Why Healthcare Cybersecurity Should Focus on the Attacker?

At a recent industry event, I got to chatting with the CISO of a major children’s hospital. Over a beer, he shared with me the challenges he faces daily. Our far-reaching conversation covered nation-state actors enticing students to exfiltrate clinical trial test results, to his search for a secure USB port cover for patient-facing devices. Maybe it was the beer, but as he described his tribulations, each to me worse than the next, his enthusiasm and energy grew. Every so often he stopped to shake his head in disbelief at his own story as if to say, “Even I can’t believe how bad this is…”

At some point I asked him why he did it, considering all the other cushier CISO roles he’d be qualified to hold. He paused, smiled and said, “Well, I guess it’s because I love puzzles, and this is the most complex puzzle of my career. I’ve worked in enterprise, it’s tough, sure, but nothing quite like this. And, besides, we simply must crack this puzzle. People’s lives are on the line… Many people’s lives.”

So, what is going on? Why are healthcare systems so challenging to secure? What is driving this complexity. How might we rethink our approach? 

Healthcare systems, like all digital networks today are increasingly inter-connected and consumer-driven. The digital transformation necessary to make them agile, also renders them easy targets for data and identity theft, insurance fraud, and other forms of cybercrime. As the recent spate of ransomware has shown, cyberattacks on healthcare institutions also disrupt vital services and risk patient safety.

A wide variety of guests, students, visitors, patients, maintenance workers and others have direct physical access to healthcare systems and devices. Temporary workers and contractors require access to sensitive systems while employed. External interconnection of these systems with universities, research partners, and other remote services further mitigates the effectiveness of perimeter and access security controls. Higher and thicker security walls will not support the organization’s need to break down barriers, share information, and increase patient access. 

Clearly, a new approach is required. If we cannot stop attacks, then we must stop the attackers. This is not a semantic nuance. The key to protecting healthcare systems in the future will be to transform our thinking – from a focus on defending ourselves from an infinitely expanding phalanx of attacks and attack vectors, to instead focus on disrupting the attack process itself regardless of attack style or source. We must stop the attackers.

As difficult as that might sound at first blush, there is, in fact, a silver bullet that will disrupt virtually any attack process. Malicious actors targeting healthcare systems all share a common trait that makes them vulnerable to disruption and detection. Regardless of how they enter a healthcare network, or what their intent, attackers must move laterally across the healthcare network to access their target applications, devices, systems, and data. To move undetected, they must gather intelligence about the environment and make careful decisions regarding their attack path.

The key then, quite simply, is to disrupt the attacker’s decision-making process – to blind and befuddle them so that they cannot progress their attack. Done well, cyber deception technology disrupts the attacker’s intelligence gathering process, and destroys their ability to make accurate decisions, by flooding the attack plane with false and misleading data. Similar in effect to evasive maneuvers used in aerial combat such as disgorging flak, disrupting radar, and disorienting GPS signals, these new technologies destroy the attacker’s ability to navigate, and ensure they are detected by any movement they do decide to make.

The challenges of securing healthcare systems will continue to grow as attackers, and their tools, methods, and infrastructure, become more sophisticated and diverse. Just as digital transformation is improving efficiency and patient outcomes, the traditional security mindset must be transformed to a modern security mindset. To protect these new system architectures, we must refocus our efforts from defending against attacks to disrupting the attack process itself. Deception offers a promising path forward in this direction. 

I look forward to working with my CISO friend, and many more in the healthcare security, to crack the puzzle.

For more information, check out our whitepaper: Three Use Cases for Deception Technology in Healthcare.

An excerpt of this post was originally posted on the Healthcare Intelligence Network.