To Improve Health IT Security, Recognize the Importance of Privilege
March 9, 2017 | Security and Risk | Gerrit Lansing
The increased use of electronic medical records and rapid advances in healthcare technology have made hospitals target-rich environments for hackers. Unfortunately, the maturity of hospitals’ cyber security programs is often years behind that of other technology-dependent sectors, such as financial services. It’s no surprise that cyber security was a prominent topic at this year’s HIMSS conference.
In our conversations with industry professionals, we hear a widespread concern about the security posture at their hospitals. Outdated and unsupported software, inadequate resources, a lack of executive support, cultural resistance, and rapidly evolving technology have left hospitals vulnerable to attacks such as the ransomware exploit that forced Hollywood Presbyterian Medical Center to pay a $17,000 ransom to regain access to its network last year.
The problem is not limited to ransomware or network access. Poor cyber security hygiene makes networked medical devices on the hospital floor vulnerable to breaches, potentially putting patients’ health and lives in the hands of intruders. Properly managing access to privileged accounts and critical devices can mitigate risk and significantly boost hospitals’ cyber security posture.
The healthcare environment
Hospitals and medical centers are complex environments where advanced technology is supported by networks that were not wholly designed for it. Networked monitors, infusers, ventilators, etc. provide improved patient healthcare and reduce staff burden, and their deployment can increase the number of network endpoints by the thousands. The nature of these devices, which are critical to the health of patients, creates a conflict often seen between operational technologies and advanced security controls.
In a budget-conscious industry that struggles to control costs, decision makers without an understanding of IT often do not prioritize the critical task of cyber security. The mix of administrative, medical and technical users on the network also makes it difficult to get a stakeholder consensus on changes needed to improve security. This problem can be compounded in teaching hospitals, which, like most universities, emphasize access and sharing.
The privilege pathway
The importance of controlling access to privileged accounts on connected devices was demonstrated last year when a massive distributed denial-of-service (DDoS) attack was launched against Dyn, a provider of Internet services to Internet sites. It was reported that the attack was conducted using millions of Internet of Things devices compromised by the Mirai malware, which relied on factory-default user names and passwords to infect them.
These user names and passwords were easily available, and intruders were able to access and install Mirai malware on thousands of online devices such as digital video recorders and IP cameras. Because device owners did not change the default settings, the devices became part of a massive botnet used to launch DDoS attacks.
The impact of this risk goes beyond consumer devices and DDoS attacks. Privilege, the ability to use accounts that give users wide-ranging powers on a network and devices, is one of the first things an intruder looks for in an attack. Default administrative passwords are an easy way for intruders to get onto the privilege pathway, enabling them to complete their mission. This can put medical equipment on the hospital floor at risk of compromise, and the stakes with these devices are much greater and the threat more urgent.
Blocking the privilege pathway raises the bar for attackers by increasing the amount of effort and level of skills needed for a successful attack.
Mitigating the risk with good cyber security hygiene
Practicing good security hygiene in the form of proper password management is an effective way to reduce the risk from a breach. Managing access privileges does not mean denying them. Ensuring that default passwords are not being used, that administrative passwords are not being shared, and that all passwords are properly managed secures privileged accounts without disrupting access by those who need it.
This can be done without changing processes or disrupting established procedures. CyberArk has developed a powerful, modular technology platform that provides a comprehensive Privileged Account Security Solution to address this threat, enabling healthcare organizations to take a painless first step in maturing IT security.