Digital Connectivity Across the Continuum of Care
Healthcare providers that operate within a region rely upon extensive digital connectivity to coordinate care across hospitals, clinics and specialist practices. When a cybersecurity breach occurs in this type of environment (e.g. the Central Maine Healthcare data breach), it demonstrates how extended digital connectivity increases an organization's overall risk exposure by offering multiple points of entry, rather than a single, well-defined attack vector.
Regional Healthcare Networks vs. Stand-Alone Facilities
Regional healthcare networks leverage shared electronic health record (EHR) platforms, centralized identity management and ongoing remote access for their clinicians, administrative staff and third-party partners. As a result, the interconnectedness of these systems allows authorized users to move seamlessly across multiple locations, systems and data repositories. However, once an attacker gains access to a regional healthcare network by the same means, the typically limited internal segmentation lets them move laterally across the network without triggering the alerts that would otherwise increase the likelihood of detection.
One of the largest risks associated with extended network access is the amount of time an intruder spends inside a compromised system or server. When a security breach occurs in healthcare, it is common to find that the intruder has spent weeks to months inside the facility without detection. Because the access is continuous and the user credentials appear legitimate, it is difficult to recognize that the behaviour is abnormal compared with what would typically be seen within a facility or system. Prolonged dwell time allows a threat actor to learn the healthcare organization's network architecture, escalate their privileges and choose the time and location at which to capture sensitive data, instead of relying on loud, detectable activity.
Another factor that complicates detecting and containing security breaches in the healthcare sector is the complexity of regional healthcare IT environments. Healthcare systems often operate in a hybrid model: some systems run on legacy infrastructure, others use modern cloud-based tools, and a third group consists of highly specialized clinical applications that must be available 24/7 and operated securely. Operational constraints limit what security teams can do; they cannot perform aggressive continuous monitoring or frequently disrupt user access. The fragmented security visibility across these different platforms adds the risk that organisations miss suspicious activity altogether.
The potential for harm grows as access is extended. Once an attacker gains a foothold, the interconnectivity between organisations lets patient data be reached through many different systems. Treatment history, insurance information, provider notes and identifiers may all reside in separate systems, yet they remain accessible through the shared access frameworks. This increased potential for exposure is a major concern within the healthcare sector, since compromised information can result in identity theft, insurance fraud and lasting consequences for a patient's privacy.
Access by third parties creates another layer of risk. In regional healthcare systems, vendors, consultants and service providers typically receive remote access to conduct billing, provide IT support, perform diagnostic tests and analyse data. Although such relationships are vital to operations, they enlarge the attack surface and create dependencies on security measures implemented outside the operating environment. If a third party's credentials are compromised or their security controls are inconsistent, an attacker can use that relationship as a back door into the healthcare organisation's internal systems.
To address these risks, healthcare organizations must take steps beyond perimeter security (firewalls and the like), including extensive internal network segmentation, enforcing least-privilege access policies (limiting access to only what is necessary to perform job duties), and regularly reviewing user permissions across all systems. Continuous monitoring to detect anomalies and enable rapid response is critical to identifying unauthorised activity as early as possible and to limiting the lateral movement of malicious actors throughout an organisation. Governance is equally important: access should be granted only for valid business needs, reviewed regularly, and removed immediately when it is no longer required.
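Two of the controls above, anomaly detection on access logs and periodic third-party access review, can be illustrated with a small script. This is an added example, not code from the article or from any healthcare organisation; the account names, facilities, log format and review interval are all constructed assumptions.

```python
# Added example (not from the article): flag accounts whose activity spans
# facilities/repositories beyond their usual pattern, and third-party accounts
# whose access has not been re-certified within the review interval.
# Account names, facilities and the log format are constructed for the demo.
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp, account, facility, repository
ACCESS_LOG = """\
2024-03-01T08:05:00,dr.alvarez,north_hospital,ehr
2024-03-01T09:10:00,dr.alvarez,north_hospital,imaging
2024-03-01T22:40:00,dr.alvarez,south_clinic,billing
2024-03-01T22:41:00,dr.alvarez,east_specialists,ehr
2024-03-01T22:43:00,dr.alvarez,east_specialists,insurance
2024-03-01T10:00:00,billing_vendor,north_hospital,billing
""".splitlines()

# Constructed baseline: facility/repository pairs each account normally uses
BASELINE = {
    "dr.alvarez": {("north_hospital", "ehr"), ("north_hospital", "imaging")},
    "billing_vendor": {("north_hospital", "billing")},
}

def flag_out_of_pattern(log_lines, baseline, max_new_pairs=2):
    """Return accounts touching more than max_new_pairs facility/repository
    pairs outside their baseline: a legitimate-looking credential wandering
    across the region is the lateral-movement signal described above."""
    novel = defaultdict(set)
    for line in log_lines:
        _ts, account, facility, repo = line.split(",")
        pair = (facility, repo)
        if pair not in baseline.get(account, set()):
            novel[account].add(pair)
    return {a: sorted(p) for a, p in novel.items() if len(p) > max_new_pairs}

# Constructed third-party accounts with the date their access was last reviewed
THIRD_PARTY_ACCESS = {
    "billing_vendor": "2023-06-15",
    "it_support_msp": "2024-02-01",
}

def stale_third_party_access(records, today, max_age_days=180):
    """Return third-party accounts whose last review is older than the
    interval, i.e. candidates for re-certification or removal."""
    now = datetime.strptime(today, "%Y-%m-%d")
    return sorted(a for a, d in records.items()
                  if (now - datetime.strptime(d, "%Y-%m-%d")).days > max_age_days)

if __name__ == "__main__":
    print(flag_out_of_pattern(ACCESS_LOG, BASELINE))
    print(stale_third_party_access(THIRD_PARTY_ACCESS, "2024-03-01"))
```

In production the baseline would be learned from historical logs per role and facility rather than hard-coded, and flagged accounts would feed an alert rather than a print.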
As regional health networks continue to evolve and expand through digitization, organisations will need to provide greater access to more people; this creates greater risk, because as systems become more interconnected, the potential for breach exposure grows exponentially. Understanding how increased interconnectivity raises the potential for breaches is crucial to building resilient systems that protect patient data while supporting modern care delivery.
