
IT Security Luminary Mac McMillan: Time to Develop Comprehensive Risk Management Strategies Around Data Security

September 1, 2016
by Mark Hagland
Mac McMillan urged CHIME/AEHIS LEAD Forum attendees in Nashville to think strategically around IT security

This is part 2 of a two-part series on the presentation August 10 by Mac McMillan of the CynergisTek consulting firm, at the CHIME/AEHIS LEAD Forum event in Nashville. Part 1, which can be read here, covered the main portion of McMillan’s presentation in Nashville. This part covers the conclusion of McMillan’s speech, and his exclusive interview afterwards with HCI Editor-in-Chief Mark Hagland.

In his August 10 presentation to healthcare IT leaders at the CHIME/AEHIS Lead Forum event in Nashville, Mac McMillan, CEO of the CynergisTek consulting firm, spoke on the topic, “Developing and Managing an Ongoing Risk Management Program.” He told attendees that it was very important for healthcare and healthcare IT leaders to meet a cresting wave of cybersecurity threats by developing a comprehensive cybersecurity strategy, one that applies a risk management approach to the challenges facing patient care organizations right now.

One of the key elements in that, he told his audience, is that “It’s important to think about the metaphor of compartmentalization, and the way that battleships are built. They’re built in tight compartments, so that when one compartment is hit, the ship can go on,” he said. In that context, it is very important to hold regular cyber-drills, in order to prepare all staffers within patient care organizations to execute if and when breaches and other incidents and events occur. In that regard, he said, it is time to bring in expert outside consultants to do “monitoring, auditing, and analysis.” “You always need outside help,” he stressed. That is particularly true when sheer calculating ability is bringing the world to a new dawn of massive data and information processing capability.

“By 2025, we are going to have calculating ability to where laptops will process information at the 10 to the 9th power, or 10 trillion calculations a minute,” he noted. “What that means is that our industry will be turned on its head because of innovation; but security will be turned on its head, too. Ten years from now,” he predicted, “any system based on rules is going to be totally obsolete. Because when we have processing speeds that fast, and broader connections, any system that has to stop a packet and interrogate it to figure out if it’s good or bad is not going to be able to do it—unless vendors can figure out some new kind of artificial intelligence to do that. And I’m hearing that they’re nowhere near that. So we have to move away from rules-based technologies to behaviorally based technologies that detect anomalies in real time.”

In that regard, McMillan told his audience, “We’ll have to focus on anomalies. So we need to do a better job of managing our environments, of keeping our environments up to date. Obsolete systems, end-of-life systems that can’t be patched, do nothing for us, from a security perspective. And we need to make sure we’re hardening our systems and configuring them against all known risks, and keep them patched. So, 98 percent of attacks last year took advantage of a known vulnerability that was either a year or more old, meaning, there was a patch available for it, a configuration somebody could have made, a service someone could have used, but we didn’t.”


The hackers and cyber-criminals, he said, are “counting on our being too tired and too busy to keep up normal maintenance. It’s the same thing with our car, right? The warning light comes on and tells you that you need an oil change. In this case, the warning lights are there until somebody bad comes in. Those warning lights also tell you when you have an anomalous situation. If everything is hardened as it needs to be, you’ll recognize anomalies. We need to employ layers, protections at the endpoint, network, file layers, etc.—from our core all the way out to our endpoints, and even out to our cloud and SaaS providers, to allow us to carry those protections outwards. We definitely need to enhance our protected complementary controls.”

Administrative privileges: a key point of weakness?

One of the key areas that McMillan wants healthcare IT leaders to look at is that around administrative privileges. “Look at any of the breaches that have happened out there, especially the advanced ones, and somewhere along the way, the bad guy out there has obtained administrative privileges, to turn certain controls off, to hide what they’re doing, to exploit the environment and take advantage of it. Why? Because most of us are letting our administrators use their administrative access way too often. Number two, we’re not encrypting passwords and privileges on internal traffic, because somehow, we’re thinking we’re safe, and we’re not. And three, we have a reluctance to apply two-factor authentication to our processes.”

Given all this, McMillan said boldly, “I’ll say that anyone who doesn’t want to apply two-factor authentication is not long for his job. In fact, I would advocate that we change systems so that privileges expire automatically, so I have a much smaller footprint. We need to be smart about how we apply our protections, to understand that the attackers today are literally already inside our network, whether through phishing, some service or application; but we need to look at ourselves from the outside, not just the inside. And a pen test—smart pen testers test from the inside out, too. Someone does phishing, and if somebody has privileges already, inside your network, they can do things. The point is, most of us don’t know, because we don’t do that testing. And I’m suggesting that we have to quit trusting the inside of the environment, and test from the outside in, and from the inside, as well. Those are the kinds of things that we need to think about going forward.”

Finally, he noted, “We’re dealing with a much more sophisticated actor today. Even the less sophisticated criminals have the benefit of a web and black market that will teach them what they need to do. I sent my pen testers to Black Hat,” he noted. “So we need to work smarter and harder,” he said, “not like Sisyphus. We need to understand our threat, how they come at us, understand what it takes to recognize what they’re doing. We need to educate our education and get everybody on board, and that it takes everybody to work together to do this. Within IT and security, we’re going to have to have some really specialized people who train to fight this battle, and who respond and react when these things happen. Because the organization that’s doing a good job and can execute, will have to deal with problems from time to time, but won’t have to deal with a big breach.”

Where is all this headed? Some patient care organizations are definitely doing better than others, McMillan observed. “We see organizations that have a solid plan, have invested in good technology, have good processes, and can react successfully within hours, to limit damage. And that really is the best case we can hope for. This notion that we’re going to be able to stop everything before it gets in, is unrealistic, because we will never know where the next attack is going to come from.”

Shortly after the conclusion of his presentation, McMillan sat down with HCI’s Mark Hagland for an exclusive interview. Below are excerpts from that interview.

Just recently, the Banner Health breach has been in the news. It’s another large breach affecting many patients and patient records. What should we be thinking about this right now?

It’s a bit unfair to speculate about that particular recent breach, because, not knowing what they have or haven’t done, we don’t know what really happened. A couple of things: one thing that has been mentioned in recent incidents is that there might have been a nexus between their point-of-sale systems and clinical information systems. Some people instantly assume when the term “clinical systems” is mentioned that we’re talking about clinical systems like EHRs. That may not be the case. Most hospitals have segregated their PCI—payment card information—credit card services—away from clinical systems. So hackers could have gotten access to some servers inside the network.

And because financial systems handle billing and claims data, that could be how that breach went from a payment system to impacting clinical information as well. The medical record may not have been breached at all; we don’t know that. So it’s unfair to assume that. The clinical information could literally have been from a financial database. That said, they could possibly have gotten access to Social Security numbers and credit card numbers, right? So you just don’t know—you don’t know what level of investment Banner has made in security technology in the last couple of years. And after the breaches at the end of 2014 and into 2015, started investing in advanced malware detecting solutions. People buying DLP, advanced malware detection capabilities; etc.

It seems like there’s more awareness now of the risks of hacking and breaches, but that it also seems that people are feeling overwhelmed and daunted, and are lacking the resources, both human and financial, to address these challenges at scale.

Yes. What we’re seeing happening in healthcare today is similar to what we saw in banking in the 1990s. With online banking, the big banks could reach everyone in their home. All of a sudden, little neighborhood banks were in danger. In the old days, you went physically into your bank and you had relationships. But now, Bank of America has an ATM everywhere. So in the 1990s, the big banks bought the regional banks, and the regional banks bought the community banks. They gobbled up the smaller players who could not keep up with all the regulations coming out from the FDIC on data protection, or keep up with the technology. I think we are on the cusp of a wholesale change in healthcare as well. The only thing keeping critical-access hospitals alive today is that we still haven’t figured out how to get emergent care into some of those rural places. My theory is all of this regulation, all of these security issues, will make it harder and harder for the small guy to keep up, and at some point, they’ll either be acquired by the big systems, or the big systems will find the model to replace those small hospitals with telemedicine, population health, etc. If you read any of the folks talking about the future, they talk about healthcare as being ripe for disruption. This is an industry where the model is going to change dramatically.

So in some ways, that’s going to work itself out through consolidation, then?

Yes. And don’t get me wrong; I love the little hospitals as much as anybody. They serve a very important purpose, and make a difference in people’s lives. But the fact of the matter is, when you’ve just got two pennies to rub together, and you’ve got to buy a $60,000 malware solution, you’re in trouble. And the fact is, the moment you connect to the Internet, you’re at risk—whether from purposeful threats, or even ones that are randomly out there. So being small doesn’t protect you anymore. There’s no invisible anymore.

Where are we now with CISO hiring, across U.S. healthcare?

My honest appraisal is that we’re making progress, but very slowly. The things that have happened recently that have caused security to become a more prominent issue, have sort of breathed new life into folks. We had a lot of folks with CISO titles, who had come into healthcare but were unhappy because of the lack of money, support, and prioritization, and they’d get frustrated and either give up and quit, or leave. We have quite a few folks who work for us. Our company’s growing constantly now. We have a lot of CISOs working for us as consultants who were at hospital systems. These are people who are really interested in doing a good job, and solving problems, and those kinds of things, and they get frustrated when they get no support. And it’s much easier sometimes to come in as a consultant, because at the end of the day, they’re not responsible for going and getting the budget to do it. And so they’re contributing in their way.

And I believe the people who are working with us are trying to do a good job. The people who just want to check a box and do an audit, sometimes aren’t. We’re going to really help you create change; it’s a philosophical approach. So it’s getting easier to hire CISOs now, because the CISOs see there’s a real market for hiring and promotion. The challenge will be keeping them engaged. If they don’t come into a market where they feel that what they’re doing is appreciated, there’s a real chance they’ll go back out again. It’s one thing to get them, it’s another to hold onto them. We’re getting now, because the industry has a reputation now as being in trouble and needing CISOs. So the CISO community is interested.



Eye Center in California Switches EHR Vendor Following Ransomware Incident

December 11, 2018
by Rajiv Leventhal, Managing Editor

Redwood Eye Center, an ophthalmology practice in Vallejo, Calif., has notified more than 16,000 patients that its EHR (electronic health record) hosting vendor experienced a ransomware attack in September.

In the notification to the impacted patients, the center’s officials explained that the third-party vendor that hosts and stores Redwood’s electronic patient records, Illinois-based IT Lighthouse, experienced a data security incident which affected records pertaining to Redwood patients. Officials also said that IT Lighthouse hired a computer forensics company to help them after the ransomware attack, and that Redwood worked with the vendor to restore access to its patient information.

Redwood’s investigation determined that the incident may have involved patient information, including patient names, addresses, dates of birth, health insurance information, and medical treatment information.

Notably, Redwood will be changing its EMR hosting vendor, according to its officials. Per the notice, “Redwood has taken affirmative steps to prevent a similar situation from arising in the future. These steps include changing medical records hosting vendors and enhancing the security of patient information.”

Ransomware attacks in the healthcare sector continue to be a problem, but at the same time, they have diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a recent report from cybersecurity firm Cryptonite.



Report: 30 Percent of Healthcare Databases Exposed Online

December 10, 2018
by Heather Landi, Associate Editor

Hackers are using the Dark Web to buy and sell personally identifiable information (PII) stolen from healthcare organizations, and exposed databases are a vulnerable attack surface for healthcare organizations, according to a new cybersecurity research report.

A research report from IntSights, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” gives an account of how hackers are tracking down healthcare personally identifiable information (PII) data on the Dark Web and where in the attack surface healthcare organizations are most vulnerable.

The report explores a key area of the healthcare attack surface, which is often the easiest to avoid—exposed databases. It’s not only old or outdated databases that get breached, but also newly established platforms that are vulnerable due to misconfiguration and/or open access, the report authors note.

Healthcare organizations have been increasingly targeted by threat actors over the past few years and their most sought-after asset is their data. As healthcare organizations attempt to move data online and increase accessibility for authorized users, they’ve dramatically increased their attack surface, providing cybercriminals with new vectors to steal personally identifiable information (PII), according to the report. Yet, these organizations have not prioritized investments in cybersecurity tools or procedures.

Healthcare budgets are tight, the report authors note, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection.

In this report, cyber researchers set out to show that the healthcare industry as a whole is vulnerable, not due to a specific product or system, but due to lack of process, training and cybersecurity best practices. “While many other industries suffer from similar deficiencies, healthcare organizations are particularly at risk because of the sensitivity of PII and medical data,” the report states.

The researchers chose a couple of popular technologies for handling medical records, including known and widely used commercial databases, legacy services still in use today, and new sites or protocols that try to mitigate some of the vulnerabilities of past methods. The purpose of the research was to demonstrate that hackers can easily find access to sensitive data in each state: at rest, in transit or in use.

The researchers note that the tactics used were pretty simple: Google searches, reading technical documentation of the aforementioned technologies, subdomain enumeration, and some educated guessing about the combination of sites, systems and data. “All of the examples presented here were freely accessible, and required no intrusive methods to obtain. Simply knowing where to look (like the IP address, name or protocol of the service used) was often enough to access the data,” the report authors wrote.

The researchers spent 90 hours researching and evaluated 50 databases. Among the findings outlined in the report, 15 databases were found exposed, so the researchers estimate about 30 percent of databases are exposed. The researchers found 1.5 million patient records exposed, at a rate of about 16,687 medical records discovered per hour.

The estimated black-market price per medical record is $1 per record. The researchers concluded that hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways. If a hacker can find records at a rate of 16,687 per hour and works 40 hours a week, that hacker can make an annual salary of $33 million, according to the researchers.

“It’s also important to note that PII and medical data is harder to make money with compared to other data, like credit card info. Cybercriminals tend to be lazy, and it’s much quicker to try using a stolen credit card to make a fraudulent purchase than to buy PII data and run a phishing or extortion campaign. This may lessen the value of PII data in the eyes of some cybercriminals; however, PII data has a longer shelf-life and can be used for more sophisticated and more successful campaigns,” IntSights security researcher and report author Ariel Ainhoren wrote.

The researchers used an example of a hospital using an FTP server. “FTP is a very old and known way to share files across the Internet. It is also a scarcely protected protocol that has no encryption built in, and only asks you for a username and password combination, which can be brute forced or sniffed by network scanners very easily,” Ainhoren wrote. “Here we found a hospital in the U.S. that has its FTP server exposed. FTPs usually hold records and backup data, and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists.”

According to the report, hackers have three main motivations for targeting healthcare organizations and medical data:

  • State-Sponsored APTs Targeting Critical Infrastructure: APTs are more sophisticated and are usually more difficult to stop. They will attempt to infiltrate a network to test tools and techniques to set the stage for a larger, future attack, or to obtain information on a specific individual’s medical condition.
  • Attackers Seeking Personal Data: Attackers seeking personal data can use it in multiple ways. They can create and sell PII lists, they can blackmail individuals or organizations in exchange for the data, or they can use it as a basis for further fraud, like phishing, Smishing, or scam calls.
  • Attackers Taking Control of Medical Devices for Ransom: Attackers targeting vulnerable infrastructure won’t usually target healthcare databases, but will target medical IT equipment and infrastructure to spread malware that exploits specific vulnerabilities and demands a ransom to release the infected devices. Since medical devices tend to be updated infrequently (or not at all), this provides a relatively easy target for hackers to take control.

The report also offers a few general best practices for evaluating if a healthcare organization’s data is exposed and/or at risk:

  • Use Multi-Factor Authentication for Web Applications: If you’re using a system that only needs a username and password to login, you’re making it significantly easier to access. Make sure you have MFA setup to reduce unauthorized access.
  • Tighter Access Control to Resources: Limit the number of credentials to each party accessing the database. Additionally, limit specific parties’ access to only the information they need. This will minimize your chance of being exploited through a 3rd party, and if you are, will limit the damage of that breach.
  • Monitor for Big or Unusual Database Reads: These may be an indication that a hacker or unauthorized party is stealing information. It’s a good idea to setup limits on database reads and make sure requests for big database reads involve some sort of manual review or confirmation.
  • Limit Database Access to Specific IP Ranges: Mapping out the organizations that need access to your data is not an easy task. But it will give you tighter control on who’s accessing your data and enable you to track and identify anomalous activity. You can even tie specific credentials to specific IP ranges to further limit access and track strange behavior more closely.
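The last two practices above (watching for big or unusual reads, and tying credentials to IP ranges) are the kind of checks that can be run over ordinary database audit logs. The following is an added example, not code from the IntSights report or from this article: it parses a constructed audit log, flags reads that exceed a hard cap or sit far outside a credential's own baseline, and reports any use of a credential from outside its allowed networks. The log format, credential names, networks and thresholds are all assumptions made for illustration.

```python
"""Added example (not from the report or the article): a small audit-log checker
that flags large or unusual database reads and enforces per-credential IP
range allowlists. Every log line, credential and network below is constructed."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed allowlist: each credential may only be used from these networks.
ALLOWED_NETS = {
    "billing_svc": [ipaddress.ip_network("10.20.0.0/16")],
    "clinic_app": [ipaddress.ip_network("10.30.5.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed sample audit log: timestamp, credential, source IP, rows returned.
SAMPLE_LOG = """\
2018-12-10T08:00:01 user=billing_svc src=10.20.1.5 rows=120
2018-12-10T08:05:12 user=billing_svc src=10.20.1.5 rows=95
2018-12-10T08:10:44 user=billing_svc src=10.20.1.5 rows=130
2018-12-10T08:15:03 user=billing_svc src=10.20.1.5 rows=110
2018-12-10T08:20:19 user=billing_svc src=10.20.1.5 rows=105
2018-12-10T09:02:37 user=billing_svc src=10.20.1.5 rows=48000
2018-12-10T09:03:00 user=clinic_app src=10.30.5.7 rows=40
2018-12-10T09:04:15 user=clinic_app src=203.0.113.9 rows=35
"""


def parse_log(text):
    """Turn 'ts key=value ...' lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "ts": ts,
            "user": fields["user"],
            "src": ipaddress.ip_address(fields["src"]),
            "rows": int(fields["rows"]),
        })
    return events


def ip_allowed(user, src):
    """True only if the credential is known and src falls in one of its networks."""
    nets = ALLOWED_NETS.get(user)
    if nets is None:
        return False  # unknown credential: deny by default
    addr = ipaddress.ip_address(str(src))
    return any(addr in net for net in nets)


def find_large_reads(events, hard_limit=10000, z_threshold=3.0, min_history=5):
    """Flag a read if it exceeds hard_limit, or if the credential already has
    min_history earlier reads and this one is more than z_threshold standard
    deviations above that credential's own mean."""
    history = defaultdict(list)
    alerts = []
    for ev in events:
        prev = history[ev["user"]]
        reason = None
        if ev["rows"] > hard_limit:
            reason = "exceeds hard limit"
        elif len(prev) >= min_history:
            mu, sigma = mean(prev), pstdev(prev)
            if sigma > 0 and (ev["rows"] - mu) / sigma > z_threshold:
                reason = "unusual versus baseline"
        if reason:
            alerts.append((ev["ts"], ev["user"], ev["rows"], reason))
        prev.append(ev["rows"])  # baseline includes flagged reads too; tune as needed
    return alerts


def find_ip_violations(events):
    """Every event where the credential was used from outside its allowlist."""
    return [(ev["ts"], ev["user"], str(ev["src"]))
            for ev in events if not ip_allowed(ev["user"], ev["src"])]


def audit(text):
    events = parse_log(text)
    return {"large_reads": find_large_reads(events),
            "ip_violations": find_ip_violations(events)}


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the constructed log this reports the 48,000-row read by `billing_svc` (a hard-limit hit) and the use of `clinic_app` from 203.0.113.9, which is outside both of its allowed networks. The baseline test is deliberately per credential, since a nightly batch job and an interactive clinical application have very different normal read sizes; in practice the hard limit would be set from the largest legitimate job and alerts would feed the manual review step the report recommends.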




Twelve States File First Multistate Healthcare Data Breach Lawsuit

December 5, 2018
by Heather Landi, Associate Editor

State Attorneys General from a dozen states filed a lawsuit Monday against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015.

The 66-page complaint, filed in the U.S. District Court for the Northern District of Indiana, names four companies or subsidiaries, including Fort Wayne, Ind.-based Medical Informatics Engineering and NoMoreClipboard LLC. In the lawsuit, the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected.

Over several weeks in May, hackers infiltrated and accessed the “inadequately protected computer systems” of the companies and were able to access and exfiltrate the electronic PHI of 3.9 million individuals, whose PHI was contained in electronic medical records stored in the companies’ computer systems. The personal information obtained by the hackers included names, addresses and Social Security numbers, as well as health information such as lab results, health insurance policy information, diagnosis and medical conditions.

The lawsuit marks the first time state Attorneys General have joined together to pursue a HIPAA-related (Health Insurance Portability and Accountability Act) multistate data breach case in federal court, according to the Arizona Attorney General’s office. The lawsuit was filed by attorneys general from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

According to a media report from, Arizonians were among those affected when hackers infiltrated WebChart, a web application operated by Indiana-based Medical Informatics Engineering Inc. and NoMoreClipboard (collectively known as MIE).

The 12 state AGs allege that the companies “failed to take reasonably available steps to prevent the breaches,” and “failed to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ PHI, failed to honor their promises and representations that patients’ PHI would be protected, and failed to provide timely and adequate notice of the incident, which caused significant harm to consumers across the U.S,” according to the complaint.

Further, the companies’ actions resulted in the violation of the state consumer protection, data breach, personal information protection laws and federal Health Insurance Portability and Accountability Act (HIPAA) statutes, the lawsuit states.

In July 2015, MIE issued a statement acknowledging the data breach, classifying it as a “data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record.” The company also referred to it as a “sophisticated cyber attack.”

The company said that on May 26, 2015 it discovered suspicious activity in one of its servers. “We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data,” the company said in a statement three years ago.

At the time, the company said it was continuing to take steps to remediate and enhance the security of its systems. “Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset,” the company said.

In a statement, Arizona Attorney General Mark Brnovich said the 12 AGs allege MIE is liable because, among other things, “it failed to implement basic industry-accepted data-security measures to protect ePHI from unauthorized access; did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system; had an inadequate and ineffective response to the breach; and failed to encrypt the sensitive personal information and ePHI within its computer systems, despite representations to the contrary in its privacy policy.”

Minnesota Attorney General Lori Swanson said in a news release, “Patients expect health companies to protect the privacy of their electronic health records. This company did not do so.”

The lawsuit says the states are seeking unspecified statutory damages and civil penalties.

