The following is an interview with Travis Volk, Technical Vice President at Radware. In this interview, we talk about some of the unique challenges hospitals face amid COVID-19. In particular, we discuss the security of temporary hospitals, which seem likely to remain part of our future as COVID-19 continues to rear its ugly head in various regions. We also ask Travis how to deal with other security challenges, such as healthcare staff being targeted by hackers and the risks of remote work.
What are the security vulnerabilities unique to temporary hospitals?
Temporary medical units carry a unique set of vulnerabilities because they are remote and sit outside of a defense-in-depth architecture. Administrators fight on a daily basis to patch, upgrade and maintain physical systems within pre-defined facilities. These systems are available 24/7, 365 days a year, which means there is a constant routine to maintain security hygiene. Temporary medical units or Cells on Wheels (COWs) are impossible to maintain in the same way because they are not often deployed. Relying on wireless connectivity also opens a localized opportunity for hackers to monitor traffic over the air, which increases the odds of identifying legitimate credentials and simplifies their access.
How has the rise in security threats due to the pandemic broadened the threat landscape for healthcare facilities?
As reported by the FBI on April 16th, HIPAA-covered healthcare industry employees were advised to beware of scammers attempting to steal money by targeting state agencies looking to buy personal protective equipment and medical supplies. These advance-fee scams are a good example of how automated spam combined with targeted misinformation adds to the level of confusion surrounding a system's vulnerabilities. On top of that, connected device counts have exploded in number since 2015, and during the same period the medical industry has seen a constant increase in data breaches. As hackers target medical devices because of their low security standards, their malware is capable of emulating normal user traffic, making it extremely complicated to differentiate the malicious activity that leads to data access. Once the hackers have penetrated the system, they focus on ransomware and other forms of fraud, crippling any normal or necessary operations.
In terms of cybersecurity defense, how prepared right now are the healthcare organizations establishing these temporary centers?
Like most of the IT industry, they are totally unprepared for advanced penetration techniques. The healthcare industry, like others, has been fixated on zero trust, user access management and encrypted communication, while hackers have created techniques to bypass all forms of access management, leaving day-2 anomaly awareness and active threat mitigation to chance.
What will be the most important lessons learned from the COVID-19 pandemic in terms of hospital cybersecurity defense and the way it will be planned in the future?
Modern application security gateway designs combined with end-to-end network security frameworks have become flexible in both form factor and scale, essentially becoming a pervasive model. Industry leaders are focused on delivering a common set of tools regardless of whether services live at the edge, in the public cloud, or in a medical transport vehicle. This consistency allows for better overall visibility, control and compliance.
How can you better prepare healthcare staff to not be exploited by a hacker?
- Set strict employee guidelines about how and where to place orders for any emergency resources.
- Constantly educate and frequently remind employees, via top-down communication, not to click links in email or in external documents, which are often used in phishing campaigns or to infect devices with downloaded malware.
- Reward employees for finding malicious emails, reporting application performance issues and application issues that could reveal vulnerabilities.
- Remind employees that handsets and other communication resources (BYOD), when used outside of the corporate security framework, are more likely to be infected through normal internet surfing without the support of best-of-breed, defense-in-depth gateway components filtering viruses, spyware and rootkits.
- Still, it's proven that even with the best corporate security programs, employee education is only about 4-5% effective.
With many in healthcare working remotely, what are the keys to securing staff working remotely?
- There are technical ways of locking down endpoints that significantly lower the risk of employees making mistakes and therefore becoming infected. Solutions such as Desktop as a Service, Microsoft managed desktop tools, mobile device management tools and compliant desktop solutions are all examples of centrally controlled solutions capable of managing governance for software, security rules and application restrictions. This approach can be overly restrictive and expensive, and it often forces populations of employees to carry multiple devices.
- Most IT teams will look for a middle ground, where endpoint management software is used to help manage global updates but poses fewer restrictions on application access and internet usage. VPNs are often combined with internal application usage to better isolate corporate communication, enforcing access rules, encrypting communication and routing traffic through centralized resources with more comprehensive coverage of vulnerabilities for employees. If the right VPN solution is used, this approach can also be used to block software installations on endpoints that are not authorized by IT. It can also enforce the status of antivirus software before allowing access, and it provides some level of assurance that rule engines are up to date and that the general security posture of endpoints is sound.
- Public Wi-Fi in general poses a risk to users. If employees are working in public locations, they should take extra care to use VPN resources to better harden their communication against snooping. However, a VPN will not stop a hacker's ability to locally masquerade access logins from rogue cells, leading to man-in-the-middle techniques that often go undetected by end users. In public locations, employees should never walk away from an unlocked device.
- IT staff should be sure they have sufficient overhead at VPN concentrator locations. The moment security resources slow the pace of business, they are often bypassed. It's very important that user experience is top of mind when designing business continuity strategies for any business.
This interview is part of the #HealthIT100in100