Healthcare Needs better Access Control

 

A rising tide of opportunistic ransomware and targeted nation state cyber attacks against medical research labs working on cures for COVID19 has made cybersecurity a turning point for most providers.


Last week in the Cylera blog I wrote about Zero Trust which is slowly growing in popularity across organizations like Google, but has so far, only limited deployment across the healthcare industry. Zero trust may prove to be nothing more than another panacea at the end of the day against a rising tide of cyberattacks, or, it may prove to be a vital cog in the wheel that finally redresses the balance between defenders and attackers by minimizing what can be attacked. I'm betting on the latter personally.

Zero Trust works on the basis of well-known, frequently voiced, but usually not fully implemented security principles of 'Least Privilege' and 'Trust But Verify'. Trust your staff but verify their activity and don't provide them more access than they need to do their jobs. The principles are not too dissimilar to military personnel, where access is granted on the basis of 'need to know' following 'mandatory access control' principles - based upon your role, rank and assignment.

In other words instead of being given access to everything when you join an organization, you should be provided access only to what you need in order to do your job. You get a key to this box and that box but no other boxes and what you access is monitored. Essentially you have segmented or compartmentalized access rather than carte blanche. As your role or assignment changes, so certain keys are revoked and new ones are provided.


One way of looking at this segmentation approach is to think about the story of a fox in the hen house. Rather than one large hen house and one large door, segmentation places each hen in its own hen house with its own locked door. A hungry fox can then only get to one hen with each breach rather than them all at once as is the case in most hen houses today. By limiting and containing a successful attack, the fox only gets to steal one hen which may not be worth the effort to break down its coup door. The loss of one hen won’t put the farmer out of business and alerts him to the fact that there is a fox in his midst and to get his shotgun.

Of course, in this example the fox is an outside threat, but malicious insider threats are a growing concern with rising levels of cyber espionage and theft of commercial trade secrets and intellectual property by staff. The recent story of Xiaolang Zhang is perhaps a good example. Zhang, had worked at Apple in the Bay Area for several years on its autonomous self-driving car project. He announced his intention to leave the company after returning from a trip to China, in order to join a competitor XMotors (aka Xiaopeng Motors) based in Guangzhou.

Before handing in his resignation however, he trolled the Apple network for data and copied over 40GB of trade secrets, and walked out the building with a Linux server, and circuit boards. He was arrested by the FBI at San Jose airport before boarding a plane out of the country. Zhang was caught because he had gone outside of the swim-lane required for his role and had raised suspicions. 'Trust but Verify' in this case landed Zhang in court when verification of his activities took place and were found to be illegitimate.


In healthcare, there is an implicit trust across staff to do the right thing and a common belief that everyone is mission-orientated to provide the best possible patient care. However, that may not always be the case. The value of healthcare data – PII, PHI, and IP such as clinical research into new drugs and treatments is rising in value, and a number of clinical researchers have been caught stealing intellectual property of the hospital or research facility they work for.

Last year a husband and wife team, Yu Zhou, 49, and Li Chen, 46, were charged with stealing intellectual property related to pediatric medical treatments they had worked on while employed at Nationwide Children's Hospital in order to launch their own pharmaceutical company in China. When they took this company public in China, it netted them millions of dollars based on the cutting edge research developed at Nationwide Children's.

Zhou and Chen are not alone however, and nor are they the only Chinese citizens involved in medical IP theft. The NIH and FBI are investigating 180 individual cases of alleged intellectual property theft of biomedical research funded by the U.S. government, primarily involving Chinese or Chinese American researchers, The New York Times reports.

While the principles of Zero Trust and Segmentation would probably not have averted all of these attacks, it is likely that many could have been contained to smaller thefts of data, and alerts raised earlier as verification of access took place, thus alerting security staff to suspicious access.

Zero Trust is a key ingredient in helping to solve healthcare security. Not only is it a very effective preventative control, restricting access by users and objects like applications or devices to data, but it's also a critical indicator of risk, letting your operations team know when anomalous access behavior is attempted.

Subscribe to our periodic posts via email me to new posts so I don't miss them please.

Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.