Cyber risks of digitizing legacy systems in healthcare environments
The news is full of reports of vulnerabilities discovered in medical devices. Many of them are quite terrifying. Who can forget the first time they heard that a pacemaker could be hacked — or of the data breaches resulting from these vulnerabilities or misconfigurations. Similarly, all processes involving healthcare data digitization are currently in play. Because the hospital is the playing field on which many of these processes come together, it’s the best place to start looking at some of the security implications for our secure medical data.
Some of the more prevalent considerations follow.
Phishing simulations & training
Processes that generate PHI data
Many types of hospital processes generate a large amount of Protected Health Information, or PHI, data. The largest sources that generate and process PHI are Radiology, Patient Monitoring, Medication Management, Surgery, Diagnostics and (Electronic) Medical Records. Each process itself has many steps resulting in different outcomes depending on where the output of one process is used in the one that follows.
Let’s look at this in a security-minded way. Mapping the flow of information between these processes can help us structure the network into compartments, noting the data handover points needed in between, such as IP addresses, ports and protocols. This will help to mitigate an attack propagated across different network sections. It also identifies the needed flows and makes sure that any further attacks can be shut down and prohibited.
Assets and steps within the individual processes
Here’s an example: Radiology uses a few different assets to generate medical images: Ultrasound, X-ray or MRT, and then uses a Picture Archiving and Communication System (PACS) server to store that imagery. Configuration of PACS servers is often the first trap to fall for from a security perspective. That’s because a full and secure configuration is not achieved when the asset is operating according to process requirements! Security is only achieved when all other configuration elements are checked and appropriately secured.
One might think that using the PACS server to allow patients access to their medical imagery via web interface might sound like a good idea and a value-add for patients wanting to see their medical info personally. But when a PACS server connects directly to the public internet without any further configuration checks, the consequences can be severe, as recent cases have shown!
In the same way, integrating an Electronic Medical Record (EMR) into self-service kiosks or websites in which patients input their data prior to a hospital visit often includes many details that are unrelated to the main operation. Also, the EMR system needs to be checked for vulnerabilities and updates regularly!
An EMR can be seen as the central element of all data flows in a hospital, whether the internal flow between PACS and EMR, EMR and Medication Management or the external flow, used for insurance and billing purposes. Any and all of these connections need planning, scrutiny, and intensive monitoring.
Putting things together to build a secure structure
The promised benefits of digitization might benefit a single asset, a process or the hospital as a whole. Still, that promise also comes with an obligation to think through the implications of digitizing and storing health data and consider the entire security strategy and its contingencies. At the same time, we must remember the possible side effects and not stop thinking of these things when the first signs of "mission accomplished" are in sight.
Even though the digitizing process works, that does not necessarily mean it is secured. Mapping out the data flow as well as checking and securing the settings of a device is a vitally important process around any mass digitization effort aimed at securing private and personal medical data. Augmenting that process with the tools needed to further tighten security will build a more secure structure able to be resilient against cyberattacks.
Phishing simulations & training
ChatGPT training
In this Series
- Cyber risks of digitizing legacy systems in healthcare environments
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization