A Hacker Identifies Glaring Holes in Network Security
Aaron Hayden is an information systems analyst with CliftonLarsonAllen, a large certified public accounting firm. He’s also an ethical hacker, one of 40 in the organization. And they are 100 percent successful hacking any business, except a bank.
Healthcare organizations hire the firm to hack their information networks. An internal auditor at the targeted organization will know of the coming attack and will schedule it, but no one else will know until the hacking is done and the results are presented.
In the era of HIPAA privacy and security, CliftonLarsonAllen has done 4,000 penetration tests across multiple industries. If a hacker is good at phishing, which is the art of fooling an unsuspecting individual into giving up network credentials, the hacker will have a success rate of 100 percent, Aaron told a large audience during the 2015 AHIMA Convention.
Hayden recently phished a CEO after sending an email purportedly from the CFO that paved the way for getting the CEO’s computer credentials, and took control of her machine.
Once in control of one computer, a hacker can assume the identity of the person being attacked. If the person is an administrator, Hayden can install software to read the database password on the computer, as well as passwords from other computers on the network. Once in a network, a hacker can establish persistence—a home—and inject code into startup processes to stay in the network. One university, Hayden said, had 8,000 routable addresses that he could see.
Another trick: Once he controls your computer, Hayden can send a false announcement from HR of changes to the company’s health insurance plan and get you to fill out new forms with the carrot of getting a Starbucks gift card when finished. The card doesn’t work, but it does take over your computer.
Password guessing is one of the easiest ways of initially penetrating a large network. Believe it or not, if the month is August 2015, there is decent chance somewhere on the network will be a required password titled, August 2015.
Hacking techniques work well in healthcare for multiple reasons, Hayden said. Employees are readily tricked and need more training, there are too many passwords to manage (with physicians the worst), some employees are lazy at changing passwords according to policy, hackers assume a known identity, and incident response is rarely practiced and almost never tested.
Hackers also take their time, creating queries in a network and pulling little bits of data over time and encrypting the data so it is not detected. Those little bits of data that you don’t know the hacker has add up over time to be a giant load of data. “You can empower employees, train them and make them more vigilant,” Hayden said. “Propose structural accountability to doctors and you will be more secure.”