The executive team was confident their 2,453 bed integrated delivery network was secure, especially since they had invested heavily in a solid perimeter. Their engineers implemented a “defense in depth” strategy with redundant systems and internal segmentation of all 16 compartments in the unlikely event of a perimeter breach. They were so confident in their system that they didn’t implement a full disaster recovery strategy, thinking that no more than 40 percent of the resources would require assistance at a time. This overconfidence was fueled by an under-scoped and incomplete risk assessment, which in turn produced inadequate planning and, thanks to Murphy’s Law, ultimately led to disaster.
There are eight lessons healthcare organizations can learn from this incident.
1. Understand the organizational context
Board members and senior executives need to fully understand the context of their organization so that a complete risk assessment can be performed. This includes understanding the location and criticality of all sensitive systems needed to deliver care. It also means understanding all internal and external dependencies, such as knowing the status of other dependent organizations’ security controls. Within the healthcare community, covered entities and business associates should avoid fixating on the protection of Personal Health Information (PHI) while ignoring other critical systems such as biomedical devices, supervisory control and data acquisition (SCADA) controls, and physical access security. These have vulnerabilities that, if not addressed, can be used to access sensitive data. Healthcare organizations are not immune to breaches and hacking of valuable assets, such as financial and employee data, or even email lists which can be used for ransomware attacks. Risks also exist in interconnected supporting organizations, such as business associates and affiliated physician groups where compliance teams can have a difficult time defining perimeters and the overall scope of a security management program.
2. Implement a defense in depth strategy
Defense in depth strategies are used to prevent catastrophic system failure in case the perimeter is breached. Firewalls alone are increasingly insufficient as the enterprise has expanded to include things like bring your own device (BYOD), Internet of Things (IoT) devices, and increased demand for mobile equipment connectivity. One defense in depth strategy is to provide system administrators with two user accounts – one privileged account to manage servers, network, and firewalls, and a separate, unprivileged one for routine administrative activities. This helps isolate critical accounts from phishing schemes and malware infections originating from malicious email and Internet websites. CIOs can also employ separate networks for PHI, SCADA and payment card systems, and network-aware biomedical devices. Breaches of clinical systems have occurred that started with HVAC, CCTV and payment systems being compromised first; proper use of network and account segmentation can limit the damage following such an incident.
3. Integrate automated threat detection with staff checkpoints
Early threat detection capabilities are most effective when technology and procedures are tightly integrated so that staff can react to security incidents before serious harm is done. Anti-virus software can stop most known threats but requires frequent (even hourly) updates. Other technologies such as next-generation firewalls, heuristic-based malware protection, and intrusion detection/prevention systems (IDS/IPS) are needed to monitor and react to alerts in near real time. While this technology is important, it does not replace the need for a human in the loop to isolate and respond to imminent threats.
4. Routinely test the perimeter
Understanding how the perimeter will react when stressed, specifically when targeted by hackers and groups using social engineering to exploit the network, is important so that vulnerabilities can be identified and addressed. External and internal vulnerability scans, as well as periodic penetration tests, serve to find holes that could otherwise be exploited into bigger problems. Since threat awareness has been identified as one of the most serious security weaknesses, anti-phishing exercises can help identify staff blind spots.
5. Develop realistic disaster recovery plans
Disaster recovery plans need to be realistic and well-practiced in case the perimeter is breached. While tabletop exercises can provide valuable training to key personnel, these generally do not provide the operations staff with the necessary experience of recovering systems while under stress. The limited scope of tabletop exercises can create a false sense of security for the executive team, ultimately undermining the business case for better disaster planning and investments. Disaster recovery plans are not static and need to be updated frequently to respond to new threats. For example, the prevalence of ransomware has refocused the need for frequent offline backups that will be available following an attack as online or mirrored backups may also be compromised.
6. Ensure a communication plan for leadership is in place
A defined communication plan to quickly alert executive leadership is critical in the event of a breach. Valuable time can often be lost trying to confirm the cause of a failure rather than immediately sounding the alarm. Executives can overcome organizational inertia and the desire to follow the “chain of command” by encouraging individuals who discover anomalies to communicate directly with senior decision makers. Healthcare organizations may want to implement hotlines, with anonymous reporting capabilities, to encourage quick reactions that limit damage and get the organization on a recovery path sooner.
7. Avoid minimally compliant goals through continuous improvement
Executives should recognize that dated security standards are no longer adequate to protect covered entities against today’s threat environment. They should define and communicate that security and compliance objectives must address all current legal, regulatory and contractual requirements as well as known threats. For example, HIPAA was published in 1996, and since then ransomware and malware have been used frequently by organized crime groups, nation-states, and politically motivated actors in ways that were not imagined two decades ago. The more common standard for security in healthcare today is the NIST CSF; the HIPAA security rule covers only 19 of the elements contained in the CSF. The myth of a “secured perimeter” is becoming outdated, as BYOD, IoT, and interdependencies between interconnected covered entities have blurred traditional boundaries. Adopting continuous improvement as a measurable performance goal helps insulate healthcare organizations from stagnation.
8. Develop a formal risk management process
Finally, executives should be fully engaged in the risk management process. Every incident that negatively impacts confidentiality, integrity, or availability should have a root cause analysis performed. For the integrated delivery network’s disaster referred to in the introduction, the root cause can be traced back to an under-scoped risk assessment, managers who misunderstood and even downplayed the impact of critical risks, and a lack of executive leadership that allowed risk management decisions to be made too low in the management hierarchy. Those same lower-level managers identified the risks, but their overconfidence in legacy technology led to poor design decisions. In the end, the “system” was ill-prepared to respond to a visible threat because of organizational inertia, even though the threat was identified before the attack.
The executives in this specific example never had an opportunity to learn how newer technologies, quicker communications, avoiding unnecessary risks, and better planning could all have saved them. Without warning and only weeks after launch, a small perimeter breach quickly escalated into a catastrophic event. The alerting system detected the threat before the initial breach, but the communications process was not able to alert executives to change course. A root cause analysis later proved that internal segmentation was not designed to adequately contain the breach once it occurred, so the internal damage control systems were overwhelmed. After the threat successfully breached the perimeter, calls for external assistance were unable to reach outside help because the regulations at the time were decades behind current technology.
Thus no one was listening for a distress call in the middle of the night. When the executives recognized what was lost, they also understood that their disaster recovery plan, i.e., the number of lifeboats, did not have the capacity to save all the passengers and crew. So, on that cold April night over 105 years ago, 2,224 users learned that a small hole in the perimeter, totaling just 1.1 square meters, was enough to sink the Titanic in two hours.
About the Author: Clyde Hewitt, CISSP, CHS is vice president of security strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cybersecurity to his position with CynergisTek, where his many responsibilities include being the senior security advisor and client executive, thought leader and developer of strategic direction for information and cybersecurity services, nationwide business development lead for security services, and contributor to CynergisTek’s industry outreach and educational events.