Myth busted: Firewalls and security software help, but they aren't all you need

Hospitals often put too much weight on the latest technology solution, but these “shiny objects” are still being breached.
By Jessica Davis
09:24 AM
Share
firewalls in healthcare

Head to any security event or conference, or read an email from a new security software provider, and it could be easy to start thinking that what your organization needs is the newest technology. For example, in 2016 when ransomware first began pelting the healthcare industry, many security firms were offering the latest technology that could thwart all new foes.

“The issue is that the security market is broken -- and not just the security startups,” said Kurt Hagerman, chief information security firm for Armor, a security firm. “All of the solutions get over-marketed as the silver bullet, as able to protect and keep the bad guys at bay.”

[See them all: 10 stubborn cybersecurity myths, busted]

“That’s oversimplifying the problem, as the healthcare industry is pretty behind the curve from a security standpoint,” he added.

The healthcare industry is already operating on tight budgets -- especially when it comes to security, explained Hagerman. “They’re suffering from the ‘shiny object syndrome.’ They don’t think about it in terms of strategy and prioritizing what’s most at risk for an organization … There’s no standard in terms of service.”

Not all leaks happen as a result of brute force attacks. 

“Just think about most of these attacks: Almost all of these breached networks have security solutions and firewalls. Some even have next-gen networks. How in the hell did they get a breach?” said CynergisTek CEO Mac McMillan.

In fact, McMillan said that most hackers bypass the firewall completely. That’s not even getting into the attacks that happen behind the firewall within the internal network.

“How does this happen? Firewalls are what they are: Perimeter defense. It doesn’t protect the entire network,” said McMillan. “Even with a lot of secured systems, an authorized user with an unauthorized piece of software is a dangerous combination.”

To make matters worse, many errors come from misconfigured firewalls, he added.

Vendor errors with database or cloud configurations are also problematic and have nothing to do with a flaw in the software. For example, New York’s Bronx Lebanon Hospital suffered a breach in May 2017 when its third-party vendor misconfigured the rsync backup for a MongoDB database.

The result? At least 7,000 patient records exposed online -- and there’s no estimate for how long the data was exposed.

This points to one of the biggest issues with security: human error. A lot of hacking attempts and security errors are just due to people doing the wrong thing or clicking a malicious link.

“You still have to teach the staff. The human is vulnerable: It’s still a big deal,” said ICIT Senior Fellow James Scott. Holding security training on Saturdays doesn’t work. It needs to be continuous and interesting to staff, but not through penalizing those employees who fail the tests.

“The organization needs to pummel this into the intellectual DNA of its staff,” said Scott.

 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com