Responding to cyber security threats in healthcare: API-First meets Protection-First

Cyber security threats in healthcare

The Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) are warning the healthcare community about an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. The threat is related to compromised credentials resulting in malware and ransomware.

Not again! Yes, again! It really is a jungle out there.

We are fighting a foe that is evolving (thankfully slower than other dangerous virus-borne diseases). It's an ever-evolving "cyber-virus" that requires Corporate Protection Equipment, not just PPE (Personal Protection Equipment).

Criminal enterprises fully understand the economic opportunity to disrupt service delivery, and they are continually looking for new ways to defeat our protective gear. Now it looks like they have developed revised tools to do just that.

The timing couldn’t be worse

The global pandemic is heading for another peak period, stressing hospitals and caregivers in many regions. The weather is changing, and we are all headed indoors as the season progresses.

It’s not just our front-line healthcare staff at risk; many technology teams and business units are still working primarily from home, using potentially less secure internet access points.

Moreover, the security deployed and enforced at the enterprise level has now become highly distributed, stretched 10-20x broader than intended, with internal systems seeing more connections from outsiders (at-home workers). Hence the model for protecting the enterprise and determining what behaviors are expected and allowed has flipped.

I suspect many of you have already received warnings from your Security Office or Chief Information Security Officer (CISO) asking you to be vigilant for phishing attacks (report/ignore requests to share your credentials).

Like me, you are probably fatigued by this year and yet another request to adopt new habits to protect yourself and others. Keep your guard up and your protection close at hand. Axway's Chief Technology Officer, Vince Padua, is warning us that threats abound.

Through lockdowns, school closures, and remote working, we are all spending more time online. Some are experiencing telehealth for the first time, whether it is for mental support, requests for medical supplies and medications, or reviewing diagnostic results. The overall surface area for ransomware attacks has grown significantly in 2020 with more online time and activity. And these applications or APIs have been shown to be a key attack vector given their high number of vulnerabilities. With telehealth and our increasing time online, the opportunity for phishing attacks via email, text, and web applications has increased significantly.

Compromised credentials

With so many opportunities for a breach, malware, and ransomware, what can we do? It helps to remember that most reported breaches are rooted in human error. As part of my role as a healthcare subject matter expert, I have followed the data breach lists on the OCR Breach portal (Office for Civil Rights), the agency responsible for investigating and reporting HIPAA Security breaches.

Reducing human error is key to reducing breaches and ransomware. HIPAA regulations require regular training and well-defined processes, procedures, and practices to ensure that health records are protected.

What else can be done? We also need to automate processes and adopt technology that provides protection. Simple measures can be taken to give us all greater confidence: automated backups, automated restore (to a last safe version), and policy engines that enforce best practices are critical.

Technology automation provides a valuable level of oversight and monitoring that we all need in these fatiguing times. Automated backups also provide additional options to your organization if the worst does happen.

Axway advises that securing user data and file shares, and even replicating entire systems, is a critical part of securing enterprise data from ransomware attacks. Having helped healthcare providers safely restore data files, we know this is a critical function that is best automated.

Compromised Interfaces

With the 21st Century Cures Act, healthcare organizations are publishing Open APIs to streamline and speed up data sharing. These APIs have the potential to be abused and co-opted, exposing protected health care.

All healthcare organizations need to invest not only in API Management solutions that offer automated enforcement of organizational security policy but also traffic monitoring.

API-First meets Protection-First

Industry-leading platforms have analytics that can look for anomalous traffic, potentially flagging expired or oddly sequenced user or administrative credentials, allowing technology teams to identify compromised credentials. Axway's CTIO Vince Padua advises:

Both consumers and providers need to focus on authorization and authentication on the front end. And as a healthcare provider, recognize that all your applications are built on APIs (Application Programming Interfaces). These APIs should be protected by the latest security protocols and standards.

Don’t let distractions, competing priorities, and just plain fatigue weaken your team’s security focus. Put on that Corporate Protection Equipment that protects the user and file shares with both automated policy and backup recovery.

Ensure that data is not leaking through Open APIs with API Management solutions that enforce an organization’s security practices and monitor traffic for the unexpected.

Cyber security threats in healthcare

Protecting against ransomware requires a multi-vector approach. Your patients, members, and partners need to be educated, your tools need to be up-to-date, and your remediation strategy should be well-rehearsed.

Read my article about the 2020 Medicare Interoperability Rule in Healthcare.

Read about API security: 12 essential best practices.