Security Technology Executive

NOV-DEC 2017

Issue link:

Contents of this Issue


Page 28 of 71

www. • November/December 2017 • SECURIT Y TECHNOLOGY E XECUTIVE 29 T he executive team was confident their 2,453 bed integrated delivery network was secure, especially since they invest- ed heavily in a solid perimeter. Their engineers implemented "a defense in depth" strategy with redundant sys- tems and internal segmentation of all 16 compartments in the unlikely event of a perimeter breach. They were so confident of their system that they didn't implement a full disaster recovery strategy, thinking that no more than 40 percent of the resources would require assistance at a time. This overconfi- dence was fueled by an under-scoped and incomplete risk assessment, which fueled inadequate planning , and thanks to Murphy's Law, ultimately led to disaster. There are eight lessons healthcare organizations can learn from this incident. 1 Understand the organizational context Board members and senior executives need to fully understand the context of their organization so that a complete risk assessment can be performed. This includes understanding the location and critical- ity of all sensitive systems needed to deliver care. It also means understanding all internal and external dependencies, such as knowing the status of other dependent organizations' security controls. Within the healthcare community, covered entities and busi- ness associates should avoid fixating on the protection of Personal Health Information (PHI) while ignoring other critical systems such as biomedical devices, supervisory control and data acquisition (SCADA) controls, and physical access security. These have vulnerabilities that, if not addressed, can be used to access sensitive data. Healthcare organizations are not immune to breaches and hacking of valuable assets, such as financial and employee data, or even email lists which can be used for ransomware attacks. Risks also exist in interconnected supporting organizations, such as business associates and affiliated physician groups where compliance teams can have a difficult time defining perimeters and the overall scope of a security management program. 2 Implement a defense in depth strategy Defense in depth strategies are used to prevent catastrophic system failure in case the perimeter is breached. Firewalls alone are increasingly insufficient as the enterprise has expanded to include things like bring your own device (BYOD), Internet of Things (IoT) devices, and increased demand for mobile equip- ment connectivity. One defense in depth strategy is to provide the system administrators with two user accounts – one privileged to manage servers, network, and firewalls, and a separate one for administrative activities. This helps isolate critical accounts from phishing schemes and malware infections originating from malicious email and Internet websites. CIOs can also employ separate networks for PHI, SCADA and payment card systems, and network aware biomedical devices. Breaches have occurred to clinical systems that started with HVAC, CCTV and payment systems that were compromised first proper use of network and account segmentation and limit damage follow- ing an incident. 3 Integrating automated threat detection with staff check-points Early threat detection capabilities are most effective when technology and procedures are tightly integrat- ed to allow staff to react to security incidents before serious harm is done. Anti-virus software can stop most known threats but require frequent (even hourly) updates. Other technologies such as next-generation firewalls, heuristic-based malware protection, and intrusion detection/prevention systems (IDS/IPS) are needed to monitor and react to alerts in near real time. While this technology is important, it does not replace the need for a human in the loop to isolate and respond to imminent threats. 4 Routinely test the perimeter Understanding how the perimeter will react when stressed, specifically when targeted by hackers and groups engaged in social engineering to exploit the network, is important so that vulnerabilities can be identified and addressed. External and internal vul - nerability scans, as well as periodic penetration tests, serve to find holes that can be exploited for bigger problems. Since threat awareness has been identified as one of the most serious security weakness, anti- phishing exercises can help identify staff blind spots. Overconfidence in your plan and an underestimated threat can spell disaster By Clyde Hewitt , CI SSP, CH S

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - NOV-DEC 2017