GUEST BLOG: Just Say No | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

GUEST BLOG: Just Say No

July 25, 2017
by Mac McMillan
| Reprints
There are some very urgent steps that healthcare IT security leaders need to take, right now, in the face of constant malware threats, says Mac McMillan

Recently, I had the occasion to see firsthand the devastating effects of a serious malware attack that took a majority of a hospital’s systems offline, forcing them to use work arounds to maintain some semblance of operations. The impact before it’s over is likely to be incredibly costly for that organization. Days later we heard the announcement of another hospital taken down by ransomware. And then there was NotPetya which turned out to be a directed denial of service attack designed to destroy the systems and data it infected. There was no magic key to decipher or roll back its effects. All of this just reinforces the need to get more vigilant about our cybersecurity and to just say no to the things that keep us from being secure.

1.      Get your head in the game. We have thousands of malware attacks every day, crashing into our perimeters looking for the one mistake we have made, which is all the attackers need to get in. Just in the past few weeks, we saw several hospitals suffer massive ransomware attacks and a worldwide attack of new strain of WannaCry (Petya) that seeks not financial gain, but more sinisterly to destroy systems and data. Organizations hit by this new malware have woken up to the real dark side of hacking – attacks with the sole aim to destroy their systems and their data. Yet many will just say, wow glad that was not us, we dodged another one. The question is will you dodge the next? Will you instead ask IT if that had been us, how would we have fared? Don’t be afraid to say no to those who think cybersecurity is just an IT issue. It’s a leadership issue.

2.      Get fanatical about vulnerability management. And I mean all aspects; hardening, patching, configurations, change control, testing…all of it. There is nothing exciting about this work, no one will argue that, but it is critical and those who do not give it attention are destined for excitement…just not the type they bargained for. More than 90% of hacks take advantage of a vulnerability more than one year old. Meaning someone could have patched it, disabled it, closed it, etc. and did not. The attacker only has to get lucky once to find that mistake, whereas we have to get it right all of the time. Maintenance and administration are hugely important to defending the enterprise, we can no longer afford to neglect them. Don’t be afraid to say no to sacrificing maintenance and administration for up time.

3.      Get rid of old IT. Obsolete, unsupported software, browsers, operating systems are all magnets for malware. Many of the victims of WannaCry learned this firsthand as they watched the Windows XP systems still deployed in their environments succumb. Refresh schedules have to stay ahead of obsolescence in order to remove this threat. Where that is not possible, we need to employ other means of isolating these systems by separating them from or putting additional protections between them and the network or the Internet. Don’t be afraid to say no to unsafe usage of obsolete IT or to purchases of systems with obsolete software.

4.      Get the best defenses. Traditional security technologies have proven they alone are no match for the new attacks being thrown at the enterprise. All you have to do is just look at Mirai, WannaCry, and most recently NotPetya to realize this fact. You need to invest in next generation firewalls, advanced malware detection, email and web gateways, virtual honeypots, and other newer technologies. Investment is necessary. Security costs, but lack of security or no security costs significantly more. Just ask anyone who has been the victim of a serious malware attack. Don’t be afraid to say no to those that say we can do the job with what we have.

Webinar

Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of...

5.      Get limited. We’ve known forever that the best way to protect something is to limit the number of people who have access to it. That is doubly true for access with elevated privileges. The overwhelming majority of the damaging attacks we’ve witnessed took advantage of weak access practices or exploited someone’s administrative level permissions. That happened because there are too many, they are weakly controlled, and they are not monitored or audited regularly. Employ two-factor authentication on all remote, web and administrative level access. Eliminate all elevated privileges through vaulting. If you can’t do that, then eliminate all administrative access possible and monitor what remains. Don’t be afraid to say no to access for convenience.

6.      Get buoyant. The reason a naval vessel can withstand battle is because the ship is compartmented. Each compartment can be sealed off to stop the impact of the damage to another. Networks employ a concept called segmentation that can achieve this same effect when attacked, but only if that segmentation is real. Simply deploying VLANs does not segment the network securely. We need to start deploying access controls on segments, use segmentation firewalls and better configuration of network devices managing traffic. With the right technologies, detecting events, and the right segmentation, we can stop, isolate and limit the impact of attacks to protect critical assets and information. Don’t be afraid to say no to just doing it the easy way.

7.      Get everything backed up. When we talk about backing things up, we often focus on the data alone, which is a huge mistake as many are learning. We also think of backups as having an electronic copy of information on a system. We need to redefine our definition of backup to include everything we need to reconstitute the enterprise, baseline images, configurations, current applications and the data. Secondly, we need to make sure that we have a copy that is air gapped from the rest of the enterprise so that when the unthinkable happens, we have what we need to rebuild. Many victims of malware attacks have had to rebuild from the bare metal, meaning reloading the basic operating system, reloading applications, reapplying configurations and reloading data.  Not having up to date information about any aspect of the current environment can grind that recovery process to slow pace. Don’t be afraid to say no to those who say we can’t take something offline long enough to back up.

8.      Actively monitor. The computing environment that we operate in today generates millions of log events per day, week, and month depending on the size of the organization involved, but regardless of where you fit it, it is not possible for your staff to monitor this activity manually. This is an area where organizations need to seek out a partner, a professional SOC capable of monitoring, alerting and providing early warning - often hours before an event will likely affect you. This is not something most healthcare organizations can do effectively even with tools. Don’t be afraid to say no to unrealistic expectations.

9.      Get organized. Fire drills have never particularly been anyone’s favorite activity, but well organized ones that end quickly or ones that worked in a real crisis were appreciated and made a difference. Responding to cyber incidents is no different. You need a process, you need people who know how to run it, you need the right equipment to support them, you need a communications plan, you need the right responders, you need to stop the event, isolate the intruder/infection, analyze/investigate the cause, eliminate the attacker, restore the enterprise and all the while continue to operate.  This will not happen by accident. Plan, train, exercise, perform, learn. Don’t be afraid to say no to those who say we don’t have time to practice.

Get confident. Create the cybersecurity strategy that gives the organization the confidence to handle whatever comes without impacting the mission. Knowing that you have a better than average chance of seeing events before they can do real damage, you can respond to mitigate the attack,  forcing the attacker to work for whatever they get, and in the worst-case, you can reconstitute quickly and efficiently provide real confidence in your computing environments. It also provides the confidence to just say no to ransom demands. Paying a ransom only guarantees a positive outcome for the attacker, which just further incentivizes them to go after others. Spend that money elsewhere like better defenses, better warning, better responding or better recovery.

Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.


The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/article/cybersecurity/just-say-no-0
/news-item/cybersecurity/health-first-data-breach-exposes-information-42k-patients

Health First Data Breach Exposes Information of 42K Patients

November 15, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

A data breach at Florida-based Health First exposed the personal information of some 42,000 patients, according to various industry media reports this week.

The website DataBreaches.net reported that in early October, the healthcare provider Health First notified the Department of Health & Human Services (HHS) of a breach that affected 42,000 patients.  The breach actually occurred earlier in the year, however, between February and May 2018, according to the report, which received a statement from the organization’s senior vice president, consumer and retail services.

The Health First executive noted that “a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information. The criminals were able to gain access of these employees’ email accounts for a limited period of time.”

Health First officials also told Florida Today this week that the data breach “was fairly low-level, though it could have included some customers' Social Security numbers. Mostly it appears to have involved information such as addresses and birth dates. No medical information was compromised,” according to this report.

Phishing attacks continue to plague the healthcare industry; the single largest breach this year was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. That said, cybersecurity professionals are still looking for more advanced ways to get out in front of these attacks, as healthcare has traditionally lagged behind other industries in in phishing resiliency.

More From Healthcare Informatics

/webinar/components-strong-cybersecurity-program-closer-look-endpoint-security-best-practices

Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Tuesday, December 18, 2018 | 1:00 p.m. ET, 12:00 p.m. CT

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of endpoints.

Attend this session to learn why it's more important than ever for healthcare organizations to actively manage their full range of endpoints, endpoint security best practices, and how your endpoint management strategy may need to evolve over time.

Related Insights For: Cybersecurity

/news-item/cybersecurity/44m-patient-records-breached-q3-2018-protenus-finds

4.4M Patient Records Breached in Q3 2018, Protenus Finds

November 7, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

There were 117 disclosed health data breaches in the third quarter of 2018, leading to 4.4 million patient records breached, according to the Q3 Protenus Breach Barometer report.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the most recent data shows that although the number of incidents disclosed in Q3 decreased somewhat from Q2, the number of breached records increased from Q2 to Q3. Also, the number of affected patient records has continued to climb each quarter in 2018—from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.

In Q3, the report noted that the single largest breach was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. Hackers used phishing techniques, “official-looking emails”, to gain access to the organization’s email system and capture employees’ passwords. This new incident follows one that took place at the same organization in April when 16,400 patient records were breached as a result of another phishing attack.

For incidents disclosed to HHS (the Department of Health & Human Services) or the media, insiders were responsible for 23 percent of the total number of breaches in Q3 2018 (27 incidents). Details were disclosed for 21 of those incidents, affecting 680,117 patient records (15 percent of total breached patient records). For this analysis, insider incidents are characterized as either insider-error or insider-wrongdoing. The former includes accidents and other incidents without malicious intent that could be considered “human error.” 

There were 19 publicly disclosed incidents that involved insider-error between July and September 2018. Details were disclosed for 16 of these incidents, affecting 389,428 patient records. In contrast, eight incidents involved insider-wrongdoing, with data disclosed for five of these incidents.

Notably, when comparing each quarter in 2018, there has been a drastic increase in the number of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were about 4,600 affected patient records, in Q2 2018 there were just over 70,000 affected patient records, and in Q3 there were more than 290,000 affected patient records tied to insider-wrongdoing.

What’s more, the report found that hacking continues to threaten healthcare organizations, with another increase in incidents and affected patient records in the third quarter of 2018. Between July and September, there were 60 hacking incidents—51 percent of all Q3 2018 publicly disclosed incidents. Details were disclosed for 52 of those incidents, which affected almost 3.7 million patient records. Eight of those reported incidents specifically mentioned ransomware or malware, ten incidents mentioned a phishing attack, and two incidents mentioned another form of ransomware or extortion. However, it’s important to note that the number of hacking incidents and affected patient records have dropped considerably when comparing each month between July and September 2018.

Meanwhile, of the 117 health data breaches for which data was disclosed, it took an average of 402 days to discover a breach from when the breach occurred. The median discovery time was 51 days, and the longest incident to be discovered in Q3 2018 was due to insider-wrongdoing at a Virginia-based healthcare organization. This specific incident occurred when an employee accessed thousands of medical records over the course of their 15-year employment.

See more on Cybersecurity

betebettipobetngsbahis bahis siteleringsbahis