The following is a guest article by Mohammad Waqas, CTO for Healthcare at Armis
When it comes to critical infrastructure protection, there is arguably no sector more vital than healthcare – lives are on the line. Unfortunately, the healthcare industry has been afflicted with a ransomware epidemic that has lasted more than half a decade.
In 2023 alone, healthcare organizations saw a consistent month-over-month increase in attack attempts of 13%. One of the most recent cases was a ransomware attack against national health system Ascension. This interrupted electronic health records (EHR) and other systems so severely that staff had to switch to “manual and paper-based” processes, while emergency room patients had to be sent to other hospitals, and non-emergency appointments were rescheduled.
Incidents such as these illustrate how complex and interconnected healthcare networks can be. Unknown and unmanaged devices are so prolific that many healthcare organizations lack insight into the true scope of their attack surface. Vulnerabilities in legacy systems can be difficult to remediate, and third-party risks can multiply these challenges.
Ransomware attacks, especially in the healthcare industry, exploit low-hanging fruit: unpatched vulnerabilities and unsecured physical or virtual assets. The Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance for mitigating some of these risks. It is essential that healthcare organizations ensure complete visibility and continuous security across all medical devices, clinical assets, and environments to treat the root cause of this ongoing condition.
Symptoms of a Complex Network
Healthcare organizations have a complex attack surface, spanning IT, OT, IoT, IoMT, cloud, and virtual systems.
Many of these devices may be unknown or unmanaged, such as when a patient connects their Xbox to the network or a connected medical device is forgotten in storage. HVAC and other building controls are also often overlooked, but disrupting them could have severe implications – from canceling a surgery to increasing the risk of disease transmission.
Medical devices can be particularly challenging to secure, even in the face of known vulnerabilities, because they rely on legacy operating systems that are unable to support security agents or cannot be patched. Something as simple as a nurse call system can be riddled with vulnerabilities, and replacing a device like an MRI machine is not always feasible, especially for an industry that faces constant budget cuts.
Healthcare systems are also vulnerable to third-party risks, such as site-to-site VPN tunnels with lab testing partners. Sophisticated threat actors may seek to attack these more vulnerable partners as an entry point into healthcare networks. For example, the Change Healthcare breach earlier this year demonstrates how threat actors target hubs that branch into multiple organizations.
Anatomy of an Attack
In May 2024, CISA published a joint #StopRansomware advisory in response to the Black Basta attack on Ascension, which highlights how weaponized tools were used to discover vulnerable devices and exposed accounts.
CISA has recommended several mitigation actions, including:
- Installing updates for operating systems, software, and firmware as soon as they are released
- Requiring phishing-resistant multi-factor authentication (MFA) for as many services as possible
- Securing remote access software
The reality is that these recommendations should be the fundamentals of a cybersecurity program built on proactively identifying and neutralizing potential threats. However, without a comprehensive strategy to protect the entire attack surface, treating these symptoms is like bandaging an infection without prescribing antibiotics.
An Ounce of Prevention, a Pound of Cure
A holistic approach to cyber exposure management must start with a comprehensive asset inventory of hardware, software, and systems across all enterprise assets, including IoT, IoMT, OT, cloud, remote, and virtual.
Contextualizing this inventory, such as differentiating between an infusion pump in an ER vs. one in a day clinic, can help prioritize risk remediation efforts to ensure vulnerabilities that impact critical patient care are addressed first.
Vulnerability assessments and patch management processes should leverage this comprehensive and contextualized asset inventory to identify vulnerable devices and prioritize their remediation. Healthcare organizations must focus on ensuring the reliability of patient care, as well as protecting sensitive data.
Securing accounts from unauthorized access and misuse requires a combination of controls, such as Identity and Access Management (IAM) and MFA, in addition to real-time network scanning to detect suspicious behavior patterns like unauthorized access to EHR.
Network scanning can also detect IoT devices with unencrypted or default credentials and alert security teams to failed authentication attempts, which can be a sign of brute force attacks. Integrating actionable threat intelligence can also prioritize the remediation of vulnerabilities that bad actors are actively exploiting.
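The prioritization described above, sketched as an added example that is not from the article or from any Armis product: findings are ranked by severity, care context, and whether threat intelligence marks them as actively exploited. The weights, asset names, `VULN-*` identifiers, and the rule that unpatchable devices get a segmentation action are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed weights: how directly a location affects critical patient care.
CARE_WEIGHT = {"emergency_room": 3.0, "day_clinic": 1.5, "storage": 1.0}

@dataclass(frozen=True)
class Asset:
    asset_id: str
    device_type: str
    location: str
    patchable: bool  # False for legacy devices that cannot take patches

@dataclass(frozen=True)
class Finding:
    asset_id: str
    vuln_id: str     # placeholder identifier, not a real CVE
    severity: float  # 0-10 base severity

def prioritize(assets, findings, exploited_ids):
    """Return (score, asset_id, vuln_id, action) tuples, highest risk first."""
    inventory = {a.asset_id: a for a in assets}
    ranked = []
    for f in findings:
        asset = inventory.get(f.asset_id)
        if asset is None:
            # Device seen on the network but absent from the inventory:
            # a visibility gap, ranked first so it gets identified.
            ranked.append((float("inf"), f.asset_id, f.vuln_id, "identify"))
            continue
        score = f.severity * CARE_WEIGHT.get(asset.location, 1.0)
        if f.vuln_id in exploited_ids:
            score *= 2  # assumed boost for actively exploited vulnerabilities
        # Unpatchable devices get a compensating control instead of a patch.
        action = "patch" if asset.patchable else "segment"
        ranked.append((round(score, 1), f.asset_id, f.vuln_id, action))
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed sample data.
ASSETS = [
    Asset("pump-er-01", "infusion_pump", "emergency_room", False),
    Asset("pump-dc-07", "infusion_pump", "day_clinic", False),
    Asset("ws-dc-12", "workstation", "day_clinic", True),
]
FINDINGS = [
    Finding("pump-er-01", "VULN-A", 7.0),
    Finding("pump-dc-07", "VULN-A", 7.0),
    Finding("ws-dc-12", "VULN-B", 8.0),
    Finding("xbox-unknown", "VULN-C", 5.0),
]
EXPLOITED = {"VULN-B"}  # stand-in for a threat intelligence feed

if __name__ == "__main__":
    for row in prioritize(ASSETS, FINDINGS, EXPLOITED):
        print(row)
```

The same vulnerability on the same device type ranks twice as high in the ER as in the day clinic, and the actively exploited workstation finding outranks both.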
Healthcare organizations should ideally be implementing all of these processes to work toward network segmentation, one of the strongest controls an organization can have. Finally, it is important to understand that none of these best practices should be treated as a point-in-time or one-time exercise; each is a continuous process. Proactive risk and vulnerability management is a form of threat prevention, and prevention is the best medicine.
About Mohammad Waqas
Mohammad Waqas is the Chief Technology Officer (CTO) for Healthcare at Armis with over a decade of experience in the healthcare cybersecurity industry. Currently, Mohammad helps healthcare organizations across the globe with medical device security and works on aligning the value of the Armis platform to the specific use cases that exist in healthcare. Mohammad not only looks at the security threats of cyberattacks on healthcare delivery organizations but also has a passion for protecting patient privacy and the implications of the two on clinical risk management.