According to a recent report from our friends at Ponemon (sponsored by Barkly), endpoint attacks on the healthcare industry are not only prevalent but costly as well. Specifically, healthcare “endpoint” attacks cost the industry $1.3B annually, with over half of organizations saying they experienced a successful endpoint attack. Let’s take a look at some of the basics of what’s at risk and what the scope and cost of an attack is, including how it relates to just about every industry and business you can think of.
Let’s face it, today’s modern endpoint has changed drastically from the IT days of yore, especially in healthcare. Everyone and everything has become an endpoint. In healthcare, from associates, doctors and administrators, to patients in portals and their embedded devices such as pacemakers, and diagnostic instruments like MRI machines: all are processing healthcare information in completely new ways. IT consumerization and mobility make it even more omnipresent. The question is, where’s the data stored? If you’ve got data stored on an endpoint today, it’s time to rethink that strategy.
The FDA – Death and Today’s Modern, Data-Less Endpoints
In its past guidance, the FDA said it "recognizes that medical device cybersecurity is a shared responsibility among stakeholders including healthcare facilities, patients, providers and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury or death."
Death? Yeah, that should grab your attention. Nothing like the fear of death to get an organization to sit up and take notice and maybe implement a few security changes. The evolution of the healthcare environment (and the related scare of DEATH?) never ends. Take, for instance, how the endpoint has evolved to simplify security, how we are today delivering workloads and applications much more efficiently and, more specifically, how virtualization and the IoT have created the next-generation endpoint environment.
Wibu-Systems, a security software licensing company, summarizes: “in working with some of the country’s largest healthcare providers – we’ve seen a new trend evolve. IT and security directors are looking at desktop and application virtualization from a new perspective. We’re going from virtual desktop delivery – to virtual “workload” delivery. The difference? The desktop doesn’t really matter.”
HealthITsecurity explained a typical use case: these days you’ve got an employee workstation with a nurse who just signed in. They are using a tablet where they have direct access to:
- web applications,
- legacy applications,
- cloud storage and data,
- Windows desktops and
- Windows applications.
…All done without a single client launch, as newer technologies (Citrix, VMware, etc.) have enabled the use of HTML5 solutions. Entire applications and even desktops are delivered through a browser web portal, with specific tabs opening the needed resources as requested. The security factors? They are built into policy controls that ensure no data is stored at the endpoint, providing proactive endpoint loss control by making sure all information is secured within the data center.
This naturally trickles over to mobile and remote users, devices and applications as well. Any device can connect through a central, web-based user portal to access apps, desktops and other resources. Again, even when remote, nothing need be stored at the endpoint, allowing the healthcare security administrator to have constant control over resources and data located within the data center (not the endpoint). Many healthcare companies have embraced public key infrastructure (PKI) as a secure, scalable, flexible and cost-effective method to authenticate digital identities, ensure integrity of transmitted data, and encrypt communications within these virtual workloads.
Virtual Endpoint-To-Data Center Security and PKI Infrastructure Management
The healthcare industry, much like the power grid or utility infrastructure, has recently been deemed part of the Critical Infrastructure, or CI. In fact, PKI management is now a central theme in most businesses that are part of, interact with, or relate to any nation’s CI. Ransomware and other cybersecurity attacks are more serious and more prevalent than even a year ago, and not just within the healthcare industry, which has further driven CI companies to beef up cybersecurity efforts in general and PKI adoption specifically.
Here in the US, the Presidential Policy Directive #21 has been updated to identify 16 critical infrastructure sectors or industries where datacenter cybersecurity protection, and in particular PKI security, is of paramount concern, including:
- Chemical Sector: includes all petrochemicals, industrial and other hazardous chemicals.
- Commercial Facilities Sector: includes a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging.
- Communications Sector: underlying the operations of all businesses, public safety organizations and government.
- Critical Manufacturing Sector: including metals, machinery, automotive/transportation, engine and turbine, power transmission equipment, earth moving, mining, agricultural, electrical and construction equipment.
- Dams Sector: comprising dam projects, navigation locks, levees, hurricane barriers, mine tailings impoundments and other similar water retention and/or control facilities.
- Defense Industrial Base Sector: including research, development, design, production, delivery, and maintenance of military weapons systems, subsystems and components or parts to meet US military requirements.
- Emergency Services Sector: providing a wide range of prevention, preparedness, response, and recovery services during both day-to-day operations and incident response.
The six other sectors of the CI should be self-explanatory and can be researched specifically in the PPD#21 at your leisure, and they include:
- the energy sector,
- the financial services sector,
- the food and agriculture sector,
- the healthcare and public health sector,
- the information technology sector,
- the nuclear reactors, materials and waste sector,
- the transportation systems sector and
- the water and wastewater systems sector.
Suffice it to say, just about every type of business in every industry can arguably be placed into one of these 16 sectors. What does that mean? It means that you had better get cracking on managing your PKI infrastructure within your data centers. Apparently, it’s not only expensive when attacked…but our lives are depending on it!
GlobalSign has got a good whitepaper that discusses why PKI infrastructure management is important to any Critical Infrastructure (CI) and should be required reading for all CISOs worldwide. Want to discuss PKI management in depth as it relates to your business? We’d love to hear from you.