Healthcare cybersecurity investment critical to national security, says CISA official

Securing the healthcare sector is a crucial part of national security. Particularly as the spread of COVID-19 wanes and is replaced by heightened geopolitical tensions, advocating for and investing in critical cybersecurity defenses will protect patients, and the country, from harm.

Given the potential impacts to patient safety and infrastructure risks, Lauren Boas Hayes, senior advisor for technology and innovation for Cybersecurity and Infrastructure Security Agency, opened her ViVE presentation Tuesday by advocating for better communication and threat sharing with CISA to improve the healthcare sector’s overall cyber posture and investments.

“In our digitally interconnected world, we know that in times of tension, it is imperative that all of our critical industries be on high alert for cyber threats,” said Boas Hayes. “That's the thing about cybersecurity: We're in an industry where we cannot rely on luck.”

“We must raise the cost of attacking the American healthcare system for the bad guys by investing in the cybersecurity defense of each and every organization who is delivering critical care in our country,” she continued.

Ransomware continues to remain a top threat to all sectors, some groups more nefarious than others. CISA recently updated the Conti resource with indicators of compromise, reflecting the continued threat the group poses to critical infrastructure.

Healthcare, in particular, has remained a key target for the threat group. Boas Hayes noted that Conti has targeted more than 400 healthcare organizations and first responder organizations worldwide, 290 of which in the U.S. Ransom demands have more than doubled in the last year, furthering the need to prioritize securing longstanding risks.

As such, all leaders with the ability to direct investments in cybersecurity must advocate for funds that provide technologies and teams needed to secure the tech architecture through appropriate network segmentation, device inventories, and exhaustive backups, which are proven to prevent catastrophic loss in the event of a successful attack. 

Although many organizations are continuing to struggle with budget fallouts brought on by the pandemic, cybersecurity needs can’t fall to the wayside.

“Implementing a secure architecture may feel like a tough line item to justify today. But it can mean the difference between only having a few devices quarantined due to infection, or having the whole organization knocked offline for days, or weeks at a time,” she explained.

Those investments should be directed toward the four key areas creating the biggest challenges to the healthcare sector: reliance on end-of-life devices, lack of investments in vulnerability management, failure to implement multi-factor authentication on all applicable endpoints, and poor password hygiene.

For Boas Hayes, healthcare’s vulnerability challenges hold the greatest need for improvement, which has continued to worsen with the expansion of internet connected devices, vulnerable medical electronics, and remote operations. Every piece of technology is ripe for exploit from attackers and targeted malware infections through possible, inadvertent vulnerabilities.

As healthcare continues the rapid adoption of these technologies, healthcare leaders must make “commensurate investments in cybersecurity” to reduce the attack surface, she explained. These investments should target defense measures, coupled with resilient tech ecosystems.

In that way, even when an entity inevitably falls victim to an attack, they can readily “minimize the impact, contain the damage, and reduce the disruption and risk of real world harm to patients.” It also means healthcare entities must be faster in applying the patches provided by vendors to secure known vulnerabilities.

CISA resources available for healthcare organizations

Healthcare’s patch challenges and reliance on legacy tech are well documented, but failure to act in some mechanism should not be the norm. Many technologies remain vulnerable for days, weeks, and years, prompting Boas Hayes to call on better investments in vulnerability management and for provider organizations to leverage the free resources provided by CISA.

CISA maintains a catalog of known exploited vulnerabilities, which security professionals should be leveraging to prioritize patching. She added: “If you are a business leader, please ask your security team if your organization is operating with any of these vulnerabilities in your environment, and then empower them to go and patch them.” 

The agency has also provided a no-cost cyber hygiene service that provides vulnerability scanning for critical infrastructure entities, explained Boas Hays. Entities provide the network address range, and CISA provides a weekly report on any discovered vulnerabilities in need of a fix.

“There is no reason not to sign up and to be aware of your public facing vulnerability profile,” she added.

Perhaps most important, providers are encouraged to report all cyber incidents to CISA. When quickly provided, CISA can “render assistance and provide warning to prevent other organizations and entities from falling victim to a similar attack.”

“CISA was designed to build bridges between the public and private sectors,” said Boas Hays. “Collaboration and innovation are key to this process: that's where all of you come in: We can help each other to fight the scourge of ransomware that has targeted healthcare.” This can lead to the proper investment in technologies and teams able to protect against disruptive attacks.

“The past two years of the pandemic has already strained our health care system in unprecedented ways,” she added. “The last thing we need is a ransomware attack to throw additional payoffs into an already taxed system.”

Lastly, healthcare entities should work with CISA headquarters or its field personnel offices, which can provide needed support and connect healthcare leaders to available services. CISA’s Shields Up campaign also offers recommendations to increase resilience as a first line of defense against cyber threats.