Guest blog by Justin Armstrong CISSP – Security Architect, System Technology Division – MEDITECH
“The only constant is change” has never been more true than it is today. Technology has advanced rapidly in recent years; adoption of technology has increased dramatically; and meanwhile, regulatory bodies struggle to catch up. Hacking has also changed. In the early days, it was mainly students fooling around. Over time, criminal organizations and nation-states have adopted hacking as an effective tool. Plus, the dark web allows for anonymity and the creation of hacking marketplaces. The barrier for entry has lowered as criminals sell hacking as a service (or “crime as a service”).
How can an organization continue to modernize and move ahead while securing itself against the increasing threats? New technology brings new concerns, and legacy systems that are kept around can become highly vulnerable and exploitable. It can certainly be overwhelming. However…
The More Things Change, The More They Stay The Same
When I read Cliff Stoll’s book “The Cuckoo’s Egg” — most likely the first documented case of a computer hacking incident (1986) — I was struck by the fact that the same techniques continue to be successful today. The hacker used default passwords to get into many of the systems, exploited an unpatched vulnerability in a commonly used software package, and guessed commonly used passwords. The truth is that little has changed in 30-plus years; these continue to be the weak points in cybersecurity.
While technology has improved to some degree, the human factor continues to contribute the most to hacking incidents. The 2014 Cyber Security Intelligence Index (IBM Security Services) stated that “over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor.” Human error includes not just poor security practices, misconfiguration, and other such mistakes, but also falling for social engineering and phishing. Kevin Mandia, founder of the security firm Mandiant, stated, “You will never bring phishing down to zero; someone will always click.” Noted security expert Bruce Schneier put it nicely: “Amateurs hack systems; professionals hack people.”
What To Do?
Rather than buying the next “silver bullet” technology that promises to solve all of our problems, it’s important to focus on the areas that actually contribute to most of the hacks. We must expect that systems will fail, people will be tricked, and mistakes will be made. With that in mind, our goal is to achieve organizational resilience. Systems should not fail spectacularly when people make a mistake. Additionally, we cannot expect that every system can be perfectly secured all of the time. There must be layers of defense, a defense-in-depth strategy. Some technology purchases may still be required, but a risk-based approach and a focus on resilient systems can lead us to invest wisely.
If you attend the MUSE Inspire conference, these topics will be covered in two separate presentations:
- Mitigate Cybersecurity Threats Across Your Environment (Thursday, May 30, at 1:45pm)
- Securing the Modern Healthcare Organization While Boldly Moving Ahead (Wednesday, May 29, at 2:30pm)
I hope you’ll join us at MUSE, May 28 to 31 in Nashville, Tennessee, to discuss this and other issues facing health IT professionals today.
Justin is responsible for the security of MEDITECH applications and platforms, including coordinating critical updates to MEDITECH software and communicating with customers when questions arise about MEDITECH’s security stance. Justin stays up to date on evolving security standards and regulations, best practices, threats, and software vulnerabilities by remaining active in the security community inside and outside of MEDITECH. He is a Certified Information Systems Security Professional (CISSP) and a proud member of the FBI’s InfraGard program as well as (ISC)2, ISSA, the Cyber Health Working Group (CHWG), OWASP, the EHRA Privacy and Security Workgroup, and the H-ISAC. His experience with security incidents at hospitals across MEDITECH’s 2,300+ customer base has given Justin a firm grasp of the cybersecurity challenges facing hospitals of all sizes. Justin earned a Bachelor of Science in Physics and a Bachelor of Arts in Mathematics from the University of Massachusetts at Amherst. He obtained his master’s in Information Security Leadership at Brandeis University. He traces his interest in security back to the fourth grade, when he found a copy of “The Codebreakers” in the school library.
BridgeHead is exhibiting at MUSE19 this year, so be sure to stop by booth #1009 to learn how HealthStore® can provide integrated access to all of the data outside of your MEDITECH EHR.
You can also schedule a HealthStore demo – simply email firstname.lastname@example.org to reserve your spot. For every demo booked, BridgeHead will donate $50 to St. Jude Children’s Research Hospital on your behalf. The attendee must show up for the donation to occur.