Maintaining Cyber Hygiene in the Healthcare Sector
Reaching an acceptable level of cyber hygiene is a challenge for all healthcare providers, hospitals, and pharmaceutical companies. Many security breaches occur with legacy systems and redundant processes that often go unpatched and unmanaged, creating exposed vulnerabilities that can lead to future exploits.
Fortunately, with a modern approach to vulnerability patching, organizations in the healthcare sector can put their patching on autopilot, minimize patching-related disruptions, and keep their patients’ sensitive data protected.
But, before we get into that, let’s dive into the modern state of cybersecurity risk in healthcare.
Challenges Healthcare Companies Face in Achieving Adequate Cyber Hygiene
Healthcare, similar to other industries, continues to transform its business and operational models to improve the customer experience while driving costs down. These transformations continue to evolve, and have changed how healthcare operates for providers and patients alike – striving to be more efficient, cost effective, and secure.
While transformation strategies help deliver a change in operations and efficiency, they also introduce new cyber attack vectors. Many healthcare security leaders face challenges with cloud-based applications staying secure and ransomware attacks originating from remote patient machines connecting to telemedicine platforms. Many newer technologies have needed to be introduced to replace previous legacy systems. In many cases, keeping both old and new systems operational created more operational complexity and security risks.
To decrease organizational risk and improve cybersecurity protection, CIOs and CISOs need to reduce complexity and remove duplicate applications, services, and platforms from healthcare IT. By taking executive action to address the growing problem of cybersecurity, organizations can protect their sensitive data while staying compliant.
Cyber Attacks Against Healthcare Organizations
Recent ransomware attacks on healthcare providers in San Diego, Ireland, and New Zealand have demonstrated the damaging effects of such incidents. Unfortunately, many details remain undisclosed. Nevertheless, outdated systems and unprotected medical devices are common security vulnerabilities putting healthcare facilities at risk – as well as their sensitive data.
If security patches and other safeguards fail to be implemented in healthcare facilities, potential security breaches may enable malicious individuals to take control of swaths of sensitive data or even of access to clinical equipment, which could put patients in danger.
Medical device manufacturers are critical in preventing cyberattacks in healthcare IT. Several device companies have suffered breaches in recent years. Stories from other countries have reported fatalities related to cybersecurity incidents, like a situation in Germany where a ransomware incident led to a patient being transferred to a different healthcare facility and, unfortunately, dying during transport. It was later shown that the patient’s condition was so poor that the same outcome would have happened regardless of the ransomware infection. Still, the fact that it was even considered a potential cause makes you rethink the importance of such incidents in the quality and ability of healthcare institutions to deliver timely care to patients.
About 83% of imaging tech needs to be updated, about 75% of infusion pumps have unresolved vulnerabilities, and up to 72% of medical centers have both IT and medical equipment running on the same network. Many healthcare organizations need to get their security strategies under control.
Patching for On-Premise and Cloud-based Medical Applications
Healthcare facilities can reduce the risk of unauthorized access by implementing a number of cybersecurity best practices, including live patching critical systems, even on legacy medical devices.
But not all healthcare facilities are equipped to do so as quickly as they truly need to. Some impediments to patching in modern healthcare IT include:
- Budget Constraints: Healthcare security budgets continue to face cuts, even after COVID-19, which can contribute to the next point.
- Understaffing: Many healthcare providers need more IT staff. Without the additional resources, this will require their SecOps or IT team to do more with fewer resources for patching activities.
- Limited Detection Capabilities: Healthcare IT teams often need more funding and expertise to deploy data loss prevention, email security, and micro-segment to help detect and prevent cyberattacks.
- Alert Fatigue: Alert fatigue from constant cyberattacks continues to affect healthcare providers. Many providers are challenged with hiring and retaining qualified and experienced IT resources to handle the velocity of these attacks. Job burnout and mental stress are rising in cybersecurity teams over managing the volume of messages and attacks.
- Cybersecurity Talent Gap: Healthcare, similar to other industries, continues to need help with hiring and keeping experienced cybersecurity talent in deploying security update patches.
- Challenges with Cloud Security: Many healthcare providers have moved their legacy platforms into HIPAA/HITrust cloud platforms, which can introduce new cybersecurity needs.
HIPAA Patching Requirements and C.F.R 45 Mandate Control Objectives
What about HIPAA compliance? Don’t healthcare providers need to stay patched to maintain compliance? The truth is – not really.
HIPAA compliance doesn’t mandate patching as an element of compliance. However, patching systems are required for compliance with several codes of federal regulations (C.F. R), including 45 C.F.R. § 164.308 (a) (5) (ii) (B), protection from malicious software. HIPAA references several CFRs in its compliance mandates. Patching is also related to other HIPAA requirements, as you need proper system patching to have secure systems and reduce the risk of information leakage/corruption.
Patching for HITrust Compliance Requirements
Founded in 2007, HITrust is renowned globally for managing information security systems and data protection measures. Initially developed for the healthcare realm, HITrust released CSF 9.2 in January 2019. To meet HITrust’s standards, cloud providers have heavily invested in being certified under the CSF framework by becoming compliant with the various control categories, implementing the HITrust compliance process, and meeting all the required certification requirements.
Why is HITrust Certification Important to Health Providers?
Many healthcare providers now need all vendors with access to healthcare information to receive the HITrust CSF Certification within two years to prove adequate security and privacy procedures.
The HITrust CSF requires four controls related to information security risk management:
- Risk Management Program Development
- Performing Risk Assessments
- Risk Mitigation
- Risk Evaluation
Patching systems plays a critical role in HITrust certification by providing a solution for risk mitigation by reducing the attack surface vulnerabilities discovered during the risk assessment phase.
Why Live Patching Can Streamline Healthcare Cybersecurity
Fortunately, there is an affordable, automated solution that enables healthcare providers to put their vulnerability patching on autopilot and completely avoid patching-related outages and downtime. It’s called live patching – which delivers all the latest vulnerability patches, in the background, while systems are running. With live patching, healthcare organizations can stay patched without needing to take systems offline or schedule maintenance windows.
Healthcare, similar to other industries, provides life-saving services requiring nearly 100% update and availability of their critical systems. TuxCare’s automated live patching solution, KernelCare Enterprise, protects your Linux systems by rapidly eliminating vulnerabilities without your IT team needing to schedule any downtime whatsoever.
With KernelCare Enterprise, healthcare IT teams can automate taking new patches through staging, testing, and production on all popular Linux distributions. TuxCare also offers live patching for shared libraries, databases, virtual machine environments, and medical IoT devices – so your entire ecosystem can stay patched without reboots or disruptions.
Schedule a conversation with one of our experts to get a personalized explanation of how TuxCare’s live patching automation works.