The increased use of electronic medical records, rapid advances in healthcare technology and connection of wildly disparate IoT devices to physical networks have made hospitals target-rich environments for hackers.
Unfortunately, the maturity of hospitals’ cyber security programs are frequently years behind those of other technology-dependent sectors, such as financial services.
There have been widespread reports of “health care hacks” – data breaches - both in Australian and internationally with many cyber security firms establishing dedicated units to investigate why this vertical market is so at risk.
The conclusion is usually a combination of outdated and unsupported software and hardware (does your MRI still run Windows XP?), inadequate resources, a lack of executive support to put security on a higher footing than patient care, cultural resistance, and rapidly evolving technology have left hospitals vulnerable to attacks such as the ransomware exploits. Pay up or patients can die!
iTWire asked Matthew Brazier, Regional Director Australia and New Zealand at CyberArk for a few tips following his explanation of privilege account access last year. Brazier has penned a good all-round explanation of the issue which is reproduced below.
{loadposition ray}
The problem is not limited to ransomware or network access. Poor cyber security hygiene makes networked medical devices on the hospital floor vulnerable to breaches, potentially putting patients’ health and lives in the hands of intruders. Properly managing access to privileged accounts and critical devices can mitigate risk and significantly boost hospitals’ cyber security posture.
The unique healthcare environment
Hospitals and medical centres are complex environments where advanced technology is supported by networks that were not wholly designed for it. Networked monitors, infusers, ventilators, etc. provide improved patient healthcare and reduce staff burden, and their deployment can increase the number of network endpoints by the thousands.
The nature of these devices – they are critical to the health of patients — creates a conflict often seen with operational technologies and advanced security controls.
In a budget-conscious industry that struggles to control costs, decision makers without an understanding of IT often do not prioritise the critical task of cyber security. The mix of administrative, medical and technical users on the network also makes it difficult to get a stakeholder consensus on changes needed to improve security. This problem can be compounded in teaching hospitals, which like most universities, emphasise access and sharing.
The privilege pathway
The importance of controlling access to privileged accounts on connected devices was demonstrated last year when a massive distributed denial-of-service (DDoS) attack was launched against Dyn, a provider of Internet services to Internet sites. It was reported that the attack was conducted using millions Internet of Things devices compromised by the Mirai malware, which relied on factory-default user names and passwords to infect them.
These usernames and passwords were easily available and intruders could access and install Mirai malware on thousands of online devices such as digital video recorders and IP cameras. Because device owners did not change the default settings they became part of a massive botnet used to launch DDoS attacks.
The impact of this risk goes beyond consumer devices and DDoS attacks. Privilege – the ability to use accounts that give users wide-ranging powers on a network and devices - is one of the first things an intruder looks for in an attack. Default administrative passwords are an easy way for intruders to get onto the privilege pathway and enabling them to complete their mission. This can put medical equipment on the hospital floor at risk of compromise, and the stakes with these devices are much greater and the threat more urgent.
Blocking the privilege pathway raises the bar for attackers by increasing the amount of effort and level of skills needed for a successful attack.
Mitigating the risk with good cyber security hygiene
Practicing good security hygiene in the form of proper password management is an effective way to reduce the risk from a breach. Managing access privileges does not mean denying them. Ensuring that default passwords are not being used, that administrative passwords are not being shared, and that all passwords are properly managed secure privileged accounts without disrupting access by those who need it.
This can be done without changing processes or disrupting established procedures. CyberArk has developed a powerful, modular technology platform that provides a comprehensive Privileged Account Security Solution to address this threat enabling healthcare organisations to take a painless first step in maturing IT security.