Whitepaper

Cybersecurity and the Healthcare Industry

Several factors drive the increase in cyber-attacks against our industry:
Healthcare data is critical. Our ecosystem provides time-sensitive care to patients and the ability to provide this care is driven by access to patient data. Our reliance on this data leaves us paralyzed when it is taken hostage. 
Healthcare data is persistent. Unlike the banking industry where a compromised debit or credit card can be easily replaced, social security numbers and national insurance numbers are permanent, making them more valuable to cybercriminals. 
Finally, a key business driver for adopting IT into healthcare is efficiency. Security is an afterthought. As the industry tackles the inherent complexities of delivering services faster, reliably and in a collaborative manner, we must move from a high cost model of bolting security on as an afterthought, to building security into our system development lifecycles. Having a first class cybersecurity program doesn't mean detracting from business objectives focused on innovation, speed and performance.

McKesson Medical-Surgical has both a self-serving and altruistic reason for sharing our thoughts on cybersecurity with our customers, suppliers and partners. First, selfishly, we rely on all three of these communities for safe, reliable and quality data exchanges. We want, indeed we need, our partners to engage in this dialogue and continuously pursue cybersecurity measures. More generally speaking, we believe that it is in the best interest of our country, our communities and our industry that we pursue it together. We all must take action as part of the healthcare ecosystem to collaborate and share information across our industry and encourage awareness that will allow us to prevent attacks and respond to future threats.

Cyber threats have evolved over time. Initially, few hackers had the knowledge and ingenuity to reverse-engineer code and perpetrate malicious attacks. Now, hackers collaborate through an ecosystem that is mutually supportive and largely opportunistic. It is a misconception that unleashing a cyberattack is difficult, expensive and possible only for experts with special skills. Malware-as-a-Service (MaaS) is a vibrant, multi-billion-dollar industry that allows hackers to purchase, lease and pay others to launch an attack on their behalf [2].

In 2016, the healthcare industry saw a rise in ransomware - malware that covertly installs itself on a victim's computer. Once installed, it encrypts the files on the victim's computer and notifies the victim that a ransom must be paid to decrypt the files and regain access to the computer.

The attack against Hollywood Healthcare clearly demonstrates cybercriminals' resolve. Hackers maliciously accessed and encrypted several of the hospital's servers and demanded the hospital pay a ransom to get their data back. The hospital paid a $17,000 ransom and, due to the potential loss of life and lack of confidence in their IT systems, began moving patients to other nearby hospitals [3].

McKesson Medical-Surgical is no stranger to these types of attacks. In the coming years, we anticipate witnessing more automated and weaponized incursions. Instead of impacting one or two vulnerable systems on a company's network, the more sophisticated attack will propagate across customer and partner connected networks.

Defending against cyber threats is not something that we can solve in a vacuum, nor is it simply an IT issue. We are constantly evaluating the security posture of our technology, applications and services we provide to our customers. We must carefully weigh the impact of change on our customers and partners against the risk of doing nothing. There are no easy solutions. 

Our best collective path forward as an industry is a combination of training, system maintenance and updates, and collaborative and integrated partner solutions, each discussed below.

Training

Most organizations implement a layered or "defense-in-depth" approach to security, a methodology requiring attackers to bypass multiple layers of security controls (e.g. firewalls, antivirus, email spam filters), thus making it more difficult for hackers to disrupt business operations. However, this approach ignores our most valued first line of defense: our employees.

MIT Sloan Management Review (Winter 2017) estimates that between "50% to 80% of all cyberattacks are aided or abetted by insiders, usually unintentionally - typically through some kind of social engineering or phishing expedition [involving emails containing a link or attachment to click on]. Untargeted mass phishing emails have an open rate of 1% to 3%. But highly targeted 'spear phishing' is much more effective, with an open rate of about 70%. With spear phishing, you'd get an email that appeared to come from a high-ranking executive at your company, that referred to you personally and that asked you to take some specific action consistent with your job [4]." Examples of spear phishing include emails ostensibly from the CEO asking an HR employee to send W-2 information on all company employees or asking someone in Accounting to transfer funds to a new vendor.

Educating all employees to question suspicious emails or phone calls can greatly reduce exposure to the threat vector that is hardest to secure with technology alone.

System Maintenance and Updates

System maintenance and update (patching) efforts are individualized for every company. At McKesson Medical-Surgical, we're often reminded by our server and application development teams that our security group can dish out more work in a week than their teams can consume in a year. To their point, the number of new vulnerabilities identified on a monthly basis is alarming, especially for very heterogeneous IT environments.

Admittedly, the latest and greatest threats against technology will always have security teams ready to declare that the sky is falling. Instead of waiting for impending doom, we find the best method for addressing vulnerabilities is a steady and consistent patch management approach focused on enterprise coverage.

According to data gathered in the 2016 Verizon Data Breach Investigations Report (VDBIR), the majority of exploited vulnerabilities were disclosed in previous years, giving credence to the adage "oldies but goodies." The older the vulnerability, the more time hackers have had to automate and weaponize exploits that target your systems [5].

Focusing on a consistent approach rather than trying to tackle everything at once can help reduce the havoc levied on the network and application teams, leaving them fresh for battle when a zero-day vulnerability is released on the Internet.

Configuration management is also an important topic when addressing issues of cybersecurity. In this effort, it's best not to forget about your web applications. The Open Web Application Security Project (OWASP) Top 10 is a good reference for protecting your web apps from hackers. Not surprisingly, the Top 10 doesn't change much from year to year and includes, among other items, input validation. Simply put, if a web form has a name field, you expect a name to be input. OWASP suggests you check the data submitted to the application for special characters and never pass them into database queries as-is, because unvalidated special characters can lead to unauthorized database access.
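The name-field case above, as an added example that is not part of the whitepaper or McKesson's own code. It puts the weak pattern (the field value spliced into the SQL text) beside the corrected one (an allowlist check for what a name may contain, followed by a parameterized query so the database treats the value as data, not as SQL). The table, rows, the `NAME_RE` allowlist and the function names are constructed for this example; the database is an in-memory SQLite instance.

```python
import re
import sqlite3

# Constructed sample rows; not data from any real system.
PATIENTS = [
    (1, "Alice Smith", "MRN-0001"),
    (2, "Bob O'Brien", "MRN-0002"),
    (3, "Carol Jones", "MRN-0003"),
]

# Hypothetical allowlist for a "name" form field: a leading letter, then
# letters, spaces, hyphens and apostrophes, bounded in length. Anything
# else (quotes, equals signs, semicolons, ...) is rejected before it can
# reach the database layer.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,63}$")


def validate_name(value: str) -> bool:
    """Return True only if the value looks like a name field should."""
    return bool(NAME_RE.fullmatch(value))


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER, name TEXT, mrn TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    return conn


def lookup_unsafe(name: str) -> list:
    """The weak pattern: the field value is spliced into the SQL text, so
    special characters change the query instead of being compared as data.
    A legitimate name containing an apostrophe breaks the statement, and a
    crafted value can widen it to return every row."""
    conn = _connect()
    sql = f"SELECT mrn FROM patient WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def unsafe_breaks_on(name: str) -> bool:
    """True if the unsafe lookup cannot even run for this input."""
    try:
        lookup_unsafe(name)
    except sqlite3.Error:
        return True
    return False


def lookup_safe(name: str) -> list:
    """The corrected pattern: validate against the allowlist first, then
    bind the value as a parameter so the database never parses it as SQL."""
    if not validate_name(name):
        raise ValueError("name field rejected by input validation")
    conn = _connect()
    rows = conn.execute("SELECT mrn FROM patient WHERE name = ?", (name,))
    return [row[0] for row in rows]


def safe_rejects(name: str) -> bool:
    """True if the validated lookup refuses this input."""
    try:
        lookup_safe(name)
    except ValueError:
        return True
    return False
```

Parameter binding is the control that actually prevents the query from being altered; the allowlist is defence in depth and also catches values that are simply not names. Note that a blocklist of "special characters" alone would reject legitimate names such as O'Brien, which is why the allowlist admits the apostrophe and relies on binding to keep it harmless.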

Collaborative and Integrated Partner Solutions

Technologies like firewalls become less effective as connectivity solutions place our vendors, customers and partners directly on our networks. Network demarcation becomes ambiguous and border solutions less effective. The focus must be on protecting access to the data itself.

To help ensure our customer data is protected, McKesson Medical-Surgical has implemented and encourages our partners to incorporate Single Sign-On (SSO) solutions. This reduces the need to remember multiple complex passwords and ensures that the right people have the right access to data by relying on the partner's authentication mechanism - reducing the need to transmit the actual password across the network.

We've also enhanced our Electronic Data Interchange (EDI), which enables fast, accurate and reliable exchange of data between organizations. EDI creates a more robust standards-based format for automating business transactions and reducing costs and errors, and increases processing speed over other manual formats. The use of secure communication protocols also reduces the risk of data interception and tampering. These enhancements allow for easier adoption and business integration.

Our most common form of communication is email, and we discourage our employees from transmitting sensitive data via this medium. However, we know that from time to time it is required and, in those cases, we enforce encryption. To make email transactions easier, we've adopted Opportunistic TLS, a mechanism by which our mail server attempts to negotiate encryption with the receiving partner's email server. As long as the partner's email server is configured for Opportunistic TLS, the email will be encrypted over the Internet with no intervention required from either the receiver or the sender of the email. We encourage you to adopt this setting within your email server so that all email communications between our organizations will be encrypted. In cases where sensitive information needs to be transmitted via email and Opportunistic TLS is not configured at our partner's site, the recipient will be prompted to retrieve the email via our secure email gateway.
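The decision the paragraph describes, as an added example that is not part of the whitepaper or McKesson's mail configuration. Opportunistic TLS on SMTP works through the STARTTLS extension: the sending server reads the receiving server's EHLO reply and upgrades the session if STARTTLS is advertised. The code parses two constructed EHLO replies (one from a hypothetical partner that offers STARTTLS, one that does not) and applies the policy described on the page: encrypt when offered, send non-sensitive mail in the clear otherwise, and divert sensitive mail to a secure gateway when encryption is unavailable. The host names, policy labels and function names are assumptions for this example.

```python
# EHLO replies as a sending mail server would see them after connecting to
# the partner's SMTP port. Both are constructed samples, not captures.
EHLO_WITH_STARTTLS = (
    "250-mail.partner.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.legacy.example\r\n"
    "250-SIZE 52428800\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def advertised_extensions(ehlo_reply: str) -> set:
    """Parse the extension keywords from a multi-line 250 EHLO reply.

    Each line is '250' followed by '-' (more lines follow) or ' ' (last
    line). The first line carries the server's domain, the rest carry an
    extension keyword and optional parameters.
    """
    extensions = set()
    for index, line in enumerate(ehlo_reply.strip().splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index == 0:
            continue  # server greeting, not an extension
        keyword = line[4:].strip().split(" ", 1)[0].upper()
        extensions.add(keyword)
    return extensions


def delivery_decision(ehlo_reply: str, sensitive: bool) -> str:
    """Apply the opportunistic policy to one partner server.

    Returns one of the (assumed) labels:
      'tls'       - STARTTLS offered: upgrade the session, then send.
      'plaintext' - not offered, message not sensitive: opportunistic mode
                    sends in the clear with no intervention.
      'gateway'   - not offered, message sensitive: do not send the content
                    over SMTP; notify the recipient to collect it from the
                    secure gateway instead.
    """
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "tls"
    return "gateway" if sensitive else "plaintext"
```

One caveat the decision logic makes visible: the EHLO reply is read over an unauthenticated plaintext connection, so a network adversary positioned between the two servers can remove the STARTTLS keyword and force the 'plaintext' branch. That is why the page routes sensitive mail through the gateway rather than relying on opportunistic encryption alone; standards such as MTA-STS (RFC 8461) exist to let a receiving domain insist on TLS so that stripping fails rather than downgrades.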

In June 2015, the Internet Engineering Task Force (IETF) released a new Request for Comments (RFC 7568) that deprecates a previous protocol standard for securing websites, SSLv3, originally launched in 1996. At the time, this standard was considered secure, but now, twenty years later, the technology is outdated and cybercriminals have adapted. SSLv3 was commonly used in the HTTPS protocol that allows users to interact with a website securely. The IETF is advising organizations to configure their web servers to accept the newer, more secure TLS 1.1 and higher protocols. This impacts many organizations that utilize the older technology to secure their Internet-facing web applications. It also impacts customers using older versions of Internet Explorer, Chrome and Firefox to browse Internet sites, as they will no longer be able to access sites configured to accept only the newer secure protocols.

Microsoft, Google and Mozilla have already taken steps to deprecate SSLv3 from their respective browsers. We are encouraging our customers, if they have not already done so, to upgrade to the latest versions of Internet Explorer - v11, Firefox - v27 and Safari - v5.
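Two defender-side checks for the SSLv3 retirement described above, as an added example that is not part of the whitepaper or McKesson's own tooling. The first parses the version field of a TLS/SSL ClientHello so that a monitoring tool can count how many clients still offer SSLv3 before a server is reconfigured (the two hello prefixes are constructed header bytes, not captured traffic). The second builds a Python `ssl` server context that refuses SSLv3 as the page advises; it goes one step further than the page's TLS 1.1 floor and refuses TLS 1.0 and 1.1 as well, since RFC 8996 has since deprecated those too. Function names and the `VERSION_NAMES` table are assumptions for this example.

```python
import ssl
import struct

# Protocol version as encoded in SSL/TLS record and handshake headers.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}


def client_hello_version(record: bytes) -> str:
    """Return the protocol version named in a ClientHello's version field.

    Layout: record header = content_type(1) version(2) length(2), then the
    handshake header = msg_type(1) length(3), then client_version(2).
    TLS 1.3 clients leave 0x0303 here and negotiate 1.3 through the
    supported_versions extension, so this reads the legacy field only,
    which is enough to spot clients still offering SSLv3.
    """
    if len(record) < 11:
        raise ValueError("truncated record")
    content_type, _rec_major, _rec_minor, _length = struct.unpack("!BBBH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    if record[5] != 1:
        raise ValueError("not a ClientHello")
    major, minor = record[9], record[10]
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")


def is_deprecated_offer(record: bytes) -> bool:
    """True when the client asks for SSLv3, which RFC 7568 says servers must not negotiate."""
    return client_hello_version(record) == "SSLv3"


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that rejects SSLv3 and, beyond the page's
    TLS 1.1 floor, also rejects TLS 1.0 and 1.1 (deprecated by RFC 8996)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_minimum_name() -> str:
    """Name of the lowest protocol version the hardened context will accept."""
    return hardened_server_context().minimum_version.name


# Constructed ClientHello prefixes (headers only, no body): an SSLv3 offer
# and a TLS 1.2 offer carried in a TLS 1.0 record, as many clients send it.
SSLV3_HELLO = bytes([22, 3, 0, 0, 6, 1, 0, 0, 2, 3, 0])
TLS12_HELLO = bytes([22, 3, 1, 0, 6, 1, 0, 0, 2, 3, 3])
```

Run the parser over a sample of inbound hellos before flipping the server setting: the count of `is_deprecated_offer` hits is the population of clients (typically the old browser versions the page mentions) who will lose access once SSLv3 is turned off, which lets the outreach happen before the change rather than after the support calls.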

Citations

  1. Morgan, Steven. (2016, May 13). Top 5 Industries At Risk of Cyber-Attacks. Retrieved from https://www.forbes.com/sites/stevemorgan/2016/05/13/list-of-the-5-most-cyber-attacked-industries/#5b927943715e
  2. Poole-Robb, Stuart. (2015). Malware-as-a-service is Cyber Criminals' New Lucrative Business. Retrieved from https://betanews.com/2015/07/07/malware-as-a-service-is-cyber-criminals-new-lucrative-business/
  3. Winton, Richard. (2016, February 18). Hollywood Hospital Pays $17,000 in Bitcoin to Hackers; FBI Investigating. Retrieved from http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
  4. Mangelsdorf, Martha E. (2016, December 12). What Executives Get Wrong About Cybersecurity. Retrieved from http://sloanreview.mit.edu/article/what-executives-get-wrong-about-cybersecurity/
  5. 2016 Verizon Data Breach Investigations Report

The information contained in this white paper is for informational purposes only. McKesson makes no representations or warranties about, and disclaims all responsibility for, the accuracy or suitability of any information in the white paper and related materials; all such content is provided on an "as is" basis. MCKESSON FURTHER DISCLAIMS ALL WARRANTIES REGARDING THE CONTENTS OF THESE MATERIALS AND ANY PRODUCTS OR SERVICES DISCUSSED THEREIN, INCLUDING WITHOUT LIMITATION ALL WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. The content of this white paper and any related materials should not be construed as legal advice. Moreover, McKesson recommends consulting with a cybersecurity expert prior to implementing any of the strategies detailed herein.

©2017 McKesson Medical-Surgical Inc.
