By Mac McMillan, CEO, CynergisTek
Many healthcare organizations don’t realize just how many privileged accounts exist on their network, or how many insiders have access to them. Periodically taking inventory of these accounts and getting rid of those that aren’t needed can go a long way toward protecting your organization’s network: think of it as a new type of spring cleaning.
In the spirit of spring cleaning — and discouraging hackers — you can also hide (i.e. rename) privileged accounts so they are less obvious. While this is not an optimal solution, it does make it a little harder for them to be recognized by the “bad guys.” You can also encrypt passwords so they are not distinguishable and a little harder to find. Better yet, you can eliminate, encrypt, and associate a second factor with privileged accounts so that even if the bad guys do figure out your passwords, they still can’t use them.
Best yet, why don’t we just get rid of them altogether? Like we would with any valuable, put them in a safe place — a vault. When technical staff needs them, they check them out. When they are no longer needed, they are checked back in. If not checked in by a certain time, they expire. While out and about, they are encrypted and have that second factor associated with them for authentication.
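The check-out/check-in/expire cycle described above, as an added example that is not part of the original article: a minimal privileged-credential vault in Python that requires a second factor on check-out, expires anything not returned by its deadline, and (going one step beyond the text) rotates the secret on check-in or expiry so the copy that left the vault stops working. The MFA verification is assumed to be done by an external service that supplies the `mfa_verified` flag, and the at-rest encryption the article mentions is left outside this snippet.

```python
import secrets
from datetime import datetime, timedelta

class PrivilegedVault:
    """Privileged secrets live here; staff check one out for a limited time."""

    def __init__(self, ttl_minutes: int = 60):
        self._secrets: dict[str, str] = {}                     # account -> current secret
        self._checkouts: dict[str, tuple[str, datetime]] = {}  # account -> (user, deadline)
        self.audit: list[tuple] = []                           # (event, account, user, when)
        self.ttl = timedelta(minutes=ttl_minutes)

    def store(self, account: str, secret: str) -> None:
        self._secrets[account] = secret

    def retire(self, account: str) -> None:
        """Spring cleaning: drop an account nobody needs any more."""
        self._secrets.pop(account, None)
        self._checkouts.pop(account, None)

    def inventory(self) -> list[str]:
        return sorted(self._secrets)

    def check_out(self, account: str, user: str, mfa_verified: bool, now: datetime) -> str:
        # mfa_verified is assumed to come from an external MFA service (hypothetical)
        if not mfa_verified:
            raise PermissionError("second factor required")
        self.expire_overdue(now)
        if account in self._checkouts:
            raise RuntimeError(f"{account} is already checked out")
        self._checkouts[account] = (user, now + self.ttl)
        self.audit.append(("checkout", account, user, now))
        return self._secrets[account]                          # KeyError for an unknown account

    def check_in(self, account: str, user: str, now: datetime) -> None:
        holder = self._checkouts.pop(account, None)
        if holder is None or holder[0] != user:
            raise RuntimeError("no matching checkout")
        self._rotate(account)                                  # the handed-out secret is now useless
        self.audit.append(("checkin", account, user, now))

    def expire_overdue(self, now: datetime) -> None:
        """Anything not checked in by its deadline expires and is rotated."""
        for account, (user, deadline) in list(self._checkouts.items()):
            if deadline <= now:
                del self._checkouts[account]
                self._rotate(account)
                self.audit.append(("expired", account, user, now))

    def _rotate(self, account: str) -> None:
        self._secrets[account] = secrets.token_urlsafe(24)
```

The audit list is what your monitoring should consume: every check-out, check-in and expiry is a record of who held which privileged account and when.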
Taking account inventory, eliminating unnecessary privileges, encrypting across the board, adding a second factor for authentication, and hiding accounts in a vault with an expiration date just skims the surface of how you can protect your organization’s network. Here are a few more strategies to consider.
Break Out The Tackle Box And Go Phishing
Phishing is by far one of the most serious threats to an organization’s network, and the first step to combating it is education. A large number of hacks start with a very simple, yet effective, technique which dupes users via email into divulging sensitive information or downloading dangerous malware.
Just recently we heard of yet another hospital that was the target of a crippling attack by ransomware that could have started from a simple phishing email. The hospital ended up paying the attackers approximately $17,000 (40 bitcoins) to obtain the decryption key. This attack kept the hospital’s systems offline for more than a week, disrupting operations, causing the diversion of some patients, and negatively impacting the business. The ransom in this case also represents a higher number than usually seen, suggesting attackers are changing their approach to a more market-based system. What isn’t unusual, unfortunately, is the attack itself; we have seen an upward trend in these attacks in healthcare.
Engaging users in regular phishing exercises in order to heighten awareness has proven to be a very effective strategy. Improving awareness and recognition reduces the chances of users opening or following through when they receive a suspicious email. To create real anglers though, you need to make sure the difficulty of your phish constantly increases. You might start in the “stock pond” with simple phish, like ones requesting that bank transfer to Namibia, but to really prepare users you’ll need to graduate to the deep waters of spear phishing where the emails look very realistic, mirror your own communications or appear to be sent by colleagues. Frequency, education, and complexity are the keys to raising resistance to this risk.
Check For Unwanted Visitors
Like other structures, networks develop cracks and gaps (open ports, missing patches, USB devices, etc.) that let unwanted visitors in. Many of these unwanted visitors take advantage of healthcare’s lack of discipline in processes like hardening, patching, change control, access controls, and segmentation (real segmentation, not just creating VLANs).
Verizon’s threat study at the end of 2015 found that, in the hacks reviewed from last year, 99.9 percent of the time hackers took advantage of a vulnerability in the network that was at least one year old, with the majority of them five to seven years old. This means that each of these hacks was avoidable, had someone configured things correctly, patched the environment, or tested for the vulnerabilities and known they were there.
Organizations can learn a lot from these mistakes: plan assessments and make sure they include technical testing, preferably by a third party. Many organizations test their own network environments now, and while that is absolutely advised, organizations also need the due diligence of someone unfamiliar with their systems doing the testing, as we often don’t see our own mistakes.
Beware Of Insiders
Insiders are still a huge component of our risk in healthcare, but insider mishaps are not always intentional. While we have to rely on audits and monitoring to catch the bad actors, we can do something to reduce mistakes as well. Well-informed users make fewer mistakes, so turn up the education and don’t forget to make it interesting and relevant.
Just like we talked about above with phishing, talk to your users about ransomware, rogue USBs, cute passwords, leaving computers on constantly, physical and situational awareness for their environment, and the Internet of Things. You are guaranteed to get attention when you share with your staff the risks associated with personal devices, such as their big-screen smart TV, smart refrigerator, smart thermostat, or the wireless security system that communicates with the phone they just installed.
And that phone they recently replaced probably went through the factory reset process, but may not have been thoroughly wiped before it was sold on eBay. Ouch. Even more importantly, do your insiders know how the HVAC system that supports their environment, or the medical devices they use every day, can be used to compromise the hospital’s network? Don’t forget that while you are sharing information about the risks that exist today, it is equally important to educate your staff about how they can avoid those situations in the first place.
Whether it be by “spring cleaning” or otherwise, managing the risk to your network and combating the threats hackers pose requires controlling who on your staff has access to the network, as well as making education and awareness a part of the culture.