Many healthcare organizations use VMware technology on both the front and back ends of their technical infrastructure, so the company’s recently released patches for vulnerabilities in vCenter, ESX and ESXi may have security consequences for some organizations.
Exploitation of these vulnerabilities, according to VMware, may have led to hackers gaining access to EHR or other clinical data without valid credentials and caused a Denial of Service of the hostd-vmdb service, for example. To correct the issue and reduce the likelihood of exploitation, VMware said that vSphere components should be deployed on an isolated management network. Comprehensive security as part of virtual infrastructure management, with fine-grained access controls enforced over every action and role-based monitoring to detect potential threats in an environment, is critical, according to Eric Chiu, president & co-founder of HyTrust.
When asked whether he thinks most healthcare organizations would be aware of these patched vulnerabilities, Chiu explained that most teams that manage the virtual infrastructure for these organizations should know about them.
However, I do not believe that there is enough awareness at higher levels around the concentration of risk and potential for catastrophic failure that virtualization and cloud introduce — unfettered access to any application in the cloud, ability to copy every virtual machine with PHI information without being detected, and the ability to delete the entire data center in a matter of minutes.
Chiu disagrees with the notion that, because many healthcare breach incidents seemingly involve human error such as laptop theft rather than technical hacking, healthcare organizations shouldn’t be as concerned about patched vulnerabilities. In fact, Chiu argues that major technical breaches are happening more frequently and in greater size. He cited non-healthcare breaches such as Adobe, with 38 million customers’ records compromised and source code of its most popular products stolen, and Vodafone, with 2 million customer records stolen.
All these massive breaches involved insider threats which can be exploited by outside attackers posing as insiders, as well as malicious employees. Virtualization and cloud make the problem worse because instead of stealing specific files, you can copy entire virtual machines without detection. Essentially, if an attacker has administrative rights for virtual infrastructure, it is game over for the company.
As for what healthcare organizations can do to mitigate these risks, Chiu maintains that organizations should take an inside-out security approach and assume the hackers are already on their network. “With this assumption, make sure that access to sensitive data and systems has proper controls and role-based monitoring to protect against outside attackers and malicious employees,” he said. “And ensure that you have the proper data security and privacy for your critical applications and workloads.”