[BreachExchange] 8 Lessons Learned on Perimeter Security for all Healthcare Executives

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 18 18:59:39 EST 2017


http://www.securityinfowatch.com/article/12382754/lessons-learned-on-perimeter-security-for-all-healthcare-executives

The executive team was confident their 2,453 bed integrated delivery
network was secure, especially since they invested heavily in a solid
perimeter. Their engineers implemented “a defense in depth” strategy with
redundant systems and internal segmentation of all 16 compartments in the
unlikely event of a perimeter breach. They were so confident of their
system that they didn’t implement a full disaster recovery strategy,
thinking that no more than 40 percent of the resources would require
assistance at a time. This overconfidence was fueled by an under-scoped and
incomplete risk assessment, which fueled inadequate planning, and thanks to
Murphy’s Law, ultimately led to disaster.

There are eight lessons healthcare organizations can learn from this
incident.

      1. Understand the organizational context

Board members and senior executives need to fully understand the context of
their organization so that a complete risk assessment can be performed.
This includes understanding the location and criticality of all sensitive
systems needed to deliver care. It also means understanding all internal
and external dependencies, such as knowing the status of other dependent
organizations’ security controls. Within the healthcare community, covered
entities and business associates should avoid fixating on the protection of
Personal Health Information (PHI) while ignoring other critical systems
such as biomedical devices, supervisory control and data acquisition
(SCADA) controls, and physical access security. These have vulnerabilities
that, if not addressed, can be used to access sensitive data. Healthcare
organizations are not immune to breaches and hacking of valuable assets,
such as financial and employee data, or even email lists which can be used
for ransomware attacks. Risks also exist in interconnected supporting
organizations, such as business associates and affiliated physician groups
where compliance teams can have a difficult time defining perimeters and
the overall scope of a security management program.

      2. Implement a defense in depth strategy

Defense in depth strategies are used to prevent catastrophic system failure
in case the perimeter is breached. Firewalls alone are increasingly
insufficient as the enterprise has expanded to include things like bring
your own device (BYOD), Internet of Things (IoT) devices, and increased
demand for mobile equipment connectivity. One defense in depth strategy is
to provide the system administrators with two user accounts – one
privileged to manage servers, network, and firewalls, and a separate one
for administrative activities. This helps isolate critical accounts from
phishing schemes and malware infections originating from malicious email
and Internet websites. CIOs can also employ separate networks for PHI,
SCADA and payment card systems, and network aware biomedical devices.
Breaches of clinical systems have started with HVAC, CCTV and payment
systems that were compromised first; proper use of network and account
segmentation can limit damage following an incident.
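The segmentation point above can be checked rather than assumed. The example below is added here and is not from the article: it models allowed flows between compartments as a directed graph and computes which crown-jewel compartments an intruder could reach from an initial foothold in HVAC, CCTV or payment systems. The compartment names and flow rules are constructed for illustration, not a real network.

```python
"""Blast-radius check for a segmented hospital network (added illustration)."""
from collections import deque

# Constructed example: (source, destination) means hosts in `source`
# are allowed to open connections to hosts in `destination`.
FLAT_NETWORK = [
    ("hvac", "clinical"), ("hvac", "phi_db"), ("cctv", "clinical"),
    ("payment", "phi_db"), ("clinical", "phi_db"), ("biomed", "clinical"),
    ("workstations", "clinical"), ("workstations", "phi_db"),
]

# Same organisation after segmentation: support systems only reach
# their own servers; only clinical systems reach the PHI database.
SEGMENTED_NETWORK = [
    ("hvac", "bms_server"),          # building management only
    ("cctv", "video_server"),        # video storage only
    ("payment", "payment_gateway"),  # payment card zone only
    ("biomed", "clinical"),          # devices report to clinical systems
    ("clinical", "phi_db"),          # EHR talks to the PHI database
    ("workstations", "clinical"),
]

CROWN_JEWELS = {"clinical", "phi_db"}


def reachable(flows, start):
    """Compartments reachable from `start` by following allowed flows (BFS)."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(flows, foothold, crown_jewels=CROWN_JEWELS):
    """Sorted list of crown-jewel compartments exposed by a compromise of `foothold`."""
    return sorted(reachable(flows, foothold) & set(crown_jewels))


if __name__ == "__main__":
    for name, flows in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        for foothold in ("hvac", "cctv", "payment"):
            print(f"{name:9s} foothold={foothold:8s} exposes {blast_radius(flows, foothold)}")
```

On the flat rules a foothold in HVAC or CCTV reaches both clinical systems and the PHI database; on the segmented rules none of the three support compartments reaches either.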

      3. Integrating automated threat detection with staff check-points

Early threat detection capabilities are most effective when technology and
procedures are tightly integrated to allow staff to react to security
incidents before serious harm is done. Anti-virus software can stop most
known threats but requires frequent (even hourly) updates. Other
technologies such as next-generation firewalls, heuristic-based malware
protection, and intrusion detection/prevention systems (IDS/IPS) are needed
to monitor and react to alerts in near real time. While this technology is
important, it does not replace the need for a human in the loop to isolate
and respond to imminent threats.

      4. Routinely test the perimeter

Understanding how the perimeter will react when stressed, specifically when
targeted by hackers and groups engaged in social engineering to exploit the
network, is important so that vulnerabilities can be identified and
addressed. External and internal vulnerability scans, as well as periodic
penetration tests, serve to find holes that can be exploited for bigger
problems. Since threat awareness has been identified as one of the most
serious security weaknesses, anti-phishing exercises can help identify staff
blind spots.

      5. Develop realistic disaster recovery plans

Disaster recovery plans need to be realistic and well-practiced in case the
perimeter is breached. While tabletop exercises can provide valuable
training to key personnel, these generally do not provide the operations
staff with the necessary experience of recovering systems while under
stress. The limited scope of tabletop exercises can create a false sense of
security for the executive team, ultimately undermining the business case
for better disaster planning and investments. Disaster recovery plans are
not static and need to be updated frequently to respond to new threats. For
example, the prevalence of ransomware has refocused the need for frequent
offline backups that will be available following an attack as online or
mirrored backups may also be compromised.

      6. Ensure a communication plan for leadership is in place

A defined communication plan to quickly alert executive leadership is
critical in the event of a breach. Valuable time can often be lost trying
to confirm the cause of a failure rather than immediately sounding the
alarm. Executives can overcome organizational inertia and the desire to
follow the “chain of command” by encouraging individuals who discover
anomalies to communicate directly with senior decision makers. Healthcare
organizations may want to implement hotlines, with anonymous reporting
capabilities, to encourage quick reactions that limit damage and get the
organization on a recovery path sooner.

      7. Avoiding minimally compliant goals through continuous improvement

Executives should recognize that dated security standards may not be
appropriate for today’s threat environment. Executives should define and
communicate that security and compliance objectives must meet all current
legal, regulatory, contractual requirements, and known threats. Recognize
that legacy security standards are no longer adequate to protect covered
entities against today’s threat environment. For example, HIPAA was
published in 1996 and since then, ransomware and malware are frequently
being used by organized crime groups, nation-states, and politically
motivated actors in ways that were not imagined two decades ago. The more
common standard for security today in healthcare is the NIST CSF. The HIPAA
security rule covers only 19 of the elements contained in the CSF. The myth
of a “secured perimeter” is becoming outdated, as BYOD, IoT, and
interdependencies between interconnected covered entities have blurred
traditional boundaries. Adopting continuous improvement as a measurable
performance goal helps insulate healthcare organizations from stagnation.

      8. Develop a formal risk management process

Finally, executives should be fully engaged in the risk management process.
Every incident that negatively impacts either confidentiality, integrity,
or availability should have a root cause analysis performed. For the
integrated delivery team’s disaster referred to in the introduction, the root
cause can be traced back to an under-scoped risk assessment, managers who
misunderstood and even downplayed the impact of critical risks, and a lack
of executive leadership that allowed risk management decisions to be made
too low in the management hierarchy. Those same lower-level managers
identified the risks but their overconfidence in legacy technology led to
poor design decisions. In the end, the “system” was ill-prepared to respond
to a visible threat due to organizational inertia, even when the threat was
identified before the attack.

Summary

The executives in this specific example never had an opportunity to learn
that newer technologies, quicker communications, avoiding unnecessary
risks, and better planning could have saved them. Without
warning and only weeks after launch, a small perimeter breach quickly
escalated into a catastrophic event. The alerting system detected the
threat before the initial breach, but the communications process was not
able to alert executives to change course. A root cause analysis later
proved that internal segmentation was not designed to adequately contain
the breach once it occurred, so the internal damage control systems were
overwhelmed. After the threat successfully breached the perimeter, calls
for external assistance were unable to reach outside help because the
regulations at the time were decades behind current technology.

Thus no one was listening for a distress call in the middle of the night.
When the executives recognized what all was lost, they also understood that
their disaster recovery plan, e.g., the number of lifeboats, did not have
the capacity to save all the passengers and crew. So, on that cold April
night over 105 years ago, 2,224 users learned that a small hole in the
perimeter, totaling just 1.1 square meters, was enough to sink the Titanic
in two hours.