4 Vulnerability Management Risks in Healthcare
The healthcare vertical is a complex and interconnected computing environment. This regulated industry has also been marked as one of the 16 critical infrastructure sectors by the Cybersecurity & Infrastructure Security Agency (CISA). Sound risk management and vulnerability management techniques are paramount to ensure national public health and safety. The unique combination of traditional computing infrastructure, interconnectivity and regulation necessitates a sound (and sometimes unique) approach to running a successful vulnerability management program.
This article is an extract from the report: CTEM: Redefining Vulnerability Management in Healthcare, which is available to download.
From a regulatory perspective, the healthcare vertical is usually synonymous with the Health Insurance Portability and Accountability Act, more commonly known as “HIPAA”. The act was passed in 1996; its Security Rule, formally the “Security Standards for the Protection of Electronic Protected Health Information”, governs electronic protected health information (ePHI), and covered entities had to comply with it by April 2005. The Security Rule requires periodic risk assessments, and a strong vulnerability management process is necessary to produce an accurate one.
The HITRUST Common Security Framework (CSF) is a framework organizations often use to demonstrate compliance with the HIPAA Security Rule. It consists of 19 domains focused on data protection, is based on ISO/IEC 27001 (structured similarly to ISO/IEC 27001:2005), and is regularly updated to reflect technological and policy changes. The seventh domain specifically covers Vulnerability Management, including patching, vulnerability scanning, antivirus and anti-malware software, and network- and host-based intrusion detection systems.
4 Vulnerability Management Risks
Like most industries, healthcare has risks that are inherent to the sector; however, there are a significant number of areas that pose risks to healthcare operations, many of which could be successfully mitigated with minimal effort if those risks were fully understood by management and by the information technology workforce. For the sake of brevity, the following are among the top risks to address:
- the reliance on legacy systems
- keeping systems updated and patched across the integration of numerous types of technologies, often with poor role-based access control and a proliferation of electronic access through APIs
- a wide variety of 3rd party software utilized in operations
- management awareness and buy-in
Legacy Systems
Legacy systems are systems that have outlived both technological advancements and their vendor-supported lifespan. Outdated systems are more vulnerable to cyberattacks because they lack the latest security features and updates. In 2021, hacking was responsible for 74% of all healthcare breaches in the United States.
The continued use of legacy systems significantly increases this risk because patches and security updates, intended to prevent exploitation, are no longer being delivered. Replacing these systems is crucial to mitigating these risks and protecting sensitive patient information. However, replacing a legacy system can be costly and is often seen as a poor return on investment, leading organizations to accept the risk. Where replacement is deferred, accepting the risk should mean documenting it and applying compensating controls such as network isolation, not simply leaving the system in place as-is.
System Updating and Patching
Keeping systems updated and patched is another critical aspect of cybersecurity in healthcare. Regular updates and patches are essential to fix vulnerabilities that cybercriminals could exploit. In the first half of 2024 alone, 387 data breaches of 500 or more records were reported to the Office for Civil Rights, highlighting the ongoing threat.
The main challenge for most security teams is accurately assessing the risk associated with known vulnerabilities. This task can be overwhelming given the sheer number of vulnerabilities disclosed across the technology sector. Identifying which vulnerabilities are most likely to be exploited, and which could significantly impact the organization, is crucial for effective mitigation. A severity score alone does not answer that question; evidence of active exploitation (for example, a listing in CISA's Known Exploited Vulnerabilities catalog), the asset's exposure, and whether it handles patient data all have to be factored in.
The simplest and most efficient way to manage these risks is to regularly update systems and applications with the latest security patches. Delaying updates out of fear of disrupting the environment should itself be recognized as a risk and managed accordingly. Procrastinating on updates and patches leads to resource issues and creates a vicious cycle in which the initial problem is never fully addressed.
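As an added example (not code from the report or from any vendor product), the following Python scores a constructed vulnerability backlog the way the prioritization described above requires: it blends CVSS severity with exploitation evidence (EPSS probability and CISA KEV listing), asset exposure and ePHI handling, and it raises rather than lowers the ranking of unsupported legacy systems from the Legacy Systems section, since those need compensating controls instead of a patch. Every host name, CVE identifier, weight and SLA band is an assumption made for illustration.

```python
"""Risk-based prioritization of a vulnerability backlog.

Added illustration, not code from the report or from any vendor product.
Every host, CVE identifier and score below is a constructed placeholder,
and the weights and SLA thresholds are assumptions chosen to show the
technique; a real program would pull CVSS, EPSS and KEV data from NVD,
FIRST and CISA and tune the weights to its own risk appetite.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                 # constructed placeholder, not a real CVE ID
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS probability of exploitation, 0-1
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_exposed: bool   # reachable from outside the network
    handles_phi: bool        # stores or processes electronic PHI
    vendor_supported: bool   # False means legacy / end-of-support: no patch is coming


def priority_score(f: Finding) -> float:
    """Blend severity, exploit likelihood and business impact into a 0-100 score."""
    severity = f.cvss * 4.0                                    # 0-40
    likelihood = 30.0 if f.in_kev else f.epss * 30.0           # 0-30; KEV forces the ceiling
    impact = (15.0 if f.internet_exposed else 0.0) + (15.0 if f.handles_phi else 0.0)  # 0-30
    score = severity + likelihood + impact
    if not f.vendor_supported:
        # A legacy system cannot be patched; that raises the risk rather than
        # excusing it, so it ranks higher and gets compensating controls.
        score = min(100.0, score + 10.0)
    return round(score, 1)


def remediation_sla_days(score: float) -> int:
    """Assumed remediation windows by score band (an illustrative policy)."""
    if score >= 80.0:
        return 7
    if score >= 60.0:
        return 30
    if score >= 40.0:
        return 90
    return 180


def prioritize(findings):
    """Return the backlog ordered by descending priority, each with an SLA and action."""
    plan = []
    for f in findings:
        score = priority_score(f)
        action = ("patch" if f.vendor_supported
                  else "isolate and apply compensating controls (no patch available)")
        plan.append({
            "host": f.host,
            "cve": f.cve,
            "score": score,
            "sla_days": remediation_sla_days(score),
            "action": action,
        })
    return sorted(plan, key=lambda row: row["score"], reverse=True)


# Constructed sample backlog; the CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("imaging-ws-07",     "CVE-0000-0001", 9.8, 0.90, True,  False, True,  False),
    Finding("patient-portal-01", "CVE-0000-0002", 7.5, 0.40, False, True,  True,  True),
    Finding("it-admin-ws-12",    "CVE-0000-0003", 9.1, 0.02, False, False, False, True),
    Finding("checkin-kiosk-03",  "CVE-0000-0004", 5.3, 0.05, False, False, True,  True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['score']:5.1f}  {row['sla_days']:3d}d  "
              f"{row['host']:<18} {row['cve']}  {row['action']}")
```

Run as a script, the ordering is the point: the unsupported imaging workstation with a KEV-listed flaw comes first and is routed to isolation rather than an impossible patch, the internet-facing portal handling ePHI comes second, and the CVSS 9.1 finding on an internal admin workstation with negligible exploitation probability ranks last, behind a CVSS 5.3 issue on a kiosk that handles patient data. Sorting by CVSS alone would have inverted that.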
3rd Party Software Utilization
A healthcare organization has a prolific collection of 3rd party software in use. From simple tools used by the IT workforce, to business analytics, to supply chain management, it is estimated that over 1,300 separate vendors supply software to the average healthcare organization. Keeping up with that number is an extremely large challenge for IT and security teams.
There are over 175,000 identified vulnerabilities in the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) list. In 2023 alone, over 26,000 vulnerabilities were disclosed, a significant increase, and the trend has been upward for several years.
Staggering as these numbers are, they make it critical for healthcare organizations to have a well-defined vulnerability management program that covers 3rd party risk. For the past few years, over 90% of the largest reported healthcare data breaches were caused by 3rd party vendors.
Management Awareness and Buy-in
A critical risk factor is a lack of understanding among upper management of the importance of proper security measures. When leadership does not prioritize cybersecurity, the result is insufficient investment in necessary technologies and training.
This oversight can have severe consequences: the Department of Health and Human Services reported 725 healthcare data breaches in 2023, exposing over 133 million health records. Ensuring that upper management is aware of and committed to robust cybersecurity practices is essential for protecting patient data and maintaining trust in healthcare systems.
This responsibility is also shared by the organization's security leaders. If a Chief Information Security Officer (CISO) is in place, they must communicate appropriate risk levels and provide mitigation recommendations. In today's world, the absence of this role or a dedicated security professional with senior-level or board reporting responsibilities is a significant red flag, indicating a lack of understanding within the organization.
For any organization aiming to improve its security posture, it is crucial to have buy-in from all senior-level management. They must demonstrate their commitment by supporting and adhering to the same policies set for employees.