Cloud CISO Perspectives: Late July 2023
Taylor Lehmann
Director, Office of the CISO, Google Cloud
Phil Venables
VP/CISO, Google Cloud
Welcome to the second Cloud CISO Perspectives for July 2023. Security, privacy, and protecting data is one of the major drivers behind the accelerated transformations in healthcare.
Cyber threats to healthcare are on the rise, including compromised access and data, ransomware, and exploitation of vulnerabilities — and not enough is being done to stem this dangerous trend. It’s vital that healthcare leaders and boards take action to better protect patients and their data, argues Taylor Lehmann, our cybersecurity and healthcare expert and director in Google Cloud’s Office of the CISO, in his guest column below.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
How cloud can help healthcare improve its security and resilience
By Taylor Lehmann, director, Office of the CISO, Google Cloud
Healthcare delivery is the one of very few industries where there is a direct connection between security, resilience, and the safety of human life. Yet weak protections for sensitive, valuable data has made healthcare an easy, appealing target for hackers.
The consequences of weak security and poor risk-management in healthcare delivery were put on stark display during the worst of the COVID-19 pandemic, when cyberattacks against healthcare organizations spiked — but it’s the latest headlining-grabbing moment that has experts steeped in the nuances of protecting healthcare and life sciences organizations worried for our collective future.
In June, St. Margaret's Health, the only hospital in the small, rural community of Spring Valley, Illinois, permanently closed its doors, in part because of the insurmountable costs to restore hospital services following a 2021 ransomware attack.
To put it gently, the trendlines are not in our favor. While St. Margaret’s Health is the first healthcare facility to cite a cyberattack as one (of a few) reason to permanently cease operations; indicators say that it is unlikely to be the last. In 2022, we saw an increasing number of alleged deaths due to cyberattacks against hospitals. While safety feels like a more recent threat, the old business of stealing records for profit continues to be lucrative. The average cost of a data breach in healthcare has increased 42% since 2020 to $10.1 million, the highest of any industry, according to the Ponemon Institute.
Healthcare leaders report worrying trends. Mandiant’s 2023 Global Perspectives on Threat Intelligence Report found that 40% of global cybersecurity decision makers in the healthcare industry reported they experienced at least one “significant cyber attack” in their organization in the 12 months leading up to the report’s publication. Yet 67% of healthcare cybersecurity decision makers said they think their senior leadership team continues to “underestimate” cyberthreats to their organization.
As a society, we’ve learned the hard way about a cybersecurity double-whammy: Threat actors know that our health systems are vulnerable, and they don’t care about hurting the vulnerable people they treat. To put an end to the growing, existential threat that healthcare faces, it will take creativity, innovation, partnership, and a willingness to change the current state of IT security and risk management in healthcare.
The good news is that public clouds like ours can play an important role in helping healthcare and life sciences organizations become more secure.
A role for government regulation
Google is working on several fronts to help healthcare organizations mature their cybersecurity postures and risk-management capabilities, often in conjunction with government agencies. In April, a multinational effort put its weight behind advocating for security by design and by default. Google has long advocated for a secure-by-design and by-default approach, which means that core infrastructure is designed, built, and operated with security in mind.
Threat actors know that our health systems are vulnerable, and they don’t care about hurting the vulnerable people they treat.
While the long-term impact of secure-by-design should improve the cybersecurity posture of the healthcare industry, we are already seeing some practical effects of this approach. The Omnibus Appropriations Act of 2023 includes two significant provisions related to the security of connected medical devices, including a new Federal Drug Administration requirement that connected medical devices be cybersecure and stay that way once they enter the market. Failure to do so would allow the FDA to apply enforcement and these devices from reaching the market beginning October 1st. The EU has similar regulations.
In addition, the FDA signaled in its draft Computer Software Assurance model last year that a risk-based approach to managing quality, security, and safety of medical devices was coming. The guidance made it clear that security, alongside safety and quality, must be considered in the design and implementation of these systems. Google Cloud services can help organizations implement the guidance, at no extra cost.
How Google Cloud can help
Improving the security of care delivery, including connected medical equipment, should be an essential part of any attempt to improve the industry's cybersecurity. At Google, we’ve adopted the belief that security has a direct impact on safety, and we need to frame security threats accordingly. That’s why we’ve been advocating for the use of a software bill of materials (SBOM) with the Supply chain Levels for Software Artifacts (SLSA) framework and vulnerability exchanges to make technology more secure.
Open-source security tools such as our Assured Open Source Software and Software Delivery Shield are designed to make adoption of these frameworks easier. Securing the software supply chain is a critical security priority for defenders and something Google is committed to helping everyone do.
Customers use cloud services including Cloud Build, Cloud Storage, Google Kubernetes Engine (GKE), Cloud Run, and others to design, implement, and operate regulated medical devices and GxP-compliant workloads. In addition, partners such as BrightInsight work with our customers to accelerate their adoption of our services and bring FDA-regulated workloads to the cloud.
Better threat intelligence can help healthcare
We are also invested in combating the threats that healthcare and life sciences organizations continue to face. In addition to our ongoing support of improving threat intelligence and using it to inform better security outcomes, the ambassador partnership with the Health Information Sharing and Analysis Center (Health-ISAC) we announced last year has since grown to help share healthcare-specific threat intelligence and additional services that help Google play a direct role in protecting the planet’s healthcare infrastructure.
Improving the security of care delivery, including connected medical equipment, should be an essential part of any attempt to improve the industry's cybersecurity.
Working with the Health-ISAC Threat Operations Center (TOC), Google Cloud security engineers developed an open-source integration that connects the Health-ISAC Indicator Threat Sharing (HITS) feed directly with Google Cloud’s Chronicle Security Operations information and event management. HITS allows Health-ISAC members to easily connect and quickly share cyber threat intelligence through machine-to-machine automation. In addition, we’ve expanded our intelligence sharing partnership by augmenting the Health-ISACs TOC with Mandiant Threat Intelligence and VirusTotal analysis capabilities.
Improving healthcare in real-time
Healthcare and life science organizations leading in digital transformation say that security, privacy, and protecting data are three of the major drivers behind their accelerated transformations. Some examples of how they’re achieving better security and usability include:
Hackensack University Medical Center, which moved to Google Workspace and distributed Chrome OS devices during the pandemic, which led to an immediate, 30% reduction in spam. This meant staff were less likely to receive phishing attempts.
International biopharmaceutical company AstraZeneca, which has increased access to medicine through “Software as a Medical Device” solutions that allows patients to order medication through a user-friendly web app that encrypts sensitive data in transit, at rest, and while in use.
Ransomware gangs have been known to use medical imagery to extort patients and organizations. Medical image experts Ambra Health leverage Google Cloud Data Loss Prevention (DLP) to prepare medical images for research by removing Protected Health Information (PHI) from the image data on a vastly accelerated timeline as compared to manually deleting that data.
There’s no doubt that the cost of cyberattacks against healthcare and life sciences is going in the wrong direction. The inherent, better security in the cloud, combined with regulatory motivation and widespread community efforts, can help organizations avoid permanent closures, while improving their security — and patient outcomes.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 has sold out, but you can still register for the conference. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Check out our scheduled security sessions, and register now.
Best Kept Security Secrets: Keeping secrets, the Secret Manager way: Can you keep a secret? An organization’s digital credentials are its vital secrets, used to authenticate access to protected resources and services. Fortunately, we have an important tool to help our customers better manage their secrets: Google Cloud Secret Manager. Read more.
Introducing predictable cost options for Cloud Data Loss Prevention: Cloud DLP now offers a new pricing model for the discovery service, allowing you to choose the option that best fits your needs. Read more.
Using Workforce Identity Federation with API-based web applications: Workforce Identity Federation allows use of an external identity provider to authenticate and authorize users to Google Cloud resources. To show how you can implement this in your own environment, this blog walks through configuring a web app hosted in Google Cloud to call Google Cloud APIs after being authenticated with Azure AD. Read more.
Introducing Cloud Armor WAF enhancements to help protect your web application and API service: We’re introducing new features in Cloud Armor: granular rate limiting and more flexible options to configure custom rules to further enhance protections against DDoS and other attacks. Read more.
Introducing time-bound key authentication for service accounts: Google Cloud customers can now secure their service account keys with customizable options to enforce expiration dates. Read more.
How to better manage customer IDs to support user experience: Google Cloud Identity Platform can enable retailers to add identity and access management capabilities to their customer facing applications, including ecommerce platforms. Read more.
How integrating Microsoft Intune with BeyondCorp Enterprise can help your organization: BeyondCorp Enterprise can incorporate signals from third-party systems to help make better access decisions. Here’s how Wayfair integrated Intune into their deployment. Read more.
News from Mandiant
North Korea leverages SaaS provider in targeted supply chain attack: This month, Mandiant responded to a supply chain compromise affecting a U.S.-based software solutions entity that we believe began as a result of a sophisticated spear phishing campaign aimed at JumpCloud. Here’s what we learned by investigating one of JumpCloud’s impacted customers. Read more.
Pro-P.R.C. HaiEnergy campaign exploits U.S. news outlets: In August 2022, Mandiant released a report detailing an ongoing influence campaign leveraging infrastructure attributed to the Chinese public relations firm Haixun, but couldn’t confirm the organization’s involvement. In recent months, we’ve identified additional evidence suggesting that Haixun is actively supporting the campaign. Read more.
Exploitation of Citrix zero-day by possible espionage actors: Mandiant is active in investigations involving recently-compromised ADC appliances that were fully patched prior to a July 18 Citrix security bulletin describing several vulnerabilities, including one which could allow an unauthenticated remote attacker to perform arbitrary code execution. Read more.
KillNet showcases new capabilities while repeating older tactics: KillNet has remained relatively consistent in its targeting of Ukraine’s supporters and prioritization of DDoS attacks since Russia invaded in February 2022. Despite new capabilities, the collective has hardly altered its targeting patterns. While Mandiant cannot confirm collaboration or cooperation with Russian security services, KillNet’s targeting of victims consistently reflects the interests of the Russian state. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
How Google secures the software you use: Assured Open-Source Software (OSS) is Google Cloud’s nifty customer solution that helps organizations use the same OSS packages in their workflows that Google secures and uses. We talk with our own Himanshu Khurana, engineering manager, and Rahul Gupta, product manager for Assured OSS, about why the solution is such an important game-changer. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.