By Sam Cooks, Vice President/Chief Information Security Officer
Hospitals are among those under assault from hackers.
According to an article this summer in Crain’s Health Pulse, health care providers, health plans and related business associates have reported a record number of data breaches in the first six months of 2021 as the pandemic resulted in new cybersecurity shortcomings. The health care sector is considered a top target for hackers because health records contain valuable personal information, such as social security numbers. An expert at the Greater New York Hospital Association attributed the rise in breaches to three factors: the pandemic’s strain on health care infrastructure, increased coordination by hackers and the rise of hard-to-track cryptocurrencies. “There are several large, well-resourced organizations that have developed lucrative operations worldwide with armies of small-time hackers attacking many multiple targets at a time,” she said.
Cyberattacks on health care systems have not come without consequences. According to an article in The Wall Street Journal, “a ransomware attack on a national hospital chain nearly brought Las Vegas hospitals to their knees. Another attack in Oregon abruptly shut down alerts tied to patient monitors tracking vital signs. In New York, one county’s only trauma center briefly closed to ambulances, with the nearest alternative 90 miles away.”
Sam Cooks, Vice President and Chief Information Security Officer at SBH Health System, sent staff email blasts during the summer warning against In Fear of Cyberattacks By Sam Cooks, Vice President/Chief Information Security Officer increased cyberattacks and Ransomware activity. Below is an article he wrote for SBH Medicine.
The lion’s share of breaches that lead to data leakage start with a preventable event. These preventable events generally fall into two categories: Software vulnerabilities or failure to protect passwords. The SBH security team consistently works to identify software vulnerabilities and patch them as quickly as possible. Microsoft has begun to do a good job in identifying flaws in their software and alerting the public about those flaws. They also provide mitigations when patches are not quickly available. The key is to PAY ATTENTION to Microsoft’s missives.
Colonial Pipeline | Password leakage |
Facebook, Instagram | Password leakage |
US Federal Government Software | vulnerability (third party-SolarWinds) |
T-Mobile Password leakage | via SIM stealing |
Patch management is one of Microsoft’s highest recommendations. That is until a zero-day vulnerability is discovered. Zero-day vulnerabilities are flaws in applications or operating systems that the software provider has not created a patch to resolve. One of the most widespread zero-day vulnerabilities was discovered back in April of this year. Microsoft disclosed that a flaw in “Microsoft Exchange” (the most widely used email server in the world) allowed an attacker to gain access to an exchange server and run arbitrary code. By the time Microsoft released the patch, hundreds of businesses had been affected by the vulnerability causing thousands of hours of downtime. I’m sure you’ve heard many other horror stories, but for the most part, by the time these stories hit the news, the Microsoft insider community has already started developing mitigations through configuration changes.
The approach of the SBH IT department regarding providing access to clinical systems is singular. Clinical or financial software is never installed directly on user workstations. User workstations are used as portals to access backend servers. This approach reduces the attack surface a criminal has to gain access to our data. The example I generally use is having a very, very large house with only two entrances. You may have to carry your groceries an extra 30 or 40 feet to get to a door, but you sleep better at night knowing that with limited resources, you can protect those two doors. Keeping clinical and financial software off end user workstations also allows us to run updates to the backend systems in a much more streamlined fashion. The updates can occur in the background and in some cases without a full downtime (the system being updated will run with reduced system resources or functionality).
The failure to protect passwords is a challenge most organizations face. We are no different. Regardless of how many times you ask a user to change their password, a criminal can send an email and trick a user into sharing their just updated password. The future is NO PASSWORDS. Microsoft is pushing adoption of a password-less Windows environment by using “Hello” facial or biometric recognition. Sound costly? Yes, it is. Hardware and support costs will increase, but security will be greatly enhanced. For now, the use of Multi-Factor Authentication for remote access (you’ve all seen the DUO app and pop up) is our way of adding an additional layer of security to remote connections.
In order to help reduce the risk and fallout from password leakage, we follow the principal of least privilege. This means that users generally have just enough access to network resources to perform their daily tasks. If a user inadvertently leaks their password, the damage should be limited AND we should be able to see the anomalous activity quickly.
A good CISO is like a veterinarian. A vet can treat a dog, cat, bird or horse in the course of a single day. A good CISO understands that the “I” in CISO could stand for Infrastructure instead of Information. They must have complete knowledge of the interworkings of servers, storage, desktops and networking (not to mention policy) in order to properly protect their environment.
Some believe that when all information is free, there is no need to steal it and that arbitrary laws about protecting personal information have caused the rise in data theft. Well, until we live in a world where we no longer need to feel threatened about EVERYONE knowing EVERYTHING about us, Information Security is among the most important priorities of any organization.