The healthcare industry by its very nature is populated with some amazing people who are devoted to those in need of physical and mental care. Given this noble cause, it was perfectly understandable for them to ask “Why would someone attack us?” when WannaCry hit their sector. In my opinion, the WannaCry compromise was the crescendo of almost a decade’s worth of neglect. Unpatched servers, legacy applications, forgotten risk registers and discarded business cases for investment all played their part. However, it did answer the million-dollar question asked of all security teams: “What is the real risk of us being attacked?”

At the time of the attack, security teams across the country were rallying to resolve the issue, with many (I’m sure) searching for evidence that they had once warned their organisation of the dangers of poor cyber-response arrangements and poor patch management. Dare we ask how many servers compromised by WannaCry only required a reboot to enable the patch – denied only because no agreement could be reached to arrange a maintenance window? As sad and as controversial as it sounds, sometimes it takes an incident of this magnitude and publicity for organisations to remember the basics.

Despite the irresistible urge for some to shout “I told you so,” we must understand how we can improve now that we have the attention of executive management, who wish to avoid the implications of another WannaCry. In recent years, I have spent less time on policy and more on advising on change – mostly trying to mediate between innovation and security. In adapting my thinking to include transformation and change, I have identified five key areas I believe all security (and IT) professionals should be considering:
1. The ‘Gig Economy’
Organisations want to try new things and do not want to be bogged down with procedures and policy. However, we must be mindful of integration and support. Get the right contracts in place; secure robust support agreements and software assurance. Do not become dependent on a third-party application. We all know of solutions with security flaws whose vendors have no appetite to fix them. Finally, be prepared to forgo the usual full third-party assessment for these smaller firms. Streamline it, and document the exceptions!
2. Digital Transformation
The right digital plan must be established. It must be designed with a care plan/business strategy at its heart and underpinned by robust architectural designs and operational basics. Base your security strategy around this, and you will not go far wrong. (It also makes asking for investment far easier!)
3. Data, Data, Data
If you cannot extract data from a solution to demonstrate value and outcomes, why bother with it? And critically, look for a common integration and data extraction tool rather than a swathe of bespoke interfaces known only to the developer who left the organisation two years ago.
4. A Retirement Plan
Support functions cannot be expected to support operating systems that are no longer supported by the vendor. As in the financial sector, it is only a matter of time before the healthcare sector is required to provide decommissioning plans and timelines. Be proactive with your hardware refreshes, and ensure your third-party vendors are contractually obliged to keep their applications supported on the latest technology and operating systems.
5. Courage
Finally, we must have the courage to stand up for what we know is the right thing to do: do not be swayed by pressure to adopt bad practice or technology. Whilst saying “No” is never really an option, the transferral of risk certainly is.
How Tripwire Can Help
All healthcare organizations need to take steps to strengthen the security of their systems so that they can ensure the availability of critical medical services and protect their patients’ data. Such measures are especially important when defending against vulnerabilities like EternalBlue, the Microsoft SMB flaw which WannaCry exploited in 2017. CVSS risk scoring is a good start. But in instances of this type, low/medium/high scoring on its own is of little use: the vulnerability shows up as “high” in every part of the business, so the critical systems and assets that deliver the “business as usual” state land in the same category as non-critical systems. This is where Tripwire IP360 can assist. Tripwire not only provides CVSS risk scoring but also weights each asset according to its criticality to the business, amongst other criteria. This gives limited resources a way to apply patches quickly to the critical systems first, thereby securing the “business as usual” state for the business. In the meantime, Tripwire Enterprise can be utilised to monitor the network for any changes or drift from compliance and policy, providing real-time notification to the responsible teams of anything that is detrimental to the estate so they can address it immediately.
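To illustrate the point above, here is an added example (not the article’s own code, and not Tripwire IP360’s scoring algorithm) that ranks the same SMB flaw on several hosts first by a flat CVSS band and then by CVSS weighted with an assumed business-criticality factor; the host names, scores and weights are all constructed.

```python
"""Flat CVSS banding versus criticality-weighted patch prioritisation.

Illustrative model only: the CRITICALITY_WEIGHT table and the sample
inventory are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed business-criticality multipliers (not from the article or any vendor).
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}


@dataclass(frozen=True)
class Finding:
    host: str
    cvss: float        # CVSS base score, 0.0 to 10.0
    criticality: str   # business criticality of the asset: key into CRITICALITY_WEIGHT
    vuln: str          # human-readable name of the vulnerability


def cvss_band(score: float) -> str:
    """Flat low/medium/high band of a CVSS base score (7.0+ high, 4.0+ medium)."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def weighted_score(f: Finding) -> float:
    """CVSS score scaled by how much the business depends on the asset."""
    return round(f.cvss * CRITICALITY_WEIGHT[f.criticality], 1)


def patch_order(findings: list[Finding]) -> list[str]:
    """Hosts in the order a limited patching team should work through them."""
    ranked = sorted(findings, key=lambda f: (-weighted_score(f), f.host))
    return [f.host for f in ranked]


# Constructed sample: one SMB flaw present on four hosts of differing criticality.
SAMPLE = [
    Finding("imaging-db-01", 9.3, "critical", "EternalBlue (SMB)"),
    Finding("lobby-kiosk-03", 9.3, "low", "EternalBlue (SMB)"),
    Finding("eprescribe-app-02", 9.3, "high", "EternalBlue (SMB)"),
    Finding("dev-vm-17", 9.3, "medium", "EternalBlue (SMB)"),
]

if __name__ == "__main__":
    # Flat banding cannot separate the hosts; the weighted order can.
    print("CVSS bands:", {f.host: cvss_band(f.cvss) for f in SAMPLE})
    print("Patch order:", patch_order(SAMPLE))
```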
About the Author: Adam Griffin has been the Head of Information Security and Digital Forensics at St. Andrew’s for nearly three years. During this time, he has overseen a significant shift from the traditional security model to a least-restrictive approach that empowers rather than dictates.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.