Close this search box.

Federal Advisory Urges Health Providers To Enhance Cyber Defenses – Renal And Urology News –

A recent federal cybersecurity advisory is urging health care providers to immediately adopt phishing-resistant multi-factor authentication (MFA) for all administrative access. Providers should put systems in place that verify implementation of new sign-in procedures, implement network segregation controls, and change and remove or deactivate all default credentials.

The advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), which conducted a Risk and Vulnerability Assessment (RVA) last year to identify vulnerabilities and areas for improvement. An RVA is a 2-week penetration test of an entire organization, with 1 week spent on external testing and 1 week spent assessing the internal network. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. The team assessed a large organization deploying on-premises software.

During the 1-week external assessment, the team did not identify any significant or exploitable conditions in externally available systems. The assessment team was unable to gain initial access to the assessed organization through phishing. During internal penetration testing, however, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain.

In coordination with the assessed organizations, CISA is releasing a new Cybersecurity Advisory (CSA) detailing the RVA team’s activities and key findings to provide network defenders and software manufacturers with recommendations to improve organizations’ and customers’ cyber posture.

“The threat is greater than ever,” said Tamer Baker, a specialist in cybersecurity and the Healthcare Chief Technology Officer at Zscaler, which has its headquarters in San Jose, California. More than 100 million people and 500 hospitals in the United States alone have been impacted by breaches just in 2023, he said.

Related Content

IT security equals patient security, Baker said. The average financial impact of a health care breach is now $11 million, which far exceeds the spending required to get proper security, according to Baker. “The advisory is long overdue; however, it is still not enough,” he said. “What’s needed is going to be more along the lines of what the state of New York has been leading the charge with. They are not only going to be putting in more regulations and requirements with some enforcement, but are also providing funding to help health systems achieve these goals.”

Impact on Patient Care

Cyberattacks adversely impact patient care in a serious way, and have been associated with extended hospital stays and increased mortality. “According to a national study conducted by Ponemon Institute, these cyberattacks have led to 56% longer hospital lengths of stay and 53% increase in mortality rate,” said Baker, who assists health care organizations, state and local governments, and educational institutions in their digital transformation efforts. Cyberattacks in just the last 12 months have caused thousands of patients to be transferred or diverted to other facilities. The attacks were associated with delays in procedures and tests, increased complications and poor outcomes.

From a user credential perspective, MFA is a good first step, but not enough, according to Baker. Bad actors have found several ways to get through MFA using vectors like MFA-bombing as an example. This is a social engineering cyberattack strategy whereby attackers repeatedly push second-factor authentication requests to the target victim’s email, phone, or registered devices. “We need to stop users from ever reaching phishing sites to begin with,” he said. “A big step will be to have security in place which blocks phishing attempts no matter if the user is on-network or off-network (working from anywhere).”

CISA encourages health care providers who are deploying on-premises software, as well as software manufacturers, to apply the recommendations in the mitigations section of the CSA in the new advisory. It is hoped that these recommendations can harden networks against malicious activity and reduce the likelihood of domain compromise.

Offline Security Systems

“A way to stop attacks directly on applications and infrastructure is to just remove them from the internet,” Baker said. “Hide these applications and infrastructure behind a security cloud so the bad actors can’t even find them on the internet. This same security cloud can connect your users to the applications securely.”

In addition to applying the newly listed mitigations, CISA recommends exercising, testing, and validating an organization’s security program against the threat behaviors mapped out in the advisory.

Frank Nydam, the CEO of Tausight, health care’s first AI-powered data security company, said health care providers remain a prime target of cybercriminals, and there is no sign of this trend abating. In the first 6-months of 2023 alone, he said, 325 covered entities reported data breaches to the US Department of Health and Human Services Office for Civil Rights (OCR). This represents an 86% increase from the same period in 2022. “Not only have cyberattacks become more frequent, but they have also become more costly, both from a financial perspective and a patient outcome perspective,” Nydam said.

Mostly Basic Cyber Hygiene

Many health care providers may think they need multiple layers of advanced tools, but Nydam said most of the time all about the fundamentals: “Basic cyber hygiene and understanding where your data are. That’s critical and often overlooked.” These strategies include regular patch updates for vulnerabilities, basic device encryption, monitoring business associates for their access to your data, and following strict access management practices like MFA. Common mistakes include failing to put a cyber response playbook in place,” Nydam said.

Other common oversights include not encrypting and patching machines, and not having proper data recovery systems in place. The most important items on a to-do list can be summarized simply. “Start cleaning up your house,” he said. This includes a data assessment to understand where your sensitive data lives, Nydam said. “House-cleaning steps like this can significantly reduce the attack surface, so that when a cyberattack does occur, it impacts far fewer patients.”