If the Target breach was the wake-up call to the retail sector that cyber security was no longer just an abstract threat but one that could end up costing hundreds of millions of dollars, 2015 started off with what will hopefully provide a needed jolt to another sector: healthcare. The recent cyber attack against Anthem, one of the nation’s largest health insurers, is evidence that the healthcare industry is not only a hot target for the adversaries but a particularly vulnerable one, according to an article that ran in the New York Times earlier this month. The piece highlights the fact that Anthem—and the healthcare industry on the whole—is not taking adequate steps to protect sensitive personal information.
Our recent CrowdCast, The Cardinal Rules of Protecting Your Network, focused on the vulnerabilities the healthcare industry is currently facing, and profiled how Cardinal Innovations, a managed behavioral healthcare organization, was struggling to maintain visibility across the organization’s many endpoints and with their ability to continuously monitor for advanced threats. Cardinal Innovations, unwilling to remain vulnerable to adversaries because of their sense of duty to the patients they are charged with protecting, partnered with CrowdStrike and implemented CrowdStrike Falcon to provide end-to-end protection and response capabilities. Now, Cardinal Innovations is able to continuously monitor all endpoints against attacks, and in the course of just a few months since implementing CrowdStrike’s solutions, has been able to stop several attacks within mere minutes, preventing untold damage and protecting the data adversaries are trying diligently to access. To hear more about Cardinal Innovations’ story and see CrowdStrike Falcon at work protecting healthcare data, you can watch the recording of the CrowdCast here.
We also recently featured a Q & A with Pete Murphy, CIO of Cardinal Innovations Healthcare Solutions to get his take on the cyber security challenges facing the healthcare industry and his suggestions on how healthcare organizations can best protect their systems. Murphy characterized the healthcare sector’s overall cyber security posture the same way the New York Times article did: lacking and lagging behind that of other sectors. He pointed out that the high street value of protected healthcare information (PHI) makes the healthcare industry a high-value target for adversaries, and that the threat is now compounded by new vulnerabilities and attack vectors, such as the rise of mobile devices and connected medical wearables.
The healthcare sector represents a perfect storm of opportunity and vulnerability to adversaries: an industry that is, as a whole, lagging in terms of executive buy-in and investment in next-generation cyber security measures necessary in today’s ever-evolving threat landscape; high-value PHI largely unprotected and ripe for the taking and selling on the street; and a the emerging proliferation of connected and wearable medical devices that could, if compromised, be used to manipulate a person’s health—or even end their life.
We’ve developed this Best Practices for Protecting Healthcare Sector Networks and Data checklist to help guide healthcare organizations cyber security efforts.
Best Practices for Protecting Healthcare Sector Networks and Data
The Threat Landscape for Healthcare Organizations: A Perfect Storm for Adversaries
- Healthcare organizations are lagging behind other sectors in terms of their security strategies and practices. A 2014 FBI notice to the healthcare industry indicated that “healthcare security strategies and practices are poorly protected and ill-equipped to handle new cyber threats exposing patient medical records, billing and payment organizations, and intellectual property.”[i]
- Medical records are worth more to hackers than credit card or bank account numbers. According to an EMC2/RSA white paper[ii], the value of personal data to a cybercriminal is much higher than a credit card or bank account number.
- The emerging threat of connected medical devices, wearables and the Internet of Things. A 2014 SANS report[iii] indicated that ”connected medical devices, applications and software used by health care organizations providing everything from online health monitoring to radiology devices to video-oriented services are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data theft and attacks.”
Proactive Defense Checklist for Healthcare Organizations
- Consolidate and Monitor Internet Egress Points. In the event of an intrusion, monitoring egress points is a critical part of identifying hacker activity. All connections to the Internet from your corporate environment should be monitored to identify data leaving the network.
- Identify Isolate and Log Access to Critical Data. Focus your resources on those areas of the network that are most critical to your business. Determine where your most sensitive data or networks are located and implement increased logging and network monitoring in those areas.
- Implement Centralized Logging. DHCP, DNS, Active Directory, Server Event Logs, Firewall Logs, IDS and Proxy Logs should all be stored in a protected centralized system that is time-synchronized and easily searchable.
- Secure Web Applications and Internal Software Projects. Web applications and homegrown software are regularly targeted and frequently compromised. Incorrect implementation of web application platforms can introduce vulnerabilities even on fully patched servers. Validate all new and updated applications via penetration testing.
- Patch, Patch, Patch. Patching operating systems and third-party applications is one of the most inexpensive and effective ways to harden a network. Build a strong patch management process and ensure critical security patches are installed as soon as possible.
- Minimize or Remove Local Admin Privileges. Users should not utilize accounts with local administrator privileges as this opens multiple ways for targeted attackers to move laterally and compromise credentials. Disable the local administrator account on all workstations and servers via Active Directory. If this is not possible within your environment, develop a password checkout procedure to ensure that every local admin account has a strong password.
- Implement a Tiered Active Directory Admin Mode. Use at least three levels of administration to isolate credentials and limit the damage due to compromise of critical accounts. A minimum implementation would be the creation of Doman Admins, Server Admins and Workstation Admins. No single account should be able to access all systems.
- Develop Incident Response and Data Breach Response Plans. Take active steps to prepare for a breach. Incident Response Plans tend to focus on efforts to restore data a systems’ confidentiality, integrity and availability. Data Breach Plans tend to focus on external requirements like contacting insurance carriers, law enforcement, regulators, customers, vendors and public relations teams in response to the loss of protected healthcare information.
Increased Cyber Intrusions for Financial Gain, https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf [ii] Cybercrime and the Healthcare Industry, http://www.emc.com/collateral/white-papers/h12105-cybercrime-healthcare-industry-rsa-wp.pdf [iii] Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf
To learn more about how CrowdStrike can help healthcare organizations protect themselves against cyber threats, visit our website to learn more about our pre and post incident response services.