Healthcare as a Target of Opportunity
Generally speaking, most patients will tell you that there should be more security associated with their personal healthcare data, and they are absolutely right to worry. Recent data from Modern Healthcare indicates that healthcare is steadily becoming one of the highest-risk areas for cyberattacks— with the Department of Health & Human Services reporting 106 hacking incidents in 2016, nearly double the year before and over 20 times more than 2010. And, the industry knows it is only going to get worse: 88 percent of provider executives surveyed expect cybersecurity attacks in 2017 to exceed the historically high levels of 2016.
So what are some of the suggestions in mitigation? In a recent article from Beckers Hospital Review, Neal Singh, CEO of Caradigm in Seattle had some solid counsel. He said, “Get a governance and compliance plan in place. The more you can put governance and risk compliance systems in place to get a handle on data, the better off you are. You’ll have people coming and going from your organization all the time, or activity happening with organizations joining yours. You have to make sure the right person is accessing the right data set.”
“As a PatchAdvisor engineer, I would suggest that all hospitals should work on the basics first, via IT security management directives. If there is a governance committee in place to support internal communications, even better. We always suggest that at the start of each quarter you could communicate to various target populations in your network about the most common vulnerabilities — poor passwords and missing patches,” said Chris Goggans, Chief Technology Officer.
As a manager, you know that in the workplace, security reviews are often triggered by events, not always by best practices. Goggans suggests that if something has already happened this year to breach any of your security measures, then start with these questions in the IT team discussions:
**Did someone guess or phish a password? What did that give the attacker access to?
**Did this originate with code-level vulnerabilities in some internet-facing web application?
**What information on the compromised system is useful elsewhere? Start with local account/password re-use, network trust relationships, SSH keys, cached domain credentials, or database connection strings, for example.
Goggans points out, “You need to try to determine the root cause of the attack, and work from there. If there is any such information, then ANY system that could be compromised with that information should be considered compromised as well. Also, look at any systems that could be compromised from information taken from the 2nd set of systems, and so forth. The compromise of one single system can quickly lead to the compromise of the entire organization.”
And, he adds, “You can’t just say ‘the attacker got into this server because of a missing patch, so we patched the server and now we are done.’ You have to assume the worst case and react accordingly”.
And, our PatchAdvisor teams often observe that human error often is at play. Here’s an example from this January in the headlines: Emory Healthcare’s Brain Health Center had an Internet-facing MongoDB left “un-passworded,” leading to data relating to 200,000 patients being stolen and erased with a ransom demand for .2 bitcoin.
Take A Regular Inventory Approach to Security And Your Systems
Goggans spends a great deal of his time counseling clients about where to begin. “If you don’t know what you have, what applications or process your systems are running, and what existing security issues you currently have, then you won’t know how to set your priorities. I’ve seen companies spend millions on internet-facing IDSes, enterprise-wide SIEMs, source-code security analysis tools, endpoint application whitelisting agents, etc., and then get fully compromised by our team because of poor passwords,” he points out. “On the flip side, I’ve seen organizations that fully implemented 2-factor authentication in attempts to eliminate the password threat, only to be fully compromised because of missing patches,” he summed up.
It is clear to our PatchAdvisor team leads that if you don’t know what your security issues really are, you will make incredibly poor decisions when trying to shore up security.