As more data moves to the cloud, and cyberattacks multiply, organizations need to adopt an alternate paradigm of security, says Nikhil V. Bagalkotkar, a virtualization specialist at Citrix.
“This alternate paradigm of security does not try to fight the attacks but assumes that attacks are going to go through and works on preventing exposure when an attack goes through,” he says in an interview with Information Security Media Group.
A key step, he says, is to segment all networks and provide a layer of security for each, so that someone using the internet, for example, does not expose the corporate intranet.
“We are also seeing new technologies to protect cloud data which are fuelled by analytics, big data and artificial intelligence that help in monitoring the security posture of the user in real time,” Bagalkotkar says.
In this interview, he also discusses:
The need to establish corporate governance through information security to protect digital identities;
How to manage third-party risks in the cloud;
The layered security model.
As the presales head for virtualization at Citrix India, Bagalkotkar’s responsibilities span across all technical facets of Citrix’s business in India. He specializes in assisting organizations in conceptualizing, designing and executing transformational solutions backed by technology. His previous stints in the technology sector have involved architecting solutions around information management, workspace re-invention and digital transformation.
Penetration testing can help find security vulnerabilities that aren’t typically identified by scanning and other monitoring. But the testing comes with some risks, say Chuck Kesler, CISO at Duke Health, and security expert John Nye of the consulting firm CynergisTek.
“Web applications tend to be a very fertile ground for attacks, so we want to be sure we’re proactively identifying those vulnerabilities,” Kesler says in an interview with Information Security Media Group at the HIMSS18 conference in Las Vegas.
“A lot of vulnerabilities, particularly in web applications, can’t be found in a simple vulnerability scan. There are sophisticated vulnerabilities … that the penetration tests will help highlight.”
Be Wary of Risks
But organizations also need to be aware of the potential risks posed to certain devices and systems during penetration testing.
“Penetration testing can cause systems to drop offline, and they can also cause corruption in medical devices and internet of things devices, or really cheap devices, like IP cameras, that can break,” Nye says.
The testing can also impact production systems “because we’re running scans against all those systems, and [are] hitting them with thousands of packets sometimes. It could slow the system down or stop a system from being accessible,” he notes. “This all needs to be considered.”
Prior to penetration testing, entities and testers need to carefully consider “what systems to touch, what systems not to touch and what the potential impacts are,” Nye says.
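The scoping step Nye describes (decide up front which systems may be touched and which may not) can be enforced before any packet is sent. The following is an added example, not code from the article or from the speakers: a requested target list, expressed as addresses or CIDR blocks, is checked against an asset inventory in which fragile hosts (medical devices, IoT, cheap IP cameras) carry tags. Tagged hosts are excluded, hosts absent from the inventory are held back for a human decision, and only the rest go into the scan plan. The inventory, addresses, names and tags are all constructed for illustration.

```python
"""Pre-engagement scope check for an active scan.

Added example (not from the ISMG article). Split a requested target list into
hosts that may be scanned, hosts that must be excluded because the inventory
tags them as fragile, and hosts the inventory does not know at all (which need
a human decision before any traffic is sent). All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Tags whose presence removes a host from active scanning by default.
FRAGILE_TAGS = frozenset({"medical-device", "iot", "ip-camera"})


@dataclass
class Asset:
    ip: str
    name: str
    tags: frozenset = field(default_factory=frozenset)


# Constructed asset inventory keyed by IPv4 address.
INVENTORY = {
    "10.20.0.10": Asset("10.20.0.10", "web-portal", frozenset({"web", "production"})),
    "10.20.0.11": Asset("10.20.0.11", "infusion-pump-3", frozenset({"medical-device"})),
    "10.20.0.12": Asset("10.20.0.12", "lobby-cam", frozenset({"ip-camera", "iot"})),
    "10.20.0.13": Asset("10.20.0.13", "test-api", frozenset({"web", "staging"})),
}


def expand_targets(targets):
    """Expand single addresses and CIDR blocks into individual host addresses.

    For a block, network and broadcast addresses are left out (ip_network.hosts()).
    """
    hosts = []
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def plan_scan(targets, inventory=INVENTORY, fragile_tags=FRAGILE_TAGS):
    """Return (in_scope, excluded, unknown).

    in_scope: addresses cleared for active scanning
    excluded: address -> reason, for inventory hosts carrying a fragile tag
    unknown:  addresses not in the inventory; never scanned without sign-off
    """
    in_scope, excluded, unknown = [], {}, []
    for ip in expand_targets(targets):
        asset = inventory.get(ip)
        if asset is None:
            unknown.append(ip)
            continue
        hit = asset.tags & fragile_tags
        if hit:
            excluded[ip] = f"{asset.name}: tagged {', '.join(sorted(hit))}"
        else:
            in_scope.append(ip)
    return in_scope, excluded, unknown


if __name__ == "__main__":
    cleared, held, unlisted = plan_scan(["10.20.0.8/29"])
    print("scan:", cleared)
    print("excluded:", held)
    print("needs approval:", unlisted)
```

The "unknown" bucket matters as much as the exclusions: a host the inventory has never seen is exactly the kind of cheap device that breaks under a flood of packets, so the default is to hold it back rather than scan it.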
Kesler and Nye were co-presenters during HIMSS18 on the topic of pen testing.
In the interview, Kesler and Nye also discuss:
Other security concerns involving biomedical devices;
Top security priorities at Duke Health this year, including bolstering network access controls and management around bring-your-own-device as part of a broader three-year security plan;
The most troubling emerging cyber threats facing the healthcare sector.
As CISO for Duke Health, Kesler leads the organization’s information security office, which provides services for all Duke University Health System’s units as well as academic departments and research institutes in the university’s schools of medicine and nursing.
Nye, vice president of cybersecurity strategy at CynergisTek, has spent nearly a decade in information security, including stints with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp. and KPMG LLP. He now works exclusively as a penetration tester.
Attorney Steven Teppler, who recently wrote a report that addresses risks related to the internet of things, offers insights on risk management steps organizations in all sectors must take as IoT devices proliferate in the enterprise.
One key step is to identify and map all the IoT devices that are connected to their networks and put into place policies that help prevent new devices from being introduced into the environment, he says in an interview with Information Security Media Group.
“You can have a snapshot or picture of your network at any given time – and do a network map, see who and what is connected to your network – and if there’s something with which you’re not familiar, you will [need to] investigate and maybe remove or quarantine [the devices] from the network,” says Teppler, who wrote a paper for the Information Security Systems Association on the facilitation of IoT devices and the increasing proliferation of crime-as-a-service.
Unknown Devices, Unidentified Risks
Among the challenges in reining in IoT-related security risks is that the number and types of devices entering an environment are difficult for many organizations to control, he says.
“The problem is that you have so many people with so many devices … that can be brought in and added to the network, that you almost have to do this [mapping process] … on a continuing basis,” he says.
If someone has added a “smart” mini refrigerator in an office or other connected consumer device, for instance, “you need to be very vigilant … because this is a BYOD – bring your own device – problem on steroids,” he says.
“Now you have devices that you can’t necessarily brick, you can’t know how they operate because … the organization hasn’t set them up or has no control over shutting them down,” he says. “If these devices have access to the network, they may have embedded code … that might start scanning [the network] for whatever is susceptible to an attack.”
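The mapping process Teppler describes, taking a snapshot of what is connected and comparing it with what the organization recognizes, can be scripted so that it runs on the continuing basis he calls for. The following is an added example, not code from the article or from Teppler's paper: it parses a snapshot of the local neighbour table (the line format of `ip neigh show` on Linux), keys devices by MAC address, and compares the result with an approved-device baseline. Unknown MACs are the candidates to investigate or quarantine; approved devices that changed address or disappeared are reported as well. The snapshot text and the baseline are constructed for illustration.

```python
"""Continuous network-inventory check for unfamiliar devices.

Added example (not from the article). Parse an `ip neigh show`-style snapshot,
key it by MAC address, and diff it against an approved-device baseline.
The snapshot and baseline below are constructed.
"""
from collections import defaultdict

# Constructed snapshot in `ip neigh show` format. Entries without a
# link-layer address (FAILED / INCOMPLETE) carry no device and are skipped.
SNAPSHOT = """\
10.0.1.20 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
10.0.1.21 dev eth0 lladdr 52:54:00:ab:cd:ef STALE
10.0.1.77 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.1.99 dev eth0  FAILED
fe80::1 dev eth0 lladdr 52:54:00:12:34:56 router REACHABLE
"""

# Constructed baseline: approved MAC -> (label, expected IPv4 address).
BASELINE = {
    "52:54:00:12:34:56": ("print-server", "10.0.1.20"),
    "52:54:00:ab:cd:ef": ("badge-reader", "10.0.1.30"),
    "52:54:00:00:00:01": ("hvac-controller", "10.0.1.40"),
}


def parse_neigh(text):
    """Return {mac: set(addresses)} from `ip neigh` output.

    A device with both an IPv4 and a link-local IPv6 entry appears once,
    with both addresses; lines without `lladdr` are ignored.
    """
    seen = defaultdict(set)
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue
        mac = tokens[tokens.index("lladdr") + 1].lower()
        seen[mac].add(tokens[0])
    return dict(seen)


def classify(snapshot, baseline):
    """Compare a parsed snapshot with the baseline.

    unknown: MACs not in the baseline, with their observed addresses
             (the devices to investigate or quarantine)
    moved:   approved devices whose expected IPv4 is not among the observed ones
    missing: approved devices absent from the snapshot altogether
    """
    report = {"unknown": {}, "moved": {}, "missing": []}
    for mac, addrs in snapshot.items():
        if mac not in baseline:
            report["unknown"][mac] = sorted(addrs)
            continue
        label, expected_ip = baseline[mac]
        if expected_ip not in addrs:
            report["moved"][mac] = (label, expected_ip, sorted(addrs))
    for mac, (label, _) in baseline.items():
        if mac not in snapshot:
            report["missing"].append((mac, label))
    return report


def audit(text=SNAPSHOT, baseline=BASELINE):
    """One pass of the mapping process: snapshot in, findings out."""
    return classify(parse_neigh(text), baseline)


if __name__ == "__main__":
    for section, findings in audit().items():
        print(f"{section}: {findings}")
```

In practice the snapshot would be taken from each segment's gateway or from switch MAC tables, and the run would be scheduled. A MAC address is an identity claim rather than proof, so a baseline of this kind is a first filter; where 802.1X or switch-port data is available, it should be used to confirm what the neighbour table reports.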
In the interview, Teppler also discusses:
Why cyberattacks on IoT devices involving Mirai botnets have had such a devastating impact on some organizations;
Other cybercrime-as-a-service concerns involving IoT devices;
Security risks posed by medical devices and who should be responsible for addressing those risks.
Teppler is a partner at the Abbott Law Group in Jacksonville, Fla., where he leads the electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach class action lawsuit against health plan AvMed that ended in a $3 million settlement in 2013. Teppler is an adjunct professor at Nova Southeastern University Law School.
A ransomware attack on electronic health records vendor Allscripts late last week is a reminder of the potential disruption to patient care delivery that healthcare entities can face if a cloud-services provider suffers a cyberattack. It also points to the need for business continuity planning.
In a Friday statement, Allscripts said a ransomware incident impacted “a limited number” of applications and that the company was working to restore these systems, “and most importantly, to ensure our clients’ data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems. We regret any inconvenience caused by this temporary outage.”
As of Monday, some services appeared to be back in operation, but not all.
Allscripts in a conference call for customers on Saturday said its Professional EHR and Electronic Prescriptions for Controlled Substances cloud-based services were the hardest hit by the ransomware attack, according to news site CSO Online. Other services, such as direct messaging, had availability issues as well, but those had been restored more quickly, according to that report.
In a Monday statement provided to Information Security Media Group, Allscripts says that early Thursday morning, the company discovered a ransomware attack had affected two of its data centers, which house a small subset of its products.
“The ransomware has since been identified as a new variant of the SamSam malware. Of the roughly 1,500 clients impacted, none were hospitals or large independent physician practices, and services to many already have been restored,” the company says. “In addition, we immediately notified the FBI and have been providing information to assist with their investigation. Importantly, there is no evidence that any data was removed from our systems. We continue to work unceasingly to restore all services to our clients who are still experiencing outages.”
A Friday statement by the New York American College of Emergency Physicians says that New York’s Department of Health was aware of a cyber incident involving Allscripts that disrupted the company’s e-prescribing application for controlled substances.
“This may have an impact on the ability for hospitals, clinics, nursing homes, individual prescribers and pharmacies to transmit and receive prescriptions electronically. It is permissible for those impacted to use paper official prescriptions in accordance with New York State regulations,” the DOH statement says.
Only Some Services Restored
Some healthcare entities that had their access to certain Allscripts services disrupted said those services had been restored.
For example, in a statement provided Monday to ISMG, New York-based Northwell Health says the healthcare system “disconnected from Allscripts data centers strictly as a precautionary measure” after Allscripts notified the organization on Thursday that the vendor was impacted by a ransomware attack.
“Northwell moved quickly to avoid the potential for complications and Allscripts does not believe any data from its system was removed,” Northwell says in the statement. “The electronic prescribing of controlled substances was the only electronic medical record that was unavailable to providers at Northwell Health’s facilities – we have 23 hospitals and about 660 ambulatory locations. Northwell systems are secure and were never at risk. Northwell resumed normal operations over the weekend” using Allscripts’ services, Northwell says.
Meanwhile, a spokeswoman at Clark Memorial Hospital in Jeffersonville, Ind., says the Allscripts outage had minimal impact late last week, and the disruption has been resolved.
That disruption included some patient education material not being accessible and the hospital being unable to send out test result feeds to primary care doctors. “The outage was at the end of last week, so thankfully, there wasn’t a lot of disruption” since many doctors’ offices are closed during the weekend anyway, she says.
But other organizations complained on Twitter late last week, and were quoted in other news reports, that they had lost access to their cloud-based electronic health records systems and had to revert to paper records. And it remained unclear Monday how many of the affected entities had service completely restored.
Allscripts has not yet revealed how many of its cloud-based EHR customers had been affected. According to the company’s website, Allscripts’ services are used by 45,000 physician practices, 180,000 physicians, 2,500 hospitals and 40,000 in-home clinicians.
Plan for Worst
Healthcare organizations relying on cloud-based services need to be ready for potential ransomware and other cyber-related outages that impact patient care and other business operations, says Tom Walsh, president of consulting firm tw-Security.
“Healthcare entities need to take a closer look at their disaster recovery and business continuity plans to make sure the plans address what to do if the cloud services are unavailable,” he says. “The lack of well-written disaster recovery and business continuity plans has been and still is a common finding in healthcare. These plans are supposed to be designed around the worst-case scenario, but seldom are.”
Some cloud-based services providers also have worst-case scenario planning in mind for customers that could be impacted by ransomware attacks on the vendors, Walsh notes.
“Some EHR vendors offer a downtime or disaster recovery service offering in the form of a copy of the database of current inpatient population to a local workstation or server,” he says. “While a full-functioning EHR may not be available, there is at least enough information available at a local level to provide patient care. But plans are only effective if they are periodically tested using a different scenario each time they are tested and revised as a result of the test.”
Healthcare providers that rely on cloud-based services providers are often at the mercy of these vendors, because their “eggs are all in one basket,” Walsh adds.
“Don’t forget the basic concepts of business continuity and disaster recovery,” he stresses. “Plan for the worst case. Develop strategies. Test plans. Revise plans and recovery strategies as needed. Disaster recovery and business continuity plans need to be reviewed frequently and not something that is written in order to check a compliance box.”
Mac McMillan, CEO of security consulting firm CynergisTek, says healthcare organizations must “treat cloud vendors, or for that matter any third party you are relying on for critical services, the same way you treat those services/systems in your own environment, meaning have a practical strategy for incident response, continuity of operations and recovery. Make sure you are comfortable with your vendors’ plans for events.”
Despite the threat of their cloud services providers suffering attacks, healthcare entities can often improve security by using such services, McMillan contends.
“One of the positives of using a cloud vendor is that often they can recover much quicker than the average healthcare entity so using them can still be a net positive,” he says. “For instance, a lot of cloud vendors are running VM environments and multiple SANs for storage/back up. This makes recovery much easier as they can quickly blow away the infected machines, stand up new ones and pull the data needed, test it and everyone is back up and running. Ransomware can happen to anyone.”
In another recent security incident involving a cloud-based service in healthcare, medical transcription services provider Nuance was seriously impacted by the NotPetya malware attack last summer. As a result of the attack impacting services to clients, the Waltham, Massachusetts-based company issued a financial statement warning Wall Street analysts that its fiscal 2017 third and fourth quarter revenue and earnings results would be negatively impacted by the June 27 ransomware attack.