While the hybrid model has given us the freedom to choose whether we complete our work at home or off-site, anywhere access to enterprise systems has also made it harder than ever to protect sensitive data.

Recently, an organization's data architecture has itself become a popular attack vector. Malicious actors take advantage of internet-facing servers that require a username and password by creating a clone of the server's login page and tricking users into entering their credentials on the clone.

In this blog, we’ll outline how multi-factor authentication (MFA) can protect these systems as well as best practices that healthcare organizations can adopt to prevent criminals from using digital resources to compromise security.

What is Multi-Factor Authentication (MFA)?

MFA is an electronic verification method that uses two or more pieces of evidence (factors) to authenticate a user. These factors can include something only the user might know, a device only the user owns, or some other quality inherent to the authorized party. These measures work together to ensure that a single piece of information, such as a password, can’t be used to access protected data.

How Multi-Factor Authentication Protects Internet-Facing Servers

Threat actors can infiltrate servers through a sophisticated process that involves cloning a login page, using phishing emails to lure employees into visiting the cloned page, then stealing their credentials. If the target’s website is a single-factor access point, the hacker now has everything they need to gain control.

First, the attacker will compromise an unrelated website. The intent is to use this website as a staging ground. The attacker will allow the original website to operate as normal, and this server will be used later to capture credentials from the real target. We will now refer to this as the threat actor’s compromised website.

Next, the threat actor will identify its real target—in this instance, a hospital or health system. This target will have an Internet-facing server with username and password authentication. The threat actor will then clone the authentication page to the compromised website as an additional URL.

Finally, the threat actor will create a phishing campaign to target the real victim. All the attacker needs is one user to enter their login information on the fake web page.

Beefing up Your Cyber Protection

Companies must strongly consider what websites they allow to be externally facing. These public pages can be found by a search engine, which presents criminals with the opportunity to create clones that might fool unwitting users into giving up their login credentials.

For instance, we sometimes find a client has made their clinical software available on the internet. Usually, a physician has requested this for ease of use outside the facility.

Keep in mind: If content appears to have value, it will be targeted. For this reason, we strongly discourage attaching clinical software directly to the internet. Given the sensitivity of the data and the consequences of a breach, in both regulatory fines and patient trust, we advise clients to house this software behind a remote gateway. In creating this security apparatus, MFA is a must.

Furthermore, clients should have an asset inventory of what services and protocols are internet-facing. Website content should be analyzed for how much information is being exposed to an attacker. For example, the word “clinical” in the URL will get unwanted attention. A process should be established to approve all new websites prior to being enabled.

MEDHOST Information Security Services

MEDHOST Information Security Services can provide the expertise to help identify these and other threats to your organization. We can provide a comprehensive security review that includes identifying vulnerabilities, prioritization, remediation strategies, and preemptive measures to help manage risk and improve security and safety.

To learn more about how MEDHOST can help protect its customers from cyber threats and reduce their impact on operations, please reach out to us at inquiries@medhost.com or call 1.800.383.6278.


The US is currently grappling with a critical shortage of information security professionals. According to the Washington Post, there are approximately 465,000 unfilled cybersecurity jobs across the country.

This shortage threatens to intensify an already dire proliferation of malicious actors and emergent vulnerabilities within the healthcare industry. Big names in medicine fall victim to ransomware attacks almost daily, lapses in best practices among staff threaten to undermine even the most advanced security systems, and devices that patients rely on for care may be the next target for criminals.

For our partners in rural, community, and critical access healthcare facilities, the difficulty of attracting and retaining the expertise needed to protect patient data is made worse by out-of-the-way locales and tighter budgets that may not support competitive offers.

This article will discuss how two infosec services from MEDHOST can alleviate some of the burden these workforce shortages put on smaller hospital information technology and security departments.

Security Assessments

Evaluating a facility’s security posture helps to identify gaps in coverage and areas where mitigation strategies might prevent future attacks.

These assessments can also help identify and prevent lateral movement, a key concern for many of our partner hospitals. Lateral movement is a hacking technique that uses a single entry point, such as an unlocked or otherwise compromised workstation, to reach other systems on the network and ultimately to control and exfiltrate protected information.

Hospitals are often targeted because criminals know they are legally responsible for keeping patient information secure and are thus more likely to pay large sums to protect this data from exposure.

Our clients sleep easier knowing MEDHOST security teams can react quickly to harden their applications' cybersecurity defenses while mitigating the risk of future infiltration.

Our trusted and knowledgeable cybersecurity professionals can gauge existing security conditions, educate from experience, and guide customers through updating protections with minimal disruption to regular workflows.

Virtual Chief Information Security Officer (vCISO)

Long-term change requires strong governance.

An assessment can provide hospitals with a snapshot of their security posture, but dedicated third-party support provides the necessary analysis, coaching, and expertise to eliminate risks identified by these security reviews.

Nevertheless, infosec professionals remain scarce, and healthcare leaders often turn to traditional IT organizations to overhaul their technology controls. While the association seems logical, and there is often some overlap, IT and security are two vastly different disciplines.

IT organizations are incentivized to get a technology or process functioning. If it works, then their primary responsibilities are fulfilled.

The improper management of service and admin accounts is a typical example of how relying on IT providers alone can compromise an entire healthcare information system. Over time, poor risk management, minimal oversight, and less-than-optimal business practices routinely leave these accounts vulnerable to criminal exploitation.

A tremendous burden is placed on IT staff to oversee multiple disparate data systems within hospitals. The partnership of a virtual Chief Information Security Officer (vCISO), providing regular status updates with our clients and their IT teams, is a key feature of MEDHOST’s managed information security services. In these meetings, we offer insight into our strategies for mitigating the effects of cyber threats and keep customers informed on the continued development of improved protective measures.

To learn more about how MEDHOST can help protect its customers from cyber threats and reduce their impact on operations, please reach out to us at inquiries@medhost.com or call 1.800.383.6278.

On March 21st, President Biden issued an urgent warning to the public sector on the need to immediately strengthen their cybersecurity. Since Russia certainly has the expertise to target a nation like the United States, and with hospitals historically susceptible to cyber-attacks, what can we do to protect our organizations?

Today, I’m going to talk about passwords.

MFA is Not a Standalone Solution

Every article I have read states multi-factor authentication (MFA) is a must. And I agree, MFA is necessary. However, I disagree MFA is the first place to build a healthy information security program.  

For a user (or perpetrator) to get an MFA prompt, they must first enter a password; however, the information security world seems to have waved the white flag on increasing password strength. There are two key reasons this is problematic—password complexity and rotation:

  1. Companies still adhere to an eight-character password policy that only asks for a combination of upper case, lower case, numbers, and symbols.
  2. Companies only rotate passwords every 90 days. This slow, stretched-out rotation creates massive headaches for employees with multiple linked devices and does little to stop attackers, who need hours or at most days to crack a password.

Both of these commonly held password complexity and rotation policies are outdated, established decades ago, and nowhere near sufficient for battling the complexities of 21st-century cyber threats.

In addition, MFA can only easily deploy to so many places, and while it may stop an attacker from quickly gaining access via a VPN connection or Citrix, it does not prevent a phishing attack.  

MFA also requires human interaction, which creates a small productivity hit.  

I would never say MFA isn’t a necessity; it certainly is. MFA reduces risk. But without the backing of a policy that champions password complexity under high rotation, MFA cannot eliminate the potential of a break-in. 

Passwords Are a First-Line Defense

To achieve speed at cracking passwords, bad guys use pre-computed password hashes (scrambled representations of passwords) stored in databases. This is called a rainbow table. How do we knock the legs out from under that table?  

Create Password Complexity 

If we can reduce the need for an employee to generate or utilize a password on their own, we can significantly increase productivity while having a broadly deployed control system.  

Let’s say a worst-case scenario happened, and we lost all password hashes in a domain. Let’s also say we required 20-character randomly generated passwords for all employee and service accounts. The likelihood of any of those passwords having been pre-computed is negligible. A larger number of characters, chosen at random, takes away the easiest path for an attacker.

Now consider an eight-character password. It is almost a guarantee pre-computed hashes for most users will exist. 
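The following Python, added here as an illustration and not part of the original post, puts numbers on the two policies above: the search space behind an eight-character policy versus a 20-character random one, and a plain lookup table (the simplest form of the precomputed attack that a rainbow table compresses) that recovers a patterned password instantly but never recovers a random 20-character one. The hash rate and the sample wordlist are assumed values for illustration.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII characters: upper, lower, digits, symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length, in bits."""
    return length * math.log2(alphabet_size)


def exhaustive_search_hours(length, hashes_per_second, alphabet_size=len(ALPHABET)):
    """Worst-case time to try every password of this length at a given hash rate.
    The rate is an assumption for illustration; real rates depend on the hash
    type and the attacker's hardware."""
    return alphabet_size ** length / hashes_per_second / 3600


def unsalted_hash(password):
    """Stand-in for an unsalted credential hash such as Active Directory's NTLM:
    the same password always yields the same hash, so one precomputed table
    serves every domain. SHA-256 is used only because it is available everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates):
    """The attacker's side: hash every candidate once, then answer
    'which password has this hash?' with a single dictionary lookup."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, stolen_hash):
    """Return the recovered password, or None if it was never precomputed."""
    return table.get(stolen_hash)


def random_password(length=20):
    """A password drawn uniformly from ALPHABET, as a vault would issue."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed sample wordlist: patterns that satisfy a typical eight-character
# "upper, lower, digit, symbol" policy and are therefore worth precomputing.
SAMPLE_WORDLIST = ["Winter2023!", "Hospital1!", "Password1!", "Summer22$", "Welcome1#"]
TABLE = build_precomputed_table(SAMPLE_WORDLIST)


def compare_policies(hashes_per_second=1e11):
    """Summarise both policies; returns a dict so the numbers can be checked."""
    return {
        "bits_8": keyspace_bits(8),
        "bits_20": keyspace_bits(20),
        "hours_8": exhaustive_search_hours(8, hashes_per_second),
        "hours_20": exhaustive_search_hours(20, hashes_per_second),
        "patterned_recovered": lookup(TABLE, unsalted_hash("Winter2023!")),
        "random_recovered": lookup(TABLE, unsalted_hash(random_password())),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
```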

Shorten Password Rotation Periods

Changing a password every 90 days is just poor guidance. For server or administrator passwords, I believe they must be rotated weekly at a minimum, and for some accounts, after every use.  

For less sensitive accounts, I would rather have a long, complex password with no rotation than a short, guessable password rotated quarterly. I have never worked with a paid penetration tester who required a full business quarter to infiltrate a network successfully. You can be assured that a well-trained adversary won’t need that much time either.

Best Practices for Optimal Password Protection 

To produce the long and complex passwords necessary to stump the automated cracking programs used by cybercriminals, hospitals and other potentially vulnerable organizations must invest in password vaults. Allowing users to select and input their Active Directory (AD) password via a vault means they don’t have to know their password.

In addition, tools such as Windows Hello allow users to log on to a Windows workstation without knowing their password. Imagine no longer typing a password into the computer multiple times per day. Add a layer of multi-factor authentication to that process, and you are creating a situation where attackers have to work much harder to compromise an infrastructure.  

By forcing the attacker to work harder, information security resources have an improved chance of finding an irregularity earlier in a compromise, decreasing damages and costs to remediate. 

Password complexity with regular updates is a core tenet of cybersecurity at MEDHOST. Adherence to strict cybersecurity measures is something we employ in all the EHR environments we manage and a best practice we recommend to all our hospital partners.

To learn more about how MEDHOST can help secure your critical healthcare data, please reach out to us at inquiries@medhost.com or call 1.800.383.6278. 

It seems ransomware may be a common topic to talk about these days; however, many people do not truly understand ransomware and its risks.

Ransomware is a symptom of a much larger root cause, like getting a fever or chills from seasonal flu. To prevent it, we need to break ransomware into three distinct phases:

  1. Initial infection
  2. Spread
  3. Recovery

In this blog, we will discuss initial infection and spread.

Phase 1: How Ransomware Infects Your System

Ransomware typically arrives via phishing or through a vulnerability. Controls aimed at these two vectors remove most of the risk of initial infection. There are a variety of such controls, but some of the most common include:

Even with all these controls enabled, risk will be reduced but not eliminated. Someone will always click on something they shouldn’t.

Phase 2: How Ransomware Spreads in Your System

The second phase of ransomware separates organizations with robust information security programs from others. Ransomware wants to spread once the initial infection has occurred. To do so, it uses one of two methods.

Method 1 – Using a common vulnerability within a deployed operating system.

In 2017, WannaCry (a ransomware cryptoworm) spread via the EternalBlue vulnerability. Other ransomware strains, including NotPetya, followed this infection.

In both cases, the infected networks had failed to install patches that already existed (the vaccine). Healthcare was a prime target due to the lack of consistent patching in biomedical devices and in areas where patching is hard to schedule, such as an Emergency Department. For the latter, the blame falls on the lack of high-availability architecture and design.

EternalBlue-type vulnerabilities are rare, and although there have been high-risk vulnerabilities since EternalBlue, the spread vector witnessed in the WannaCry attack made it unique. What if ransomware had a highly privileged account such as a domain administrator account? It would no longer need a coding or environmental vulnerability condition. It would simply move through the network, installing itself on every device.

Method 2 – Using a domain admin account to spread the infection to other systems.

What if the person initially phished had access to a server with their standard account? The malware or the threat actor behind the malware can quickly advance to the server environment using the target's permissions.

If a service account with administrator rights existed on the box (for example, a service account used to perform backups), the malware or threat actor could retrieve that more privileged account from memory. The infection can repeat these steps until it retrieves an account that reaches a high enough share of machines. Once there, the malware will begin exfiltrating data or encrypting drives.

As security professionals, we must focus on segmenting users from administrators. An IT administrator must have a regular account and a privileged account. Administrators must be careful where they utilize their account(s). Whatever that account authenticates into is now a target. If the malware can authenticate there, it can retrieve the elevated account. Reset administrator accounts frequently or reboot machines to remove stored tokens in memory.
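One detection that follows directly from this advice, added here as an example and not part of the original post: alert on any logon by a privileged account to a host outside the set of machines it is meant to administer, restricted to the Windows logon types that leave reusable credential material in memory on the target host. The event records, account names, host names and tiering sets below are constructed sample data and assumptions for the example.

```python
from dataclasses import dataclass

# Windows logon types (Security event 4624) that leave reusable credential
# material in LSASS on the target host, which is what an infection harvests
# from memory. Network logons (type 3) do not cache credentials that way.
CREDENTIAL_CACHING_LOGON_TYPES = {
    2,   # Interactive (console)
    4,   # Batch (scheduled task)
    5,   # Service
    10,  # RemoteInteractive (RDP)
}

# Assumptions for this example: which accounts are privileged and which hosts
# they are allowed to authenticate to (domain controllers, an admin jump host).
PRIVILEGED_ACCOUNTS = {"da_jsmith", "svc_backup"}
PRIVILEGED_HOSTS = {"DC01", "DC02", "ADMINJUMP01"}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    host: str  # machine the account authenticated *to*


def exposes_privileged_credential(event, privileged_accounts=PRIVILEGED_ACCOUNTS,
                                  privileged_hosts=PRIVILEGED_HOSTS):
    """True when a privileged account logged on, in a credential-caching way,
    to a host outside its tier. That host now holds a token or hash that an
    infection running there could replay."""
    return (
        event.event_id == 4624
        and event.account in privileged_accounts
        and event.logon_type in CREDENTIAL_CACHING_LOGON_TYPES
        and event.host not in privileged_hosts
    )


def find_exposures(events, **kwargs):
    """Return the events that should raise an alert, in log order."""
    return [e for e in events if exposes_privileged_credential(e, **kwargs)]


# Constructed sample: a handful of 4624/4634 records reduced to the fields
# that matter for this check.
SAMPLE_EVENTS = [
    LogonEvent(4624, "jdoe",       2,  "WS-ED-07"),    # nurse at an ED workstation: fine
    LogonEvent(4624, "da_jsmith",  10, "DC01"),        # admin RDPs to a DC: expected
    LogonEvent(4624, "da_jsmith",  3,  "FILESRV01"),   # network logon: nothing cached
    LogonEvent(4624, "da_jsmith",  10, "WS-ED-07"),    # admin RDPs to a workstation: ALERT
    LogonEvent(4624, "svc_backup", 5,  "APPSRV02"),    # privileged backup account on an app server: ALERT
    LogonEvent(4634, "da_jsmith",  10, "WS-ED-07"),    # logoff record: ignored
]


if __name__ == "__main__":
    for e in find_exposures(SAMPLE_EVENTS):
        print(f"ALERT: {e.account} logon type {e.logon_type} to {e.host} "
              f"leaves a privileged credential in memory")
```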

How MEDHOST Keeps Ransomware Contained

MEDHOST controls include:

These controls have a positive effect on ransomware. MEDHOST provides hosted customers additional peace of mind knowing MEDHOST has taken complex steps in its journey to protect against the ever-increasing complexity of ransomware.

Our next blog will discuss recovery and required hosting capabilities to ensure hospital business continuity and patient safety.

To learn more about how MEDHOST can help protect your patient data and business operations, please reach out to us at inquiries@medhost.com or call 1.800.383.6278.

On October 28, 2020, CISA, the FBI, and HHS released an advisory noting that potentially hundreds of medical centers and hospitals would be targeted for ransomware encryption.

Although ransomware has been a serious threat for the past five years, the risk of an operational outage or a breach is ever expanding.

Ransomware has evolved over the last five years, increasing its impact and its ability to crush hospital systems. 2015 was the year of ransomware with the emergence of CryptoWall. The attack began with phishing to gain initial access to an endpoint. It would encrypt the drive and present the user with ransom instructions. The machine then joined a botnet to spread the malware, repeating the phishing cycle. Individual computers were the targets. Large companies, including hospitals, fell victim, but it was rare for hospital systems to be targeted.

The next large evolution in ransomware occurred in 2017. A group of exploits (EternalBlue) allowed for remote compromise of Windows devices. Ransomware kits began to add EternalBlue vulnerabilities. This allowed for programmatic compromise of large networks lacking mature patch management. Hospitals were now seen as an easy target.

The latest evolution in ransomware is the incorporation of techniques once reserved for nation states. One of the latest groups to receive notoriety is UNC1878 or 2020 Wizard Spider. By combining phishing, credential harvesting, privilege escalation, data exfiltration, and ransomware, the threat is a worst-case scenario for a medical system. The impact is both a large continued operational outage and a potential breach scenario. By combining automation with human interaction, the malware can be spread quickly across systems. Re-imaging an endpoint can be ineffective as compromised credentials allow for quick reinfection and encryption. Even more devastating, attackers can exfiltrate and hold sensitive regulatory data hostage.

Prior to this attack, fending off ransomware included security awareness, email filtering, patching, and worst-case, restoration of data. But now because an attack can incorporate privilege escalation and lateral movement, the security department must also evaluate local administrative privileges, password entropy, service accounts with authority, domain administrator accounts, insecure protocols, and methods to identify the exfiltration of data. Attackers understand it can take years and massive capital to deprecate programs, service accounts, and protocols that a company has operationally relied on for years. When you consider expensive biomedical devices such as MRI machines, it is easy to understand why hospitals are targeted. In addition, the security department must have the visibility and training to detect lateral movement including log aggregation and correlation. That can be a specialized skillset.

If you are a medical facility or a hospital, where do you get started?

  1. Multi-factor Authentication – MFA is essential to protecting against compromised domains
  2. Backups – Although restoring data is the last line of defense, once encrypted it is the only option
    1. For workstations, consider using a cloud service with versioning control (e.g., OneDrive)
    2. For servers, ensure back-ups are routine and protected from being corrupted and/or deleted by threat actors
  3. Routine Patching – Although credential theft can be successfully executed on a fully patched network, exploited vulnerabilities can lead to the same outcome. Patching alone will not prevent ransomware.
    1. Remove end-of-life devices
  4. Identify and Filter Phishing Emails
  5. Security Awareness
    1. Routine training
    2. Phishing Simulations – Disciplinary action for repeated failures
    3. Centralized reporting for a suspected phishing attempt
  6. Enforce the Disablement of Macros – Macros are often utilized to gain an initial foothold in the environment.
  7. Log Aggregation – Logging data to a safe place is essential to be able to perform detection. Log aggregation is an extensive project.
    1. Network logging
    2. Security events for both workstations and servers
    3. PowerShell logging
    4. Sysmon logging
  8. Developing an Incident Playbook – Once you have logging, the security teams should begin building alerts, metrics, dashboards, and playbooks for both detecting and responding to malicious behaviors.
  9. Routine Attack and Penetration Testing & Tabletop Exercises
  10. Limiting Domain Admins – A compromised domain administrator will lead to a compromised domain controller. Once compromised, all workstations, servers, trusts, and users are compromised.
    1. Utilizing password vaults with rotating passwords can help limit exposure.
  11. User Account Passwords
    1. Increasing password complexity can help to remove common and/or easy to crack passwords from the environment
    2. Using password vaults can also abstract users from knowing their password
    3. Implement Windows Hello with pin codes or biometrics
  12. Service Account Passwords
    1. Service account passwords must be long and difficult to crack
    2. Managed Service Accounts – Managed service accounts utilize Windows to create a unique and programmatically rotated password
  13. Remove Administrative Rights from Endpoints – Removing administrative rights increases the complexity and the number of steps required for a threat actor to execute powerful attack tools to harvest elevated credentials.
  14. Network Segmentation – By applying firewalls and other segmentation controls, zones can be defined to inspect traffic. Conceptually, this is like a border between nations.
  15. Deprecate older protocols such as SMBv1 and RC4 from the environment.

To learn more about how MEDHOST protects its systems and its customers' solutions with enhanced security measures, reach out to us at inquiries@medhost.com or call 1.800.383.6278.