3 Oct 2023

Just like fighting against the spread of disease in a clinical environment, healthcare providers must mobilise, coordinate with interconnected partners, and apply sufficient budgetary resources to combat an ever-changing cyberattack landscape.

A new set of safeguards is necessary to protect the confidentiality, integrity, and availability of critical healthcare business operations and data.

Ponemon Institute report

Not “if,” but “when”: it’s no longer a question of if a healthcare facility will suffer a cyberattack, but when. Plus, large facilities are no longer the only targets. Not surprisingly, the healthcare industry, which maintains some of the most sensitive data and has stretched budgetary resources, is the biggest target for cyberattacks and has a high associated response cost, according to the latest report by the Ponemon Institute. The Ponemon Institute studies the costs of global cybercrime and data breaches year over year.

The Ponemon Institute report, made in collaboration with IBM, states the average total cost of a data breach reached an all-time high of USD 4.45 million in 2023. This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Since 2020, the average cost has risen 15.3% from USD 3.86 million in the 2020 report. The report recommends that the healthcare industry invest in incident response planning, testing, employee training, threat detection, and response technologies.

Safeguard critical information

The statistics on cyberattacks are sobering. According to CISA (Cybersecurity and Infrastructure Security Agency), the United States’ operational lead for federal cybersecurity, cybercrime is growing exponentially. Furthermore, it is sometimes occurring at the hands of sophisticated government-backed criminals.

Cybersecurity can no longer be left solely to the IT department. Instead, it is an organisation-wide and industry-as-a-whole duty.

Common phishing strategies

Every healthcare facility workforce member, including contractors and volunteers, with access to digital information, electronic health records, or network resources, including the internet, must share the duty to safeguard critical information—because it takes just a single unmitigated incident to put a healthcare facility at risk.

According to The Joint Commission, a US nonprofit that accredits healthcare organisations and programmes, just one person can jeopardise an organisation’s security efforts if they fall prey to common phishing strategies. The initial attack vector, 16% of the time worldwide, is an internal phishing attack along with stolen credentials, according to the Ponemon Institute.

Current cyber risks in healthcare

The current risk landscape in healthcare includes significant regulatory compliance risks and sophisticated, often government-supported cybercriminal networks. The healthcare industry and its caretakers have access to much more comprehensive patient information due to the push towards interoperability and interconnected healthcare organisations. 

However, the regulatory landscape demands both heightened security and more accessible patient information. It’s important to note that this expansive sharing of healthcare data poses a significant risk to patient privacy and security and brings a wide variety of regulatory obligations.

HIPAA regulations

The well-established HIPAA regulations, increasingly new and broad state privacy regulations, and even the European Union’s sweeping General Data Protection Regulation (“GDPR”) all carry the colossal potential for fines and regulatory oversight. 

The 21st Century Cures Act and its implementing regulations require healthcare and certain technology providers to offer much less burdensome access and sharing of electronic patient data and prohibit “information blocking” with massive risks for regulatory fines and exclusions for noncompliance. Availability and assignment of sufficient budgetary resources for such compliance-related safeguards are becoming increasingly complex.

Cybercrime

Cybercrime is the other severe risk. Every connected device faces the potential of a cyberattack targeting healthcare data and systems. While some hospital data breaches appear in the news, most don’t reach the public’s attention.

In 2020 alone, one in three healthcare organisations around the globe reported a ransomware attack, according to the American Association of Medical Colleges (AAMC). Why is that? Because healthcare data is ten times more valuable to cybercriminals than credit card information. In addition, sophisticated criminals know about the healthcare industry’s struggle to keep up with the risks they pose.

Medical identity theft

Healthcare data is precious and increasingly sold on the “dark web,” according to healthcare privacy attorney Sheila Stine, JD, CIPP/US, who helps healthcare clients prepare for and respond to data breaches and teaches about identity theft. Stine says, “The dark web is the ‘web below the web’ or a part of the internet only available using special tools. It is the bad guy’s sophisticated marketplace. Medical data sets have great value to cybercriminals for medical identity theft.”

“Cybercriminals can sell medical data sets via the dark web in exchange for access to emergency care, access to prescriptions and durable medical equipment and even fraudulent access to commercial health insurance or Medicare/Medicaid. They are smart enough to even know to sit on the data for a year or more after accessing it to avoid detection during the standard one-year period of credit protection that some organisations offer their customers and patients.”

Cyberattacks with adequate security

Healthcare administrators tend to focus stretched resources on patient services. AAMC senior director of information security, Dr. Stephen Lopez, says, “It can be hard to divert resources to information security if it seems to come at the expense of patient services.” However, healthcare organisations can only defend against ransomware and other cyberattacks with adequate security measures. There should be an appropriate balance between information security defense and patient services. Yet, that balance can be challenging to determine.

Cyberattacks have become so prominent that numerous articles have been published about hospitals and clinics in numerous states that have been hit by these intrusions, causing emergency rooms to be closed and ambulances diverted to other hospitals. In an article by ABC News, the American Hospital Association's National Advisor for Cybersecurity and Risk, John Riggi, says, “These are threat-to-life crimes, which risk not only the safety of the patients within the hospital, but also risk the safety of the entire community that depends on the availability of that emergency department to be there.”

Malware attack

In my personal history as a director of safety and security for a major healthcare organisation, I have seen the extent of damage that can occur from a seemingly careless act. At a healthcare system in the Midwest, the organisation was hit with a malware attack when a healthcare worker found a USB drive in the parking lot. A colleague in a suburban clinic thought she could identify who it belonged to by seeing what files were on it. Once she inserted the drive into a computer, ransomware infected the clinic system without her knowledge. Thankfully, the team discovered the malware, which only infected the regional clinic.

The ransomware asked for over $200,000.00. However, the organisation rebuilt the system and had to re-enter the data for the clinical day manually. Immediately after this incident, all USB drives were disabled, along with a host of other protocols. Every day, this type of incident happens countless times across the healthcare industry and beyond. It’s not worth the cost and effort when workers can be trained on the appropriate response.

How Milestone can help

In such an unpredictable and highly regulated landscape, healthcare organisations must leverage their people's power and the strength of their security solutions to defend against cyberattacks. The Joint Commission found that 'healthcare organisations must guard against a wide variety of attacks and teach staff to expect the unpredictable as hackers continuously adapt their strategies.'

Attack vectors vary widely from phishing attempts to network penetrations and device attacks. Consequently, video management software (VMS) and connected devices are vulnerable to criminals seeking data access and system control.

Pro security platform products

Milestone Systems recommends continuous updating of the VMS as one method to secure systems and data against a cyberattack. XProtect® VMS by Milestone is designed and independently tested to meet the highest security standards, and a security response team supports it. In addition, Milestone offers a choice of software maintenance packages and professional services to help pro security platform products. Also, consider the following methods to strengthen the security network against cyberattacks:

  • Add strong camera passphrases or long 10+ character passwords following industry-recommended standards of a combination of upper case, lower case, numerals, and symbols.
  • Whenever possible, isolate security networks from other PC and workstation networks.
  • Secure the network to ensure only installed cameras can communicate.
  • Deploy individual logins with role-based permissions appropriate to the operator’s role, which expire or are validated periodically.
  • Prohibit sharing and writing down passwords. Individual role-based passwords may help determine the root cause of an incident or attack.
  • Fully document suspected incidents and maintain those according to formal incident response and record retention policies.
  • Conduct periodic systemwide risk assessments. As they become known:
    • Fully document known or reasonably suspected risks.
    • Determine how to mitigate such risks within expected completion timeframes.
    • Evaluate acceptance of residual risk by authorised management personnel.
  • Conduct thorough vendor due diligence. For instance, only purchase cameras and VMS from reputable, sound security companies and avoid organisations with known cybersecurity vulnerabilities.
  • Disable USB ports and device cameras that are unnecessary for routine work.
  • Carefully design BYOD or “bring your own device” policies to limit authorised use of personal devices.
  • Deploy firewall security for the internet connection.
  • Insure the organisation against various types of cyber liability.
  • Teams should frequently back up critical data and then “backup the backup” in a different physical location.
  • Periodically train and retrain workforce members on privacy, security, and escalation of incident requirements.
  • Document reasonable sanctions against workforce members who violate organisational policy, contractual, or legal requirements.

Security measures and risks

Additionally, healthcare organisations can bolster their security measures through “hardening” — continuously identifying and countering evolving security risks. To harden video technology, enact several actionable steps:

  • Identify the components that need protection on a written log or other documentation;
  • Harden the surveillance system’s servers, computers, device networks, and cameras on a routine basis;
  • Document, maintain, and periodically update security settings for each system;
  • Deploy security software patches and updates reasonably promptly; and
  • Train the team to help identify future threats and implement countermeasures.

Smaller healthcare organisations can also leverage many available resources for small businesses offered by governmental agencies, such as the National Institute of Standards and Technology (NIST) small business cyber security resource page.

These are just some initial recommended steps toward a successful defensive security posture. There are still multiple opportunities for cybercriminals to attack both internally and externally. However, healthcare organisations can better protect their vulnerable security infrastructure by automating and strengthening processes in partnership with Milestone Systems.

Defend against “walk-in attacks”

While many cyberattacks often launch from a distance, some incidents physically take place in the facility. For example, “walk-in attacks” occur when a criminal enters a facility with or without authority and may look for easy targets, such as unsecured laptops to steal, open ethernet ports to hack, unsecured portals, sites “open to the internet,” or weak passwords on Wi-Fi networks. 

Most facilities and networks have safeguards to defend against such apparent threats. However, employees must still maintain vigilance and watch for people who don’t belong. For instance, healthcare facility policy and training should prohibit “piggybacking” or allowing someone to follow an authorised person through a locked door without using their credentials. Using best practices, the security team should train the workforce to watch for those not appropriately picture-badged in restricted areas.

Integrations for the XProtect platform

Milestone Systems works with a community of technology providers with integrations for the XProtect platform to alert facility security members of unauthorised people in restricted areas. For example:

  • Video analytics determine activity and behaviours captured by cameras, triggering automated processes and notifying operators of problems, such as unauthorised personnel crossing a virtual perimeter into a restricted area.
  • Access control allows or restricts entry at doors based on credentials. In addition, with integration into the XProtect platform, nearby cameras can be used for video verification when needed.
  • Infrared sensors detect human activity in restricted areas. Alerts can be sent to security operators for immediate action when necessary.

Range of security protocols

Milestone Systems also has developed a range of security protocols and integrations for the platform, for example: 

  • Security through network separation
    • XProtect uses a tiered system architecture to separate the camera network and the core server/client network, so there is no direct routeing between the two. The architecture increases the system’s resilience and lowers a potential attack’s impact on the system.
  • Secure camera connection
    • Certificate-based HTTPS communication provides secure access for management client and smart client users and bidirectional communication encryption between all the system’s components, which prevents eavesdropping and tampering.
    • Leveraging certificate-based HTTPS communications ensures secure, trusted access for facility administrators while preventing decryption, eavesdropping, and tampering.
  • Secure video storage
    • XProtect Corporate can encrypt and password-protect media data, meaning recorded data is protected even if someone accesses the data files on the storage system or network share. XProtect Corporate also supports a digital signature on the recorded media data, proving the video is the original.
  • Strict server-side authentication and authorisation
    • XProtect uses consistent server-side user authentication and authorisation for all clients and integration interfaces. This authentication applies to all users and system services accessing the system via the Milestone Integration Platform SDK or Milestone Open Network Bridge. Used together with strict user rights and roles, it provides complete control of access to the system.
  • Built on Windows security infrastructure
    • XProtect supports Windows Active Directory (AD) with both native Windows NTLM and Kerberos authentication, alongside OpenID Connect and OAuth2, for maximum security.
  • Secure remote user access
    • XProtect uses a dedicated mobile server as a system gateway to shield and protect the core VMS servers when users connect remotely. The mobile server, mobile client, and web client communication support HTTPS to prevent eavesdropping and tampering, providing secure authentication and bidirectional encryption, which includes user credentials, configuration, and media data.
  • Protection of evidence material
    • To protect exported forensic material, XProtect uses encryption, digital signing, and password protection of the media databases. XProtect’s smart client player ensures that exported evidence is original and unaltered by verifying signatures and preventing evidence from being re-exported, to control the media once it leaves the VMS.

Milestone Systems supports healthcare facilities and their data by continually updating the platform. As a result, organisations can focus on patient-centric care.

Working towards what’s next

How healthcare facilities face the challenges of tomorrow depends on the planning and choices they make. With an adaptable, scalable, and open platform such as XProtect VMS, healthcare facilities can be ready for what comes next and quickly pivot to improve their business outcomes.

When a large healthcare organisation uses the XProtect open platform, the workforce can mitigate risks, maximise existing resources, and stretch budgets further. Count on Milestone Systems as a collaborative partner, supporting the endeavour to prepare for the current risks and future challenges faced in healthcare.