Kayne McGladrey (@kaynemcgladrey) is a member of the Institute of Electrical and Electronics Engineers and the information security services director at Integral Partners with more than 20 years of experience in cybersecurity and identity and access management across financial, health-care, retail, government, and manufacturing organizations worldwide.
The siege against health-care organizations by cybersecurity threat actors continues in 2018 and shows no sign of relenting. Health care is a target-rich environment from a threat actor perspective because of three primary challenges associated with cybersecurity programs. This article examines the three most common symptoms of an ailing cybersecurity culture and provides preventative guidance to avoid the most common disorders.
Health-care organizations exist to provide medical services to people in need, focusing particularly on lifesaving and life-extending techniques and technologies. Doctors, nurses, emergency medical technicians, and other medical professionals hold high ethical standards for patient care, and these standards often are at odds with the purpose of cybersecurity products. If a patient is bleeding out on an operating table, the EMT and physician will not tolerate the delay caused by a nurse needing to provide extra authentication credentials, swipe a badge, or otherwise shift his or her focus from the primary mission. This difference in mission, between saving lives and providing a safe and secure digital working environment, must be addressed with sensitivity and flexibility.
The current regulatory environment for health-care organizations places a high value on personal health information (PHI). The average cost per leaked PHI record to health-care organizations was $402, according to the 2016 Bitglass Healthcare Breach Report. However, the dark web market value of PHI has cratered, according to cybersecurity firm Flashpoint. Each full PHI record sold for an average of $75 to $100 in 2015. That fell to $20 to $50 in 2016, and $0.50 to $1 per record in 2017. The regulatory controls established by the Health Insurance Portability and Accountability Act of 1996 do not reflect this new market reality, but attackers have changed their techniques to maintain their profit margins. For example, the HEX-Men attack of 2017 brute-forced MySQL and Microsoft SQL Server database passwords to deploy cryptocurrency miners. These programs were more easily monetized from a threat actor’s viewpoint, at the risk of causing a visible performance degradation which could affect the quality and speed of patient care.
Health-care organizations often have unique use cases from a networking perspective, particularly with machines that may have periodic or no access to a centralized authentication service. The tendency with this use case is to set a static administrative password for these disconnected systems, and in the worst examples, that administrative password is shared across a good deal of administrative staff and never changed. A static administrative password is a jackpot from a threat actor’s perspective, particularly when that password is identical across many systems.
Thankfully, these are all preventable problems with a combination of sensitivity to the unique nature of health care and the appropriate use of existing technologies.
Think Like an End User
When planning a cybersecurity program, the program sponsor should reach out to the doctors, nurses, EMTs, and other future end users of the program to identify potential risks and concerns about the adoption of any new cybersecurity technology. The sponsors and technical staff should have a goal of partnering with their end users to set up a continuous feedback cycle. This exercise identifies use cases and allows for a pilot of those use cases with the end users in a limited environment before rolling the program out to a larger group.
For example, a health-care provider was considering the deployment of multi-factor authentication (MFA) when accessing patient records. The program sponsor identified an initial test group of doctors and showed them the new proposed workflow, which would force the doctor to provide a fingerprint or type a six-digit code when accessing a new patient record. The blistering feedback from the doctors was overwhelmingly negative, and they asserted that the program owner did not understand their day-to-day jobs. One group of doctors correctly pointed out that it is not possible to provide a fingerprint when wearing latex-free gloves. The other group asserted that the additional five to 10 seconds spent typing would result in more than two hours of lost productivity each month and the six-digit code could be better spent on patient care.
Instead of moving ahead with a disastrous deployment of MFA, the cybersecurity team changed its implementation goals. Instead of forcing MFA on all operations, the team configured user behavior analytics to require MFA only if the doctor was doing something unusual. For example, if the doctor worked in a clinic from 9 a.m. to 6 p.m. daily, Monday to Friday, he or she would not be prompted for a second factor of authentication. However, if the doctor was accessing PHI outside of his or her normal routine, such as from a remote location, the system would force MFA. The team also used interactive voice response (IVR) MFA, which allowed doctors to answer a phone call at a designated number if they could not provide a fingerprint.
Updated Attacker Profit Models
With the plummeting value of PHI on the dark web, the profit model for threat actors has changed, and health-care providers must change with it while maintaining HIPAA regulatory compliance. Health-care providers should focus on securing administrative credentials on key infrastructure to avoid cryptocurrency mining and ransomware attacks. To protect against brute-force credential stuffing attacks against infrastructure such as databases, these organizations should incorporate a Privileged Access Management (PAM) solution into their cybersecurity program. The PAM solution will automatically rotate the passwords of database and service accounts on a schedule with no human interaction required. Allowed staff can then request the password for an account, and the password will be rotated after their request has expired. This automated credential rotation prevents a threat actor from reusing legitimate hardware as attack infrastructure, and further improves HIPAA compliance.
Another health-care provider on the west coast planned on deploying a PAM solution to protect service and database accounts. This project at first required scanning all the computer infrastructure to identify potential accounts and the last date of a password change for those services. What they found was startling: Service account passwords had an average lifetime of more than five years. What was not surprising was the level of initial concern and resistance from the information technology teams charged with maintaining those infrastructure services. Again, the cybersecurity team acted with sensitivity to the valid concerns of the IT team and migrated service and database accounts using a phased approach, with plenty of time for feedback from application and service owners. This incremental approach was successful in onboarding and securing these critical accounts against credential stuffing and insider attacks.
A similar solution can be applied for periodically disconnected health-care systems that may not be able to use a centralized authentication store. Instead of setting the same administrative login password everywhere, a PAM solution was deployed to push password updates to those disconnected systems. Technicians who planned on working on these systems could set their own password before heading into the field for the day, but those credentials would be automatically reset after 12 hours to prevent a threat actor from reusing the password later.
Health-care hacking incidents increasing 24 percent in 2017, according to CryptoniteNXT. But all is not lost. With the right combination of sensitive planning and a long-term strategy to deploy appropriate cybersecurity technologies, health-care providers can provide both a safe digital working environment and first-rate patient care in 2018 and beyond.
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.