Unfortunately, healthcare organizations face a variety of challenges in pursuing this effort. These include decentralized or inexperienced staff supporting the process, the lack of an accurate IT asset inventory, and the difficulty of determining and documenting whether a fix was applied or an exception was granted.
Another challenge with vulnerability management is that the scope of the problem typically exceeds the span of control for the information security team. For any comprehensive vulnerability mitigation and ongoing maintenance to occur, information security teams almost completely depend on the cooperation of other teams, such as desktop and server support, systems administration and network operations, to make the necessary remediation changes. These groups know that each change can potentially be time consuming and possibly require reboots or scheduled downtimes. Consequently, these groups usually have different timelines and sets of priorities compared to the information security teams that want to address the identified vulnerabilities as quickly as possible before they become unintended problems of their own.
Regrettably, you can’t just go out and buy vulnerability management. It can only be established, administered and matured.
And healthcare organizations need to do more than just scan for known problems and provide a huge vulnerability report to system and network administrators for remediation.
In a nutshell, vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline and discovers, prioritizes and mitigates exposures. To reduce information risk, effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets. There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration policies based on industry recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (www.cisecurity.org), the SANS Institute (www.sans.org) and vendor-specific guidelines.
Healthcare organizations that reference policies based on industry recognized practices also demonstrate due diligence during audits or regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames. Some vendors provide templates they claim comply with regulations such as HIPAA. However, these templates can't directly map regulatory requirements to the various technical settings because the regulations aren’t typically specific enough in this area.
Where to start? Healthcare organizations should begin a vulnerability management program by:
- Documenting the current state of the environment
- Inventorying systems and applications
- Documenting the security infrastructure and external access to corporate systems and support processes
- Establishing a security configuration baseline or desired state for each component of the IT infrastructure, based on industry recognized practices
- Conducting internal vulnerability scanning across the entire network at least annually
- Conducting external network perimeter scanning at least quarterly
- Identifying the patch and configuration issues responsible for the most numerous and serious vulnerabilities
- Creating a vulnerability remediation plan of action
- Prioritizing remediation actions based on potential business impacts and the likelihood or probability that a vulnerability will be exploited
Sensitive assets with critical or high ranked vulnerabilities should be assigned the highest mitigation priority. This requires some risk quantification and analysis. Major network, server and database assets should be classified in terms of the applications they support. Thus, vulnerabilities can be related to the business processes that are at risk. Key assets also should be rated in terms of availability, data sensitivity and data integrity requirements. Healthcare organizations that have performed a business impact analysis as a component of their business continuity planning have a good starting point.
Vulnerability management requires an automated or manual workflow in which the vulnerability assessment reports are passed to network, system and application administrators and then verified by an auditing and feedback process. Once corrective action is taken to remediate the vulnerability, the IT asset should be re-examined for compliance. The more automated the process, the more efficiently your organization can correct known vulnerability exposures through patching and configuration changes.
It is essential to recognize that how a vulnerability is resolved for good, by remediating it, depends on the IT asset as well as its role. The following can be considered remediation measures:
- Patching the vulnerability
- Disabling vulnerable functionality
- Uninstalling vulnerable components
- Changing the system configuration to reliably prevent exploitation
Healthcare organizations should document all decisions not to remediate to prevent vulnerabilities from multiplying and thus becoming unmanageable. Leaving a vulnerability without taking action is a decision to accept the risk. This decision should never be made by the IT or information security team, but by the business owner of the vulnerable asset. And the corresponding decision should be carefully documented. Exceptions should show up on vulnerability assessment reports and the use of exceptions should be logged.
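As an added example (not part of the original article), the following Python sketch applies the prioritization and exception handling described above: each asset is rated on availability, data sensitivity and data integrity and tied to the business process it supports, each finding is scored from severity, likelihood of exploitation and asset impact, and a documented risk acceptance by the asset's business owner takes the item out of the remediation queue while keeping it visible on the report. The asset names, finding IDs, rating scales and weights are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LIKELIHOOD = {"exploit_public": 1.0, "proof_of_concept": 0.6, "theoretical": 0.3}  # constructed labels

@dataclass
class Asset:
    name: str
    business_process: str   # application / business process the asset supports
    availability: int       # requirement ratings, 1 (low) .. 3 (high)
    data_sensitivity: int
    data_integrity: int
    def impact(self) -> int:
        return max(self.availability, self.data_sensitivity, self.data_integrity)

@dataclass
class Finding:
    asset: str
    vuln_id: str
    severity: str
    likelihood: str

@dataclass
class RiskAcceptance:           # a documented decision not to remediate
    asset: str
    vuln_id: str
    business_owner: str         # the asset's business owner, not IT, makes this call
    reason: str

def risk_score(f: Finding, assets: dict) -> float:
    return SEVERITY[f.severity] * LIKELIHOOD[f.likelihood] * assets[f.asset].impact()

def prioritize(findings, assets, acceptances):
    accepted = {(a.asset, a.vuln_id): a for a in acceptances}
    rows = []
    for f in findings:
        acc = accepted.get((f.asset, f.vuln_id))
        rows.append({"asset": f.asset, "vuln": f.vuln_id, "score": risk_score(f, assets),
                     "process": assets[f.asset].business_process,
                     "status": f"ACCEPTED by {acc.business_owner}: {acc.reason}" if acc else "REMEDIATE"})
    # Open items first, highest risk first; accepted exceptions stay on the report at the end.
    rows.sort(key=lambda r: (r["status"] != "REMEDIATE", -r["score"]))
    return rows

# Constructed sample inventory, scan findings and one documented exception.
ASSETS = {a.name: a for a in [Asset("ehr-db01", "Electronic health records", 3, 3, 3),
                              Asset("kiosk-07", "Visitor check-in", 1, 1, 1)]}
FINDINGS = [Finding("kiosk-07", "VULN-A", "critical", "exploit_public"),
            Finding("ehr-db01", "VULN-B", "high", "proof_of_concept"),
            Finding("ehr-db01", "VULN-C", "medium", "exploit_public")]
ACCEPTANCES = [RiskAcceptance("ehr-db01", "VULN-C", "Director, Clinical Apps", "vendor fix due Q3")]
```

With these inputs the high-severity finding on the records database outranks the critical finding on the low-impact kiosk, and the accepted item is listed last but not dropped.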
The need to find and fix vulnerabilities will persist for the foreseeable future. As a result, healthcare organizations should implement a vulnerability management program that begins with a security configuration baseline and references best-practice policies. Strong leadership can promote top-to-bottom commitment to the vulnerability management process. A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to adequately secure any healthcare environment from external and internal threats.
Vulnerability management, therefore, should be a foundational element to every information security program.