
Healthcare’s Biggest Cybersecurity Blind Spots and Misconceptions

While awareness of the threats facing the healthcare sector has improved, providers have inherent blindspots and misconceptions leaving them exposed to a host of cybersecurity risks.


By Jessica Davis

Threat actors are moving at a drastic pace and with stealthy tactics able to hide their activities from system administrators. The truth is that healthcare is struggling with some massive cybersecurity blindspots and misconceptions, making it extremely difficult to keep pace.

Data exfiltration and extortion was once seen as a rare worst-case scenario, but now it’s occurring in the majority of ransomware attacks. Meanwhile, reports show an increasing number of attacks targeting a range of newly disclosed vulnerabilities, along with legacy security gaps that administrators have overlooked and failed to patch.

A brief look at the four zero-day vulnerabilities in Microsoft Exchange and the ease in which advanced persistent threat actors are actively exploiting the flaws highlight the ever-bleak threat landscape and the need for highly advanced cyber posture.

And as the supply-chain attacks against Accellion’s File Transfer Appliance (FTA) and SolarWinds Orion demonstrate, just one hack can have a dramatic, rippling effect across multiple entities.

On the whole, healthcare has always been behind the curve in terms of resources and, in previous years, awareness was lacking. Breaches are commonplace in the sector, but on the whole many are caused not by a lack of security but by the struggle to keep pace.


Though the tides have somewhat shifted, and it appears most understand that the threat is real and data breaches are nearly inevitable, what’s holding back the sector from a more effective defense strategy?

Blindspots and Misconceptions

For Mitch Parker, Indiana University Health’s executive director of information services, the three major gaps not being addressed in healthcare are supply chain security, organizational integration, and physical security.

“In general, healthcare needs to do a better job communicating between siloed areas, specifically facilities, physical security, pharmacy, revenue cycle, environmental services, and even areas such as gift shops,” Parker explained. 

“These operational areas all work from the same physical locations,” he added. “We can't do our job of securing the environment without working together and coordinating our efforts so that we can develop plans to secure what is currently being used, and then developing plans to install more secure products.”

It’s not enough to tackle just one element, like EHR, API, or application security and think the task is done, he added. Instead, providers should examine the complete list of customer needs, then develop a plan to address those areas.


APT threat actors and other attackers are aggressively targeting the sector, which is well-known. Thus, providers need to look at both short-term and long-term risks, explained Kayne McGladrey, IEEE Senior Member.

Overall, there are three key areas that are inconsistently handled within the sector: tabletop exercises, structural walkthroughs, and anything to do with incident response plans. Administrators need to dust off incident response plans before an attack to ensure they’re ready when the inevitable occurs.


Without a practiced plan in place, workforce members tend to panic when systems are shut down, said McGladrey. By testing software systems and processes ahead of an incident, including staff assignments during the emergency scenario, the team can function during an attack with fewer stressors.

But to truly move the needle, providers need to be actively reviewing incident logs and using other threat hunting mechanisms, instead of taking a passive approach to securing the enterprise. These are the steps mature enterprises are taking to improve their posture.

Vulnerability management is also a key blindspot in healthcare. Without tackling those security gaps, McGladrey explained, it’s impossible to understand new traffic patterns.

“Before an attack campaign, hackers get in the room and make a plan of attack,” McGladrey said. “They don’t get on the network and then call it a day. They break in and move immediately, as far as they can onto the network… as seen with the Microsoft Exchange attacks.”

Where to Prioritize and Recommended Tech

The current threat landscape demands healthcare providers take immediate action before joining the growing list of breached organizations. Parker explained that providers need to first have a grasp on their asset inventory, a complete list of vendors, and who's responsible for tackling internal risks.

In the long term, healthcare providers need a plan to assess and address third-party risks, making sure to ask vendors how they are protecting their products throughout the lifecycle, as well as their plan for protecting the integrity of product updates.

But perhaps the most critical step is to perform a risk assessment, if an entity has not yet done so, explained Parker. The Office of the National Coordinator previously released a thorough System Readiness Assessment (SRA) tool that can get entities started on the process.

“Go through the assessment and see where your opportunities for improvement lie,” he added. “Then develop a gap analysis and plan to address these opportunities. Don't try to do everything at once: Build a good long-range plan to do so, [as] there is no magic bullet.”

For McGladrey, risk and harm reduction are the top two areas providers need to focus on, despite its limitations. One of the most basic places to start is to ensure no systems are operating on Windows 7. It’s universally agreed that the unsupported tech is a huge security risk.

Despite this, few healthcare entities actually have a complete inventory of devices and software packages operating on the network, including which ones are no longer supported.

Multiple security leaders have previously told HealthITSecurity that when performing asset and inventory processes for clients, the number of devices operating on the network at any given time is significantly higher than the estimated amount provided by the entity.


In short, many entities are completely unaware of just what is running on the network, let alone which of those systems are running vulnerable tech.

“All organizations should pursue doing a complete inventory because if you don't have a comprehensive inventory of what’s running in your environment, it’s hard to respond to recent incidents,” said McGladrey.

“With the Holiday Bear/SolarWinds incident, there were organizations that didn’t know that they were running [the vulnerable tech],” he added. “The same situation arose with Microsoft Exchange, there were organizations that didn't know if they had the tech. The time spent in that investigation is time lost for an effective remediation.”

On the lower end, McGladrey added that entities need an inventory for all software and automated or persistent scanning. Organizations leveraging these processes are doing better than the vast majority of their colleagues.

After identifying technologies that are no longer supported, administrators also need to determine how to effectively isolate the vulnerable tech from the main network, through segmentation or a network enclave to make sure they’re no longer accessible to the network or public-facing endpoints.
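The three steps McGladrey describes above, building a complete inventory, finding what is no longer supported, and confirming that unsupported systems are isolated in an enclave, can be checked mechanically once the data exists. The script below is an added example, not code from the article or from any of the people or organizations quoted in it. It reconciles a declared asset inventory against discovery-scan results (the gap that security leaders describe, where scans turn up more hosts than the entity estimated), flags hosts whose operating system has passed its end-of-support date, and reports any such host that sits outside the legacy enclave. The hostnames, IP addresses, the enclave range `10.10.200.0/24`, the report date and the end-of-support table are all constructed sample values for the example; the real end-of-support dates should be taken from the vendor's lifecycle documentation.

```python
"""Reconcile a declared asset inventory with scan results and flag unsupported
hosts that are not segmented into the legacy enclave.

Added example with constructed data; not the article's or any vendor's code.
"""
import csv
import io
import ipaddress
from datetime import date
from typing import Dict, List

# Constructed: what the organization believes is on its network.
DECLARED_INVENTORY_CSV = """hostname,ip,os,owner
ehr-app-01,10.10.1.10,Windows Server 2016,Clinical IT
infusion-ws-03,10.10.5.21,Windows 7,Pharmacy
radiology-pacs,10.10.7.5,Windows Server 2008 R2,Radiology
lab-analyzer-02,10.10.3.9,Windows 10,Laboratory
legacy-ct-console,10.10.200.7,Windows 7,Radiology
"""

# Constructed: what a discovery scan actually observed (one row per live IP).
SCAN_RESULTS_CSV = """ip,os_fingerprint
10.10.1.10,Windows Server 2016
10.10.5.21,Windows 7
10.10.7.5,Windows Server 2008 R2
10.10.5.44,Windows 7
10.10.9.8,Linux 4.x
10.10.200.7,Windows 7
"""

# Assumed end-of-support dates for the example; verify against vendor lifecycle pages.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Assumed: the isolated network enclave where unsupported systems are allowed to live.
LEGACY_ENCLAVE = "10.10.200.0/24"
# Assumed report date for the example.
REPORT_DATE = date(2021, 3, 15)


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Parse an inline CSV document into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def is_unsupported(os_name: str, today: date) -> bool:
    """True when the OS has a known end-of-support date that has already passed."""
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and today >= eos


def reconcile(declared: List[Dict[str, str]], scanned: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Compare declared IPs with scanned IPs: hosts the inventory misses, and
    declared hosts the scan did not see (possibly offline or mis-recorded)."""
    declared_ips = {row["ip"] for row in declared}
    scanned_ips = {row["ip"] for row in scanned}
    return {
        "undeclared": sorted(scanned_ips - declared_ips, key=ipaddress.ip_address),
        "missing": sorted(declared_ips - scanned_ips, key=ipaddress.ip_address),
    }


def unsegmented_eol_hosts(scanned: List[Dict[str, str]], enclave: str, today: date) -> List[str]:
    """IPs running an unsupported OS that are NOT inside the legacy enclave."""
    net = ipaddress.ip_network(enclave)
    hits = [
        row["ip"]
        for row in scanned
        if is_unsupported(row["os_fingerprint"], today)
        and ipaddress.ip_address(row["ip"]) not in net
    ]
    return sorted(hits, key=ipaddress.ip_address)


def build_report(today: date = REPORT_DATE, enclave: str = LEGACY_ENCLAVE) -> Dict[str, object]:
    """Run the full reconciliation and return a summary dictionary."""
    declared = parse_csv(DECLARED_INVENTORY_CSV)
    scanned = parse_csv(SCAN_RESULTS_CSV)
    report: Dict[str, object] = dict(reconcile(declared, scanned))
    report["unsegmented_eol"] = unsegmented_eol_hosts(scanned, enclave, today)
    report["declared_count"] = len(declared)
    report["scanned_count"] = len(scanned)
    return report


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

With the constructed data the scan sees six hosts against five declared, two of them unknown to the inventory, and three unsupported hosts remain on the main network while the Windows 7 console inside the enclave is correctly left alone. In practice the two CSV inputs would come from the CMDB export and the scanner, and the report would feed a ticket per undeclared or unsegmented host rather than a printout.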

Automation is a “moral responsibility [for] those organizations with personally identifiable information and protected health information,” lest they make it easy for threat actors to steal and publish stolen data, McGladrey added.

Frankly, it’s not a high-cost solution and attempting to do it manually is a futile task.

For Brett Callow, Emsisoft Threat Analyst, the single biggest step healthcare providers can take to improve their security posture is to use multi-factor authentication on every applicable endpoint. Microsoft data previously found MFA blocks 99.9 percent of all automated attacks.

The second-most important task is to retire any systems that are too old to support MFA and replace them with newer systems that can support it.

“The importance of MFA cannot be overstated: using it will not only prevent most automated attacks, but may also lessen the scope of any attacks which do succeed,” Callow added. “MFA should not, however, be considered to be a silver bullet. It isn’t.” 

“For example, in 2019 the FBI warned that threat actors had been observed ‘circumventing multi-factor authentication through common social engineering and technical attacks,’” he continued. “So all the other security 101s remain as critical as ever: patch promptly, disable PowerShell when not needed, conduct security awareness training, etc.”

If healthcare providers can employ these basic and necessary steps, proactively investing in security, Callow stressed that the enterprise will be significantly more secure.

McGladrey added that providers should also map out statutes and regulatory controls to determine the compliance areas they need to meet, then map those elements to a chosen industry-standard framework with the needed, critical security controls.

Then, providers should do a gap analysis to find out the areas they’re getting right, as well as the steps needed to move the needle on overall security. McGladrey added that the analysis will also show where a third-party may need to come in to fully secure the network.

“There’s not a one-size-fits-all approach to securing healthcare,” McGladrey said. “All organizations are doing the best they can, working hard against insurmountable odds. It’s important to respect and understand not where they are relative to the standard, but how they’ve improved over time.”

“But ultimately, if you don't know where data are and controls that exist on your network, there’s no tech that can fix the overall risk,” he added.