Mitnick then gave several demonstrations that should chill every IT executive in healthcare. He showed how easily skilled hackers penetrate organizational networks of all kinds, and how easily they defeat individual consumers' defenses, taking over their social media accounts, credit card accounts, and other personal spaces, and then using that foothold to gain access to organizational networks. In minutes, his live demonstrations showed the audience how readily a skilled attacker can get past nearly every kind of defense imaginable.
Following his live hacking demos, Mitnick responded to audience questions. The first question was: what would be the first thing he would do if he were hired into a healthcare CIO position? "The first thing I would assess is," Mitnick said, "that I'd be really concerned about protecting HIPAA data; I'd want to make sure my network was segmented. My skill set is attack and defense, not management," he emphasized. "Given that, I would look into architecting the network, and making sure the data is properly segmented, that you have good authentication and audit controls on that data, so if it's accessed, you can quickly detect where. I recently did a pen-test for an organization, and we were quickly able to penetrate their entire network, because there was no segmentation whatsoever. That's one of the first areas."
The second audience question: there will always be an exploitable human error, so how do we protect against threats when humans are involved? "Obviously, with regard to any attacks that target the human element, it's really important to educate the people who are using and operating your systems, about the latest threats," Mitnick emphasized. And in a lot of cases, a successful hack "requires the victim to do something, like tricking them into installing an update, before the exploit can take place. So I would do a show-and-tell every once in a while, to keep them involved."
Do you think the federal government should get involved? one audience member wanted to know. "I'm not really a proponent of federal regulation of anything, given my experience" with investigation and incarceration, Mitnick said, to laughter. "I think companies really need to take this into their own hands. You need to take security into your own hands, and manage it properly, and do it well enough that you're deflecting 80-85 percent of the attacks out there."
Do you think the use of ransomware or malware has peaked, or will we see a rise? another audience member wanted to know. "I definitely am seeing an increase in ransomware, and of new, more sophisticated versions of ransomware. I recently was working with an oil and gas company; and it turned out that during one of our pen-tests, an employee opened a phish that claimed to be a credit card company's email. The employee installed a Java update that installed ransomware, but fortunately, the company was able to restore quickly, to the backup of the night before."
And, another audience member asked, should healthcare IT leaders use multi-factor authentication in their organizations? “Absolutely,” Mitnick said. “Will it stop all attacks? No, because hackers can steal session keys and can bypass two-factor authentication. Two-factor authentication usually works very well at the front door. But sophisticated hackers can still get in. But you should absolutely install two-factor authentication.”
Finally, asked for the one piece of advice he would leave with the audience, Mitnick responded, "You can always mature your security processes. You can segment your network. You can make sure that people connecting to you use a VPN. You can enforce two-factor authentication. You can take the steps necessary to make you a harder target, so that the bad guys can go to another company that doesn't use rigorous security controls."
Shortly before Mitnick's opening keynote presentation, CHIME president and CEO Russell P. Branzell referenced a cybersecurity survey that the association was set to publish on Sunday. Branzell noted one key survey result: that, even now in 2017, fewer than 50 percent of the organizations whose CIOs were surveyed had hired a full-time chief information security officer (CISO).