Given the sensitive and critical nature of healthcare activities, the healthcare industry is subject to heavy regulation to protect sensitive data and secure systems and apps against malicious attacks that could interrupt availability. The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the best-known regulations and is representative of most of the compliance frameworks enacted around the globe.
The HIPAA Security Rule requires that risk-appropriate technical, physical, and administrative measures be taken to safeguard the privacy and security of electronic protected health information (ePHI). Among the technical requirements for HIPAA compliance is a robust patch management process that ensures prompt patching of vulnerable systems and device software.
Compliance with HIPAA and other such frameworks is a challenge for the healthcare industry at any time, with healthcare data being a prime target for cybersecurity attacks. Over the course of 2018 and 2019, healthcare data breaches in the US increased overall by 33%, with breaches caused by malicious insider or external attacks increasing even more (46%) and accounting for 60% of all breaches.
During times of disruption, this challenge is exacerbated even further. The HIPAA-enforcing Office for Civil Rights (OCR) reported in early May that hackers are exploiting the disturbances created by the COVID-19 pandemic, including the increase in remote work, to accelerate attacks targeting the healthcare vertical. In fact, some predict that there will be an even sharper uptick in cybersecurity attacks when the COVID-19 crisis abates as attackers activate agents and software viruses injected during the crisis.
This blog post discusses how healthcare providers must apply best practices for a multi-level IT “disease control” to uphold robust security postures at a time of heightened risk.
Healthcare Security Behavior During Times of Disruption
We’re prone to ignore the basics during times of disruption and uncertainty. When it comes to security postures, however, ignoring the basics of cyber hygiene may prove very costly, both immediately and in the future. In this section, we show how the best practices being used to contain COVID-19 have their parallels in the IT domain.
Keep a Distance
Social distancing has proven effective in containing the chain of COVID-19 transmission. The equivalent in the IT domain is to keep unauthorized users distant from your healthcare data with granular authentication and access controls implemented consistently across all environments.
Basic IT best practices that must be maintained at all times include:
- Strong passwords: Passwords are the first line of defense against unauthorized access. Healthcare organizations must enforce complex passwords and ensure that they are stored securely and changed frequently.
- Minimal permissions: No user should be able to view more ePHI than is absolutely necessary to fulfill their role, and permissions should be reviewed frequently.
- Automated logouts: To ensure that idle sessions cannot be hijacked by attackers, logins should time out automatically after a predefined period of inactivity.
Wearing gloves helps contain the COVID-19 virus so that it cannot penetrate and spread inside the human body. This is similar to the cyber-hygiene layer that’s put in place to catch threats before they can spread through an organization.
Some basic threat-containment best practices include:
- Actionable alerts: Have well-configured scanners that alert intrusion protection and security event management systems to network and application vulnerabilities.
- Good coverage: Enforce tight integration of vulnerability scanners with asset and configuration management systems to ensure that all assets across all environments are covered.
- Risk prioritization: Implement smart analysis of the large and diverse body of vulnerability scanning results to identify and contain the highest risk-threats.
Perhaps the most proactive defensive layer is using a mask to block the path through which the COVID-19 virus can penetrate. In the vulnerability management domain, the active measures that are applied to protect assets at risk may start with configuration changes or compensating controls, but they ultimately culminate in deploying a patch.
Best practices that promote successful patching outcomes include:
- Orchestrated workflows: These should feature clear handoffs from team to team (security, development, operations, lines of business) at each leg.
- Sandboxing: Prior to rollout, patches should be thoroughly tested in environments that are as close as possible to the target production environments.
- Recovery: Systems and data have to have clear failback paths should the patch deployment run into difficulties.
Ongoing Post-Threat Hygiene
Just as COVID-19 is going to have a long-term impact on some daily habits, such as how often we wash our hands, vulnerability management and remediation must be ongoing and pervasive.
Create a checklist of all the layers of best practices and ensure that they are being maintained at all times.
Going Beyond the Basics
Sometimes, the best way to evaluate a system is to see how it operates under stress. Both its strengths and its weaknesses become more apparent as it copes with unusual circumstances. As the COVID-19 crisis wanes, take the opportunity to assess how your vulnerability remediation program performed and seek ways to “vaccinate” it so that it will run even smoother and more securely during the next period of disruption.
We invite you to learn more about the innovative JetPatch vulnerability remediation platform that leverages existing security tools as it automates and governs the entire patching process. JetPatch uses actionable insights based on machine learning to optimize the remediation workflow from end to end. Of particular importance to the healthcare sector, JetPatch accelerates time to remediation while consistently and continuously upholding security and compliance best practices. Read more here about the benefits that JetPatch brings to healthcare companies.