By David Trepp, BPM LLP
Many headline-grabbing healthcare hacks have involved overt attacks against healthcare organizations, such as the ongoing spate of ransomware breaches in which attackers encrypt data and then demand a ransom in exchange for the decryption key. But the most recent cybersecurity headlines have been dominated by what is widely described as the largest single intrusion campaign yet disclosed. This hack was different from the more commonly documented ransomware breaches in that it was stealthy and went on for at least six months without detection. In fact, if the attackers (widely believed to be a group sponsored by the Russian government) hadn’t made a large cybersecurity firm one of their high-value targets, we still might not know about this “Trojan.”
A Trojan is a piece of software that performs desired actions for the user, while also performing harmful actions without the user’s knowledge. This stealthy behavior allows a Trojan to operate for extended periods of time, persisting and escalating privileges and access as the attack proceeds.
The recent Trojan “backdoor” was embedded in a popular IT monitoring and management software suite from SolarWinds. The backdoor, known as SUNBURST, gave the attackers access to restricted information assets at numerous public and private organizations, including the US Attorney General’s office, Treasury, Commerce, and others. All of these organizations used the compromised SolarWinds toolset to manage their computing infrastructure.
After an initial dormancy of up to two weeks, the SUNBURST Trojan begins malicious file access and related activity, disguising its command-and-control traffic as the software’s own legitimate network communications. The full ramifications of this breach have not yet been assessed, and other applications built with the same developer toolkit may yet reveal additional instances and variants of SUNBURST.
So what does this mean for healthcare business managers? After all, you don’t have the resources of the federal government; if they can get hacked by a stealthy Trojan, how are you expected to manage such risks at your organization?
Unfortunately, just because the recent Trojan attack targeted large, strategically important organizations does not mean future editions of this sort of attack won’t move down the food chain to smaller organizations, just as we’ve witnessed with ransomware attacks increasingly targeting smaller healthcare providers. Security by obscurity is no longer a valid alternative. If your organization’s systems are connected to the Internet, putting one’s head in the sand will not make the threat disappear.
While we can’t predict where the next Trojan is going to appear or how it’s going to operate, we do know it will need to phone home to its command and control center. Stealthy attacks like SUNBURST are only effective if the attackers can issue commands and retrieve stolen data over the network. So while we can’t count on preventive controls to stop the deployment of a Trojan inside third-party software, or on detective controls to discern previously unrecognized embedded traffic like SUNBURST’s, every organization can invest in compensating controls (and the corrective actions they enable). With compensating controls, the defender assumes an incident will occur (or already has occurred) and puts countermeasures in place to interrupt, halt, or otherwise minimize the impact of the breach.
For example, one compensating control activity that all healthcare organizations can undertake is to get serious about restricting outbound Internet traffic. Restricting, and then closely monitoring, egress to the Internet is an arduous, thankless, and costly task. We take for granted that users and applications need routine Internet access, and restricting it causes inconvenience, workflow delays, and even service interruptions.
And that’s just the helpdesk headache; the real issue is that restricting outbound Internet access requires time and money. Protocol restrictions, proxies, web filtering, deep packet inspection, and rate-limiting tools must be purchased and configured. All the fancy tools an organization can buy are of limited utility unless expert personnel are given sufficient time to actually make the controls function effectively. As a result, ongoing staff time must be allocated to manage these systems. The combined costs of managing egress add up to a significant budget increase for IT.
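As an added illustration of the monitoring half of that work (this is example code, not from the article or the author’s firm), the Python below reads a constructed firewall log in an assumed CSV layout and does two things the preceding paragraphs call for: it counts connections to destinations outside each source host’s egress allowlist, and, going a step beyond the text, it flags source/destination pairs whose connection timing is regular enough to look like scheduled phone-home beaconing of the kind the earlier paragraph says every Trojan must perform. The hostnames, the log format and the thresholds are assumptions chosen for illustration.

```python
"""Egress review over firewall logs: allowlist violations and beacon-like regularity.

Added example (not from the article or BPM). Hostnames, the log layout and the
thresholds are assumptions chosen for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev

# Per-source allowlist of (destination, port) an internal host is permitted to reach.
# Hypothetical: a real deployment would export this from the egress firewall/proxy policy.
EGRESS_ALLOWLIST = {
    "monitor01": {("updates.vendor.example", 443), ("ntp.example", 123)},
    "ehr-app01": {("eprescribe.example", 443)},
}

# Constructed sample log (assumed CSV layout: timestamp,src_host,dst_host,dst_port,action).
SAMPLE_LOG = """timestamp,src_host,dst_host,dst_port,action
2020-12-14T09:00:00,monitor01,updates.vendor.example,443,ALLOW
2020-12-14T09:00:00,monitor01,cdn-telemetry.example,443,ALLOW
2020-12-14T09:01:10,ehr-app01,eprescribe.example,443,ALLOW
2020-12-14T09:03:17,monitor01,updates.vendor.example,443,ALLOW
2020-12-14T09:10:02,monitor01,cdn-telemetry.example,443,ALLOW
2020-12-14T09:19:58,monitor01,cdn-telemetry.example,443,ALLOW
2020-12-14T09:22:40,ehr-app01,paste-share.example,443,ALLOW
2020-12-14T09:30:01,monitor01,cdn-telemetry.example,443,ALLOW
2020-12-14T09:35:00,monitor01,203.0.113.7,53,DENY
2020-12-14T09:40:00,monitor01,cdn-telemetry.example,443,ALLOW
2020-12-14T09:47:52,monitor01,updates.vendor.example,443,ALLOW
2020-12-14T09:49:59,monitor01,cdn-telemetry.example,443,ALLOW
2020-12-14T10:15:05,monitor01,updates.vendor.example,443,ALLOW
2020-12-14T10:20:33,ehr-app01,eprescribe.example,443,ALLOW
"""


def parse_log(text):
    """Parse the CSV log into dicts with a datetime timestamp and an int port, sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def allowlist_violations(records, allowlist):
    """Count connections (allowed or denied) to destinations outside the source host's
    allowlist. A host missing from the allowlist has no permitted egress at all, so
    every connection it makes is reported."""
    counts = defaultdict(int)
    for r in records:
        permitted = allowlist.get(r["src_host"], set())
        if (r["dst_host"], r["dst_port"]) not in permitted:
            counts[(r["src_host"], r["dst_host"], r["dst_port"])] += 1
    return dict(counts)


def beacon_candidates(records, min_count=5, max_cv=0.1):
    """Flag (src, dst) pairs with at least min_count connections whose gaps are
    suspiciously regular: coefficient of variation (stdev / mean) at or below max_cv.
    Human-driven and update traffic is bursty; scheduled check-ins are not."""
    times = defaultdict(list)
    for r in records:  # records are already time-ordered, so each list is too
        times[(r["src_host"], r["dst_host"])].append(r["timestamp"])
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all hits at the same instant: a burst, not a schedule
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found[pair] = {"count": len(ts), "mean_interval": avg, "cv": cv}
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(allowlist_violations(recs, EGRESS_ALLOWLIST).items()):
        print("not on allowlist:", key, "x", n)
    for pair, info in beacon_candidates(recs).items():
        print("beacon-like:", pair, info)
```

On the constructed log, the allowlist pass reports the paste site reached from the EHR server, the denied DNS attempt to an outside address, and the six connections from the monitoring server to a destination nobody approved; the timing pass singles out that same destination, contacted roughly every ten minutes with only a few seconds of jitter. The thresholds are a starting point, not a rule: raise `min_count` on busy networks and tune `max_cv` once you know how regular your own legitimate scheduled jobs are, or the allowlist pass alone will drown the analyst.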
Additional preventive and detective controls that provide cost-effective cyber risk mitigation include allocating sufficient resources to monitor both user and service account access to EHR data, plus periodic penetration tests and risk assessments to determine where weaknesses exist in the organization’s digital, physical, and human attack surface.
As white-hat hackers who have performed thousands of penetration tests, we can confidently assert that, while many healthcare organizations have strong inbound firewall controls, few invest in rigorous outbound Internet traffic controls. The combination of user displeasure and IT expense makes egress restriction an exceptionally unpopular cybersecurity tactic among both ordinary employees and leadership.
Since organizations can’t hope to prevent every form of stealthy attack, tightly restricting and continuously monitoring all outbound Internet traffic is one of the few security controls healthcare organizations can employ that has a measurable chance of curtailing the impact of, and occasionally even detecting, stealthy cyber attacks.