How to Systematically Manage Risks in Healthcare Cybersecurity
Frost & Sullivan forecasts the Internet of Medical Things (IoMT) will grow from an estimated 4.5 billion devices in 2015 to as many as 30 billion by 2020. For medical providers, these devices are the answer to more efficient and reliable healthcare delivery. But for cybercriminals, weak medical device security is practically a godsend.
A consistent and systematic approach is imperative for protecting against risks posed by medical devices. To that end, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a roadmap for developing a comprehensive risk-management strategy. While the NIST Cybersecurity Framework is voluntary, its standards, guidelines, and best practices enable your healthcare organization to minimize threats systematically.
The framework outlines five steps — identify, protect, detect, respond, and recover— and helps you prioritize risks and improve infrastructure resilience. It’s a flexible approach that you can fully adapt to your organization’s needs.
Start with Asset Discovery
Protecting what you can’t see is like prescribing medication without a patient diagnosis. It doesn’t work — and it’s dangerous.
Yet the 2019 HIMSS Cybersecurity Survey found that only 47 percent of surveyed organizations included medical devices in their security risk assessments. The challenge is the lack of visibility. To solve it, you must identify all network assets. Once you’ve discovered the assets and understand the attack surface, you can implement effective remediation.
Assess, Prioritize, Patch
The next NIST framework step—protect—puts the focus on prevention by assessing risks and prioritizing vulnerabilities.
Recommended best practices for assessing vulnerabilities include the use of the:
- Common Vulnerability and Exposures (CVE)—a comprehensive catalog of software and firmware vulnerabilities submitted by the international cybersecurity community.
- Common Vulnerability Scoring System (CVSS)—an open framework for scoring the CVEs to prioritize remediation.
After you’ve assessed and prioritized vulnerabilities, it’s time to implement patching policies.
Compliance frameworks often have strict patching requirements—for example, the latest PCI-DSS version (3.2) recommends installing a security patch within one month of release. But the reality is that reaching a 100-percent patch level is extremely difficult for healthcare organizations.
Even with consistent patching, threats slip through. A strong patching policy isn’t fool-proof because of the gap between the discovery of a vulnerability and the patch release. In the case of WannaCrypt0r (or WannaCry), the infamous ransomware took advantage of a vulnerability that had been known publicly for two months before Microsoft released a patch.
Detect and Respond with 24/7 Monitoring
In complex healthcare IT environments, detecting and responding to anomalous events is an ongoing priority. Establishing a security operations center (SOC) allows you to consistently monitor the OT and IT networks for those threats.
A typical healthcare organization lacks both the expertise and the technology for a SOC —as well as the financial resources to invest in both. That’s why a SOC-as-service partner can take the pressure off your IT team while lowering the costs of running a SOC.
To learn more about best practices for systematically managing healthcare security risks, download our free white paper.