When it comes to industries at risk from cyber attack, the healthcare industry is rapidly rising to the top of the adversaries’ most wanted list. With the street value of personal healthcare information (PHI) at an all-time high, healthcare companies need to be more diligent than ever about protecting their data and systems.
Our recent CrowdCast focused on how one healthcare organization, Cardinal Innovations Healthcare Solutions, overhauled their cyber security posture with the help of CrowdStrike’s experts and Falcon tools. If you missed the CrowdCast, you can watch the recording here.
The Adversary Manifesto had the pleasure of sitting down with Cardinal Innovations Healthcare Solutions’ CIO, Pete Murphy, to get his take on the cyber security challenges facing the healthcare industry and his suggestions on how healthcare organizations can best protect their systems.
TAM: Can you briefly explain why the managed behavioral healthcare industry is particularly vulnerable to cyber attacks? Is this threat specific to behavioral healthcare, or the healthcare industry as a whole?
Murphy: The healthcare industry as a whole is in the position of being both at increased risk of cyber attacks and behind other sectors in terms of cyber security, which is not a good position to be in. Protected healthcare information (PHI) has a high street value, so hackers are eager to access and sell it. Generally, healthcare as an industry is slower to respond to threats than other, more regulated industries, such as financial services, and unfortunately cyber security is one area where this lag in responsiveness puts both healthcare organizations and individuals at high risk. Wearables and connected medical devices are another cyber security vulnerability that is unique to the healthcare industry—the potential for hackers to access and tamper with medical devices puts individuals’ health and potentially even lives at stake.
Managed behavioral healthcare faces the same threats as the healthcare industry as a whole, although currently wearables and connected medical devices are not as widely used in mental health fields. But the threat of attacks targeting PHI is definitely a concern in our sector, which is what led us to reach out to CrowdStrike to reinforce our cyber security posture.
TAM: Aside from the healthcare industry in particular, what are your thoughts on the general state of cyber security today?
Murphy: The thing about the current state of cyber security is that we still face the traditional sources of cyber attacks, but the risks are now compounded by new vulnerabilities and attack vectors. For instance, the number of devices that are internet-enabled has grown exponentially, which creates more attack surface and potentially greater vulnerability for both individuals and companies. The increase in the number of mobile devices, the growth of the Internet of Things and the increasing use of wearable technology—each of these device types represents yet another potential source of attack. Take medical devices—not only is information at stake, but lives. If an internet-enabled device is compromised or controlled, the device could be used to manipulate a person’s health—including termination of a life. That’s a big threat. So now organizations need to worry not only about protecting themselves against traditional attacks, but also new and emerging threats—a daunting task.
TAM: It seems like a week didn’t go by in 2014 when there wasn’t a breaking story about yet another security breach at a major company or government organization. Did Cardinal Innovations face any particular threats in 2014 and how did the company defend against them?
Murphy: Generally, Cardinal Innovations saw an increase in all electronic vectors, from a resurgence in old-school tactics like spear-phishing emails to new tactics. While Cardinal Innovations had the traditional layered security tools in place—firewalls, malware protection, etc.—we didn’t have a way to detect what threats were making it past these controls or the intel to guard against future sophisticated attacks. Now that we’ve installed CrowdStrike technology, we can see everything and modify our security posture accordingly. We have the intelligence we need to work with users on behavior and are able to deploy additional technology around specific attacks. We’re also able to respond much more quickly because CrowdStrike is watching out for us 24/7 and their response time is vastly faster than ours alone could ever be.
TAM: What best practices would you recommend to CIOs grappling with today’s continually evolving cyber threat landscape?
Murphy: The first thing I’d caution is not to take your eye off the basics: servers, network, and applications. You need to be vigilant with regard to protecting your basic information systems just as you always have. The second thing I’d stress is that you should not be wary of non-traditional technology and big data analysis for security purposes—the kinds of tools that CrowdStrike offers. Even if in the past you’ve been resistant to these tactics because they weren’t yet mainstream, the time has come to realize that these are now the tools you must rely on to protect your organization and your customers in today’s advanced threat landscape.
At healthcare organizations, we have a duty to protect assets and PHI. The 2014 Verizon Data Breach Investigation Report shows that, across all industry sectors, we aren’t doing this well enough. Adversaries aren’t changing their tactics dramatically, just the volume and frequency; we’re just not keeping up. CIOs across all industries—but especially the healthcare sector—need to do better.
TAM: As you know, CrowdStrike’s focus is on understanding the adversaries to best defend against them. What would you say are the most dangerous adversaries from a healthcare industry point of view?
Murphy: The core asset in the healthcare industry is PHI, and it’s continually increasing in value to hackers, which makes us an ever-larger target. Unlike other industries where individual hackers or nation-state actors are the main threats, organized groups looking to steal and sell PHI primarily orchestrate healthcare breaches. At present, the cyber security threats we face are more about sophisticated thievery looking to profit than geopolitically-motivated actors.
TAM: What is your biggest security concern as we move into 2015? How are you planning to prevent company breaches and what role do you see CrowdStrike playing in preventing damage from targeted attacks?
Murphy: Even though the advanced threat landscape we face today presents huge challenges, the human factor is still the weakest link in the security chain, so that remains my number one concern. There are so many ways people unwittingly make networks vulnerable, from weak passwords to accessing company networks on unsecure connections to misplacing printed information. We need to be constantly vigilant about educating employees and users about good cyber hygiene.
My second biggest concern is the constantly evolving tactics used by adversaries and the frequency of attack. It seems that each week they have a new method that traditional tools are unable to prevent or detect. Continuing to manage through data analytics and using supplemental tools from CrowdStrike is helping us better understand their tactics, which enables us to better protect ourselves. There is a security product company currently using the phrase “you can’t hack what you can’t see”. I would tell you that you can’t defend against what you can’t see and an adversary that is unknown. CrowdStrike has given us visibility into both. I hope others in the healthcare space follow our lead and take their security game to a new level because the adversaries are smart and tireless.