Page 21 - Cyber Warnings
P. 21
someone within the organization or whom the employee knows. Sometimes, attackers
disguise email as coming from trusted managers in the healthcare organization. The
training required for HIPAA compliance provides a good opportunity to make it very clear
to employees that the information technology within the hospital environment is not for
personal use at any time, under any circumstances.
2. Hire a cybersecurity contractor to perform penetration testing and assessment, which
can help hospitals discover and root out cyberattackers. Attackers are probably already
within your hospital network, although they may not have been able to steal data yet;
they may only be in the early stages of an attack. Experts can find and document many
of the vulnerabilities that your current information technology and security operations
team can begin to address. Most hospitals have not budgeted for these tests, and they
have certainly not budgeted for the costs of a major data breach. This testing is relatively
low-cost insurance that can help you understand the risks already inherent within your
network.
3. Review and assess medical devices and put an action plan for remediation in place now.
Most medical devices cannot be scanned by endpoint cybersecurity and are relatively
safe havens for cyberattackers. A remediation plan would note which devices have older
embedded operating systems such as Windows® XP or Windows® 7 that are highly
vulnerable to attackers and their malware tools.
4. Implement a plan to integrate and deploy the software fixes provided by the
manufacturers of your medical devices. Monitor this plan and report on it quarterly to
ensure you are making rapid progress towards your goal.
5. Procure medical devices from vendors that focus on cybersecurity processes, encrypt
data internally and use other advanced techniques such as white-listing to ensure that
files within the system are authorized.
6. Eliminate medical devices that have older architectures, no modern cyber defenses and
no viable strategy for dealing with advanced malware such as MEDJACK. Many medical
devices have been in service for years, often well beyond their expected life-cycle.
Replace outdated devices and acquire new devices with the protection you need from
manufacturers that can comply with your requirements.
7. Review existing contracts with medical device vendors, amend them to include support
and maintenance, and specifically address the details of malware remediation. Make
sure vendors can provide the support you need to investigate the presence of
cyberattackers, remediate the problem rapidly and return the device to normal
operations status. Medical-device manufacturers should have a documented test
process to determine if their devices are infected and a documented standard process to
remediate devices when malware and cyberattackers are using them.
21 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
