GUEST BLOG: Just Say No | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation


July 25, 2017
by Mac McMillan
| Reprints
There are some very urgent steps that healthcare IT security leaders need to take, right now, in the face of constant malware threats, says Mac McMillan

Recently, I had the occasion to see firsthand the devastating effects of a serious malware attack that took a majority of a hospital’s systems offline, forcing them to use work arounds to maintain some semblance of operations. The impact before it’s over is likely to be incredibly costly for that organization. Days later we heard the announcement of another hospital taken down by ransomware. And then there was NotPetya which turned out to be a directed denial of service attack designed to destroy the systems and data it infected. There was no magic key to decipher or roll back its effects. All of this just reinforces the need to get more vigilant about our cybersecurity and to just say no to the things that keep us from being secure.

1.      Get your head in the game. We have thousands of malware attacks every day, crashing into our perimeters looking for the one mistake we have made, which is all the attackers need to get in. Just in the past few weeks, we saw several hospitals suffer massive ransomware attacks and a worldwide attack of new strain of WannaCry (Petya) that seeks not financial gain, but more sinisterly to destroy systems and data. Organizations hit by this new malware have woken up to the real dark side of hacking – attacks with the sole aim to destroy their systems and their data. Yet many will just say, wow glad that was not us, we dodged another one. The question is will you dodge the next? Will you instead ask IT if that had been us, how would we have fared? Don’t be afraid to say no to those who think cybersecurity is just an IT issue. It’s a leadership issue.

2.      Get fanatical about vulnerability management. And I mean all aspects; hardening, patching, configurations, change control, testing…all of it. There is nothing exciting about this work, no one will argue that, but it is critical and those who do not give it attention are destined for excitement…just not the type they bargained for. More than 90% of hacks take advantage of a vulnerability more than one year old. Meaning someone could have patched it, disabled it, closed it, etc. and did not. The attacker only has to get lucky once to find that mistake, whereas we have to get it right all of the time. Maintenance and administration are hugely important to defending the enterprise, we can no longer afford to neglect them. Don’t be afraid to say no to sacrificing maintenance and administration for up time.

3.      Get rid of old IT. Obsolete, unsupported software, browsers, operating systems are all magnets for malware. Many of the victims of WannaCry learned this firsthand as they watched the Windows XP systems still deployed in their environments succumb. Refresh schedules have to stay ahead of obsolescence in order to remove this threat. Where that is not possible, we need to employ other means of isolating these systems by separating them from or putting additional protections between them and the network or the Internet. Don’t be afraid to say no to unsafe usage of obsolete IT or to purchases of systems with obsolete software.

4.      Get the best defenses. Traditional security technologies have proven they alone are no match for the new attacks being thrown at the enterprise. All you have to do is just look at Mirai, WannaCry, and most recently NotPetya to realize this fact. You need to invest in next generation firewalls, advanced malware detection, email and web gateways, virtual honeypots, and other newer technologies. Investment is necessary. Security costs, but lack of security or no security costs significantly more. Just ask anyone who has been the victim of a serious malware attack. Don’t be afraid to say no to those that say we can do the job with what we have.

5.      Get limited. We’ve known forever that the best way to protect something is to limit the number of people who have access to it. That is doubly true for access with elevated privileges. The overwhelming majority of the damaging attacks we’ve witnessed took advantage of weak access practices or exploited someone’s administrative level permissions. That happened because there are too many, they are weakly controlled, and they are not monitored or audited regularly. Employ two-factor authentication on all remote, web and administrative level access. Eliminate all elevated privileges through vaulting. If you can’t do that, then eliminate all administrative access possible and monitor what remains. Don’t be afraid to say no to access for convenience.

6.      Get buoyant. The reason a naval vessel can withstand battle is because the ship is compartmented. Each compartment can be sealed off to stop the impact of the damage to another. Networks employ a concept called segmentation that can achieve this same effect when attacked, but only if that segmentation is real. Simply deploying VLANs does not segment the network securely. We need to start deploying access controls on segments, use segmentation firewalls and better configuration of network devices managing traffic. With the right technologies, detecting events, and the right segmentation, we can stop, isolate and limit the impact of attacks to protect critical assets and information. Don’t be afraid to say no to just doing it the easy way.


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More