The industries and organizations that many perceive to have the highest cybersecurity risk are often the “usual suspects.” They include financial services and technology – industries that have a lot of resources, or proprietary, high-value data that can make a successful breach or cyberattack highly profitable and worth the effort for malicious actors.
However, the threat landscape has shifted significantly over the past few years. Public sector organizations and critical infrastructure have been increasingly targeted as nation-states have become more active in cyberattacks. We’ve also seen ISPs and telecom providers become more frequently attacked in the wake of the COVID-19 pandemic, as attacks to America’s connectivity supply chain have become increasingly disruptive and dangerous.
But there is another industry at particularly high risk for cyberattack that many don’t consider – the healthcare industry. Healthcare organizations have not been excluded from the wave of digital transformation that has swept across the globe. As a part of that digital transformation, they’ve network-enabled their critical equipment and devices and digitized much of their data.
This means that a ransomware attack that compromises their systems could result in the inability to deliver care to a patient, or access essential patient data. It also means that highly personal, incredibly valuable information and data about patients could be accessed as a result of a successful breach. And these factors are making healthcare organizations increasingly attractive targets for cyberattacks.
In a recent article on the Red Hat blog, Chris Jenkins, a Principal Solution Architect at Red Hat, laid out some additional reasons why healthcare organizations are being targeted for cyberattacks, and some of the ways in which a DevSecOps approach to application development can help keep their data and systems secure.
Here are four healthcare industry-specific perceived threats and how a DevSecOps approach to application development and application security can help mitigate them, courtesy of Chris:
1. Data leak prevention
Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII), so there’s a higher incentive for cybercriminals to target medical databases so they can sell the PHI or use it for their own personal gain. Data leaks can also severely damage an organization’s reputation and decrease trust with customers and other healthcare partners.
Collecting and interpreting sensitive patient data is critical for healthcare organizations. Organizations must also protect that data against cybersecurity threats while also complying with the Health Insurance Portability and Accountability Act (HIPAA) and other standards to reduce the risk of data leaks.
Embedding security controls throughout the full platform and development cycles helps organizations manage sensitive data and ensure that access is only granted to authorized and authenticated users. However, DevSecOps is a complex undertaking, especially as DevSecOps tools grow and change at a fast pace. Containers and Kubernetes add more complexity and open up new attack vectors and security risks.
Development and operations teams must make security—including Kubernetes security—an integral part of the application life cycle to safeguard critical IT infrastructure and protect confidential health data.
2. Cyberattack prevention
The U.S. Department of Health and Human Services produces a report that shows security breaches across the U.S. healthcare industry in the last two years. This report shows that almost 73 percent of security breaches are due to hacking or IT incidents.
To reduce the number of cyberattacks, security should be an integral part of the design, implementation and maintenance of any system containing or processing personal health information. Unifying security across the organization using a DevSecOps approach extends responsibility for security across teams, rather than having a single, disconnected team responsible for setting security policy.
It is worth noting that attackers are less likely to attack the infrastructure directly; they will more probably attempt attacks through the user interface or application programming interface (API). For this reason, additional security hardening techniques should be taken into account, such as using TLS everywhere – creating a Zero Trust Architecture – and increased access logging to monitor who has accessed sensitive health data. Additional actions such as image vulnerability scanning will also decrease the risk of vulnerabilities within containers.
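As an added illustration of the access-logging point above (example code, not from the original article or from Red Hat), a small Python routine that reviews a PHI access audit log for two signals worth alerting on: one user reading an unusual number of distinct patient records in a short window, and export actions by roles that the assumed policy does not allow to export. The log format, users, roles, patient IDs and thresholds are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PHI access audit log (JSON lines); users, roles and patient IDs are made up.
SAMPLE_LOG = """\
{"ts": "2023-03-01T09:00:00", "user": "nurse01", "role": "nurse", "patient": "P100", "action": "read"}
{"ts": "2023-03-01T09:20:00", "user": "nurse01", "role": "nurse", "patient": "P101", "action": "read"}
{"ts": "2023-03-01T09:01:00", "user": "clerk07", "role": "billing", "patient": "P100", "action": "read"}
{"ts": "2023-03-01T09:02:00", "user": "clerk07", "role": "billing", "patient": "P101", "action": "read"}
{"ts": "2023-03-01T09:03:00", "user": "clerk07", "role": "billing", "patient": "P102", "action": "read"}
{"ts": "2023-03-01T09:04:00", "user": "clerk07", "role": "billing", "patient": "P103", "action": "read"}
{"ts": "2023-03-01T09:05:00", "user": "clerk07", "role": "billing", "patient": "P104", "action": "export"}
"""
# Assumed policy: only these roles may export records in bulk.
EXPORT_ROLES = {"records_officer"}

def parse_log(text):
    """Parse JSON-lines audit records, converting timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def find_bulk_readers(records, window=timedelta(minutes=30), threshold=3):
    """Return {user: peak} for users who read more than `threshold` distinct
    patient records inside any sliding `window` (a common record-snooping signal)."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        peak = 0
        for i, start in enumerate(events):
            end = start["ts"] + window
            seen = {e["patient"] for e in events[i:] if e["ts"] <= end}
            peak = max(peak, len(seen))
        if peak > threshold:
            findings[user] = peak
    return findings

def find_unauthorized_exports(records):
    """Export actions performed by a role that policy does not allow to export."""
    return [(r["user"], r["patient"]) for r in records
            if r["action"] == "export" and r["role"] not in EXPORT_ROLES]
```

In the constructed log, the nurse's two reads stay under the threshold while the billing clerk's burst of five patients in four minutes, ending in an export, is flagged on both counts.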
3. Insider threat reduction
According to a Techjury Study, 66 percent of organizations consider malicious insider attacks or accidental breaches more likely than external cyberattacks. Additionally, the number of insider-originating incidents has increased by 47 percent over the last two years.
An example of an “evil admin” within the healthcare industry is that of Jesse William McGraw, aka “GhostExodus.” McGraw pleaded guilty in 2010 to computer tampering charges for putting malware on a dozen machines at a hospital in Texas, including a nurses’ station that had access to medical records. He was later sentenced to nine years and two months in prison for installing malware on computers.
Technology alone cannot remove this type of attack, but it can be used to mitigate attempts and to limit the attack surface. Privileged user accounts are required for various legitimate purposes, but they should be managed and monitored to stop either intentional or accidental breaches in security.
Adding proper authentication to an application may be cumbersome, since correctly implementing standard, interoperable authentication flows such as OpenID Connect (OIDC) can be a challenging task, but these are crucial for increasing security and reducing risk.
For any new application using a microservices architecture, it’s possible to delegate all the authentication and authorization concerns to a building block such as Red Hat Single Sign-On.
Regarding authentication and authorization, it is advised to use OIDC, OAuth (Open Authorization) or Security Assertion Markup Language (SAML) to protect all resources.
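To make the advice to protect every resource with OIDC-issued tokens concrete, here is an added Python example (not from the original article and not Red Hat Single Sign-On code) of the checks a PHI API should make before trusting a bearer token: signature, pinned algorithm, issuer, audience, expiry and scope. It assumes an HS256 shared key so that it runs offline; a real deployment would verify RS256/ES256 tokens against the provider's published JWKS keys. The issuer URL, audience and scope names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Simplification: HS256 with a shared key so the example is self-contained. Production
# OIDC access tokens are normally RS256/ES256, verified with the provider's JWKS keys.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider: sign a JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None):
    """Resource-server check: return the claims only if signature, issuer,
    audience and expiry are all valid; otherwise None (reject the request)."""
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        provided = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the expected algorithm; never let the token's header choose it.
    if hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("iss") != issuer or audience not in aud:
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def may_read_phi(claims: dict) -> bool:
    """Authorization step: require the scope granted for PHI reads (assumed scope name)."""
    return "phi:read" in claims.get("scope", "").split()
```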
4. Preventing software supply chain attacks
The now famous “SolarWinds Hack,” which impacted the National Institutes of Health among other government agencies, is one example of how dangerous software supply chain attacks are. They rely on compromising the software Continuous Integration/Continuous Delivery (CI/CD) process by introducing malicious software into regular software builds, preferably software with a wide reach into “interesting” companies.
To defend against this type of attack, a multitude of changes have to be made to internal processes to ensure a non-compromised software build across the whole build chain.
Building security into your applications is critical for cloud-native deployments. Securing your containerized applications requires that you:
The CI/CD pipeline is at the core of a secure software supply chain and helps prevent supply chain attacks because developers remove the vulnerabilities before the application goes into production. Adding automation to the process allows IT teams to deliver resources faster, supporting rapid proofs of concept, development, testing, and deployment into production.
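As an added example of the kind of pipeline gate this paragraph describes (example code, not from the original article or any Red Hat product), a Python policy check that reads a container image scan report and decides whether the image may be promoted: fixable CRITICAL/HIGH findings block the build unless an unexpired, documented exception covers them, fix-less ones are surfaced as advisories, and the image reference must be pinned by digest. The report shape, package names, digest and CVE identifiers are constructed placeholders.

```python
import json
from datetime import date

# Constructed scanner report in a generic shape (not any particular scanner's
# output format); the CVE identifiers and digest below are placeholders, not real ones.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.org/phi-api@sha256:" + "0" * 64,  # placeholder digest
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "openssl", "fixed_version": "3.0.9"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "package": "libxml2", "fixed_version": None},
        {"id": "CVE-0000-0003", "severity": "MEDIUM", "package": "curl", "fixed_version": "8.1.0"},
        {"id": "CVE-0000-0004", "severity": "HIGH", "package": "zlib", "fixed_version": "1.3"},
    ],
})

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

def evaluate_gate(report_json: str, exceptions: dict, today: str):
    """Decide whether an image may be promoted to production.

    Blocks on CRITICAL/HIGH findings that have a fix available, unless an
    unexpired exception (CVE id -> ISO expiry date) covers the finding. Fix-less
    CRITICAL/HIGH findings are returned as advisories to track until a fix ships.
    Returns (passed, blocking_reasons, advisories)."""
    report = json.loads(report_json)
    today_d = date.fromisoformat(today)
    blocking, advisories = [], []
    # Require a digest-pinned reference so what was scanned is what gets deployed.
    if "@sha256:" not in report["image"]:
        blocking.append("image reference must be pinned by digest, not by tag")
    for v in report["vulnerabilities"]:
        if v["severity"] not in BLOCKING_SEVERITIES:
            continue
        expiry = exceptions.get(v["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today_d:
            continue  # risk accepted until the exception lapses
        note = f"{v['id']} ({v['severity']}) in {v['package']}"
        if v["fixed_version"]:
            blocking.append(f"{note}: upgrade to {v['fixed_version']}")
        else:
            advisories.append(f"{note}: no fix available yet")
    return (not blocking, blocking, advisories)
```

Wiring this into the pipeline means running it after the scan step and failing the job when `passed` is false, so the only route to production for a fixable high-severity finding is a rebuild or a time-boxed, reviewed exception.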
Ultimately, protecting sensitive data is important in all industries, but is particularly vital in healthcare due to the nature and value of personal health information. A DevSecOps approach to application development can help to mitigate these four high-priority security threats that healthcare IT teams face.