Organizations counter rising malware variants with more vigilance
Healthcare providers and payers have been confronting cyber attacks for several years, and there are no indications the threat environment will get any better in 2017. But as hackers step up the pressure by constantly creating new forms of malware, providers are fighting back.
Provider organizations, such as Henry Ford Health System, Barnabas Health, Sentara Healthcare and others are doubling down on efforts to improve network defenses, raise awareness about the methods hackers use and employ analytics to detect anomalies in network traffic.
For example, Henry Ford Health System, with six hospitals serving metro Detroit and the city of Jackson, has engaged an outside vendor to monitor firewalls, outbound traffic and inbound logins, including the successes and failures of those logins, according to John Fowler, deputy information security officer.
Meeting the Challenge
A failed login, particularly a string of failures, could mean a legitimate user forgot the password, or it could be an indicator of real or attempted compromise. But successful logins also can be suspicious, such as a user logging in at one location, then logging in again at another location. That, Fowler says, could be a compromise or the user knowingly shared his password with someone else. Either way, these scenarios and others should be treated as early indicators of possible compromise and investigated.
Henry Ford also is using data loss prevention software to assess information leaving the organization so only authorized data that also complies with various state and federal regulations is released.
“Data loss prevention is becoming a major part of our security protection,” Fowler notes. The software also can assign confidential levels to specific individuals so only those absolutely needing to see the data can see it.”
Experienced hackers take time to study an organization and figure out how best to get in before making their move, says Hussein Syed, CISO at nine-hospital Barnabas Health serving New Jersey. That means providers need to do their own homework by assessing vulnerabilities and implementing protective measures.
Barnabas is changing its security culture by requiring two-factor authentication for all remote users with no exceptions, so if malware is on a computer and a hacker has a username and password, data can’t be accessed because of the additional authentication required, Syed explains. Two-factor authentication could be a biometric scan or a one-time randomly generated PIN that regenerates every 30 seconds.
Barnabas Health also is using “privileged account management,” under which employees with higher access levels also need stronger authentication, such as a key card for an additional authentication step. “These fortify security beyond baselines,” Syed says.
The organization also monitors computers—conducting an audit of a computer—to ensure no one is copying the database or making unapproved changes. Further, some technicians are working full- or part-time looking through network environments to detect abnormal activities, including employees who may be getting less vigilant about security.
Healthcare organization also must, to the degree they can, conduct their own forensics to take the malware they find, examine it and assess the implications of the malware and actions that should be taken, Syed advises. “Once a hacker has complete control, that’s when you have problems.”
Inexpensive and open source forensics are available; the problem is finding the technical resources to appropriately use forensic technologies, he notes “Hiring and retraining forensic professionals is difficult. Compensation plays a big role as financial companies can pay much higher than healthcare. Good security pros get approached weekly.”
Syed suggests hospitals bring in security interns, train them and hope they stay for a while. He’s working with the Barnabas human resources department on hiring and training interns, “and leverage their expertise and eagerness to learn to my advantage.”
Finding a Balance
A major challenge for health organizations for many years, now exacerbated as the threat environment has significantly increased, is to find the right level and mixture of security without unduly imposing new burdens on those who use information technology.
While restricting access to data is part of Henry Ford’s security posture, so also is making it easier to share data to ensure business functions are not impeded. A cloud storage platform can support the sharing of information among authorized users and should be encouraged via a corporate-supplied cloud, Fowler says. Those needing such services and not getting it will go and find their own cloud service to get around the restrictions, he warns. “They’re just trying to get their jobs done.”
In a major new initiative, Henry Ford now has a full-time forensic analyst on staff, a position that Fowler says is not yet common in the industry. Most organizations adopting forensics outsource this function, “but their vendor is paying attention to us and other clients, and at a cost,” he adds.
The delivery system further belongs to several collaborative organizations that include the National Health Information Sharing and Analysis Center, Michigan Healthcare Cybersecurity Council and the CISO Coalition, an invitation-only program to share information in a safe environment “to see the threats coming before we get hit,” Fowler says.
With a little technical knowledge it is easy to become a hacker. The Dark Web, a subset of the Internet, is a malware marketplace enabling hackers to remain anonymous. Malware, says Daniel Bowden, vice president and CISO at Virginia-based Sentara Healthcare, can be easily purchased on the Dark Web and then easily find its way to you.
Most acquired malware is not new; it often is older software that someone else wrote and a hacker that buys it can tweak it for his or her own means, he explains.
It is imperative, he contends, that healthcare organizations engage in cyber threat information sharing programs to identify indicators of compromise “so you can block that host before it gets to you.”
Sentara Healthcare participates in national, healthcare-specific and Virginia-based threat sharing initiatives, and interactions with these entities happen throughout each day, Bowden notes. “If someone in your forum finds a threat, they publish it so you can see if you already are hit with it.”
He advises also not just having software programs that filter or block malicious activities, but also technology to determine if filters actually block the malware. And additional double-checks are available. “When we get shared feeds from the forum, we might find that Cisco already blocked something that you already blocked.”
There is never an opportunity to take a break, Bowden warns. “The business is always changing and data is always organically growing, so you need to constantly reset your capabilities, reviewing and re-evaluating how quick to recover if hit via data backups, recovery of snapshotted data or tapes.”
In the past year, Sentara has invested in a security operations center that includes logging tools that will show brute force attacks, phished credentials, untypical user behavior or a signature hit of specific malware.
But above all, a robust cybersecurity training program is a bulwark of protection. Sentara conducts annual training of 28,000 staff members as well as non-employed providers and others with access to information systems; the training is conducted in stages throughout the year.
The training program includes mock attacks on employees and others to identify those who made a mistake and need a security reminder. If someone clicks on a link they should not have, they are directed to a site that tells them they would have fallen prey to an attacker, and are told what the specific error was.
Phishing exercises are not just for large provider organizations; smaller ones need to do their best based on resources to always keep security top of mind, Bowman cautions. “If they have the right skill sets, smaller hospitals can write their phishing training programs and not have to buy a tool to deliver the campaign.”