Cybersecurity in the medical world has been a hot topic since 2019, when “URGENT/11” was released. This was a list of almost a dozen zero-day vulnerabilities that had been discovered in some of the most widely used operating systems in American healthcare. Subsequent investigation found that medical devices and networks were very poorly protected and at significant risk. Since then, discussions about how to bring the healthcare world up to speed on cybersecurity have been common.
The risk was that these systems and devices could be hacked from the outside, compromising not only personal, medical and financial data, but even potentially going so far as affecting the devices entrusted with patient treatment. While the cost of the average data breach is more than $3.5 million, the price tag associated with a life being lost due to a security breach is incalculable.
The Current Medical Cybersecurity Approach
Traditionally, IT systems and networks have been designed according to a “castle and moat” system, where the network (the castle) is placed behind a firewall (the moat). In this approach, everything inside is trusted, while every device and user outside the firewall must authenticate and prove their identity before gaining access.
This process was developed years ago when the most common IT construct revolved around on-premise data centers that served a contained network of various systems. Entry from the outside world was the exception. After successfully passing the firewall, users who gained entry had virtually unlimited internal access, encountering very few security protocols.
The Zero-Trust Model
Remote network access is no longer the exception. It’s the rule — particularly in the COVID-19 days of working from home. The vast majority of companies use either a cloud-based system or a hybrid model that combines the cloud and an on-prem data center to maximize computing power and efficiency. The security model IT professionals use has evolved as well, and the current recommended approach is called the “zero-trust model.”
No user or device is automatically trusted in this environment, inside or outside of the network. Authentication must occur before access is granted, effectively creating a series of silos within an organization that a hacker must breach individually; this is referred to as “microsegmentation.” In the worst case, this can slow an attacker down long enough to be detected and evicted; in the best case, the sheer amount of time it would take to break in deters would-be hackers from even starting.
The model is based on several principles, and combining them effectively can create a robust security stance. One of the most foundational aspects is an approach known as “least-privilege access,” where each user is only given access to the areas they need. For example, in a castle and moat system, a doctor might access patient records and be able to see the details for every individual treated in a hospital network. With least-privilege access, cardiology doctors wouldn’t see orthopedics patients unless they were treating them.
Another core aspect of the zero-trust model is multi-factor authentication. Traditional access is granted with a username and password, but these can be stolen or compromised. A second layer of authentication requires identity verification with a separate system. You encounter one of the most common applications of this technology when you log into your email from a new computer; before you log in, your provider texts a code to your phone, and you must enter it to get into your email.
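The contrast drawn in the paragraphs above, as an added example that is not part of the original article: a castle-and-moat check next to a zero-trust check that denies by default, requires multi-factor authentication and grants a record only to a treating clinician. The user names, patient IDs, care-team table and function names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    patient_id: str
    mfa_verified: bool         # second factor checked for this session
    on_internal_network: bool  # True if the request comes from behind the firewall

# Constructed sample data: which clinicians are currently treating each patient.
CARE_TEAMS = {
    "pt-1001": {"dr_cardio"},              # cardiology patient
    "pt-2002": {"dr_ortho"},               # orthopedics patient
    "pt-3003": {"dr_ortho", "dr_cardio"},  # orthopedics patient with a cardiology consult
}

def castle_and_moat(req: AccessRequest) -> bool:
    """Legacy rule for contrast: anything inside the firewall is trusted."""
    return req.on_internal_network

def zero_trust(req: AccessRequest, care_teams=CARE_TEAMS) -> tuple[bool, str]:
    """Default deny. Network location is never consulted as a reason to allow."""
    if not req.mfa_verified:
        return False, "mfa_required"
    team = care_teams.get(req.patient_id)
    if team is None:
        return False, "unknown_patient"
    if req.user not in team:
        return False, "not_on_care_team"  # least privilege: no treating relationship
    return True, "treating_clinician"

if __name__ == "__main__":
    samples = [
        AccessRequest("dr_cardio", "pt-2002", True, True),   # inside, but not treating
        AccessRequest("dr_cardio", "pt-3003", True, False),  # remote, treating, MFA done
        AccessRequest("dr_ortho", "pt-2002", False, True),   # inside, treating, no MFA
    ]
    for r in samples:
        print(r.user, r.patient_id, castle_and_moat(r), zero_trust(r))
```

The reason string returned with each decision is what an access log would record, so denied requests from inside the network remain visible to whoever reviews them.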
Implementing Zero Trust
One of the challenges with IT in a healthcare setting is the overwhelming number of legacy systems not designed for modern network security requirements. Many devices are designed to be simple and robust, which also means they aren’t easy to reprogram or update.
Putting a zero-trust model in place requires a top-down strategic approach, usually involving the CIO or CISO and others in the executive suite. A comprehensive system overhaul should be designed and then implemented in stages to ensure that each attack surface is well-protected. Legacy systems can be effectively segmented and secured with the right plans in place.
This would also include outlining security specifications for devices that will be designed or procured in the future. If an engineer knows the security requirements his equipment will have to meet, he can develop those from the beginning, creating a safer environment with each successive generation.
Medical facilities face an inherent trade-off between efficiency and security. There’s no easy answer: more barriers enhance security but can also slow down patient care. Addressing these issues requires a top-down approach that incorporates input from each functional area. This is the only way to implement 21st-century cybersecurity effectively in healthcare networks.