Guide To Healthcare Cybersecurity - Patching

In June of 2017, healthcare cybersecurity guidelines were delivered to and Congress by the Healthcare Industry Cybersecurity Task Force (HCIC). The report contains more than 100 recommendations and action items grouped under six specific imperatives.

Digging into the numbers behind healthcare cybersecurity attacks, one thing becomes clear:

Keeping systems patched and current is the #1 step

healthcare organizations can take to reduce vulnerabilities

In the recently released Ponemon Institute Cost of a Data Breach study, healthcare breaches ranked as the costliest of any industry for the 7th straight year. Healthcare breaches in the US alone cost $6.2 billion annually. And at an average of $320 per record, healthcare breaches are 2.5 times more expensive than the global industry average.

And, according to BitSight, 15% of healthcare organizations are running outdated operating systems with 16% running outdated software. It’s no surprise that 90% of hospitals have reported a breach in the past two years.

How does this relate to patching? The Office of the National Coordinator for Health Information Technology (ONC) looked at how and where breaches of unsecured protected health information occurred.

99% of healthcare breaches were hacking/IT incidents

95% of breaches occurred through network servers

If those numbers don’t give you pause, the increased sophistication of attacks will. In 2014, just 1.8 million people were affected by hacking, in 2015 that number jumped to 111 million people.

So what does the HCIC recommend as it relates to patching and system monitoring? The first two patching and monitoring recommendations are included in Imperative 2 - Increase the security and resilience of medical devices and health IT.

The first is action item 2.1.3 under recommendation 2.1 - Secure legacy systems. It states:

For devices that still receive some support from the device manufacturer and/or application vendor, these organizations must make real-time updates and patches (e.g., to the operating system), as well as make compensating controls available to end users. Organizations should also have a policy/plan in place to be able to receive and implement available updates.

The key language here is “real-time updates and patches”. Historically this was difficult due to manual patching processes and the complexity of maintaining a myriad of systems and 3rd party software. The ability to patch in real time was quite literally impossible without significant overhead costs and resources. Not so today.

Automox is one of a new breed of patching and monitoring solutions that can handle any operating system (Windows, Mac, and Linux) as well as 3rd party software patches in real time through secure, fully controllable patch automation.

The next recommendation is 2.2 - Improve manufacturing and development transparency among developers and users.

The recommendation calls for transparency regarding third party software components. Organizations need to create a “bill of materials” to manage their assets. They need to know what they have on their systems in order to determine if the technologies could be open to threats or vulnerabilities. Action item 2.2.1 states:

Manufacturers and developers must create a “bill of materials” that describes its components (e.g., equipment, software, open source, materials), as well as any known risks associated with those components to enable health care delivery organizations to more quickly determine if they are impacted.

This “bill of materials” is another way of stating that healthcare companies need to understand their systems inventory and monitor it on an ongoing basis. This is not a new idea in IT security, but you may not have known that you can now monitor your entire infrastructure for free. There is no limit to the number of systems monitored and preconfigured reports are included. Additionally, you can see the system configuration for each system as well as outstanding patches and updates with their severity rating.

The final patching and monitoring recommendation is included under Imperative 4 -  Increase health care industry readiness through improved cybersecurity awareness and education.

It is part of recommendation 4.2 - Establish a cybersecurity hygiene posture within the healthcare industry to ensure existing and new products/systems risks are managed in a secure and sustainable fashion. Cybersecurity hygiene includes online behaviors and practices including password length, USB port usage, virus scanning, and backing up data. Action item 4.2.3 states:

Health care organizations must develop a strategy for cybersecurity hygiene for existing and legacy equipment, a systematic approach for patching, implementation of compensating controls, isolation, and/or replacement (as available or applicable) should be applied.

Don’t become a statistic.

Pairing an affordable systematic approach for patching with fast and easy implementation of configuration setting management (ensuring employee compliance with your improved security practices), Automox supports your adoption of the new healthcare cybersecurity guidelines in just a few minutes a day.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trialof Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.