COVID-19 vaccine: Six recommendations to improve cybersecurity
Recent cyber-attacks against COVID-19 vaccine development facilities highlight a broader issue with healthcare security globally. In July 2020, an espionage group known as APT29 targeted several healthcare organizations which are involved in COVID-19 vaccine development in Great Britain, Canada, and the United States. It is believed that the hacker group aimed to steal information related to vaccines and treatments for the coronavirus.
But the issue is not limited to COVID-19. A recent study in the JAMA Network estimated that, on average, it takes nine years and nearly US$1 billion to bring a new drug to market, which makes drug research a tempting target for cybercriminals and nation-state hacking groups. But it’s not just drug formulas: the confidential personal data stored by healthcare organisations is also of significant value, and its compromise can cause significant disruption. It’s estimated that the cost of a healthcare breach amounts to US$6.45 million.
The challenge is that the industry is often an easier target than it should be. Certainly, big pharma companies have the resources to put up a strong defense. But hospitals, research labs, clinics, and doctors’ offices often lag behind in their cybersecurity. Security flaws can range from outdated software to employees’ lack of basic cybersecurity knowledge.
This situation is further exacerbated by fragmented care delivery and the segregation of financial systems, which make comprehensive reforms extremely difficult. Failure can mean the exposure of patients’ personal information or risks to connected lifesaving devices.
Indeed, the COVID-19 pandemic has expanded the risk profile of healthcare organizations, with a greater threat surface exposed due to the rise of remote transmission of data through telehealth technologies. The current pandemic has accelerated the use of video technology between healthcare professionals and patients: for meetings, education, therapy sessions, and doctor’s visits.
Six recommendations to improve cybersecurity
In this rush online, healthcare organizations have done well to support patients during lockdowns. But now, leaders of these organizations need to step back for a moment and decide how to create a highly adaptive security ecosystem.
1. Create a robust infrastructure and hardening guidelines. Companies should quickly create standardized processes to ensure that security updates are immediately installed. This also applies to remote connected devices, which should be replaced if sufficiently outdated. If replacing or upgrading those systems is not possible, firms need to build new security controls to compensate.
2. Embrace a zero trust model. Existing systems should be augmented using zero trust principles, ones that do not assume anything and verify everything. To prevent unauthorized access, firms need to implement 100% multifactor authentication rather than requiring employees to connect to the corporate network. With this approach, only certain remote access applications are exposed and all users are verified. This can be accomplished through secure web gateways instead of traditional VPNs. To prevent the spread of malware and limit an attacker’s access, hospitals should use network segmentation to segregate life support systems from the less critical ones. And to reduce the attack surface, companies need to manage identity access by implementing the principle of least privilege. This way, only those users, processes or programs that have legitimate rights to access certain information will be able to get the job done.
3. Have laser focus on data security. Organizations should automate processes such as data identification, classification, encryption, and masking. To monitor data loss in real time, companies should use data loss prevention systems for email, network, and endpoints. Firms can also conduct periodic reviews to ensure only authorized users gain access to each system.
4. Build security into system design. Security must become a part of all programs and be thought through across the entire business, applications, infrastructure, cloud, and data. It is crucial to create end-to-end visibility of security metrics, which can be leveraged to continuously enhance security. Secure coding guidelines, using DevSecOps, will help to design code faster and more cheaply. Also, companies should improve cybersecurity literacy among employees through awareness campaigns, mandatory quizzes, and certifications.
5. Create compliance and risk management programs to evaluate partners. Organizations should use risk-based partner segmentation to ensure third parties have the appropriate level of access. The use of zero trust principles — along with questionnaires and industry-standard security posture assessments — will help evaluate each partner’s access. It is also necessary to establish an integrated governance and escalation framework with clear ownership and integrated workflows.
6. Use managed detection and response tools. These tools help quickly identify and remediate risks by using endpoint detection and response solutions. The use of artificial intelligence and automation reduces false positives and allows organizations to hunt threats. To reduce costs, increase visibility, and protect against data breaches, healthcare organizations can hire managed detection and response services providers. Not everything must be done in-house.
Cybersecurity risks are increasing due to digitalization, remote work, and telemedicine. Healthcare providers need to prioritize security before it is too late. Now it’s time to design an integrated approach to cyberdefence that will be in line with the company’s goals and priorities.