-
Industrial
- Healthcare
-
Commercial
- Public Sector
- Threat Research
- Partners
-
Resources
Featured Content
- Company
Blog / 5 min read
In May 2022, the Cybersecurity and Infrastructure Agency (CISA) issued an alert on poor cyber hygiene practices threat actors routinely exploit to gain initial access or use as part of other tactics to compromise a victim’s system. While not specific to the healthcare sector, the notification is a good reminder of the importance of good cyber hygiene for all organizations and the risks incurred when best practices to protect systems are not adhered to.
We’ve previously discussed healthcare risk management and clinical cyber hygiene, but this advisory further emphasizes the common weak security controls, poor configurations, and poor security practices used by hackers. Threat actors don’t discriminate, and maintaining good cyber hygiene is not a “one and done” activity. Like frequent hand washing is for all healthcare professionals, cyber hygiene requires constant care and attention. If neglected, you may find yourself facing unexpected, costly consequences.
According to the World Health Organization, “Hygiene refers to conditions and practices that help to maintain health and prevent the spread of diseases.” Similarly, clinical cyber hygiene refers to the methods and mechanisms that help maintain the privacy and integrity of clinical networks and prevent the spread of attacks. This is predicated based on an organization’s ongoing ability to discover, assess, and manage cybersecurity risks that are proliferating with the increasing reliance on connected devices, a surge in threats, and regularly discovered vulnerabilities.
Cyber hygiene is important across all sectors. If not done well, it can lead to financial losses, or loss of essential services, like power. But in healthcare, patient lives can be at stake. That’s why good cyber hygiene must be driven by security solutions and practices tailored to the uniquely challenging requirements of health systems. Good cyber hygiene enables clinical efficiency and increases the value of operations. Implementation of sound practices reflect a systematic approach to understanding and managing clinical networks. They maximize the resiliency and availability of connected medicine. So, how do you establish and maintain good clinical cyber hygiene? Below are some best practices we’ve seen health systems leverage to their advantage.
As we’ve mentioned, cyber actors regularly exploit poor security configurations that are either misconfigured or left unsecured, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise an organization's system. CISA identifies the following best practices to mitigate these issues:
Make sure you can discover and identify 100% of devices hosted on your clinical networks as well as the Extended Internet of Things (XIoT) devices they are connecting to. A fingerprint means full device attribution and knowledge of their operating requirements — even beyond manufacturer, model, OS, hardware, app versions, and location are essentials including network status, security posture, and utilization intelligence. Every detail is important, and you should be looking for ways to continuously enrich your understanding as the threat landscape evolves. This includes not only the data that defines the device, but maintenance intervals, utilization patterns, and the experience of staff who interact with the device throughout its lifecycle — from acquisition through disposal.
Risk scoring is a dynamic process, and it can’t be adjudicated in a vacuum. Organizations with good cyber clinical hygiene are continuously reassessing device security, at both individual and group level, as security provisioning and asset restaging and maintenance are related processes. The overall assessment context must extend beyond the likelihood of compromise and include both patient safety and business factors.
At a minimum, workflows associated with managing risk across high value assets should be coordinated cross-functionally. Especially when considering the highly mobile nature of connected medical and XIoT devices, and the need for health systems to accelerate their restaging. It is imperative that security-awareness be reflected in cross-department workflows.
Don’t let a weak link negate all your hard work. In golf, they say you’ll never play faster than the slowest person in your foursome. That’s why a programmatic approach to risk management is critical, otherwise, performance deficits are difficult to identify and improvements are impossible to measure. Given the highly mobile nature of assets, and the continuing fragmentation of care delivery, your risk management practice must encompass outpatient facilities, clinical partners, etc. — with the same rigor.
Monitoring device performance allows for the introduction of security metrics to supply chain/procurement managers. As many healthcare delivery organizations (HDOs) employ “spend category managers”, whose responsibilities include negotiating contracts with key suppliers, these metrics should be known to them so they can be incorporated into the procurement process. Involving supply chain/procurement managers as part of clinical cyber hygiene practices helps the organization maintain a security stance with partners that is in line with the organization’s tolerance for risk.
Medigate by Claroty can help your organization implement good clinical cyber hygiene, by supporting workflows across the ecosystem with the data, risk framework, and the insights required to develop a focused, integrated asset management and security program. Specialized modules, including one dedicated to clinical cyber hygiene, can help you jumpstart your efforts by providing a detailed organizational “risk baseline”. This reporting is organized to ensure relevance cross-functionally, with information provided in both aggregated and filterable views (e.g., by location) for maximum flexibility. When combined with the ability to modify frameworks, as conditions change and simulate the effects of potential remediation activities, these insights are game changing.
