Your personal info might be as sick as you

Top ways healthcare can strengthen security policy


Sick as a dog

Since the beginning of 2016, several hospitals and healthcare institutions have fallen victim to ransomware attacks, including MedStar Health, Kansas Heart Hospital and Hollywood Presbyterian Hospital. Personally identifiable information and medical records hold a value 10 to 20 times greater than that of credit card data.

Cybersecurity firm Dell SecureWorks notes that cyber criminals were getting paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach.

Moshe Ben-Simon, co-founder and vice president of TrapX Security, runs through how hospitals can shore up your data so that cybercriminals can’t get at it. Also read the full story of TrapX's examination of three hospitals hit by malware.


Be strategic

Implement a strategy to rapidly integrate and deploy software fixes and/or hardware fixes provided by the manufacturer to your medical devices. These need to be tracked and monitored by senior management and quality assurance teams. 

Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections. Conduct quarterly reviews with all of your medical device manufacturers.


Review and remediate

Implement a strategy to review and remediate your existing devices now. We estimate informally that many of these are likely infected and creating additional unknown risk for your institution and your patients. 

Implement a strategy for medical device end-of-life. Many medical devices have been in service for many years, often well beyond a long-depreciated lifecycle. Retire these devices as soon as possible if they exhibit older architectures and have no viable strategy for dealing with advanced malware. Then acquire new devices with the necessary protections from manufacturers that can comply with your requirements.


Update vendor contracts

Implement a strategy to update your existing medical device vendor contracts for support and maintenance so that they specifically address malware remediation. Medical device manufacturers should include specific language about the detection, remediation and refurbishment of medical devices sold to hospitals that become infected by malware. Manufacturers must have a documented test process to determine whether devices are infected, and a documented standard process to remediate them when malware and cyberattackers are using the devices.


Prepare for HIPAA violations

Major healthcare institutions should prepare for significant HIPAA violations. If you are a healthcare entity within the U.S., it is very possible you will find exfiltration of patient data that falls within the public notification trigger of HIPAA (more than 500 patients affected). Compliance and information technology must work together to document these incidents and provide the notice and follow-up required by law.

Major healthcare institutions should seek the advice of HIPAA consultants. Hospitals in the U.S. are very likely to be primary targets for HIPAA compliance audits over time. Given the high risk of data breach that hospitals face, we recommend bringing in outside consultants to review your HIPAA compliance program in 2015.



Limit access

Manage access to medical devices, especially through USB ports. Avoid allowing any of these medical devices to provide USB ports for staff use without additional protections. Consider the one-way use of new memory sticks only to preserve the air gap. Otherwise one medical device can infect similar devices. 



Encrypt passwords

Evaluate and favor medical device vendors that utilize techniques such as digitally signed software and encrypt all internal data with passwords you can modify and reset. Software signing is a mathematical technique used to validate the authenticity of the software. Recently manufactured medical devices sometimes use this technique to help prevent execution of unauthorized code. Encryption provides a safety margin in the event of data exfiltration or device compromise, at least for a window of time. 



Test and evaluate

Even after a device has been selected, improve your information security teams' ability to test and evaluate vendors independently of the acquiring department. Allow your IT teams to run more stringent security tests to discover vulnerabilities and help with the management of your medical device manufacturers. Allow them to object to the procurement of a medical device that provides an easy and unprotected target for the MEDJACK attack vector.




Isolate your medical devices inside a secure network zone and protect this zone with an internal firewall that will allow access to specific services and IP addresses. Utilize a technology designed to identify malware and persistent attack vectors that have already bypassed your primary defenses. Deception technology can provide this advantage for your security operations center (SOC) team. 
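The allowlist approach described above, sketched as an added example (it is not from the original article or from TrapX): a policy of permitted services and IP addresses for a device zone, evaluated over flow records to surface traffic the internal firewall should drop or the SOC should review. The zone subnet, peer addresses, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed (hypothetical) addressing: medical devices live in 10.20.0.0/24.
DEVICE_ZONE = ipaddress.ip_network("10.20.0.0/24")

# Allowlist: (peer network, protocol, destination port, direction).
# "out" = a device connects to the peer, "in" = the peer connects to a device.
ALLOW = [
    ("10.10.5.10/32", "tcp", 104, "out"),   # assumed imaging archive (DICOM)
    ("10.10.5.20/32", "tcp", 2575, "out"),  # assumed HL7 interface engine
    ("10.10.9.0/28", "tcp", 22, "in"),      # assumed biomed support jump hosts
]

def in_zone(addr):
    return ipaddress.ip_address(addr) in DEVICE_ZONE

def evaluate(flow):
    """Return (verdict, reason) for a flow dict with src, dst, proto, dport."""
    src_in, dst_in = in_zone(flow["src"]), in_zone(flow["dst"])
    if not src_in and not dst_in:
        return "ignore", "does not touch the device zone"
    if src_in and dst_in:
        # A zone-border firewall never sees this traffic; flag it from flow logs.
        return "alert", "device-to-device traffic inside the zone"
    direction, peer = ("out", flow["dst"]) if src_in else ("in", flow["src"])
    for net, proto, port, rule_dir in ALLOW:
        if (rule_dir == direction and proto == flow["proto"]
                and port == flow["dport"]
                and ipaddress.ip_address(peer) in ipaddress.ip_network(net)):
            return "allow", f"matches {net} {proto}/{port} {direction}"
    return "deny", f"no rule for {direction} {flow['proto']}/{flow['dport']} peer {peer}"

def violations(flows):
    """Flows that are not allowlisted: drop at the firewall, review in the SOC."""
    return [(f, why) for f in flows for v, why in [evaluate(f)] if v in ("deny", "alert")]

# Constructed sample flow records (not from a real network).
SAMPLE_FLOWS = [
    {"src": "10.20.0.15", "dst": "10.10.5.10", "proto": "tcp", "dport": 104},
    {"src": "10.10.9.3", "dst": "10.20.0.15", "proto": "tcp", "dport": 22},
    {"src": "10.20.0.15", "dst": "10.20.0.22", "proto": "tcp", "dport": 445},
    {"src": "10.20.0.22", "dst": "203.0.113.50", "proto": "tcp", "dport": 443},
    {"src": "10.30.1.7", "dst": "10.20.0.15", "proto": "tcp", "dport": 3389},
    {"src": "10.30.1.7", "dst": "10.10.5.10", "proto": "tcp", "dport": 104},
]

if __name__ == "__main__":
    for flow, why in violations(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}: {why}")
```

The default is deny: anything touching the zone that no rule names is reported, including traffic in the wrong direction to an otherwise permitted peer.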

Copyright © 2017 IDG Communications, Inc.
