News of Community Health Systems, Inc. (CHSI) experiencing a 4.5-million patient data breach sent ripples through the healthcare industry because of both the sheer scope of the incident and interest in how the hack occurred.
For a security director or CISO, learning the root cause of a major breach comes first; from there, they can decide how to react and which technologies and services they need to improve their security posture. Erik Devine, Chief Security Officer for Riverside Health, told HealthITSecurity.com that he has been looking for more information on the malware the hackers used, and there isn't much available so far. For example, Devine would want to find out whether the hackers had siphoned the data, whether the issue was an exploit of an old vulnerability, or whether it was a new, advanced type of malware that had just been developed.
My main concern is what hit them and how it entered. Was it through an entry point such as an internet portal or was it more of an end user error that was related to phishing? Hopefully, CHSI involving the authorities will mean that more light is shined upon the issue. But it will be interesting to see what comes out of that because the other recent incidents – healthcare related and non-healthcare related – involving technology haven’t told the full story of what actually happened. We often just hear “we found a virus and our systems are being cleaned” instead of what a breached organization really found.
The disappointing part, Devine said, is that without any real breach information, other organizations are left wondering what to do and whether their current security vendors are going to be up to the task of preventing a similar attack. With the caveat that no organization is ever 100 percent protected, Devine believes an organization should set a security baseline while constantly looking for new security technologies.
When asked what he plans to do to augment security if more information about the CHSI breach doesn't come out, Devine said that a lot of the work goes back to Riverside Health's risk assessment strategy, which he said has been beefed up along with its audit procedures. "We now have a full matrix revolving around risk within the IT department and are focused on giving senior leadership the ability to see what types of risks they have out there," he said.
Convincing senior leadership of what needs to be done has always been an organic part of a CSO's job, but being able to demonstrate what the risks are and how specific technologies can help is now more important than ever. For instance, Devine said his department will try to explain what Riverside's biggest risks are and whether they are increasing or decreasing. From there, they can tell leadership which risks have been stabilized through technology, education or policy.
You can’t just go to anybody and say that you have these really strong points to make and then try to make 15 [of them]. You need to pick the top three and explain what the organization needs to do and the costs related [to those products or services]. We’ve been pretty successful with that approach so far – we’re trying to sandbox some ideas to see if we can find some unknown attacks that are out there, such as some code that may have more risk than others.
With senior management's blessing, Devine explained, Riverside Health is beginning to look at more technologies that deal with Advanced Persistent Threats (APTs) and unknowns. Within the next quarter, Devine is looking to bring in web application firewalls, rather than just standard internet firewalls, and see what the technology can do for the organization. Additionally, Riverside is reviewing distributed denial-of-service (DDoS) technology so it can perform heuristic scanning and get ahead of the latest and greatest malware. "I'm assuming that's where the [CHSI hackers' malware] came from, so maybe if we had more heuristics and DDoS protection, we'd be able to really dive into the traffic, dump it into a sandbox and see what the traffic is doing," Devine said. "Hopefully, that would increase our endpoint security a little bit more."