Healthcare Opinion

Australian Healthcare Sector Under Threat: How to Secure Complex Healthcare Environments

The Australian Government’s recent launch of an Information Sharing and Analysis Centre (ISAC) for the Australian healthcare system cannot come soon enough.

When it comes to critical infrastructure protection, there is arguably no sector more vital than healthcare: lives are on the line. Unfortunately, cybercriminals continue to target the Australian healthcare sector heavily. According to the latest data from the Office of the Australian Information Commissioner (OAIC), healthcare was the top sector for notifiable data breaches, with 102 notifications between January and June 2024.

Earlier this year, electronic prescription provider MediSecure revealed that a ransomware attack may have exposed the personal and health information of approximately 12.9 million individuals. Victoria’s largest public health service, Monash Health, was affected by a data breach at its supplier ZircoDATA that compromised information relating to its family violence and sexual assault support units.

Incidents such as these illustrate how complex and interconnected healthcare networks are. Unknown and unmanaged devices are so prevalent that many healthcare organisations lack insight into the true scope of their attack surface. Vulnerabilities in legacy systems can be difficult to remediate, and third-party risk multiplies these challenges.

Ransomware attacks, especially in the healthcare industry, exploit low-hanging fruit: unpatched vulnerabilities and unsecured physical or virtual assets. In addition to the new ISAC initiative, the Therapeutic Goods Administration has published guidance on mitigating some of these risks. Healthcare organisations must establish complete visibility of, and continuous security monitoring across, all medical devices, clinical assets and environments if they are to treat the root cause of this ongoing condition.

Symptoms of a Complex Network

Healthcare organisations have a complex attack surface, spanning IT, OT, IoT, IoMT, cloud, and virtual systems.

Many of these devices may be unknown or unmanaged, such as when a patient connects an Xbox to the network or a connected medical device is forgotten in storage. HVAC and other building controls are also often overlooked, but disrupting them could have severe consequences, from cancelling a surgery to increasing the risk of disease transmission.

Medical devices can be particularly challenging to secure, even when their vulnerabilities are known, because many run legacy operating systems that cannot host security agents or cannot be patched at all. Something as simple as a nurse call system can be riddled with vulnerabilities, and replacing a device such as an MRI machine is not always feasible, especially in an industry that faces constant budget cuts.

Healthcare systems are also exposed to third-party risk, such as site-to-site VPN tunnels with laboratory testing partners. Sophisticated threat actors may target these less well-defended partners as an entry point into healthcare networks. The Change Healthcare breach earlier this year demonstrates how threat actors target hubs that connect into multiple organisations.

Ensuring Effective Medical Device Oversight and Security

A holistic approach to cyber exposure management must start with a comprehensive asset inventory of hardware, software, and systems across all enterprise assets, including IoT, IoMT, OT, cloud, remote, and virtual.

Contextualising this inventory, for example differentiating between an infusion pump in an ER and one in a day clinic, helps prioritise remediation so that vulnerabilities affecting critical patient care are addressed first.

Vulnerability assessments and patch management processes should leverage this comprehensive and contextualised asset inventory to identify vulnerable devices and prioritise their remediation. Healthcare organisations must focus on ensuring the reliability of patient care, as well as protecting sensitive data.
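The ranking the previous two paragraphs describe, as an added example that is not code from the article or from Armis: a scanner's technical severity is scaled by where the asset sits, what class it is, whether it is reachable from outside, and whether the finding appears on an actively-exploited list (the threat-intelligence input discussed later on this page). The asset records, findings, vulnerability identifiers, exploited list and every weight are assumptions constructed for illustration; a real programme would take them from the asset inventory, scanner output and a threat-intelligence feed. Unpatchable devices are routed to segmentation rather than a patch ticket.

```python
"""Contextualised remediation ranking over a constructed asset inventory.

Added example, not code from the article or from Armis. All records and
weights below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed clinical-impact weight by location: the same infusion pump model
# matters more in the ER than in a day clinic or in storage.
LOCATION_WEIGHT = {"er": 3.0, "icu": 3.0, "ward": 2.0, "day_clinic": 1.0, "storage": 0.5}
# Assumed weight by asset class: devices that touch patients rank highest.
CLASS_WEIGHT = {"iomt": 1.5, "ot": 1.3, "it": 1.0, "iot": 0.8}
EXPLOITED_MULTIPLIER = 2.0   # assumed: finding is on an actively-exploited list
EXPOSED_MULTIPLIER = 1.5     # assumed: asset is reachable from outside the network


@dataclass(frozen=True)
class Asset:
    asset_id: str
    model: str
    asset_class: str       # it / ot / iot / iomt
    location: str
    patchable: bool        # False for legacy-OS devices the vendor cannot patch
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    asset_id: str
    vuln_id: str           # constructed identifiers, not real CVE numbers
    cvss: float


def risk_score(asset, finding, exploited):
    """Scale the technical severity by clinical context, exposure and intel."""
    score = finding.cvss
    score *= LOCATION_WEIGHT.get(asset.location, 1.0)
    score *= CLASS_WEIGHT.get(asset.asset_class, 1.0)
    if finding.vuln_id in exploited:
        score *= EXPLOITED_MULTIPLIER
    if asset.internet_exposed:
        score *= EXPOSED_MULTIPLIER
    return score


def recommended_action(asset):
    """Unpatchable devices get isolation rather than a patch ticket."""
    return "patch" if asset.patchable else "segment and apply compensating controls"


def rank_findings(assets, findings, exploited):
    """Return findings ordered most-urgent first, with the reasoning attached."""
    by_id = {a.asset_id: a for a in assets}
    ranked = []
    for f in findings:
        a = by_id[f.asset_id]
        ranked.append({
            "asset_id": a.asset_id,
            "location": a.location,
            "vuln_id": f.vuln_id,
            "score": risk_score(a, f, exploited),
            "action": recommended_action(a),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed sample inventory, scanner findings and intel list.
SAMPLE_ASSETS = [
    Asset("pump-er-01", "infusion-pump-x", "iomt", "er", False, False),
    Asset("pump-dc-04", "infusion-pump-x", "iomt", "day_clinic", False, False),
    Asset("nursecall-srv", "nurse-call-server", "it", "ward", True, False),
    Asset("lab-vpn-gw", "vpn-gateway", "it", "datacentre", True, True),
]
SAMPLE_FINDINGS = [
    Finding("pump-er-01", "SAMPLE-VULN-1", 7.5),   # same bug, two locations
    Finding("pump-dc-04", "SAMPLE-VULN-1", 7.5),
    Finding("nursecall-srv", "SAMPLE-VULN-2", 9.8),
    Finding("lab-vpn-gw", "SAMPLE-VULN-3", 8.1),
]
SAMPLE_EXPLOITED = {"SAMPLE-VULN-2"}


def sample_ranking():
    return rank_findings(SAMPLE_ASSETS, SAMPLE_FINDINGS, SAMPLE_EXPLOITED)


if __name__ == "__main__":
    for row in sample_ranking():
        print(f'{row["score"]:6.2f}  {row["asset_id"]:<14} {row["vuln_id"]:<14} {row["action"]}')
```

The point the output makes is that the identical finding on the identical pump model lands at the top of the list for the ER unit and near the bottom for the day-clinic unit, and that the unpatchable pump is routed to segmentation and compensating controls rather than to a patch cycle it cannot complete.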

Securing accounts against unauthorised access and misuse requires a combination of controls, such as Identity and Access Management (IAM) and MFA, together with real-time network monitoring to detect suspicious behaviour such as unauthorised access to electronic health records (EHR).

Network monitoring can also detect IoT devices that authenticate over unencrypted protocols or still use default credentials, and alert security teams to repeated failed authentication attempts, which can indicate a brute-force attack. Integrating actionable threat intelligence, such as tracking attacker techniques, malware campaigns and high-priority vulnerabilities, also helps prioritise the remediation of vulnerabilities that attackers are actively exploiting.
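The detection logic this paragraph describes, as an added example that is not code from the article or from Armis: a single pass over authentication records that raises an alert for a burst of failures from one source against one device, a second alert if that source then succeeds, and an alert for any device accepting logins over a cleartext protocol. The log line format, the protocol list, the thresholds and the sample events are all assumptions constructed for illustration; in practice the parser would target whatever the network sensor or device actually emits.

```python
"""Detection logic over constructed authentication log lines.

Added example, not code from the article or from Armis. The record format,
thresholds and sample events are assumptions constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format emitted by a hypothetical network authentication monitor.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
CLEARTEXT_PROTOS = {"telnet", "http", "ftp"}   # credentials cross the wire unencrypted
FAIL_THRESHOLD = 5                              # assumed: failures before alerting
WINDOW = timedelta(seconds=60)                  # assumed: sliding window for failures


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines):
    """Stream the lines once and emit alerts for the three patterns."""
    alerts = []
    recent_fails = defaultdict(deque)   # (src, dst) -> failure timestamps inside the window
    brute_forced = set()                # (src, dst) pairs already alerted on
    cleartext_seen = set()              # (dst, proto) pairs already alerted on
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                    # malformed lines are skipped, not fatal
        pair = (ev["src"], ev["dst"])

        if ev["proto"] in CLEARTEXT_PROTOS and (ev["dst"], ev["proto"]) not in cleartext_seen:
            cleartext_seen.add((ev["dst"], ev["proto"]))
            alerts.append({"type": "cleartext_auth", "dst": ev["dst"],
                           "proto": ev["proto"], "at": ev["ts"]})

        if ev["result"] == "fail":
            q = recent_fails[pair]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # drop failures that aged out
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and pair not in brute_forced:
                brute_forced.add(pair)
                alerts.append({"type": "brute_force", "src": ev["src"], "dst": ev["dst"],
                               "failures": len(q), "at": ev["ts"]})
        elif pair in brute_forced:
            # A success after a flagged burst is the event worth paging on.
            alerts.append({"type": "success_after_brute_force", "src": ev["src"],
                           "dst": ev["dst"], "user": ev["user"], "at": ev["ts"]})
    return alerts


def summarise(alerts):
    """Count alerts by type."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["type"]] += 1
    return dict(counts)


# Constructed sample log: a normal EHR login, a six-attempt SSH burst against an
# infusion pump that finally succeeds, a Telnet login to an HVAC controller, two
# widely spaced failures that must not alert, and one malformed line.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z src=10.1.2.2 dst=ehr-app proto=https user=nurse.k result=ok
2024-06-01T10:00:05Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=fail
2024-06-01T10:00:09Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=fail
2024-06-01T10:00:14Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=fail
2024-06-01T10:00:18Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=fail
2024-06-01T10:00:23Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=fail
2024-06-01T10:00:27Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=fail
2024-06-01T10:00:31Z src=10.1.5.7 dst=pump-03 proto=ssh user=root result=ok
2024-06-01T10:02:00Z src=10.1.9.2 dst=hvac-01 proto=telnet user=admin result=ok
2024-06-01T10:03:00Z src=10.1.2.2 dst=ehr-app proto=https user=nurse.k result=fail
2024-06-01T10:20:00Z src=10.1.2.2 dst=ehr-app proto=https user=nurse.k result=fail
this line is not an auth record
"""


def sample_alerts():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
    print(summarise(sample_alerts()))
```

Two design points matter more than the thresholds: the per-(source, device) sliding window means the two nurse logins 17 minutes apart never count toward a burst, and the follow-on "success after brute force" alert is what turns a noisy failure counter into something an on-call analyst should act on immediately.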

Australian healthcare organisations should be implementing all of these processes and working toward network segmentation, one of the strongest controls an organisation can have. Finally, none of these practices is a fixed point in time or a one-off event; they must be run as a continuous process. Proactive risk and vulnerability management is a form of threat prevention, and prevention is the best medicine.

Mohammad Waqas is the Chief Technology Officer (CTO) for Healthcare at Armis. He is an information security professional with over a decade of experience in the healthcare cybersecurity industry. Currently Mohammad helps healthcare organisations across the globe with medical device security and works on aligning the value of the Armis platform to the specific use cases that exist in healthcare. Mohammad not only looks at the security threats of cyberattacks on healthcare delivery organisations but also has a passion for protecting patient privacy and the implications of the two on clinical risk management.