. 

The well-established HIPAA regulations, increasingly new and broad state privacy regulations, and even the European Union’s sweeping General Data Protection Regulation (“GDPR”) all carry the colossal potential for fines and regulatory oversight.

The 21^st Century Cures Act and its implementing regulations require healthcare and certain technology providers to offer much less burdensome access and sharing of electronic patient data and prohibit “information blocking” with massive risks for regulatory fines and exclusions for noncompliance. Availability and assignment of sufficient budgetary resources for such compliance-related safeguards are becoming increasingly complex.

Cybercrime is the other severe risk. Every connected device faces the potential of a cyberattack targeting healthcare data and systems. While some hospital data breaches appear in the news, most don’t reach the public’s attention.

In 2020 alone, one in three healthcare organizations around the globe reported a ransomware attack, according to the American Association of Medical Colleges (AAMC). Why is that? Because healthcare data is ten times more valuable to cybercriminals than credit card information. In addition, sophisticated criminals know about the healthcare industry’s struggle to keep up with the risks they pose.

Healthcare data is precious and increasingly sold on the “dark web,” according to healthcare privacy attorney Sheila Stine, JD, CIPP/US, who helps healthcare clients prepare for and respond to data breaches and teaches about identity theft.

Stine says: “The dark web is the ‘web below the web’ or a part of the internet only available using special tools. It is the bad guy’s sophisticated marketplace. Medical data sets have great value to cybercriminals for medical identity theft.”

“Cybercriminals can sell medical data sets via the dark web in exchange for access to emergency care, access to prescriptions and durable medical equipment and even fraudulent access to commercial health insurance or Medicare/Medicaid. They are smart enough to even know to sit on the data for a year or more after accessing it to avoid detection during the standard one-year period of credit protection that some organizations offer their customers and patients.” 

Healthcare administrators tend to focus stretched resources on patient services. AAMC’s Senior Director of Information Security, Dr. Stephen Lopez, says, “It can be hard to divert resources to information security if it seems to come at the expense of patient services.”

However, healthcare organizations can only defend against ransomware and other cyberattacks with adequate security measures. There should be an appropriate balance between information security defense and patient services. Yet, that balance can be challenging to determine.

Cyberattacks have become so prominent numerous articles have been published surrounding hospitals and clinics in numerous states have been hit by these intrusions, causing emergency rooms to be closed and ambulances diverted to other hospitals.

In an article by Associated Press, the American Hospital Association's National Advisor for Cybersecurity and Risk, John Riggi says: “These are threat-to-life crimes, which risk not only the safety of the patients within the hospital, but also risk the safety of the entire community that depends on the availability of that emergency department to be there.”

In my personal history as a Director of Safety and Security for a major healthcare organization, I’ve seen the extent of damage that can occur from a seemingly careless act.

At a healthcare system in the Midwestern United States, my organization was hit with a malware attack when a healthcare worker found a USB drive in the parking lot. My colleague in a suburban clinic thought she could identify who it belonged to by seeing what files were on it. Once she inserted the drive into a computer, ransomware infected the clinic system against her knowledge.

Thankfully, our team discovered the malware, which only infected the regional clinic. The ransomware asked for over $200,000.00. However, our organization rebuilt the system and had to re-enter the data for the clinical day manually. Immediately after this incident, all USB drives were disabled, along with a host of other protocols.

Every day, this type of incident happens countless times across the healthcare industry and beyond. It’s not worth the cost and effort when workers can train on the appropriate response.

In such an unpredictable and highly regulated landscape, healthcare organizations must leverage their people's power and the strength of their security solutions to defend against cyberattacks. The Joint Commission found that “healthcare organizations must guard against a wide variety of attacks and teach staff to expect the unpredictable as hackers continuously adapt their strategies.”

Attack vectors vary widely from phishing attempts to network penetrations and device attacks. Consequently, video management software (VMS) and connected devices are vulnerable to criminals seeking data access and system control.

Milestone Systems recommends continuous updating of the VMS as one method to secure systems and data against a cyberattack. XProtect^® VMS by Milestone is designed and independently tested to meet the highest security standards, and a security response team supports it.

In addition, Milestone offers a choice of software maintenance packages and professional services to help you protect your security platform product.

• Add strong camera passphrases or long 10+ character passwords following industry recommended standards of a combination of upper case, lower case, numerals, and symbols.
• Whenever possible, isolate your security networks from other PC and workstation networks.
• Secure the network to ensure only installed cameras can communicate.
• Deploy individual logins with role-based permissions appropriate to the operator’s role which, expire or are validated periodically.
• Prohibit sharing/writing down passwords. Individual role-based passwords may help determine the root cause of an incident or attack.
• Fully document suspected incidents and maintain those according to formal incident response and record retention policies.
• Conduct periodic system-wide risk assessments. As they become known:
• Fully document known or reasonably suspected risks.
• Determine how to mitigate such risks within expected completion timeframes.
• Evaluate acceptance of residual risk by authorized management personnel.
• Conduct thorough vendor due diligence. For instance, only purchase cameras and VMS from reputable, sound security companies and avoid organizations with known cybersecurity vulnerabilities.
• Disable USB ports and device cameras that are unnecessary for routine work.
• Carefully design BYOD or “bring your own device” policies to limit authorized use of personal devices.
• Deploy firewall security for your internet connection.
• Insure your organization against various types of cyber liability.
• Teams should frequently backup critical data and then “backup the backup” in a different physical location.
• Periodically train and retrain workforce members on your privacy, security, and escalation of incident requirements.
• Document reasonable sanctions against workforce members who violate organizational policy, contractual, or legal requirements.

Additionally, healthcare organizations can bolster their security measures through “hardening” — continuously identifying and countering evolving security risks.

1. Identify the components that need protection on a written log or other documentation.
2. Harden the surveillance system’s servers, computers, device networks, and cameras on a routine basis.
3. Document, maintain, and periodically update security settings for each system.
4. Deploy security software patches and updates promptly.
5. Train your team to help you identify future threats and implement countermeasures.

Smaller healthcare organizations can also leverage many available resources for small businesses offered by governmental agency resources, such as the National Institute of Standards and Technology (NIST) small business cyber security resource page.

These are just some initial recommended steps toward successful cybersecurity defense. There are still multiple opportunities for cybercriminals to attack both internally and externally. However, healthcare organizations can better protect their vulnerable security infrastructure by automating and strengthening processes in partnership with Milestone Systems.

While many cyberattacks often launch from a distance, some incidents physically take place in the facility. For example, “walk-in attacks” occur when a criminal enters a facility with or without authority and may look for easy targets, such as unsecured laptops to steal, open ethernet ports to hack, unsecured portals, sites “open to the internet,” or weak passwords on Wi-Fi networks.

Most facilities and networks have safeguards to defend against such apparent threats. However, employees must still maintain vigilance and watch for people who don’t belong.

For instance, healthcare facility policy and training should prohibit “piggybacking” or allowing someone to follow an authorized person through a locked door without using their credentials. Using best practices, the security team should train the workforce to watch for those not appropriately picture-badged in restricted areas.

Milestone Systems works with a community of technology providers with integrations for the XProtect platform to alert facility security members of unauthorized people in restricted areas. For example:

• Video analytics determine activity and behaviors captured by cameras, triggering automated processes, and notifying operators of problems, such as unauthorized personnel crossing a virtual perimeter into a restricted area.
  
  
• Access control allows or restricts entry at doors based on credentials. In addition, with integration into the XProtect platform, nearby cameras can be used for video verification when needed.
  
  
• Infrared sensors detect human activity in restricted areas. Alerts can be sent to security operators for immediate action when necessary.

Milestone Systems also has developed a range of security protocols and integrations for our platform, for example: 

• Security through network separation. XProtect uses a tiered system architecture to separate the camera network and the core server/client network, so there is no direct routing between the two. The architecture increases the system’s resilience and lowers a potential attack’s impact on the system.

• Secure camera connection
• Certificate-based HTTPS communication provides secure access for Management Client and Smart Client users and bidirectional communication encryption between all the system’s components, which prevents eavesdropping and tampering.

• Leveraging certificate-based HTTPS communications ensures secure, trusted access for facility administrators while preventing decryption eavesdropping and tampering.

• Secure video storage
• XProtect Corporate can encrypt and password-protect media data, meaning recorded data is protected even if someone accesses the data files on the storage system or network share. XProtect Corporate also supports a digital signature on the recorded media data, proving the video is the original.

• Strict server-side authentication and authorization
• XProtect uses consistent server-side user authentication and authorization for all clients and integration interfaces. This authentication applies to all users and system services accessing the system via the Milestone Integration Platform SDK or Milestone Open Network Bridge. Used together with strict user rights and roles, it provides complete control of access to the system.

• Built on Windows Security Infrastructure
• XProtect supports Windows Active Directory (AD) with both native Windows NTLM and Kerberos authentication, alongside OpenID Connect and OAuth2, for maximum security.

• Secure remote user access
• XProtect uses a dedicated mobile server as a system gateway to shield and protect the core VMS servers when users connect remotely. The Mobile Server, Mobile Client, and Web Client communication support HTTPS to prevent eavesdropping and tampering, providing secure authentication and bidirectional encryption, which includes user credentials, configuration, and media data.

• Protection of evidence material
• To protect exported forensic material, XProtect uses encryption, digital signing, and password protection of the media databases. XProtect’s Smart Client player ensures that exported evidence is original and unaltered by verifying signatures and preventing evidence from re-exporting to control the media once it leaves the VMS.

Milestone Systems supports healthcare facilities and their data by continually updating our platform. As a result, your organization can focus on patient-centric care.

How healthcare facilities face the challenges of tomorrow depends on the planning and choices they make today. With XProtect VMS, healthcare facilities can be ready for what comes next and quickly pivot to improve their business outcomes.

When a large healthcare organization uses the XProtect open platform, the workforce can mitigate risks, maximize existing resources, and stretch budgets further. You can count on Milestone Systems as your collaborative partner, supporting your endeavor to prepare for the current risks and future challenges faced in healthcare.

If you’re ready to learn more about XProtect VMS, a Milestone representative can demonstrate how you can enhance your security system — book a demo today.