The things that go through a security professional’s head during a regular doctor’s visit, why they matter to the healthcare industry, and why they should matter to you.
Healthcare organizations are the stewards of troves of very private and personal information.
This makes them high-value targets for all sorts of attacks from malicious parties. Additionally, national regulations such as HIPAA impose harsh penalties on organizations that leak protected health information (PHI).
HIPAA fines can reach into the millions of dollars.
There’s a lot at stake, most importantly the wellbeing of millions of people. Hospitals, doctors’ offices, and health insurers are all at immense risk. So one would think that they all take the strongest possible measures to prevent breaches, right?
Unfortunately, the record shows otherwise. Many healthcare-related breaches have already taken place in 2020, and security controls clearly aren’t as strict as one might hope.
Can we expect these attacks to end or decrease in number? Probably not; reports show that the situation is only getting worse.
So, let’s talk about an aspect of security that often gets overlooked and that an adversary with the right motives can easily exploit: physical security.
Disclaimer:
These thoughts may or may not have come on the back of a recent doctor’s visit and are intended only as a fresh point of view for healthcare IT personnel when they think about their full security scope.
This is not the only place these recommendations have appeared, and it will not be the last.
Securing the physical perimeter
For IT professionals, it can often feel like there is a never-ending list of ways a threat actor might target you.
There’s the creeping feeling that you might be forgetting something, the balancing act of spending a budget wisely while still driving results, not to mention the fear of the unknown. Physical security adds its own considerable set of risks to account for.
So, let’s strip away the anxiety and look at what an IT security professional’s physical security checklist might contain.
Restrict patients’ unattended access to healthcare assets
Regardless of the asset, unattended access to a healthcare device plus time is a bad combination. It’s easy to see how this gets overlooked. The device is internal only, right?
And who would really hack a computer during their doctor’s visit?
In reality, physical access to a computer is a huge advantage for an attacker. It bypasses every perimeter defense and lands them directly on the internal network, often on a machine that is already logged in. That is bad news if internal monitoring, segmentation, and endpoint controls are inadequate.
In addition to minimizing the time a patient spends in a room with an unattended machine, there are a few practical controls an organization can use to reduce the risk, especially where unattended access is unavoidable.
Enforce lockout timers on machines
Say an employee welcomes a patient, logs into the room’s computer, and then something comes up and the employee has to leave the room in a hurry.
Time passes, the patient gets restless and starts poking at the unlocked computer. You can see where this is going.
A policy that locks idle machines addresses this risk cheaply. In a traditional Windows environment, a Group Policy Object (GPO) can enforce an inactivity lock domain-wide, either through the “Interactive logon: Machine inactivity limit” security option or a password-protected screen saver with a short timeout. A few minutes is a reasonable value for an exam room; anything measured in tens of minutes gives a bored patient plenty of time.
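The following is an added example, not code from the original post or from risk3sixty: it uses the GroupPolicy PowerShell module (available on a domain controller or a workstation with RSAT) to create and link an idle-lock GPO, and includes a small check you can run on an exam-room workstation to verify what actually applied. The GPO name, the OU distinguished name, and the timeout value are assumptions for this example; change them to fit your domain.

```powershell
# Added example (not from the original post): create an idle-lock GPO and audit it.
# Assumptions: the GroupPolicy module is installed, the caller can create and link GPOs,
# and the exam-room workstations live in the OU named below.
Import-Module GroupPolicy

$GpoName  = 'Exam Room - Idle Lock'                 # assumed GPO name
$TargetOu = 'OU=ExamRooms,DC=clinic,DC=example'     # assumed OU holding exam-room PCs
$IdleSecs = 300                                     # lock after 5 minutes idle (assumed)

# "Interactive logon: Machine inactivity limit" (Security Options) is stored as
# InactivityTimeoutSecs under this machine key; 0 or absent means no limit.
$SysKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Password-protected screen saver (User Configuration > Control Panel > Personalization).
$SsKey  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function New-IdleLockGpo {
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # Machine-wide inactivity limit: locks the session no matter who is logged on.
    Set-GPRegistryValue -Name $GpoName -Key $SysKey -ValueName 'InactivityTimeoutSecs' `
        -Type DWord -Value $IdleSecs | Out-Null

    # Belt and braces: also force a password-protected screen saver at the same interval
    # so machines that ignore the security option still lock.
    Set-GPRegistryValue -Name $GpoName -Key $SsKey -ValueName 'ScreenSaveActive'    -Type String -Value '1' | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $SsKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $SsKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$IdleSecs" | Out-Null

    # Link to the OU and enforce it so a child OU cannot quietly override the lock.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -Enforced Yes | Out-Null }
    $gpo
}

# Audit what a workstation actually applied. Run locally, or remotely via Invoke-Command.
function Test-IdleLock {
    param([int]$MaxSeconds = 900)   # anything over 15 minutes is reported as a finding (assumed threshold)
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = $v
        Compliant  = ($null -ne $v -and $v -gt 0 -and $v -le $MaxSeconds)
    }
}

New-IdleLockGpo
Test-IdleLock
```

The audit function reads the effective registry value rather than the GPO, because that is what the attacker in the exam room is actually subject to; a GPO that exists but never applied (a WMI filter, a broken link, a machine that has not refreshed policy) shows up here as non-compliant. Run `gpupdate /force` on a test workstation before trusting the result.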
Require complex passwords
Chances are you have seen this recommendation countless times, but it is there for a good reason. Long, complex passwords make brute-force and password-spraying attempts far less likely to succeed. They help much less against the physical-security version of the threat, someone watching an employee log in and memorizing the keystrokes, so pair them with multi-factor authentication or smart-card logon wherever the hardware allows, and train staff to shield the keyboard.
Secure device and building ports
Open USB and ethernet ports are an attacker’s best friend in a physical attack.
A malicious USB device, including one that presents itself as a keyboard and types commands faster than anyone can react, can give an attacker control of a machine in seconds. An open ethernet jack in a waiting room or exam room can host a small rogue device that gives the attacker a persistent foothold on the internal network. It’s in every organization’s interest to control these openings (restrict removable storage and device installation on workstations, disable unused switch ports, require 802.1X on the rest) and to audit them regularly.
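As an added example (not code from the original post or from risk3sixty), here is the removable-storage half of that control done with the same GroupPolicy module, plus a local audit that reports whether the deny is in effect and what USB storage devices the workstation has ever enumerated. The GPO name and OU are assumptions for the example.

```powershell
# Added example (not from the original post): deny removable storage via GPO and audit it.
# Assumptions: GroupPolicy module present, caller can create/link GPOs, OU name as below.
Import-Module GroupPolicy

$GpoName  = 'Exam Room - Block Removable Storage'   # assumed GPO name
$TargetOu = 'OU=ExamRooms,DC=clinic,DC=example'     # assumed OU holding exam-room PCs

# "All Removable Storage classes: Deny all access"
# (Computer Configuration > Administrative Templates > System > Removable Storage Access)
$RsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function New-RemovableStorageDenyGpo {
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    Set-GPRegistryValue -Name $GpoName -Key $RsKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -Enforced Yes | Out-Null }
}

# Local audit: is the deny applied, and has any USB mass-storage device ever been plugged in?
function Test-RemovableStorage {
    $deny = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    # The USBSTOR enum key keeps one subkey per disk model ever attached, and it persists
    # after removal, which makes it useful evidence when reviewing an exam-room PC.
    $seen = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSChildName }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        DenyAllEnforced = ($deny -eq 1)
        UsbStorageSeen  = @($seen)
    }
}

New-RemovableStorageDenyGpo
Test-RemovableStorage
```

One caveat worth stating plainly: denying removable storage classes does nothing against a device that enumerates as a keyboard, which is exactly how keystroke-injection sticks work. Blocking those requires the Device Installation Restrictions policies (allow-list the hardware IDs you actually use, then deny everything not described by another policy), and it still does not cover a rogue box on an open ethernet jack; that side needs the switch configuration, not the workstation.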
Train associated personnel on security best practices
Employees are the first line of defense, and teaching them best practices goes a long way.
Locking a computer every time they step away prevents unauthorized access. Shielding the keyboard and using long passwords makes shoulder surfing harder.
Understanding phishing helps them recognize when they are being targeted by a spear-phishing attack. Explaining what’s at risk builds their sense of responsibility, ownership, and focus on security.
How Do We Move Forward?
Security professionals must consider every attack vector an adversary could take against an environment. In healthcare, that includes entering the premises as innocently as by scheduling a doctor’s appointment.
It’s also important to remember what’s at stake. Attackers use exfiltrated data to cause real harm to patients: stolen records enable medical identity theft and insurance fraud, and complete records have been listed for as much as $500 apiece.
These attacks hurt patients, and they can all start with one simple opening. Even if no internal damage is done, malicious actors have a lot to gain from a single security weakness.
Let’s Get Started
Are you interested in the services of a red team? Not sure where to start with penetration testing? Allow one of our world-class consultants to guide you by contacting us!
Also, if you’d like to know more about what goes on during a risk3sixty penetration test, check out our whitepaper, Pillars of Pentesting: A Guide to the Risk3sixty Attack Strategy.
This post reminds me of a friend who took his mother to the hospital for surgery (this was shortly after HIPAA went into effect). As he waited in the lobby, he spied a “guest computer” that allowed people to surf the internet while they waited for friends and family.
Not only was the computer on the same network/VLAN as the hospital’s network, it allowed you to download and save anything you wanted. “Joe” was able to download and save several hacking tools.
He also said he could see computers from the X-ray department on the network, and also those from finance.
He didn’t do anything; he just deleted the tools and logged off while praying that the doctors were better than the IT security team.