How healthcare organizations can avoid repeating 2015's IT security failures

'As IT security professionals, we have been doing it wrong for years'
By Nathan Wenzler
01:21 PM
Share

In 2015, it seems like barely a month goes by without another report of a data breach suffered by a health care organization exposing personal information about patients, employees and related health services providers. HIPAA was intended to provide a framework for health care organizations to improve their overall security posture from both a technical and procedural standpoint, with the ultimate goal of preventing these kinds of breaches from happening. Unfortunately, what we've seen this year is quite the opposite.

As IT security professionals, we have been doing it wrong for years. We are taught about castles and moats and building strong perimeters to keep the outside at bay, but that just doesn't work anymore. Instead, we have to start from the inside and work backwards from the core of our environment in order to achieve better security. A few months ago, I wrote about lessons healthcare organizations can learn from Ponemon's 2015 study on Privacy & Data Security of Health Care Data report. Since then, I've often been asked to further explain why healthcare organizations must focus more on securing data closest to its source, in addition to traditional cyber defenses such as external firewalls.

In this piece, I'll go into more details about how to use an inside-out strategy for building a security program to help avoid repeating the same security failures that plagued the industry in 2015.

Changing perspective
Security professionals have been taught for years to look out into the vastness of the Internet, and identify the places where hackers and other outsiders would try to break into their networks. This led to the foundation of the defense-in-depth security strategy of building walls and checkpoints to help mitigate the various places an attacker would try to penetrate the various system in place and steal the target data they're after.

First, firewalls are put in place to guard the perimeter. Then, network access control comes into play to dictate where traffic can go once it's past the firewall. Those systems which can be accessed are then hardened with patch management programs for fixing broken code and eliminating known points of exploit, and system configuration frameworks for avoiding poorly managed settings which could allow too much access. Eventually, user names and passwords come into play in order to access the core applications which access the critical data housed in the deepest, most protected areas of the network.

Somewhere along the way, a policy gets put into place outlining exactly what the organization should be doing to protect its data, conveniently structured to accommodate the technology and methodology that is already been put in place.

The time is long since past that the IT security community give up this notion of protecting the outside first and working outward. While the castle and moat analogy gets used a lot, the truth is that we're not building castles anymore, but interconnected webs with an ever-growing number of connections that tie back to the center of the structure.

It has become imperative that IT security professionals working for healthcare organizations stop viewing the world from the outside-in perspective, and start looking at building our programs from the core data at the center of our networks outward. All the layers are still needed, but when we can build a strong core to begin with, the rest of the pieces begin to deliver the fullest potential of their value by focusing in on the security measure they're specifically designed for. Here are some strategies for healthcare organizations to kick-start a center-focused IT security strategy:

  • Identify and classify critical assets and data. Healthcare organizations must begin with the old adage, "You can't protect what you don't know you have." An outside-perspective may look at the most common vulnerability an attacker would use to get into a network. But that vulnerability being present on a user's workstation is far less of an issue that it being present on a business-critical database server. IT security teams need to identify what assets are most critical in your environment and perform a data classification study to understand where these important assets reside and where they should prioritize their efforts.
  • Actively manage the keys to the kingdom. There are a lot of security tools out there that help protect critical assets, but all of them can potentially be bypassed by an attacker who has the right credentials. IT security professionals working in healthcare must have software in place that can actively manage who has access to the most privileged credentials (such as Domain Administrators, root accounts, etc.) in their environment, as well as the ability to automatically change the passwords as often as possible to neutralize an attackers ability to compromise these accounts.
  • Create more control points for network access closer to the data center. In today's connected world, trying to create a network perimeter control point is nearly meaningless. Outsourced IT staff, cloud-based hosting providers, B2B services, remote employees and more make the idea of controlling access with a VPN, and then letting connected users go wherever they want, absolutely unmanageable. Healthcare organizations must segregate networks closer to critical assets, and more stringently control what users and even systems are allowed to connect directly to them. Using a combination of internal firewalls, routing access control, credential management and proxying capabilities to not only enables better control of who can access critical systems, but to also give attackers far fewer points of entry.

Taken and implemented all together, healthcare organizations can vastly improve the strength of each defense layer. For example, if account credentials are better secured and cannot be compromised to access core applications by an unauthorized party, then a network intrusion detection systems can be more fine-tuned to look for anomalies, without having to account for every credential, everywhere. Or, once critical systems are identified, patch management efforts can be better prioritized to address the vulnerabilities on those critical systems first, letting operations team move more quickly and decisively on which issues to address in a timely manner.

These improvements can result in more efficiency, better accuracy and overall a much stronger security posture for the entire healthcare organization.