A recent federal cybersecurity advisory urged healthcare providers to apply phishing-resistant multi-factor authentication (MFA) immediately for all administrative access. Providers should also set up monitoring for the creation of new accounts, implement network segmentation controls, and change or remove all default credentials.
The advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), which last year carried out a Risk and Vulnerability Assessment (RVA) to identify vulnerabilities and areas for improvement. An RVA is a two-week penetration test of an entire organization: one week of external testing and one week spent on site evaluating the internal network. As part of the RVA, the CISA assessment team carried out web application, phishing, penetration, database, and wireless assessments. The team assessed a large organization that provides on-premises software.
During the one-week external assessment, the team did not identify any significant or exploitable conditions in externally facing systems, and it was unable to gain initial access to the assessed organization through phishing. During the internal penetration test, however, the team used misconfigurations, weak passwords, and other issues along several attack paths to compromise the organization's domain.
In coordination with the assessed organization, CISA published a new Cybersecurity Advisory (CSA) describing the RVA team's activities and key findings, in order to give network defenders and software manufacturers recommendations for improving the cybersecurity posture of organizations and their customers.
“The threat is greater than ever,” said Tamer Baker, a cybersecurity specialist and Chief Technology Officer for healthcare at Zscaler, headquartered in San Jose, California. More than 100 million people and 500 hospitals in the United States alone were affected by breaches in 2023, he said.
IT security equates to patient safety, Baker said. The average financial impact of a healthcare breach is now 11 million US dollars, which, according to Baker, far exceeds the cost of proper security. “The advisory is long overdue; it is still not enough,” he said. “What is needed is more in line with what the state of New York has issued.”
Effects on patient care
Cyberattacks have a serious effect on patient care and have been associated with longer hospital stays and increased mortality. “According to a national study carried out by the Ponemon Institute, these cyberattacks have led to 56% longer hospital stays and a mortality rate of 53%,” said Baker, who supports healthcare organizations, state and local governments, and educational institutions in their digital transformation efforts. Cyberattacks in the past 12 months have led to thousands of patients being transferred to other facilities or diverted. The attacks have been associated with delays in procedures and tests, increased complications, and poor outcomes.
From the login perspective, MFA is a good first step according to Baker, but not enough. Bad actors have found various ways to get past MFA, with vectors such as MFA bombing as an example. This is a social-engineering attack strategy in which attackers repeatedly send second-factor authentication requests to the target victim's email, telephone, or registered devices, hoping the victim eventually approves one. “We have to keep users from ever reaching phishing websites,” he said. “A big step will be to have security that blocks the phishing attempts, regardless of whether the user is working on the network or off-network (from anywhere).”
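The MFA bombing pattern described above leaves a recognizable trace in an identity provider's push logs: a burst of push requests to one user, mostly denied or unanswered, sometimes followed by a single approval. The following is an added example (not code from the article, CISA, or Zscaler) of a defender-side detector for that pattern. The log format, field names, the PUSH_* event names, the five-minute window and the three-push threshold are all assumptions for illustration; the sample lines are constructed.

```python
# Added example: detect MFA push fatigue ("MFA bombing") in push logs.
# Log layout, event names and thresholds are assumptions, not any vendor's format.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <source ip>".
# alice receives four pushes in two minutes, denies or ignores three, then approves.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice PUSH_SENT 203.0.113.5
2024-03-01T08:00:02Z alice PUSH_DENIED 203.0.113.5
2024-03-01T08:00:40Z alice PUSH_SENT 203.0.113.5
2024-03-01T08:00:45Z alice PUSH_TIMEOUT 203.0.113.5
2024-03-01T08:01:10Z alice PUSH_SENT 203.0.113.5
2024-03-01T08:01:15Z alice PUSH_DENIED 203.0.113.5
2024-03-01T08:01:50Z alice PUSH_SENT 203.0.113.5
2024-03-01T08:02:20Z alice PUSH_APPROVED 203.0.113.5
2024-03-01T09:15:00Z bob PUSH_SENT 198.51.100.7
2024-03-01T09:15:05Z bob PUSH_APPROVED 198.51.100.7
"""

PUSH_THRESHOLD = 3             # assumed: pushes within WINDOW that trigger an alert
WINDOW = timedelta(minutes=5)  # assumed sliding window


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: [alert, ...]} for users that received a burst of pushes.

    An alert fires the first time a user accumulates `threshold` PUSH_SENT
    events inside `window`. Later pushes for that user are added to the same
    alert, and an approval after the burst is recorded, because a user who
    finally approves after repeated denials is the case to treat as a likely
    compromise rather than mere harassment.
    """
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # user -> timestamps of PUSH_SENT inside the window
    alerted = set()
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse_line(line)
        if event == "PUSH_SENT":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes older than the window
                q.popleft()
            if user in alerted:
                alerts[user][-1]["count"] += 1
            elif len(q) >= threshold:
                alerted.add(user)
                alerts[user].append({
                    "first_push": q[0],
                    "count": len(q),
                    "approved_after_burst": False,
                    "source_ip": ip,
                })
        elif event == "PUSH_APPROVED" and user in alerted:
            alerts[user][-1]["approved_after_burst"] = True
    return dict(alerts)


def triage(alerts):
    """Map each alerted user to a severity label for the response queue."""
    return {
        user: "likely_compromise" if a[-1]["approved_after_burst"] else "push_harassment"
        for user, a in alerts.items()
    }


if __name__ == "__main__":
    found = detect_push_fatigue(SAMPLE_LOG)
    for user, severity in triage(found).items():
        print(f"{user}: {severity} ({found[user][-1]['count']} pushes)")
```

In this sample only alice is flagged, and because her burst ends in an approval the triage step labels her session a likely compromise, which is the case that warrants revoking sessions and resetting the factor. Number matching or a push-free factor such as FIDO2 security keys, which is what "phishing-resistant MFA" in the advisory refers to, removes the pattern at the source; the detector is a compensating control for the period before that migration is complete.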
CISA encourages healthcare providers that use the software, as well as software manufacturers, to apply the recommendations in the mitigations section of the new advisory. The hope is that these recommendations will harden networks against malicious activity and reduce the likelihood of domain compromise.
Offline security systems
“One way to stop attacks directly on applications and infrastructure is simply to remove them from the Internet,” said Baker. “Hide these applications and infrastructure behind a security cloud so that the bad actors cannot even find them on the Internet. This security cloud can then connect securely to the applications.”
CISA recommends not only applying the listed mitigations but also exercising, testing, and validating an organization's security program against the threat behaviors described in the advisory.
Frank Nydam, CEO of Tausight, the first AI-powered healthcare data security company, said that healthcare providers remain a prime target of cybercriminals, and there are no signs of this trend abating. In the first six months of 2023 alone, he said, 325 covered entities reported data breaches to the US Department of Health and Human Services Office for Civil Rights (OCR). This corresponds to an 86% increase compared with the same period in 2022. “Cyberattacks have not only become more common, but have also become more expensive, both from a financial perspective and from the perspective of patient outcomes,” said Nydam.
Mostly basic cyber hygiene
Many healthcare providers may think they need several layers of advanced tools, but Nydam said that most of the time it comes down to “basic cyber hygiene and understanding where their data are. This is critical and often overlooked.” These strategies include regular patching of vulnerabilities, basic device encryption, monitoring business partners' access to their data, and adherence to strict access management practices such as MFA. “One of the frequent mistakes is the failure to put a cyber response playbook in place,” said Nydam.
Other frequent mistakes include not encrypting and patching machines, and lacking proper data recovery systems. The most important items on a to-do list can be summarized simply. “Start by cleaning up your house,” he said. This includes a data assessment to understand where your sensitive data live, said Nydam. “House-cleaning steps like this can significantly reduce the attack surface, so that a cyberattack does not have a long-term impact.”
This article originally appeared in Renal & Urology News.