Embrace 'consequence-based engineering' before the next WannaCry or Petya attack

As attack surfaces become more common across various industries, the fact that this tactic has already worked elsewhere means hospitals can use the best practice too.
By Bill Siwicki
10:58 AM
Share
WannaCry ransomware

With industry-specific compliance requirements driving security spending and technology deployment, it’s natural to assume that best practices for securing access to sensitive data are different from industry to industry. 

Not so fast. 

“Traditionally, threat trends have reflected the environments in which they occur,” said Anthony Giandomenico, senior security strategist and researcher at FortiGuard Labs at Fortinet. “However, as organizations continue to adopt a variety of new, highly distributed network ecosystems, and access similar data, applications and resources, we are beginning to document that threats are no longer being confined to a specific place or industry.” 

[Also: Today's lax medical device security can be fixed. Here's how.]

What’s more, hackers and cybercriminals can exploit those infrastructures across multiple industries, as the world witnessed with the recent WannaCry and Petya attacks. And they are doing so with automated tools intended to fuel widespread, if not global, security incidents. 

Fortinet conducted an analysis, in fact, that determined almost every industry has pretty much the same attack surface, with very few exceptions, Giandomenico said, pointing to education and telecommunications as two examples. 

That means that healthcare CIOs, CISOs and security pros can pick up best practices and strategic techniques from other industries and, in turn, apply those to their security posture.

[Also: More cyberattacks are imminent, but hospitals are fighting with their hands tied]

Giandomenico offered a best practice more common in other realms that can now also be effective in healthcare: consequence-based engineering. 

“Consequence-based engineering involves understanding your key assets, determining what sorts of threats your organization is most vulnerable to – such as remote access denial, corrupted applications or data, or rendering key IT or operational assets unavailable – and engineering as much of that risk out by design as possible,” he said.

This requires developing a strategy for seeing and tracking every device on a network; understanding what resources individuals, devices or applications can access; and understanding who and what should have privileges to access those resources, he said.

“While individual teams or departments may have some idea of what resources they need, and who should be able to access them, the challenge becomes more complicated as you consider the interaction between departments, applications and services,” he said. “Can privileges in one area be exploited in another? What happens when sensitive data collected by an application travels to another area of the network, such as a doctor’s personal device?

Giandomenico added that cybercrime basics, such as DDoS attacks and phishing schemes, and the fact that many connected medical devices were not designed with security in mind makes it harder for hospitals to secure them. 

“The challenge is not unique to healthcare, though. The IoT and the cloud are driving dramatic changes in the attack surface in many industries,” he said. “The types of vectors and infrastructure shifts are similar.”