“A cyberattack that targeted the Newfoundland-Labrador healthcare system in Canada might be the worst of its kind in Canadian history. The attack was first discovered on October 30, 2021. But by the time it was confirmed, it had already caused widespread disruption of healthcare services. It allegedly delayed thousands of medical appointments and almost all non-emergency appointments around the Eastern Health region.”
The event rocked the healthcare system, and thousands of procedures, including COVID-19 testing, were delayed. Access to emails, diagnostic images, and lab results was denied, and the province’s eastern health authority was left with no choice but to operate with pen and paper. Thousands of medical appointments had to be canceled. However, clinical experts advised against going ahead with most appointments using the paper-based system for safety reasons, as mentioned by David Diamond, CEO of Eastern Health.
In such cases, the severity of data breaches is extremely high. Healthcare organizations should be extremely cautious about safeguarding patient data and adhering to compliance standards while ensuring that their systems are always up and running. This places significant importance on securing machine identities.
With the growing number of machines talking to each other even on the go, the need for securing communication is paramount. Asymmetric key cryptography is a widely used practice for securing data in transit. Digital certificates are the way to establish and extend trust during communication. These certificates are used as identities for machines and are provided by certificate authorities (CAs). As the requirement for certificates grows, enterprises have to set up their internal public key infrastructure (PKI) so that private CAs can be created internally.
The Importance of PKI in Healthcare
While PKI has traditionally been used in hospitals to secure sensitive patient records, cryptography is finding new applications in wearable/remote IoT-enabled medical devices. With such devices capturing user information and relaying it back to healthcare professionals by the minute, it is essential to ensure that the line of communication is not intercepted. It is also crucial to keep the device up-to-date via regular updates for optimum security. By providing a device identity and a layer of protection to medical devices, PKI makes this possible.
Gone are the days when installing necessary SSL certificates on websites and servers and renewing them once every few years would be enough. Today, PKI protects nearly every internet-facing system (and its back-end servers), software programs (in the form of code-signing certificates), and communication in general. There have been well-documented occurrences of PKI being the weak link that resulted in a data breach.
Since PKI requires efficient management, administrators cannot spend their time manually renewing thousands of certificates, installing them, and ensuring that each one is always online. This is a recipe for disaster. It has become apparent that even the best-designed PKIs require supporting systems to help manage them by streamlining certificate tasks, key rotations, and the entire gamut of PKI operations. An efficient certificate lifecycle management solution will enable administrators to renew, revoke, or install certificates from a single interface and weave together multiple vendors (CAs, HSMs, IAM tools, et al.) and allow them to work seamlessly with your PKI.
Poorly managed PKI often marks the point of entry for a host of vulnerabilities that could have impacts ranging from lost time to lost revenue.
Expirations and Outages: Unexpected certificate expirations often lead to network or website outages. This ties into the fact that a lack of real-time visibility into the certificate infrastructure can make it very difficult for an administrator to manage it. As certificate lifespans begin to shrink, expirations will pose a more significant threat to teams that employ manual certificate/key issuance and management methods.
Root Compromise: Root Certificate changes can be planned or unplanned. Most enterprises now manage thousands of certificates regularly in their network infrastructure. These certificates must be monitored, tracked, and renewed on time to avoid expensive application outages. However, the maintenance required isn’t the only challenge posed by the growing number of SSL/TLS certificates. Security of private keys and the trust associated with the entire certificate chain is also a significant concern.
Apart from just certificate expiries, enterprises using certificates from deprecated roots or intermediates can also suffer severe disruptions. And, to successfully avoid such troubles, migrating to a trusted public key infrastructure (PKI) plays a significant role.
Manual certificate management techniques involve administrators having to individually identify every compromised certificate and then begin the slow process of migrating them to a new PKI. The process could take weeks, which is ample time for malicious actors to commit data theft.
Compliance and Fines: Every industry has its compliance standards for encryption. There are many regulations with which healthcare organizations must comply. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects patient privacy and requires organizations to keep patients’ medical records secure. Suppose your business is required to adhere to commonly accepted standards (for instance, replacing certificates every month, regardless of expiry). In that case, you’ll need a tool to automate this process and perform the necessary periodic checks to ensure that you don’t end up paying a hefty fine due to non-compliance.
Every organization is expected to have these capabilities in place even if you have not experienced large-scale PKI-related security issues. After all, you can’t take vulnerability for granted.
Organizations in the healthcare vertical should invest in an enterprise PKI solution ready to take on new opportunities that emerging technologies offer. Automation done right is not just the way forward but also the only way to a future-ready PKI. Your current certificate lifecycle management solution may have many merits, but if it lacks automation or doesn’t have it built-in, it’s forever going to have you running for cover. Using a next-gen certificate lifecycle management solution like AppViewX CERT+ keeps your enterprise safe from certificate outages and helps you stay cryptographically agile.