Page 15 - Modern Healthcare (January 2020)

P. 15

emerging variants of the software arise
constantly.
Too many threats
“We’re chasing new stuff all the time,”
A 2019 HIMSS survey asked
3.13 Too many emerging
respondents to rate how certain
said Sri Bharadwaj, chief information
and new threats
issues affected their ability to
security officer at UC Irvine Health in
3.12 Lack of personnel with
remediate and mitigate security
Orange, Calif., and co-director of the
appropriate cybersecurity
incidents.
4
leadership in healthcare privacy and
knowledge and expertise
security risk management certificate
2.89 Lack of financial
program at the University of Texas at
resources
Austin’s McCombs School of Business.
on threats, mitigation and
Keeping track of those evolving threats
3
know-how with external parties
can be overwhelming, with healthcare
2.83 Too many application
leaders ranking the emergence of too
vulnerabilities
2.42 Network infrastructure
many new threats as the most chal-
too complex to secure
2.80 Too many endpoints
lenging barrier to mitigating security
(e.g., user devices,
2
incidents, according to a survey the 2.43 Lack of information-sharing 5 5 = Extreme challenge
connected network)
2.37 Lack of
Healthcare Information and Manage- organization will
ment Systems Society released last year. 2.63 Lack of security
“We’re no longer in the era where a sin- 2.33 Too many users awareness training
gle person can humanly read everything for timely and effective
that’s happening,” said Lee Kim, director provisioning and 1
of privacy and security at HIMSS. She de-provisioning of
accounts
noted hospitals will often use security in-
formation management systems, which Source: Healthcare Information
and Management Systems Society 0 = No challenge at all
collect data, to help manage and identify
trends from that influx of information.
One of the latest ransomware variants “CISOs need to be plugged into not about cyberthreats, even if it sounds
to target healthcare is Zeppelin, first spot- just one source, but many sources,” old-fashioned, Kim said, adding that’s
ted in November by Cylance researchers. Hewitt said. He suggested the Health In- how she first learned about a new phish-
Rather than being designed to reach a formation Sharing and Analysis Center, ing technique in which hackers break
wide breadth of possible victims, Zeppe- the Department of Homeland Security’s into real business email addresses and
lin has seemingly “carefully chosen tech U.S. Computer Emergency Readiness insert themselves into existing email
and healthcare companies in Europe Team and InfraGard—a partnership be- conversations.
and the U.S.,” the researchers wrote. tween the FBI and the private sector—as But hospital leaders shouldn’t get
Zeppelin is largely distributed through examples. bogged down by trying to implement
spear-phishing, according to Lemos. UC Irvine Health belongs to multiple fixes to emerging cyberthreats piece-by-
Spear-phishing is a tactic in which cyber- information-sharing groups and works piece. While new variants of ransomware
criminals send malware via email while with outside companies that help to are a concern, getting basic security prac-
posing as a trusted entity, such as the re- manage network security, Bharadwaj tices in place is a necessary first step.
cipient’s employer. said. While that’s proved helpful, he ac- “Every time that healthcare comes up
Lemos declined to share examples knowledged that might not be feasible with a point defense against something,
of the types of healthcare organizations for smaller organizations. these ransomwares get modified and ap-
being targeted by Zeppelin, as Cylance “Not everybody has the dollars to pear as a different variant,” Hewitt said.
only discloses information on industry subscribe to all of the possibilities,” he Rather than focusing on a specific strain
verticals. said. The plurality of healthcare organi- of ransomware, it can be more helpful
While Zeppelin is just one recent ex- zations—25%—dedicated just 3% to 6% for CISOs to think about how to “protect
ample of ransomware in the industry, of their IT budgets to cybersecurity last overall against malware,” he said.
it’s indicative of hackers’ appetite for the year, according to the HIMSS survey. Standard practices for preventing
healthcare sector, noted Clyde Hewitt, malware infections include educating
executive adviser at cybersecurity con- One low-cost way to stay updated staff about how to avoid being tricked
sulting firm CynergisTek. on cybersecurity threats is to develop by a hacker; segmenting sensitive sys-
To stay up-to-date on emerging a “good network of CISOs that you can tems—like those storing patient data—
threats, many hospital chief information connect with” to share information, from the broader internet-connected
security officers, or CISOs, will rely on Bharadwaj said. “It’s good to get that in- network to limit malware’s ability to
alerts from federal agencies, cybersecu- formation on a daily or weekly basis, so spread; and conducting risk assess-
rity companies and information-sharing you know what to do.” ments annually, if not more frequently.
groups, which help to distribute timely Sharing information peer-to-peer is “If you don’t have the basics in place,
information about relevant cyberthreats. “still a very powerful” way of learning you’re a very soft target,” Kim said. l
January 27, 2020 | Modern Healthcare 13

10 11 12 13 14 15 16 17 18 19 20