Jens Koegler, Healthcare Industry Director EMEA, VMware
‘Trust nobody’ sounds like a line from a Hollywood espionage blockbuster. The reality, however, is more a case of art imitating life.
This is particularly true of the healthcare sector, where the combination of vast amounts of detailed personal information and its critical role in national infrastructure is too good to resist for the world’s criminal fraternity. This environment is driving healthcare providers towards a “never trust, always verify” approach, also known as the ‘Zero Trust’ security model, to protect networks and devices – and thus information – against an expanding threat landscape.
A prime target for attack
The last few years have shown the immense cybercriminal appetite for attacking medical targets. The reasons are not hard to decode: hospitals are awash with medical data, which is extremely personal and fetches a high price on the black market. In fact, it sells on the black market for 50 times the price of credit card information.
Hospitals should be open to external health information, open to sharing this data quickly and easily to achieve faster diagnosis and better treatment – either in their own research, with internal and external specialists, within and outside their own network, with insurance companies, pharmacies and general practitioners. This data is created at a sea of different points – handwritten records, electronic forms, hundreds of medical applications and medical devices on campus or off campus on patient transport, and the millions of wearables expected in the coming years. This is hard to beat in terms of complexity and provides attackers with an incredibly large and almost unmanageable attack surface.
Attacks have become popular in recent years. January 2015 was a historically bad month for healthcare data in the US. In the biggest healthcare breach to date (and, hopefully, ever), 78.8 million patient records were stolen from Anthem, Blue Cross. The cyber-attack claimed highly sensitive data, including names, social security numbers, home addresses, and dates of birth.
The WannaCry attack on the UK’s National Health Service was significant. Though only part of a global assault, the attacks managed to shut down 42 separate NHS Trusts. The ransomware forced hospitals to turn away patients, cancel 19,000 appointments and eventually cost the UK government nearly £100 million. The frightening thing is that much of the damage could have been avoided. Why? Because a patch was already in place, and many NHS Trusts had even installed it but had not rebooted the machines since installing it in order to activate it. In other words, automated software patch management could have avoided much of this economic damage.
A 2018 report from the UK Parliament revealed that the 200 medical facilities checked in the wake of the attacks failed their cybersecurity tests.
The net result is that mitigating risk, reducing the threat vector and gaining both better visibility and control of their environment are top of mind for many healthcare organisations. And this is where the concept of Zero Trust comes in.
Protect the perimeter
Today there are more connected devices, patients accessing care and treatments remotely, and a much more globalised network of professionals, research bodies and other industry protagonists. All of this is creating a vast data set. At the same time, the way we work is changing. At any one time, patient data, medical records, schedules, email and everything else are flying from one part of an organisation to another. And in this environment, it matters even more, because the speed at which a medical professional can get access to that information could impinge directly on the health and safety of a patient. To boot, healthcare providers, like most organisations across most sectors, are operating with separate, disparate, often legacy networks that have to come together and are connected to more devices than ever before, providing an even greater breach perimeter for online threats.
With more mobile access, movement to the cloud and the need to access information from anywhere at any time, we need to look differently at how to protect healthcare data. The old model of a static, exterior firewall perimeter doesn’t work as well in this new environment. Quite the contrary, in fact. To better protect their information, healthcare organisations need to shrink the perimeter, define it with software and apply identity authentication and authorisation to protect micro segments of the network and data so that if one area becomes compromised, it does not serve as an open door to the rest of the estate.
Zero Trust, many challenges
But the path to zero trust is far from straightforward. Scaling a remote workforce tied to traditional models of end user computing is tricky, especially when it comes to enabling access to key applications and services while ensuring performance and security. This becomes even more complex when you consider the exponential growth in devices – a trend that is only going up. Today we have access to incredible devices that make patient care so much easier and more effective, such as Internet-connected insulin pens and catheters. But these single-purpose devices are not built with security in mind. Elsewhere the boom in IoT means medical devices are sharing information with so many other endpoints and can be powerful vectors for damage.
Most hospital networks were built years ago – like all networks across healthcare, banking, retail, you name it – and new technologies are layered on top of older, less integrated and less secured technologies. And while downtime involved in patching and upgrading systems can be serious for any industry, it obviously can be even more significant for medical facilities, where a loss of functionality could have dire consequences. Upgrades and updates to systems and apps are often further complicated due to the use of specialised software that has not been further developed over time, or the fact that older medical devices still run on old operating systems.
According to a recent Forbes Insight study, the greatest challenge healthcare organisations face when it comes to security is lack of budget putting pressure on staff. Healthcare workers, including doctors, nurses, and IT staff, tend to be some of the most overworked, busiest employees. Medical staff have to contend with pressing and stressful decisions all day; and while they know how to deal with these emergent situations with grace and ease, technology is rarely their forte. Security should not conflict with or impact the medical professional’s user experience, and that is why we strongly believe security needs to be inherent – built into everything so that it is ‘enterprise’ secure but user simple.
Enabling compliance with VMware
What is required is for security to not be a silo, bolt-on or afterthought but something built intrinsically into the digital environment to optimise the network edge to every employee through context-aware access, enabling compliance with Zero Trust security initiatives. This is where we can help.
Data security in a Zero Trust model is intrinsically linked with the data and travels with the data across locations and devices, be they in-house or third-party – something critical as patients become more remotely connected to hospitals and care givers. Network designs must change to focus on users, identity and the ability to access resources consistently. VMware leverages intelligent insights to further drive automation, helping improve device hygiene and security posture across all endpoints and apps. Using a secure combination of factors in multi-factor authentication provides teams with sufficient insight into who is making a request, and a well-thought-out policy structure should confirm which resources they can access based on that identification. VMware’s digital foundation enables healthcare organisations to create, run, manage, connect and intrinsically protect apps, across any cloud, to any device, simply and at speed. This ensures security policies are applied granularly at the workload level, thereby creating microsegments that not only ensure tightly controlled access but also that any potential compromises can be contained to the workload. But one of the biggest transformations is in being able to maintain a ‘healthy state’. No-one can truly understand all the threat factors that might impact hundreds of thousands of applications with thousands of data connections. Instead, knowing what your application portfolio normally looks like can help determine in seconds if there is a threat to this ‘known good’ or normal state.
Preserving the patient’s best interest
As the healthcare industry continues to digitise and as it shifts to care without borders, interoperability of data will become even more crucial, but so too will cyber resilience. Patients’ trust and confidence in the healthcare system rely on healthcare organisations being able to safeguard their data and ensure that it is only used legitimately, and this is why Zero Trust is so important. It is about finding a solution that can preserve the sharing and giving of information in a patient’s best interest but that will safeguard the information at the same time.