The recent DDoS attacks on DNS provider Dyn have highlighted the need for healthcare to turn its focus from 'firefighting' to 'building code upgrades' when it comes to securing IT environments. Credit: Thinkstock Over this past weekend, a major distributed denial-of-service (DDoS) attack — technical speak for a cyberattack — crippled parts of the internet by targeting Dyn, a provider of domain name services (DNS). In simple terms, a DNS provider routes internet traffic like an air traffic controller. By targeting a DNS provider with a flood of junk requests by a “zombie army” of botnets (a standard modus operandi for these types of attacks), major services such as Twitter, Netflix and Spotify were unavailable or were loading slower than normal. The early indications are that the cyber attackers found vulnerabilities in devices connected to these major services — including smart home appliances, wireless-enabled baby monitors, and the like — and unleashed botnets using a malware known as Mirai. In other words, the attackers exploited the internet of things (IoT) by identifying and taking advantage of devices with weak security features. The Mirai malware has infected an estimated 500,000 internet-enabled devices. We also learned that at least two vendors of electronic health record systems (EHR), Athena Health and Allscripts, were impacted by the Mirai malware attack. SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe Why healthcare is more vulnerable than other sectors I wrote in a recent column here that IT security in healthcare is no longer about healthcare or medical data. Recent data breaches reported by Banner Health and Bon Secours Health System were attributed to breaches at one of their HIPAA business associates (BA). Healthcare is a particularly attractive sector for cyber attackers because a) healthcare information systems are not up to date compared to other industries, and b) healthcare data fetches a handsome price in the black market for stolen personal information. This is further corroborated by a recent survey indicating that nearly 90% of healthcare lawyers believe that their industry is more vulnerable to cyberattacks than others. So, on the one hand, we have the promise of IoT that can significantly improve healthcare outcomes through remote patient monitoring and connected health programs leveraging “smart” devices. On the other hand, we have the threat of cyberattacks that can cripple an entire system by exploiting vulnerabilities in one tiny corner of the IoT ecosystem. While technology optimists and vendors continue to make the case (rightly) for improving healthcare quality and lowering the overall costs of care through timely interventions and prevention of hospitalizations using connected devices, health systems (equally correctly) are cautious about exposing their infrastructure and networks to malicious attacks from IoT devices. The mandate for healthcare enterprises The good news is that data breaches and IT security, in general, have become CEO-level issues this year, especially in healthcare (over 112 million medical records breached in 2015, and 2016 set to be an even bigger year). Consequently, budgets for IT security have gone up significantly. However, instead of simply throwing money at the problem, especially on technology tools, organizations such as Group Health Cooperative (GHC), a Seattle-based health system, are focusing more on process improvement, automated incident response and early containment. GHC is extremely restrictive about exchanging medical information with other technology providers and IoT devices, thereby insulating itself from technology partners with weak security practices. Other tactics include strengthening internal environments through simulation techniques such as penetration tests and advanced analytics for correlations and geo-locational “hot-spotting,” which has become relevant recently in light of evidence indicating the involvement of nation-states in sophisticated cyberattacks. Healthcare enterprises operate in a rapidly expanding ecosystem of business associates (BA), including medical device manufacturers, known to have weak security features. At the same time, other parts of the system, including cloud services providers such as Amazon Web Services (AWS) and Microsoft Azure arguably have more robust security features in their environments compared to traditional healthcare enterprises. The weakest link in the chain determines the strength of a chain, and healthcare companies need to continually assess their internal environments as well as their relationships with technology providers and other business associates. For their part, federal agencies such as the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS) have swung into action to protect healthcare by defining security recommendations for device makers and guidelines for cloud service providers — a sort of “building code” update for IT infrastructure in healthcare. In the long term, healthcare will need to be able to turn its focus from “firefighting” to “code upgrades” when it comes to securing IT environments. Related content opinion Healthcare data’s moment of lift The unlocking of patient data is leading us to a future when health care will be a vastly improved experience with superior outcomes. However, there will be guard rails around consumer access to personal health records. By Paddy Padmanabhan Sep 13, 2019 6 mins Electronic Health Records Healthcare Industry Analytics opinion The new innovation model: monetizing healthcare data Healthcare enterprises are launching programs to monetize patient medical data by offering access to researchers and innovators. How these initiatives can benefit all stakeholders (or leave out some). By Paddy Padmanabhan Aug 20, 2019 6 mins Electronic Health Records Healthcare Industry Technology Industry opinion Digital front doors – the new battleground for the healthcare consumer’s attention There is a huge opportunity now for the likes of CVS-Aetna and Walgreens to disrupt the status quo and win over disaffected healthcare consumers. Healthcare providers need a new approach to the primary care experience. By Paddy Padmanabhan Jul 26, 2019 6 mins Healthcare Industry Technology Industry opinion How close are we to platform domination in healthcare’s digital business models? Several technology firms are making attempts to dominate the digital health market. However, healthcare is very different from platform dominated markets in other sectors. By Paddy Padmanabhan Jun 25, 2019 5 mins Healthcare Industry Technology Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe