Telehealth was an unexpected technology bright spot in 2020, as the Office for Civil Rights (OCR) relaxed enforcement of certain aspects of HIPAA, helping to reduce COVID exposure via virtual rounding and virtual visits.
Unfortunately, bad actors have shown a lack of morality in their pursuit of illegal profits and have continued to attack medical organizations. Ransomware attacks, for example, can cripple a hospital's ability to provide high-quality patient care by denying access to key computer systems, forcing medical professionals to treat patients from memory and paper-based records.
The following three high-level recommendations provide a basis for defense in depth for healthcare organizations in 2021.
The automatic labeling of unstructured data allows organizations to more readily apply appropriate technical controls, such as encryption, to limit the regulatory risks associated with an accidental or intentional breach. It is very reasonable to expect a medical organization to share PHI internally among care providers working on a team. It is similarly reasonable for organizations to share PHI outside of their organization, but only with trusted third parties. However, it is unreasonable for an employee to send an email containing patient records to their personal email address, for example, or to store that PHI on an unapproved cloud storage service.
A well-defined data classification policy coupled with automatic labeling will address the above scenarios by automatically applying encryption to the outbound transfer to a third party and limiting the access to only those trusted third parties. The email sent to a personal email would be blocked outright, as would the upload to an external unsanctioned storage provider. If there were enough instances caused by a single employee, a collaborative team of legal, HR, and IT Security would be notified, and telemetry captured by the data loss prevention solution could be used to inform corrective actions.
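As an added illustration (not code from the article or any vendor's DLP product), the following script shows the decision logic the two paragraphs above describe: a crude automatic labeler flags PHI indicators, an outbound-transfer policy allows internal sharing, encrypts transfers to trusted third parties and blocks personal mailboxes and unsanctioned storage, and a telemetry roll-up surfaces repeat offenders for escalation. The domains, PHI patterns and sample messages are constructed assumptions for the example.

```python
"""Added example: data classification plus outbound transfer policy.
Domains, patterns and messages below are constructed for illustration."""
import re

# Constructed allow-lists (assumptions): the organization's own mail domain,
# trusted third-party domains, and the sanctioned cloud storage host.
INTERNAL_DOMAIN = "example-hospital.test"
TRUSTED_PARTNER_DOMAINS = {"partner-lab.test"}
SANCTIONED_STORAGE = {"storage.example-hospital.test"}

# Crude PHI indicators for the automatic labeler: a medical record number and a
# date of birth. A real labeler uses many more detectors; these are constructed.
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)
DOB_RE = re.compile(r"\bDOB[:\s]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE)


def classify(text: str) -> str:
    """Return 'PHI' when protected health information indicators are present, else 'Public'."""
    if MRN_RE.search(text) or DOB_RE.search(text):
        return "PHI"
    return "Public"


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def decide_email(body: str, recipient: str) -> str:
    """Policy for an outbound email: ALLOW, ENCRYPT, or BLOCK."""
    if classify(body) != "PHI":
        return "ALLOW"
    dest = _domain(recipient)
    if dest == INTERNAL_DOMAIN:
        return "ALLOW"      # care-team sharing inside the organization
    if dest in TRUSTED_PARTNER_DOMAINS:
        return "ENCRYPT"    # trusted third party: encrypt the transfer
    return "BLOCK"          # personal mailboxes and everything else


def decide_upload(body: str, storage_host: str) -> str:
    """Policy for uploading file contents to a cloud storage host."""
    if classify(body) != "PHI":
        return "ALLOW"
    return "ALLOW" if storage_host.lower() in SANCTIONED_STORAGE else "BLOCK"


def repeat_offenders(events, threshold: int = 3):
    """From DLP telemetry, a list of (user, decision), return users with at least
    `threshold` blocked transfers: the cases to hand to legal, HR and IT security."""
    counts = {}
    for user, decision in events:
        if decision == "BLOCK":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    note = "Patient MRN: 12345678, DOB 01/02/1980, follow-up scheduled."
    print(decide_email(note, "nurse@example-hospital.test"))   # ALLOW
    print(decide_email(note, "intake@partner-lab.test"))       # ENCRYPT
    print(decide_email(note, "me@personal-mail.test"))         # BLOCK
    print(decide_upload(note, "drive.unsanctioned.test"))      # BLOCK
```

The point of separating `classify` from the two `decide_*` functions is that the label travels with the data while the policy is evaluated at each egress point; adding a new channel (chat, print, removable media) means adding one more `decide_*` rule, not another labeler.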
This encryption should be bolstered by applying disk-level encryption to all mobile devices that can contain PHI or PII. This control, while not new, is particularly important in the era of COVID, when employees are taking company devices home. Many a data breach and enforcement action under HIPAA could have been prevented if healthcare organizations had applied disk encryption to mobile devices.
Finally, to ensure patient privacy, organizations should select a compliant encrypted solution for telehealth. Under the relaxed enforcement model from OCR, end-to-end encryption is not yet mandatory, which has given vendors time to build this capability into their solutions for real-time video and voice communications. Ideally, the telehealth solution would easily integrate into the data loss prevention solution instead of running two parallel platforms, which is a poor use of limited working capital during a pandemic.
The Center for Internet Security’s Critical Security Controls are prescriptive for network hardening.
Control 1, “Inventory and Control of Hardware Assets,” states that organizations should have an inventory of authorized devices. This also helps with patching and data management; organizations cannot hope to patch those devices that they don’t know that they have, and it’s similarly difficult to control the spread of data on devices that are not known.
Control 9, "Limitation and Control of Network Ports, Protocols, and Services," lays out practical, common-sense defenses specific to networks. These include disabling physical network ports that are not in use, such as those in public areas, and defining and monitoring for the expected and normal protocols and services in use on the network. This list of normal and expected protocols and services is an invaluable input to threat hunting.
Control 11, “Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches,” defines controls for access and permissions to change the configuration of common network devices. These are often enacted as part of a privileged identity management strategy, where users need to request temporary permissions to modify configurations of on-premises and cloud-based network assets. Organizations can also audit their configurations of network infrastructure and compare the state of the configurations over time to identify any changes that were not approved via a change control process.
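The configuration audit described above can be reduced to a diff against an approved change record. The following added example (not the article's own code, and not tied to any particular vendor's configuration syntax) snapshots a constructed switch configuration, diffs it against the current running configuration, and reports every added or removed line that no approved change ticket accounts for. The configuration text and the approved-change set are constructed assumptions.

```python
"""Added example: detect network device configuration changes that were not
approved through change control. Config text below is constructed."""
import difflib

# Constructed baseline snapshot taken at the last audit (assumption).
BASELINE_CONFIG = """\
hostname core-sw-01
ntp server 10.0.0.5
logging host 10.0.0.20
line vty 0 4
 transport input ssh
"""

# Constructed current running configuration (assumption): management access
# was widened to include telnet, and an HTTP server was enabled.
CURRENT_CONFIG = """\
hostname core-sw-01
ntp server 10.0.0.5
logging host 10.0.0.20
line vty 0 4
 transport input ssh telnet
ip http server
"""

# Changes that were approved via change control, as (op, line) pairs.
# Only the HTTP server line was approved in this constructed scenario.
APPROVED_CHANGES = {("+", "ip http server")}


def config_changes(baseline: str, current: str):
    """Return (op, line) pairs for lines added ('+') or removed ('-') between snapshots.
    Whitespace is stripped so indentation differences do not mask a change."""
    diff = difflib.ndiff(baseline.splitlines(), current.splitlines())
    return [(d[0], d[2:].strip()) for d in diff if d[0] in "+-"]


def unapproved_changes(baseline: str, current: str, approved):
    """Every change not present in the approved set is a finding for the audit."""
    return [c for c in config_changes(baseline, current) if c not in approved]


if __name__ == "__main__":
    for op, line in unapproved_changes(BASELINE_CONFIG, CURRENT_CONFIG, APPROVED_CHANGES):
        print(f"UNAPPROVED {op} {line}")
```

Run against a scheduled export of running configurations, the script turns "compare the state of the configurations over time" into a repeatable check: an empty result means the device matches its last approved state, and any output is a change to raise with the owner of the change control process.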
Control 15, “Wireless Access Control,” provides security controls for wireless networks. Some of these are obvious, such as preventing rogue access points from connecting to or duplicating your organization’s network. Other controls provide additional defense for those organizations willing to take the time to configure them correctly, such as using certificate-based wireless authentication for devices.
Automated Threat Hunting
Cybersecurity is a continuous improvement process, and threat hunting supports that evolutionary process while also validating that defensive controls are working or alerting as expected. To be effective, threat hunting should be based on scenarios composed using the MITRE ATT&CK framework based on visible threat actors potentially engaging with the organization.
For example, threat hunters can compose a scenario based on the known phishing tactics of an Advanced Persistent Threat (APT) and then carry out that scenario to ascertain the efficacy of email controls designed to block phishing-based threats. Alternatively, an organization could choose to simulate a threat based on an unusual network protocol; in this case, the list of normal and expected protocols from CIS Control 9 would help determine whether unapproved protocols are being blocked at the network layer.
To be truly meaningful, however, threat hunting should be expressed as code, and not be a manual process. Creating a threat hunting scenario based on a theory or an investigation is inherently time-consuming, and if done only once, it validates that the threat would have invoked the observed response at that time. Configurations will drift, software will be updated, integrations will change, and employee behavior will vary. The only way that an organization is protected against a given threat scenario is to run that scenario regularly. Thankfully, there are tools that enable senior threat hunters to automate scenarios while showing more junior members of staff how to compose a scenario and to collect data from that scenario.
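As an added example serving the three passages above (the CIS Control 9 baseline of expected protocols, the network-protocol scenario, and "threat hunting as code"), the script below encodes a constructed baseline of expected services as data, runs a hunt over constructed flow-log lines to find anything outside that baseline, and then expresses two scenarios as data that inject a known-bad flow and check that the hunt reports it. Rerunning the scenarios on a schedule is what catches the configuration drift the text warns about. It is not the article's code or any named tool; the flow-log format, field names, service baseline and hosts are assumptions.

```python
"""Added example: CIS Control 9 protocol baseline as a repeatable hunt, with
scenarios expressed as code. Flow records, hosts and ports are constructed."""
from collections import Counter

# Constructed baseline of expected (dst_port, proto) services on the clinical
# network, each named so a finding reads clearly. Assumption for the example.
EXPECTED_SERVICES = {
    (443, "tcp"): "HTTPS (EHR web front end)",
    (53, "udp"): "DNS",
    (104, "tcp"): "DICOM (imaging)",
    (2575, "tcp"): "HL7 MLLP (interface engine)",
    (22, "tcp"): "SSH (admin jump host only)",
}
# Services that are expected only from specific sources (constructed jump host).
RESTRICTED_SOURCES = {(22, "tcp"): {"10.0.9.10"}}

# Constructed flow-log lines: "timestamp src dst dport proto bytes".
SAMPLE_FLOWS = [
    "2021-01-11T08:00:01Z 10.0.1.15 10.0.2.5 443 tcp 5120",
    "2021-01-11T08:00:02Z 10.0.1.15 10.0.0.2 53 udp 96",
    "2021-01-11T08:00:03Z 10.0.3.7 10.0.2.9 104 tcp 88000",
    "2021-01-11T08:00:04Z 10.0.9.10 10.0.2.5 22 tcp 2048",
    "2021-01-11T08:00:05Z 10.0.1.22 10.0.2.5 22 tcp 1024",
    "2021-01-11T08:00:06Z 10.0.1.22 203.0.113.9 23 tcp 300",
]

# Scenarios as data: a flow to inject and the finding the hunt must produce.
SCENARIOS = [
    {"name": "telnet egress from workstation",
     "inject": "2021-01-11T09:00:00Z 10.0.1.40 198.51.100.7 23 tcp 200",
     "expect": ("10.0.1.40", 23, "unexpected service")},
    {"name": "ssh from non-admin host",
     "inject": "2021-01-11T09:00:01Z 10.0.1.41 10.0.2.5 22 tcp 512",
     "expect": ("10.0.1.41", 22, "restricted service from unapproved source")},
]


def parse_flow(line: str) -> dict:
    """Parse one constructed flow-log line into a record."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes)}


def hunt(lines):
    """Return flows outside the baseline, or using a restricted service from an
    unapproved source. Each finding carries a human-readable reason."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        key = (f["dport"], f["proto"])
        if key not in EXPECTED_SERVICES:
            findings.append({**f, "reason": "unexpected service"})
        elif key in RESTRICTED_SOURCES and f["src"] not in RESTRICTED_SOURCES[key]:
            findings.append({**f, "reason": "restricted service from unapproved source"})
    return findings


def summarize(findings):
    """Count findings by (dport, proto, reason) so runs can be compared over time."""
    return Counter((f["dport"], f["proto"], f["reason"]) for f in findings)


def run_scenarios(baseline_lines, scenarios):
    """Inject each scenario's flow and record whether the hunt produced the
    expected finding. A False result means detection has drifted."""
    results = {}
    for s in scenarios:
        findings = hunt(list(baseline_lines) + [s["inject"]])
        src, port, reason = s["expect"]
        results[s["name"]] = any(
            f["src"] == src and f["dport"] == port and f["reason"] == reason
            for f in findings)
    return results


if __name__ == "__main__":
    for f in hunt(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} {f['reason']}")
    print(run_scenarios(SAMPLE_FLOWS, SCENARIOS))
```

Because the baseline and the scenarios are plain data, a senior hunter can review them in version control and a junior analyst can add a scenario by adding one dictionary; the `summarize` counts from successive runs are what you diff to see drift between one scheduled run and the next.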
Organizations should also consider a biannual or quarterly tabletop exercise in addition to threat hunting. An effective tabletop exercise tests the organization's overall response to an incident, whereas a threat hunt primarily evaluates the technical response. Comprehensive tabletop exercises can identify communications gaps between technical and business teams that would otherwise make crisis communications needlessly more difficult.
This is not a comprehensive list, and changes made to a medical organization's cybersecurity maturity should be considered carefully against external audit requirements, such as HITRUST. A proactive stance provides the best defense for organizations and for society, as a breach of patient records or the loss of service at a medical facility during a pandemic poses a danger to the health and well-being of people.