Myth busted: Disconnecting networks and devices won't eliminate the risk
Disconnecting, unplugging or creating air gaps between devices and networks is a common tactic used by many healthcare organizations that think the process can make the data totally secure. Another common assumption is that paper documents, USB ports and old machines left off and tucked away are somehow safer.
It all makes sense, but it’s not that easy.
While it’s important to store offline backups, the idea that removing the connection creates perfectly safe data is seriously flawed.
Thinking a healthcare organization can even set up an infrastructure that’s completely disconnected is a mistake, said CEO and President of Identity Theft Resource Center Eva Velasquez. It’s not feasible to think a provider could have standalone machines and printers completely disconnected.
Especially in a healthcare network, it’s unrealistic to disconnect technology that is needed to improve the quality and efficiency of care out of fear of a breach. According to Velasquez, hackers can get, and are getting, through very esoteric pathways, like an HVAC vendor on just a small segment of the network.
“But disconnection of data is a myth,” Velasquez said. “Because unless you’re a sole proprietor with one machine and left offline, it’s unachievable.”
Disconnecting devices can, of course, help to mitigate risk, according to Dale Nordenberg, CEO of Safety and Security Consortium for Novasano. “But it doesn’t eliminate risk.”
For example, any USB is still a big problem, said Nordenberg. A lot of risk is introduced through ports, patients and providers.
And for Nordenberg, the reality is that “what’s disconnected today may not be disconnected tomorrow, as networks are always changing.”
Velasquez took it a step further: “Data is on the move, it’s shared through thumb and hard drives, and there is an influx of new technologies connected that organizations might miss when trying to disconnect. And many data breaches are simply employee errors.”
Just one glance at HHS’ list of settlements over the last two or three years shows there are many organizations fined for just that: unsecured data on the move, loss or theft of external devices and others.
Not to mention the wide range of breaches in 2016 and 2017 that leveraged a small, forgotten port or device. For example, the attack on domain name system host Dyn in the fall of 2016, which shut down major websites like Netflix, Twitter and Spotify, was caused by a massive denial-of-service attack.
The source? IoT cameras.
For CynergisTek CEO Mac McMillan, these types of attacks aren’t surprising. There are security incidents all the time on archived or old databases that aren’t connected to the network. Often these devices are still connected to the internet -- even if they’re not on a hospital network.
“Someone doesn’t pay attention or just doesn’t disconnect the device. And these older devices are more vulnerable than others,” McMillan said. “You still need to be concerned about access to the data, but simply disconnecting from the network doesn’t alleviate all the risk.”