An explosion of technologies continues in healthcare that can have life-altering impacts for patients. But if not properly protected, the same technologies may also compromise patient safety and sensitive data.
Cybersecurity is ever evolving, and as nefarious attackers continue to learn and change their tactics, so must healthcare organizations in response. Internal audit can, and should, play a key role in assessing the readiness and effectiveness of critical controls and principles.
Kevin Dunnahoo is an Associate Director with Protiviti’s National Healthcare Practice. He is a lead for healthcare IT, digital, cybersecurity and HIPAA compliance services. Kevin can be reached at [email protected] protiviti.com and (214) 300-9585.
Nick Britton is a Senior Manager in Protiviti’s Security & Privacy Practice. Nick is a lead for Protiviti’s cybersecurity lab team and oversees a global team of security professionals who help organizations increase their security posture through targeted assessments. Nick can be reached at [email protected] protiviti.com and (469) 374-2460.
According to HHS.gov, over 195 million records have been compromised since breach reporting became a requirement and the agency's Office for Civil Rights (OCR) started tracking breaches electronically in 2009. Looking through the numbers reveals that 75 percent of those records were breached from hacking/IT incidents.
Reviewing 2018 and 2019 breaches reveals an increase in breaches from phishing, ransomware, network/workstation compromise, malware and so on. According to the OCR, recurring healthcare IT issues identified in investigations include failure to patch software, lack of appropriate auditing, lack of transmission security, failure to perform enough risk analysis, and failure to manage risks once they have been identified.
All the information available paints the picture that the healthcare industry may be failing in its duty to protect patient data—and, in some cases, patient safety might be hanging in the balance. Many TV shows, books and movies have described fictional scenarios in which a patient's health is impacted due to a cyberattack of hospital or medical equipment.
The fictional scenarios are beginning to play out in the real world, as illustrated in England with the WannaCry ransomware attack. The attack disrupted patient care due to the inability to access key medical systems and rendered more than 1,200 devices unusable, impacting more than one-third of the healthcare delivery system in England.
With the increased sophistication of attacks against healthcare organizations, many organizations are considering how to stay on top of cyberattacks. Leading organizations have battled back by thinking like the attackers and performing mock attacks against their own networks.
Think like an attacker
While some cyberattacks are haphazard or untargeted in nature, many that lead to a significant compromise are targeted and follow a defined recipe for success. Understanding the typical attacking steps in Exhibit 1 allows for the development of specific audit objectives and procedures for ongoing assessments to continually strengthen the controls and processes necessary to protect critical systems and data.
Planning a preemptive assessment by testing the organization's preventive and detective controls in each attacking step can help identify areas of improvement that should be an organizational focus. Gone are the days of focusing solely on enforcing strict controls on an organization's perimeter network, such as firewalls and web pages.
Due to healthcare's distributed network and computing environments, numerous devices and the need for instant connectivity, your focus must be on the entire enterprise technology stack. All the elements used to run applications, including back-end and front-end components, need to be considered.
Conduct your preemptive strike
Some key considerations—organized by the key steps attackers take—should be assessed to help you better understand how your organization is performing various cybersecurity tests.
Exhibit 1 – Attacking steps
- Reconnaissance – build a deeper understanding of the target
- Foothold – obtain initial access to the network or system
- Escalate – establish a persistence on the network and gain elevated access
- Lateral movement – move through the network to locate sensitive systems and data
- Action – perform action on the objective to meet an end goal
Attacker objective – What can be attacked?
Audit objective – What attack surface exists that must be secured and what information is available about our organization that can be used to attack us?
The healthcare industry may be failing in its duty to protect patient data.
Recommended approach – Use publicly available resources to determine what information is readily available about your organization. Begin with basic online research such as Google and Bing. LinkedIn can also be valuable in identifying individuals who work at the organization that could be targeted.
In addition, job boards can provide insights into areas that may be shorthanded or have key organizational projects underway. Slightly more technical tools such as NMAP and Shodan can provide information about the organization's network, services exposed to the internet and other vital information that can be leveraged during an attack.
Challenges and areas of focus – Does the organization know the entire attack surface—a complete inventory of assets, systems, applications and services? Has the organization assessed the ability to be attacked from related parties that have legitimate access—associated vendors, partners and joint ventures? During many penetration testing efforts, access through related parties is a step that often is overlooked but provides an important understanding of potential alternative attack paths.
Attacker objective – Can the network be broken into?
Audit objective – Is our organization protected from external unauthorized access?
Recommended approach – Perform external network assessments, including vulnerability scanning and penetration testing, and use social engineering and phishing exercises to assess technical filtering controls as well as user awareness. Do not limit social engineering attacks to emails—use telephonic (vishing) and physical social engineering tactics as well.
Perform simple password-guessing techniques on external services such as email and remote access (VPN). Try the most commonly used passwords, like “Fall2019” or “Fall2019!” across a wide array of accounts. Leverage previously compromised passwords for users you identified in the reconnaissance step by using freely available lists of compromised accounts that have been released from prior breaches across all industries.
Test the ability to detect attack techniques by using a “purple team” approach.
Challenges and areas of focus – Many healthcare organizations still struggle to adapt or enforce multifactor authentication for all user accounts. Numerous legacy systems and devices still in use can no longer be patched. Networking environments are constantly growing and becoming more complex, with many entry points and physical environments that are difficult to lock down.
Attacker objective – Can our foothold be leveraged to gain additional and more critical access?
Audit objective – Are our most critical systems and accounts properly protected from compromise, even from users with access to our internal network?
Recommended approach – Perform internal network assessments, including vulnerability scanning and penetration testing. Assume workstation compromise and test what information can be utilized from this foothold to escalate access. Test for appropriate management of privileged/elevated access to determine whether these accounts are properly secured from account takeover or compromise.
Challenges and areas of focus – Many healthcare organizations have applications dispersed throughout different departments where access is administered. How are these systems adhering to proper procedures and company policy?
Are the proper tools and configurations in place to manage elevated and vendor accounts to reduce the potential of abuse of these accounts? Users with elevated account access can perform activities that are considered off-limits to end users, such as administer user access and changes to the system, database or server. Each system may have a different definition of elevated accounts. Are we monitoring the activity of elevated accounts to identify inappropriate or irregular activity to detect potential issues in a timelier manner?
Attacker objective – Can our current access be used to move throughout the network and gain further access?
Audit objective – Is our network designed to detect and minimize the impact of ongoing breaches?
Recommended approach – Perform reviews and testing of network segmentation to validate functionality. Perform reviews of cyber defense and response capabilities to determine readiness.
Test the ability to detect attack techniques by using a “purple team” approach. One team (red team) launches an attack to determine whether another, defense-focused team (blue team) can detect and ultimately thwart the attack, one attack at a time, with open communication.
Challenges and areas of focus – Many healthcare organizations utilize a flat network to reduce cost, maintenance and administration due to the high number of systems and devices that need to communicate, as well as constraints with legacy systems and devices. Flat networks may allow attackers to gain access to all systems and data once they have initial access to the network.
Healthcare organizations have a vast array of users and activity within their environments and systems. Identifying behavior that is irregular is difficult, as no litmus test exists for what should be considered regular. What rules and alerts are in place, and are the alerts being monitored and acted on?
Think like the attackers and perform mock attacks against your own networks.
Many healthcare organizations are outsourcing their security monitoring to managed security service providers (MSSPs) that specialize in system and network monitoring and responding to cybersecurity events. These outsourcing providers can be a great investment for healthcare organizations that may not be able to attract, train and retain resources to fulfill this need internally. However, outsourcing arrangements may also lead to confusion about which party is responsible for detecting and responding to security events.
Each outsourced, cloud-based relationship needs to be vetted, contracted and monitored.
Many healthcare organizations do not, or are not allowed to, test MSSP performance through activities like purple teaming. Assessing how well the procedures and controls are functioning—and evaluating how ready the organization is to detect, stop, respond and recover from attacks—is vital.
Attacker objective – How can our access be leveraged to impact the organization or obtain financial reward?
Audit objective – What are our most critical assets and how are the assets being protected? Recommended approach – Perform tests to simulate data exfiltration efforts to determine if a user can move data outside of the trusted network. Test the organization's ability to respond to a ransomware event by determining the ability to recover systems and data, and the time needed to do so. Test incident response procedures to determine how well prepared the individuals are who have been designated as responsible for performing response activities.
Challenges and areas of focus – Given the vast amounts of data and numerous formats protected health information and other sensitive data can take within a healthcare environment, can the organization accurately identify what should and should not be considered sensitive?
Similarly, given the array of outbound and inbound network connections and different data feeds to partners, joint ventures, government entities, payers, health information exchanges, and even patients, can the organization identify what is authorized versus unauthorized traffic? Does encrypted traffic outbound get a free pass, allowing attackers to potentially remove large quantities of data if they send the data via an encrypted channel? How prepared is the organization to identify and stop the exfiltration of sensitive data?
Cybersecurity reality and emerging risks
While the basic steps an attacker may take to compromise a network are easy to summarize, cybersecurity in the healthcare industry is very difficult, and the ultimate impact truly can be life or death for patients.
Many key differentiators in healthcare organizations create unique challenges that other, more cyber-mature industries, like financial services, do not have to contend with. The act of managing a person's health is an extraordinarily complex undertaking that relies on multiple specialties, systems, types of care and devices in a process that starts at birth and ends at death.
Couple that with an industry facing significant challenges that threaten the overall security posture every day and the scenario becomes even more daunting. Further increasing the difficulty of keeping on the bleeding edge of security, some of the key challenges facing healthcare organizations today include, but are not limited to, the following.
Digital acceleration – A significant technology boom is occurring with new personal Internet of Things (IoT)—connected devices and applications, all aimed at improving the associated patient outcomes in countless ways. The devices are introduced in numerous ways to a healthcare organization both through the patient and through the provider.
Cloud-based focus – Most healthcare organizations are looking to outsource some of their computing requirements to cloud-based service providers. The organization offloads the burden of maintaining the systems and gains some cost efficiencies versus hosting and maintaining the systems in-house. But no two vendors are alike, no two contracts are equal, and each new relationship needs to be carefully vetted, contracted and monitored to keep information secure and private.
Perform tests to simulate data exfiltration efforts.
Mergers and acquisitions and joint ventures – Mergers, acquisitions and joint ventures have produced some super-sized healthcare systems. The result is a very complex networking environment that can have numerous ingress and egress points, unclear governance and oversight structures, and a nightmare of potential attack vectors. IT and security are rarely a significant consideration before the business ventures are consummated. A lot of heroic efforts are required on the back end to connect and secure these organizations after the deal has been inked.
Financial restrictions – At the same time, the healthcare industry is in financial turmoil given the pressure to reduce overall costs and transition to new value-based reimbursement models. The financial restrictions have led to further limits on spending where possible, thereby encouraging organizations to retain applications, devices and equipment past their supported life. Old systems and equipment create unique security complexities, as patches may not be available to address security flaws.
Healthcare organizations continue to be a prime target for attack due to the seemingly low barrier to compromise and the high value of the personal data that can be obtained. The data includes key elements that cannot be changed, such as birthday, blood type, family members and social security number. Our industry must begin to work collectively to investigate how healthcare's cybersecurity posture can be improved. Internal auditors will play an integral role in assessing, testing and helping advance procedures and controls.