BreachExchange mailing list archives

How healthcare organizations can avoid repeating 2015's IT security failures


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Oct 2015 19:28:45 -0600

http://www.healthcareitnews.com/blog/how-healthcare-organizations-can-avoid-repeating-2015s-costly-it-security-failures

In 2015, it seems like barely a month goes by without another report of a
data breach suffered by a health care organization exposing personal
information about patients, employees and related health services
providers. HIPAA was intended to provide a framework for health care
organizations to improve their overall security posture from both a
technical and procedural standpoint, with the ultimate goal of preventing
these kinds of breaches from happening. Unfortunately, what we've seen this
year is quite the opposite.

As IT security professionals, we have been doing it wrong for years. We are
taught about castles and moats and building strong perimeters to keep the
outside at bay, but that just doesn't work anymore. Instead, we have to
start from the inside and work backwards from the core of our environment
in order to achieve better security. A few months ago, I wrote about
lessons healthcare organizations can learn from Ponemon's 2015 study on
Privacy & Data Security of Health Care Data report. Since then, I've often
been asked to further explain why healthcare organizations must focus more
on securing data closest to its source, in addition to traditional cyber
defenses such as external firewalls.

In this piece, I'll go into more details about how to use an inside-out
strategy for building a security program to help avoid repeating the same
security failures that plagued the industry in 2015.

Changing perspective
Security professionals have been taught for years to look out into the
vastness of the Internet, and identify the places where hackers and other
outsiders would try to break into their networks. This led to the
foundation of the defense-in-depth security strategy of building walls and
checkpoints to help mitigate the various places an attacker would try to
penetrate the various systems in place and steal the target data they're
after.

First, firewalls are put in place to guard the perimeter. Then, network
access control comes into play to dictate where traffic can go once it's
past the firewall. Those systems which can be accessed are then hardened
with patch management programs for fixing broken code and eliminating known
points of exploit, and system configuration frameworks for avoiding poorly
managed settings which could allow too much access. Eventually, user names
and passwords come into play in order to access the core applications which
access the critical data housed in the deepest, most protected areas of the
network.

Somewhere along the way, a policy gets put into place outlining exactly
what the organization should be doing to protect its data, conveniently
structured to accommodate the technology and methodology that has already
been put in place.

The time is long since past that the IT security community give up this
notion of protecting the outside first and working inward. While the
castle and moat analogy gets used a lot, the truth is that we're not
building castles anymore, but interconnected webs with an ever-growing
number of connections that tie back to the center of the structure.

It has become imperative that IT security professionals working for
healthcare organizations stop viewing the world from the outside-in
perspective, and start looking at building our programs from the core data
at the center of our networks outward. All the layers are still needed, but
when we can build a strong core to begin with, the rest of the pieces begin
to deliver the fullest potential of their value by focusing in on the
security measure they're specifically designed for. Here are some
strategies for healthcare organizations to kick-start a center-focused IT
security strategy:

- Identify and classify critical assets and data. Healthcare organizations
must begin with the old adage, "You can't protect what you don't know you
have." An outside-in perspective may look at the most common vulnerability an
attacker would use to get into a network. But that vulnerability being
present on a user's workstation is far less of an issue than it being
present on a business-critical database server. IT security teams need to
identify what assets are most critical in their environment and perform a
data classification study to understand where these important assets reside
and where they should prioritize their efforts.
- Actively manage the keys to the kingdom. There are a lot of security
tools out there that help protect critical assets, but all of them can
potentially be bypassed by an attacker who has the right credentials. IT
security professionals working in healthcare must have software in place
that can actively manage who has access to the most privileged credentials
(such as Domain Administrators, root accounts, etc.) in their environment,
as well as the ability to automatically change the passwords as often as
possible to neutralize an attacker's ability to compromise these accounts.
- Create more control points for network access closer to the data center.
In today's connected world, trying to create a network perimeter control
point is nearly meaningless. Outsourced IT staff, cloud-based hosting
providers, B2B services, remote employees and more make the idea of
controlling access with a VPN, and then letting connected users go wherever
they want, absolutely unmanageable. Healthcare organizations must segregate
networks closer to critical assets, and more stringently control what users
and even systems are allowed to connect directly to them. Using a
combination of internal firewalls, routing access control, credential
management and proxying capabilities not only enables better control of
who can access critical systems, but also gives attackers far fewer
points of entry.

Taken and implemented all together, healthcare organizations can vastly
improve the strength of each defense layer. For example, if account
credentials are better secured and cannot be compromised to access core
applications by an unauthorized party, then a network intrusion detection
system can be more finely tuned to look for anomalies, without having to
account for every credential, everywhere. Or, once critical systems are
identified, patch management efforts can be better prioritized to address
the vulnerabilities on those critical systems first, letting the operations
team move more quickly and decisively on which issues to address in a
timely manner.
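The classification bullet earlier and the patch-prioritization point just made are two sides of one idea: the same vulnerability matters more on a database server holding patient data than on a workstation. The following added example (written for this post, not the article's own code) shows how a data classification study feeds a patch queue. The asset inventory, the criticality weights and the findings are all constructed; `VULN-A` and `VULN-B` are placeholder identifiers, not real CVEs.

```python
"""Asset-criticality-weighted patch prioritization.

Added example, not from the article. Assumes a constructed asset inventory
classified by what data it holds, a constructed weight per asset class, and
a constructed list of scanner findings with a base severity on a 0-10 scale.
"""

# Constructed classification: how much a finding on this kind of asset is
# weighted relative to a workstation.
CRITICALITY = {"ephi-database": 3.0, "app-server": 2.0, "workstation": 1.0}

# Constructed inventory produced by a data classification study.
ASSETS = {
    "ehr-db01": {"class": "ephi-database", "network": "core"},
    "web-app01": {"class": "app-server", "network": "dmz"},
    "ws-1042": {"class": "workstation", "network": "user"},
}

# Constructed findings. VULN-A and VULN-B are placeholders, not real CVE ids.
FINDINGS = [
    {"host": "ws-1042", "vuln": "VULN-A", "severity": 9.8},
    {"host": "ehr-db01", "vuln": "VULN-A", "severity": 9.8},
    {"host": "web-app01", "vuln": "VULN-B", "severity": 7.5},
    {"host": "ws-1042", "vuln": "VULN-B", "severity": 7.5},
]


def risk_score(finding, assets=ASSETS, weights=CRITICALITY):
    """Base severity scaled by the asset's criticality weight.

    A host missing from the inventory gets the highest weight: an
    unclassified system cannot be assumed unimportant, which is the
    "you can't protect what you don't know you have" case.
    """
    asset = assets.get(finding["host"])
    weight = weights[asset["class"]] if asset else max(weights.values())
    return round(finding["severity"] * weight, 2)


def prioritize(findings, assets=ASSETS, weights=CRITICALITY):
    """Findings ordered by risk score, highest first; ties broken by host."""
    return sorted(findings,
                  key=lambda f: (-risk_score(f, assets, weights), f["host"]))


def patch_queue(findings, assets=ASSETS, weights=CRITICALITY):
    """Ordered (host, vuln, score) tuples for the operations team to work."""
    return [(f["host"], f["vuln"], risk_score(f, assets, weights))
            for f in prioritize(findings, assets, weights)]


if __name__ == "__main__":
    for host, vuln, score in patch_queue(FINDINGS):
        print(f"{score:6.2f}  {host:10}  {vuln}")
```

With the constructed data, `VULN-A` on `ehr-db01` comes out on top with a score of 29.4, the lower-severity `VULN-B` on the application server ranks above the identical `VULN-A` on the workstation (15.0 against 9.8), and the workstation's own `VULN-B` comes last. The weights are deliberately simple; what a real program adds is an inventory that is actually complete and a review of anything that lands in the "unknown host" bucket.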

These improvements can result in more efficiency, better accuracy and
overall a much stronger security posture for the entire healthcare
organization.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 