Lock down the network
Most devices in a medical environment are networked. Potentially thousands of devices proliferate in a large hospital, each type with different networking needs. While some specialized systems don't need to be on the Internet, many require network access to tap into patient health records, look up drug interactions, or send specific data to appropriate care providers.
But there is no reason for the workstations at nursing stations that handle patient records to sit on the same network as the workstations in accounting and payroll, nor should both databases run on the same server. Hospitals need to make it harder for attackers who have compromised one server to locate and reach other valuable servers.
Segmenting the network to isolate more vulnerable machines means that even if the attackers successfully compromise them, they are limited in how far they can spread across the network. But that's only the first step.
The next step is privilege management and restricting access to files and systems. Not everyone needs access to all files on the fileserver. Doctors shouldn’t be able to get to the administrator console of the MRI machine. There shouldn't be a way to see a piece of radiology equipment, let alone access the console screen, from an HR workstation. If the doctor has administrator rights, then you can bet malware will be able to get those privileges, too.
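A concrete form of the segmentation and access restriction described above, as an added example that is not from the article: an nftables forwarding policy for the hospital core firewall that only permits the flows each zone needs and logs everything else. The zone names, subnets, server addresses and ports are assumptions; substitute your own.

```nft
# Added example (not from the article): core-firewall forwarding policy that
# keeps clinical, business, imaging and engineering zones apart.
# Subnets and server addresses are assumptions for illustration.
define NURSING    = 10.10.0.0/24    # nursing-station workstations
define ACCOUNTING = 10.20.0.0/24    # accounting / payroll / HR workstations
define RADIOLOGY  = 10.30.0.0/24    # imaging modalities (MRI, CT, ultrasound)
define BIOMED     = 10.40.0.0/24    # biomedical-engineering management hosts
define EHR_SRV    = 10.100.0.10     # patient-record server
define FIN_SRV    = 10.100.1.10     # payroll / accounting database server
define PACS_SRV   = 10.100.2.10     # image archive that receives DICOM studies

table inet hospital_segmentation {
    chain forward {
        # Default deny: a flow between zones must match an explicit rule below.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Clinical workstations reach the record server only, over HTTPS.
        ip saddr $NURSING ip daddr $EHR_SRV tcp dport 443 accept

        # Business workstations reach the finance database only.
        ip saddr $ACCOUNTING ip daddr $FIN_SRV tcp dport 5432 accept

        # Modalities may push studies to the archive (DICOM, port 104) and nothing else.
        ip saddr $RADIOLOGY ip daddr $PACS_SRV tcp dport 104 accept

        # Only biomedical engineering may reach modality service consoles (SSH).
        ip saddr $BIOMED ip daddr $RADIOLOGY tcp dport 22 accept

        # Anything else crossing zones (e.g. HR -> radiology) is counted, logged, dropped.
        log prefix "segmentation-drop: " counter drop
    }
}
```

The final logging rule is what turns the policy into a detection source: a hit from an HR address toward the radiology subnet is exactly the lateral movement the article warns about.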
Network-connected medical devices must be secured so that an attacker on one segment can't jump to other networks or use the device as a point of entry from outside. The number of devices -- easily in the tens of thousands in a large hospital -- means paying extra attention to physically securing them. It's unlikely someone can stroll out the door with a CT scanner or an ultrasound machine, but it is easy to steal a laptop and use its remote-access software to get onto the network.
Administrators must enable two-factor authentication where possible and make sure employees follow basic password policies -- such as preventing users from sharing passwords across applications or systems.
Health care organizations run a number of specialized, often customized applications. They are also increasingly adopting web, mobile, and cloud-based applications. Imperva’s annual report found that health care applications are likely to suffer 10 times more cross-site scripting attacks than applications in other industries.
Nearly 80 percent of health-care-related applications contain easily avoidable cryptographic issues such as weak algorithms, says Chris Wysopal, CTO and CISO of application security company Veracode. Whether it’s a SQL injection flaw in the web application or an issue in how the application encrypts data, the consequences are equally serious.
Basic application security rules apply here. In-house applications should be tested for vulnerabilities, and many organizations are spending more on external security assessments and inserting liability clauses into contracts with software vendors, according to a recent HIMSS/Veracode survey. These assessments are driven not by increased security awareness but by liability fears. Regardless, it's still a good step forward.