This is part 2 of a two-part series on the presentation August 10 by Mac McMillan of the CynergisTek consulting firm, at the CHIME/AEHIS LEAD Forum event in Nashville. Part 1, which can be read here, covered the main portion of McMillan’s presentation in Nashville. This part covers the conclusion of McMillan’s speech, and his exclusive interview afterwards with HCI Editor-in-Chief Mark Hagland.
In his August 10 presentation to healthcare IT leaders at the CHIME/AEHIS Lead Forum event in Nashville, Mac McMillan, CEO of the CynergisTek consulting firm, spoke on the topic, “Developing and Managing an Ongoing Risk Management Program.” He told attendees that it was very important for healthcare and healthcare IT leaders to meet a cresting wave of cybersecurity threats by developing a comprehensive cybersecurity strategy, one that applies a risk management approach to the challenges facing patient care organizations right now.
One of the key elements in that, he told his audience, is that “It’s important to think about the metaphor of compartmentalization, and the way that battleships are built. They’re built in tight compartments, so that when one compartment is hit, the ship and go on,” he said. In that context, it is very important to hold regular cyber-drills, in order to prepare all staffers within patient care organizations to execute if and when breaches and other incidents and events occur. In that regard, he said, it is time to bring in expert outside consultants to do “monitoring, auditing, and analysis. “You always need outside help,” he stressed. That is particularly when sheer calculating ability is bringing the world to a new dawn of massive data and information processing capability.
“By 2025, we are going to have calculating ability to where laptops will process information at the 10 to the 9th power, or 10 trillion calculations a minute,” he noted. “What that means is that our industry will be turned on its head because of innovation; but security will be turned on its head, too. Ten years from now,” he predicted, “any system based on rules is going to be totally obsolete. Because when we have processing speeds that fast, and broader connections, any system that has to stop a packet and interrogate it to figure out if it’s good or bad is not going to be able to do it—unless vendors can figure out some new kind of artificial intelligence to do that. And I’m hearing that they’re nowhere near that. So we have to move away from rules-based technologies to behaviorally based technologies that detect anomalies in real time.”
In that regard, McMillan told his audience, “We’ll have to focus on anomalies. So we need to do a better job of managing our environments, of keeping our environments up to date. Obsolete systems, end-of-life systems that can’t be patched, do nothing for us, from a security perspective. And we need to make sure we’re hardening our systems and configuring them against all known risks, and keep them patched. So, 98 percent of attacks last year took advantage of a known vulnerability that was either a year or more old, meaning, there was a patch available for it, a configuration somebody could have made, a service someone could have used, but we didn’t.”
The hackers and cyber-criminals, he said, are “counting on our being too tired and too busy to keep up normal maintenance. It’s the same thing with our car, right? The warning light comes on and tells you that you need an oil change. In this case, the warning lights are there until somebody bad comes in. Those warning lights also tell you when you have an anomalous situation. If everything is hardened as it needs to be, you’ll recognize anomalies. We need to employ layers, protections at the endpoint, network, file layers, etc.—from our core all the way out to our endpoints, and even out to our cloud and SaaS providers, to allow us to carry those protections outwards. We definitely need to enhance our protected complimentary controls.”
Administrative privileges: a key point of weakness?
One of the key areas that McMillan wants healthcare IT leaders to look at is that around administrative privileges. “Look at any of the breaches that have happened out there, especially the advanced ones, and somewhere along the way, the bad guy out there has obtained administrative privileges, to turn certain controls off, to hide what they’re doing, toe exploit the environment and take advantage of it. Why? Because most of us are letting our administrators use their administrative access way too often. Number two, we’re not encrypting passwords and privileges on internal traffic, because somehow, we’re thinking we’re safe, and we’re not. And three, we have a reluctance to apply two-factor authentication to our processes.”