Check Point Software Technologies research indicates that the healthcare sector experienced an average of 1,684 cyber-attacks per week during the first quarter of 2023 – a year-on-year increase of 22%. IBM, meanwhile, reports that healthcare was the industry hardest hit by cyber-attacks in the year ending in March 2023, with an average cost of $11 million per breach.
The healthcare industry presents an attractive cyber target. Healthcare organizations represent huge repositories of sensitive and valuable information. Patient identity data, payment records, detailed medical information, and insurance information all represent high value targets. Complicating issues include requirements that resources be accessible to large numbers of users, may be widely geographically distributed, are regularly interconnected to outside entities, and are often manipulated by very complex, poorly understood sub-systems and applications.
The May 2023 Johns Hopkins Medical MOVEit application compromise once again demonstrates systemic weaknesses in the industry approach to healthcare data security. The compromise highlights the consequences of integrating, and subsequently depending on, very complex, highly integrated, and feature-rich applications.
Applications like MOVEit are vulnerable in large part due to the very features that make them so popular. MOVEit’s features, for example, encompass everything an organization might require to implement file transfer and data management, including secure file transfer, access authentication and authorization, audit/compliance, encryption, and threat detection and prevention. The inclusion of so many features dictates control and access to resources across the system. Unfortunately, compromise of MOVEit enables much of the functionality required to implement a successful, system wide cyber-attack. Failure to analyze and mitigate the security impact of adopting feature rich applications like MOVEit represents a failure to address Cyber Security First Principles.
Cyber Security First Principles represent foundational elements of IT and cyber security. They are industry guidelines for implementing and operating secure information systems. Core principles include Zero Trust, Least Privilege, Access Control, Defense in Depth, Security by Design, and Segmentation.
Integrating complex applications like MOVEit without detailed review of First Principles and implementation of mitigating processes represents a systemic weakness in the healthcare industry approach to cyber security. System architects, engineers, and administrators must review and analyze the potential consequences of adopting any complex application. Analysis must address two basic questions: Does implementing the application compromise Cyber Security First Principles? How are the resulting security issues best mitigated to limit the impact of any compromise?
Consider the security impact of implementing the MOVEit application on just two tightly coupled Cyber Security First Principles: Segmentation and Least Privilege. Segmentation divides networks and system resources into isolated, protected segments and attempts to limit the number of resources impacted by a potential compromise. Segmentation supports granular security policies, uniquely addressing each asset’s requirements and minimizing the potential attack surface. It limits asset access and attempts to contain a compromise within a single segment.
Feature rich applications like MOVEit, by design, violate segmentation security concepts. MOVEit exercises tremendous control of resources across the system with access to a huge amount of system data.
Least privilege limits access and privilege, mitigating the damage caused by a potential breach. Very complex, highly integrated, and feature-rich applications often have access to and control of sensitive resources across systems. Least privilege limits user, process, and application access and permissions to the minimum required to perform specific system tasks or functions. Key goals of least privilege include limiting and restricting access, limiting privilege, preventing privilege escalation, and providing granular access control. Least privilege is meant to limit the cyber-attack surface and mitigate the potential consequences of any compromise.
Again, applications like MOVEit compromise the basic concepts of least privilege. MOVEit has access to and control of the data and functionality managing resources across the system. Implementation of MOVEit-like applications limits the system administrators’ ability to restrict privilege, limit access, and apply granular access control (e.g. defining execution rights, read-only access, write access, etc.).
Development of cyber security mitigation approaches requires detailed analysis of applications and review of the consequences of their implementation for Cyber Security First Principles. Mitigation processes must make system compromise as difficult as possible and significantly limit the impact of any successful compromise. Approaches include limiting access, compartmentalizing system data and functionality, simplifying and distributing functionality across multiple applications, and minimizing application control. Where possible, functionality should be distributed across many simple, proven, well-understood applications.
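As an added illustration of the pre-adoption analysis described above (this is example code written for this page, not from the article, BCR Cyber, or the MOVEit product), the following script reviews a constructed inventory of application permission grants against the two principles just discussed: it flags applications that reach more than one network segment, applications holding more than read access to sensitive resources, and admin rights that would let a compromised application expand its own access, and it computes the blast radius of each application. Every application name, segment, resource, and the `max_segments` threshold is a constructed assumption for the example.

```python
"""Segmentation and least-privilege review of an application grant inventory.

Added example, not code from the article. All names below are hypothetical;
"transfer-app" stands in for any feature-rich application and does not
describe any real product's configuration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One permission an application holds on one resource in one segment."""
    app: str
    segment: str
    resource: str
    rights: frozenset  # subset of {"read", "write", "execute", "admin"}


@dataclass(frozen=True)
class Finding:
    app: str
    principle: str  # "segmentation", "least-privilege" or "privilege-escalation"
    detail: str


# Constructed inventory: which application can do what, where.
INVENTORY = [
    Grant("transfer-app", "dmz", "sftp-inbox", frozenset({"read", "write"})),
    Grant("transfer-app", "clinical", "ehr-export", frozenset({"read", "write", "execute"})),
    Grant("transfer-app", "billing", "claims-db", frozenset({"read", "write", "admin"})),
    Grant("transfer-app", "mgmt", "ad-service-acct", frozenset({"admin"})),
    Grant("lab-viewer", "clinical", "lab-results", frozenset({"read"})),
    Grant("backup-agent", "clinical", "ehr-export", frozenset({"read"})),
    Grant("backup-agent", "billing", "claims-db", frozenset({"read"})),
]

# Resources the hypothetical organization classifies as sensitive.
SENSITIVE = frozenset({"ehr-export", "claims-db", "lab-results", "ad-service-acct"})


def grants_by_app(inventory):
    """Group grants by application name."""
    groups = defaultdict(list)
    for g in inventory:
        groups[g.app].append(g)
    return dict(groups)


def blast_radius(inventory, app):
    """(segment, resource) pairs exposed if `app` is compromised."""
    return {(g.segment, g.resource) for g in inventory if g.app == app}


def review(inventory, max_segments=1, sensitive=SENSITIVE):
    """Flag grants that conflict with segmentation and least privilege.

    max_segments is an assumed policy threshold: an application reaching more
    segments than this bridges segments, so a compromise is not contained.
    """
    findings = []
    for app, grants in sorted(grants_by_app(inventory).items()):
        segments = sorted({g.segment for g in grants})
        if len(segments) > max_segments:
            findings.append(Finding(app, "segmentation",
                f"reaches {len(segments)} segments ({', '.join(segments)})"))
        for g in sorted(grants, key=lambda g: (g.segment, g.resource)):
            excess = sorted(g.rights - {"read"})
            if g.resource in sensitive and excess:
                findings.append(Finding(app, "least-privilege",
                    f"{g.segment}/{g.resource}: holds {', '.join(excess)} beyond read-only"))
            if "admin" in g.rights:
                findings.append(Finding(app, "privilege-escalation",
                    f"{g.segment}/{g.resource}: admin right can widen the app's own access"))
    return findings


def findings_by_principle(findings):
    """Count findings per principle, for a quick summary."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.principle] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review(INVENTORY):
        print(f"{f.app:14} {f.principle:20} {f.detail}")
    for app in sorted(grants_by_app(INVENTORY)):
        print(f"{app}: blast radius = {len(blast_radius(INVENTORY, app))} resource(s)")
```

Running the script shows the pattern the article describes: the single feature-rich application bridges all four segments and holds write, execute, and admin rights on sensitive data, so its blast radius is the whole inventory, while the two narrow, read-only applications produce at most a segmentation finding. Splitting the transfer application's duties across separate, per-segment, read-only components would remove most of its findings, which is the kind of distribution the mitigation paragraph recommends.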
Clearly, the correlation between complexity and cybersecurity vulnerability is well understood. Moreover, the healthcare industry recognizes that cyberattacks and compromises will continue. Administrators and managers appreciate the complex trades associated with usability and security.
That said, the adoption of complex, feature-rich applications without comprehensive analysis and risk mitigation is constraining the industry’s ability to limit the impact of cyber compromises. Systems can be “hardened” and the impact of compromise limited. But analysis and risk mitigation must be performed before adopting complex, feature-rich, third-party applications.
Mike Doyle is the Chief Technology Officer at BCR Cyber. Established in 2017, BCR Cyber is dedicated to delivering exceptional training solutions to both government and commercial clients. BCR Cyber has trained thousands of individuals and successfully placed over 83% into employment. The BCR Cyber Range is the first such facility in the world specifically dedicated to workforce development in the cybersecurity sector. BCR Cyber provides trainees with the most advanced cybersecurity strategies and techniques in an environment that simulates real threats in real-time. The range's hands-on training encompasses cyber threat detection, compromise mitigation, and system remediation, and is complemented by placement services. For more information, visit baltimorecyberrange.com.