With the outbreak of the novel coronavirus came shelter-in-place orders and the common sense desire to keep people away from potential virus hotspots. For hospitals, that's resulted in a very serious effort to move non-essential employees to a work-from-home model.
To facilitate remote workflows, a great many digital preparations must be made — old infrastructure must be adjusted, and new infrastructure must be set up. That means, among other things, providing a communication and collaboration toolkit, removing as many dependencies as possible, democratizing resources, and decentralizing processes.
The resulting increase in remote connectivity means a lot of new possible points of failure from a security perspective. Given that cybercriminals have been more active since the outbreak of the pandemic and healthcare organizations have been especially targeted, that represents a very real challenge.
A Widening Gap
Most people's homes aren't equipped with data infrastructure or packages on par with their work — especially when they work for enterprise-size organizations. Less bandwidth means slower throughput, which aside from contributing to inefficiencies can also create server and database transfer disruptions.
When connected work sessions are routed through VPNs or other access points that place additional burdens on infrastructure and tend to run at the speed of their lowest common denominator, small nuisances can quickly turn into big problems. Even worse, employees may seek to save a little bandwidth and help things along by circumventing standard procedures and security policies — for example by connecting without use of a VPN, turning off an antivirus, or swapping an approved app for an unapproved alternative.
What's more, personal devices may lack appropriate levels of built-in security, let alone duly updated software or sandboxing technologies. Working on such devices poses considerable risk. In fact, in the context of a highly distributed network environment supporting a connected WFH business model, these sorts of risks can be hard to stop and harder to manage, since a local transgression can have network-wide digital implications.
Indeed, healthcare personnel represent a well-established and dogged liability when it comes to security. The data tells a clear story of hospital staff widely lacking cyber awareness, discipline, or both. In an industry where more than 10% of all breaches could be traced back to lost or stolen devices and 1 in 4 organizations suffer mobile-based breaches, that can have a huge impact. And while insider threats have always been a pain point for hospitals — outpacing external threat actors 56% to 44% — it's about to get a lot worse.
Until now, the vast majority of work was done on-premise, allowing administrators to mitigate risk through strictly enforced BYOD policies along with centrally controlled and fundamentally secured resources. Now, that's no longer possible.
If hospital cyber awareness and discipline were poor before, it's surely not going to improve in the midst of a crisis that has everyone exhausted, working from home, and with their focus pulled in a dozen different directions. Unfortunately, this extends even to IT and security personnel who have their hands full expanding telehealth offerings and building, on the fly, the digital infrastructure needed to support field hospitals and improvised testing centers.
Work From Home Security Threats
A strong cyber posture is predicated on sustained cyber hygiene, which is itself predicated on training. Cyber training is always important, but in times like these, it's especially vital. Even if you have regularly scheduled training or brush-up sessions, it's a good idea to plan something special in light of the current circumstances. (More on that in the next section.)
The security challenges associated with healthcare staff working from home mainly revolve around three axes:
- Phishing lures
- Policy adherence
- Virtual private networks
With regard to phishing lures, the pandemic has brought with it a deluge of new attacks. In April, Google recorded an average of 18 million daily malware and phishing emails! In fact, Checkpoint has estimated that phishing accounts for upwards of 90% of all COVID-19 attacks.
It's not hard to understand why. Under normal circumstances, for example, you might never expect to receive an email from the CDC; in the midst of a pandemic, however, you might not think twice before opening the email and clicking its link.
People working from home are also likely to be somewhat more relaxed and, by extension, perhaps less vigilant about things like what emails they open. For many, the boundaries separating work and life are blurring as they routinely toggle back and forth between home tasks and activities and work tasks and activities. They may be using their personal devices for work purposes or their work devices for personal purposes. Either way, the outcome is the same — appropriate use is less strictly defined and fewer things are considered out-of-bounds.
When it comes to email, that translates to an erosion of healthy anti-phishing practices.
It’s vital that hospitals reinforce their employees’ critical thinking and sense of suspiciousness during these ominous times. Of course, this speaks to the more fundamental challenge of maintaining organizational policy adherence and prudent digital behavior throughout the crisis.
Here too, training is important. Staff need to know about additional policies created and/or informed by their new work-from-home security reality. They need to know how to approach newly enabled remote network access points, how processes previously reliant on physical access control now utilize credentialed RBAC, and where new layers of authentication have been introduced.
Even more importantly though — beyond the educational value — hospitals should lean into policy training during this work-from-home period for the emphasis value. The message should be communicated loudly and clearly that policies are still in effect and standard procedures are still expected to be followed.
They need to know that BYOD policies apply equally to their use of personal devices in a work context at home as they do within the walls of the hospital; and they need to know that hospital-owned devices and technologies can only be used for appropriate and intended purposes. Furthermore, employees must be reassured that governance will still be centrally managed and validated.
Virtual Private Networks
A Virtual Private Network (VPN) connects endpoints to a private, internal network across public networks (like the internet). Although these remote users are not physically connected to the internal network, through the VPN they can access servers and other networked resources.
In the healthcare sector, use of VPNs is common and believed to be a key enabler of efficient and continuous hospital workflows. VPNs though are something of a paradox: a security best practice that at the same time is dangerous ground. Because of this, a lot of people mishandle VPNs.
The conventional wisdom around VPNs is that they can deliver the required connectivity without compromising any security. Vendors may use VPNs to remotely access hospital devices in order to install software updates and doctors may use VPNs to remotely access patient lab results and the like. To connect to a VPN, remote users submit to a process of authentication. Obviously, from a security perspective, authentication is a positive. At the same time, VPNs are far from the perfect solution.
VPN traffic is not always encrypted end-to-end and confidential medical information can sometimes be transmitted in a semi-exposed state. Even when traffic is fully encrypted though, VPNs can contain their own security vulnerabilities that leave them open to attack. Recently, many new VPN vulnerabilities have been disclosed. These vulnerabilities can allow attackers to bypass authentication to gain VPN access, execute remote code, and download system files.
Worse still, an uptick has been reported in sophisticated, state-sponsored hacking groups focusing their considerable resources on exploiting these VPN vulnerabilities. In fact, the threat is believed to be so acute in light of recent events that it prompted the NSA to issue an advisory and guidance document.
Even when the VPN itself isn't subject to security vulnerabilities, it provides external endpoints a gateway to the network — which is inherently risky. Remote users and their devices are often not subject to the same security policies and controls as their counterparts inside the hospital. As a result, an intruder or malicious file can hitch a ride with a remote user to gain entry into the hospital network. This is what happened when the “Heartbleed” vulnerability was leveraged to compromise Community Health Systems' VPN, breach their network, and expose 4.5 million patient data records.
While these problems clearly preceded the current crisis, they are also badly aggravated by it — with more remote connections fostering a greater reliance on VPNs and bad actors more motivated than ever before. Cybercriminals are even creating fake VPN clients that masquerade as the real thing in order to hide malware in their installation packages.
What to Do
With so much of healthcare delivery organizations' operations shifting homebound, the network infrastructure has become much more complicated and the connectivity so much broader. Even under normal circumstances, hospitals struggle with so many of their devices being unmanaged — typically, hospitals field an equal number of managed and unmanaged devices. Now, they are struggling with connected environments that are unmanaged as well.
Add to that a soaring number of personal machines that offer limited SIEM visibility and little centralized control, and it becomes quite clear how this shift toward WFH vastly expands the attack surface and creates something of a golden opportunity for hackers.
To contend with the unique IT and security challenges that the pandemic presents for hospitals, it’s important that cyber awareness and training be maintained and even heightened across the organization.
With the data unambiguously showing that phishing attacks constitute the most prevalent threat, training needs to take that into account. Employees need to understand how malicious content is distributed and be taught to identify such ploys. They also need to know who to contact if they believe they've fallen for a phishing lure. They need to have SPAM filters in place and properly configured, and their devices need to be running up-to-date antivirus software.
Beyond that, training should revolve around boosting discipline so that good cyber hygiene can be achieved and sustained. That means drilling down, among other things, into credential management and access control best practices, the perils of browser misuse, and how to resist social engineering. It also means teaching employees how to secure their own Wi-Fi connections, not to use public Wi-Fi, etc. Obviously, if the hospital does not already have a BYOD policy in place, one should be created. If there is one, it should be reviewed and likely revised in light of the new work-from-home security reality.
In either case, a very concerted effort must be made to communicate that policy across the entire organization and to bring everyone up to speed.
It's especially important that staff commit themselves to using strong, distinct passwords for all their devices and applications. In fact, two-factor authentication should be used wherever possible. Passwords must not be shared and they must not be easily guessable — even for someone who knows you. Single sign-on services should be avoided and logins should be set to time out within minutes of inactivity (i.e. no "keep me signed in"). Of course, additional precautions should be taken with any activities that are adjacent to sensitive organizational or patient data.
Even with a decentralized workforce though, only so much of the responsibility can be placed on staff. Security and administrative personnel should be seen as the primary bearers of responsibility for managing the digital risk associated with this new normal.
Bolster Work-From-Home Security By Following These Steps
In pursuing that mandate, consider the following best practice recommendations:
- Map workflows to the specific network features and remote connectivity technologies you'll need to invest in or build out.
- Conduct a risk assessment of those new features and technologies. Where added risk is deemed unacceptable, research, identify, and implement suitable mitigation regimes.
- If feasible, provide WFH staff with dedicated devices for work purposes.
- This will make it easier to control for the security of those devices and help to maintain work-home boundaries — obviating the basis for a fair amount of risky behavior.
- Configure dedicated WFH devices restrictively to block user downloads, non-whitelisted browsing, etc.
- Configure dedicated WFH devices for remote, centrally orchestrated update and security management.
- Clearly define and communicate security requirements (BYOD, access control, identity management, acceptable use, etc.) and operational expectations for work-from-home employees.
- To keep track of remote worker policy adherence, a centralized view of network interactions across all seven communication layers must be achieved and traffic must be continuously monitored.
- This centralized view should pull from and synthesize the local visibility and insights enabled by your different IT and security tools, i.e. CMMS, SIEM, cloud security dashboards, scanners, firewalls, NAC, IDS/IPS, etc.
- Security alerts should be built into this unified viewpoint and configured to deliver automated notifications to the relevant stakeholder, as defined by the circumstance.
- Leveraging this centralized visibility, consult with IT and clinical engineering departments to factor in knowledge of endpoint device types and their intended purposes or connectivity use cases to inject important context-awareness into your monitoring program. (This can also be achieved with the help of third-party tools.)
- Isolate any vulnerable externally facing assets that cannot be patched, de-networked, or decommissioned.
- Again making use of centralized monitoring capabilities, conduct a baseline analysis over a period of one or two weeks in order to establish a clear understanding of healthy network traffic patterns and the significant thresholds for deviation therefrom.
- Make sure alerts for these baseline deviations are also built into your centralized network monitoring and alert system.
- Map network relationships to identify distinct use and risk groups within the network — plugging those groups into the network segmentation architecture.
- Ensure that firewall rules, email rules, etc. are up-to-date and appropriately configured for the demands and sensitivities of each network segment.
- Make sure that newly identified suspicious and malicious domains or IP addresses are being regularly added to blacklists.
- Install advanced spam and malicious content filters wherever possible and standardize sandboxing.
- Make multi-factor authentication a prerequisite to accessing the hospital's network, digital resources, services, and systems.
- MFA should be incorporated into VPNs, RDP services, Citrix, EMR systems, Office 365, G-Suite, etc., and legacy authentication options should be fully disabled.
- Where single-factor identification remains in use, make sure that NIST password guidance is followed and that a would-be user is locked out after multiple failed login attempts.
- Routinely review remote access, MFA, server, and AD/LDAP/CAS logs for signs of suspicious activity.
- Drill down into signs of suspicious behavior, such as multiple logins to multiple accounts from the same source IP, login attempts that fail at later stages of multi-factor authentication, etc.
- Create a framework for validating and enforcing security policies based on your centralized network monitoring and log reviews.
- This enforcement regime should be designed in such a way that it holds staff personally accountable for violations. Even more importantly, that notion should be projected loudly and clearly.
- Implement active content inspection and intrusion detection/prevention techniques to patrol the network for attack indicators.
- Update signatures to detect and block malicious files or traffic.
- Survey the network to confirm that device-compatible antivirus software is installed and current on all relevant agents, especially remote devices.
- Survey the network for externally exposed IT assets.
- If there is no good reason for those assets to be externally exposed, restrict external communications.
- If there is good reason for those assets to be exposed, place them into a distinct network segment subject to more restrictive policies and tighter oversight.
- Wherever possible, restrict out-of-network communications to those managed and secured through legitimate, properly configured, fully patched, and encrypted virtual private networks.
- If out-of-network communications cannot be restricted to VPN-managed sessions, limit the access to these servers to only necessary connections.
- Use role-based authentication and allow only pre-approved IP address ranges to access the servers.
- Survey network to confirm that critical OS-level patches are in place for connected devices, especially remote devices.
- Survey network to confirm that all traffic is duly encrypted.
- To do this, send and record network traffic (using a tool like Wireshark). If data in transit is found to be unencrypted, switch VPN services, reconfigure communication protocols, or introduce additional encryption tooling as needed.
- Integrate the National Vulnerability Database (NVD) along with CISA's advisory and alert feeds into your security management apparatus and continuously cross-reference against your technology deployment.
- Pay particularly close attention to any vulnerabilities pertaining to VPNs.
- Immediately apply vendor-approved security updates or implement mitigations where official patches have not been made available.
- Reset the credentials associated with vulnerable VPNs — including the passwords used to access the VPN, the authentication keys, and any passwords used for accessing applications or network entities through the VPN.
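The two log-review indicators named above (one source IP logging into many accounts, and logins that pass the password step but fail at the MFA stage) can be checked mechanically. The following is an added example, not CyberMDX's code or any product's logic; it assumes a simple constructed "timestamp user source_ip stage result" log format, so the regex would need adapting to a real VPN or identity provider's log.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system) in an assumed
# "timestamp user source_ip stage result" layout. 198.51.100.7 is the
# interesting source: one user fails MFA twice, and three accounts log in from it.
SAMPLE_LOG = """\
2020-04-20T08:01:12Z alice 203.0.113.10 password ok
2020-04-20T08:01:15Z alice 203.0.113.10 mfa ok
2020-04-20T08:02:40Z bob 198.51.100.7 password ok
2020-04-20T08:02:55Z bob 198.51.100.7 mfa fail
2020-04-20T08:03:01Z bob 198.51.100.7 mfa fail
2020-04-20T08:05:10Z carol 198.51.100.7 password ok
2020-04-20T08:05:20Z dave 198.51.100.7 password ok
2020-04-20T08:06:00Z erin 192.0.2.44 password fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (password|mfa) (ok|fail)$")


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, stage, result = m.groups()
            events.append({"ts": ts, "user": user, "ip": ip,
                           "stage": stage, "result": result})
    return events


def shared_source_ips(events, min_accounts=3):
    """Source IPs that passed the password stage for >= min_accounts distinct users.

    A shared NAT address can trigger this legitimately, so treat hits as leads
    for review rather than confirmed compromise.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e["stage"] == "password" and e["result"] == "ok":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def mfa_stage_failures(events):
    """(user, ip) pairs whose password was accepted but whose MFA step then failed.

    A correct password followed by a failed second factor is a typical sign of a
    stolen or phished credential; the value is the number of failed MFA attempts.
    """
    passed_pw = set()
    flagged = defaultdict(int)
    for e in events:          # events are assumed to be in time order
        key = (e["user"], e["ip"])
        if e["stage"] == "password" and e["result"] == "ok":
            passed_pw.add(key)
        elif e["stage"] == "mfa" and e["result"] == "fail" and key in passed_pw:
            flagged[key] += 1
    return dict(flagged)
```

Running both checks over `parse_log(SAMPLE_LOG)` flags 198.51.100.7 for three distinct accounts and bob for two post-password MFA failures from that same address.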
Act Smart, Think Big
In the context of SARS-CoV-2, with non-essential personnel moving to a work-from-home model and much of the hospital’s on-premise capacity reserved for COVID-19 patients, widespread remote connectivity and networking become absolute operational requirements. At the same time, they present a serious security challenge and an unprecedented threat in the face of uniquely motivated bad actors.
Going forward, hospitals are advised to not only take the specific steps outlined above, but to assume a general posture of vigilance and proactivity. It's important to understand that risk exposure cannot be altogether eliminated, but those risks can be smartly managed and their potential consequences limited.
It would be wise not to fixate excessively on the prospect of prevention while under-attending to the organization's response procedures and capabilities. It is fair to assume that at some point your defenses will be breached. The question you should be asking yourself is: when that happens, how quickly will the threat be identified, contained, and expunged?
At CyberMDX, we understand the challenge and know what's needed to overcome it. During this crisis, we are at your disposal and ready to help — whether in fortifying your security in the face of a newly remote workforce or anything else.