That’s how long it takes for bad actors to access a health system’s data and begin lateral movement, according to a CrowdStrike report, which is significantly faster than in years past.
For CISOs and other leaders, “It’s a constant cat-and-mouse game” — not necessarily to prevent access, but to limit the damage cybercriminals can do once they’ve gained entrance.
“There are so many layers,” said Todd Felker, Executive Healthcare Strategist with CrowdStrike during a panel discussion. And so much pressure. “We have to be right 100 percent of the time; the adversary just has to get it right once.”
As healthcare organizations drive toward digital transformation, it hasn’t just made it more challenging to safeguard data; it has created a “perfect storm,” Felker noted. “Healthcare is very targeted. There’s a huge demand for data, margins are getting squeezed, and staffing has been a challenge.” What’s more, cybercriminals have the technical knowledge — and resources — to stay one step ahead of leaders.
“They continue to evolve,” he added. “As we’re building our security programs, they’re coming up with new and better ways to get around our defenses.” The latest targets are VMware hypervisors, each of which can host an alarmingly high number of guest operating systems, putting EHR data at risk. “They can launch a single script to go after all of the guest VMs on a particular hypervisor environment,” said Felker, who spent many years on the provider side before joining CrowdStrike in 2021. “And it’s very efficient for them. They can do a lot of shock and awe and a lot of damage very quickly and efficiently,” particularly in terms of access and lateral movement. “It’s devastating.”
As a result, health IT and cybersecurity leaders have stepped up their game as well, and are constantly looking for ways to keep pace with bad actors. “You have to create layers that we never had before,” said Tonthat, VP, associate CIO & CISO with Texas Children’s Hospital. During the webinar, she and Chris Paravate, CIO with Northeast Georgia Health System, shared insights on how the rapidly evolving threat landscape is affecting their organizations, and the steps they’re taking to stave off attacks.
Security by Design
One of those steps, according to Tonthat, is what she termed “security by design,” which means that “nothing goes live without first going through the architecture board and going through risk assessment.” It may sound like a basic premise, but as any security leader can attest, “there are things that fall through the cracks,” she noted. “That’s where it’s critical having 24 by 7 monitoring, specifically of third-party services and cloud technologies.”
Another key step? Conducting ongoing scanning and validation within data centers, and ensuring security is well-represented in the IT architecture. “We have other architects who are familiar with data, interfaces, network and cloud, but the lead is a cybersecurity professional,” she said.
In addition, Texas Children’s has designated vendor risk management committees that review ISO certifications and conduct annual risk assessments. These types of measures have become table stakes; as the environment becomes increasingly complex, leaders are finding that they need to take it a step further.
“More than Just an Alert”
One avenue is threat intelligence, which is a key component of CrowdStrike’s strategy, according to its website. The idea is that if organizations are armed with consumable information, “they can understand the adversary, learn from attacks, and take action on indicators to improve their overall defenses.”
To make an impact, however, threat intelligence must be more than just another alert, said Tonthat. “You can sign up for Health-ISAC and get emails all day long. But if you don’t have a process to monitor that and make sense of the IOCs or TTPs being used, it’s all for naught.”
At Texas Children’s, her team has invested heavily not just in threat intelligence, but in the processes used to ingest the data, as well as ensuring all security technologies are “updated with the latest and greatest IOCs,” she noted.
Another critical piece, noted Paravate, is having security partners who can monitor and filter intelligence. “We have a dedicated team that’s looking at those items and prioritizing them based on the situation to determine whether there’s a vulnerability,” and if so, understand the nature of the threat.
Tonthat concurred, adding that it takes “a combination of automation and people” to get the most out of threat intelligence tools. “We can’t do it alone,” she said. In addition to dedicated cybersecurity professionals, her team also includes a mix of managed service providers specializing in analytics and incident response. As a result, when a threat is detected, “based on the technologies that we use and the partnership that we have, all of our technologies are updated immediately within 24 hours.”
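What “a process to monitor that and make sense of the IOCs” looks like in practice is the part the panel did not spell out. The following is an added example written for this article, not code from CrowdStrike, Texas Children’s, or Northeast Georgia: it ingests a small indicator feed in the flat CSV shape that ISAC mailings and vendor feeds commonly export, normalises each indicator so that matching is exact, runs the indicators over a few log lines, and ranks the hits by feed confidence so an analyst sees high-confidence matches first. The feed values, log lines, field names and TTP labels are all constructed for illustration and are not real indicators.

```python
"""IOC ingestion and matching over log lines (added example, not the panel's code)."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed: hypothetical values chosen from documentation ranges.
FEED_CSV = """type,value,confidence,ttp
ipv4,203.0.113.45,high,T1071.001
domain,update-cdn.example,medium,T1568
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,high,T1204.002
ipv4,198.51.100.0/24,low,T1090
sha256,not-a-real-hash,high,T1204.002
"""

# Constructed proxy/EDR log lines in a flat key=value shape.
LOG_LINES = [
    "ts=2024-05-01T10:00:00Z host=ws-17 dst=203.0.113.45 dport=443 action=allow",
    "ts=2024-05-01T10:01:12Z host=ws-17 domain=Update-CDN.example action=allow",
    "ts=2024-05-01T10:02:30Z host=srv-db1 sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 action=exec",
    "ts=2024-05-01T10:03:00Z host=ws-22 dst=198.51.100.77 dport=8080 action=allow",
    "ts=2024-05-01T10:04:00Z host=ws-22 dst=192.0.2.10 dport=443 action=allow",
]

RANK = {"high": 0, "medium": 1, "low": 2}  # lower sorts first


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    confidence: str
    ttp: str


def load_feed(text):
    """Parse the feed and normalise values; malformed indicators are dropped, not matched."""
    indicators = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip().lower()
        if kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
            continue  # a bad hash would never match and only clutters the ruleset
        if kind == "ipv4":
            # Accept single hosts or CIDR blocks; store both as networks.
            value = str(ipaddress.ip_network(value, strict=False))
        indicators.append(Indicator(kind, value, row["confidence"].strip().lower(), row["ttp"].strip()))
    return indicators


KV = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """Turn 'k=v k=v' into a dict; unknown fields are kept, nothing is guessed."""
    return dict(KV.findall(line))


def match(indicators, log_lines):
    """Return hits as (line, indicator), highest feed confidence first."""
    nets = [(ipaddress.ip_network(i.value), i) for i in indicators if i.kind == "ipv4"]
    domains = {i.value: i for i in indicators if i.kind == "domain"}
    hashes = {i.value: i for i in indicators if i.kind == "sha256"}
    hits = []
    for line in log_lines:
        f = parse_log(line)
        found = None
        if "dst" in f:
            try:
                addr = ipaddress.ip_address(f["dst"])
                found = next((i for net, i in nets if addr in net), None)
            except ValueError:
                pass  # non-IP destination field; fall through to other indicator types
        if found is None:
            found = domains.get(f.get("domain", "").lower())
        if found is None:
            found = hashes.get(f.get("sha256", "").lower())
        if found is not None:
            hits.append((line, found))
    hits.sort(key=lambda h: RANK.get(h[1].confidence, len(RANK)))
    return hits


if __name__ == "__main__":
    for line, ind in match(load_feed(FEED_CSV), LOG_LINES):
        print(f"[{ind.confidence:6}] {ind.ttp:10} {ind.kind}={ind.value}  <-  {line}")
```

The two normalisation steps are where most real pipelines go wrong: case-folding domains and hashes before comparison, and treating every IP indicator as a network so a /24 from the feed and a single host from the log compare the same way. The malformed hash in the constructed feed is deliberately dropped at ingestion, which is the cheap place to catch it.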
6 Critical Steps
While these practices are certainly valuable, there’s more to the art of cybersecurity. Below, the panelists shared some nuggets based on their own experiences.
- More apps, bigger attack surface. If it were solely up to the business side, the digital technology portfolio would include thousands of solutions, which increases the attack surface, according to Tonthat. “Most IT organizations already have an arsenal of very robust solutions that operations can leverage. Instead of asking which technologies they want to enable, we need to understand the problems. We’re the experts in that area; we can provide them with something that’s already deployed in our data center, completely secure with our technologies and layers of defense.”
- Align with the business. As with so many aspects of health IT and security leadership, staying in lockstep with business leaders is vital. “We need to anticipate what needs exist and work alongside the business to provide solutions,” said Paravate. To that end, Northeast Georgia has reorganized the IT enterprise around the consumer, not technology, to better anticipate user needs.
- Focus on the architecture. It’s inevitable that solutions will be added, but before that happens, the overall architecture must be carefully considered, he noted. “Whether you’re virtualizing servers or starting to migrate toward cloud solutions, you need to take a step back and look at how the architecture is being built and how to narrow the attack surface. How do you contain those units? What’s your encryption strategy? What are your standards?”
- Oversight pays dividends. Similarly, Tonthat stated that ensuring any new technology aligns with technical standards is a must. “It’s part of our operational excellence and disciplinary processes. It must be baked into the process.” And that means going beyond pen testing and assessments and investing in capabilities to enable ongoing security validation. “We know it’s people, process, and technology. It doesn’t happen 100 percent of the time that the default password is changed appropriately, or the service account is bolted in the right place. Having that governance and compliance level of oversight will pay dividends.”
- It takes an orchestra. Protecting against cyberattacks is not — and should never be — a solo endeavor, said Felker, noting that CrowdStrike is building an extended detection and response ecosystem. The organization is partnering with several other security vendors to exchange data. “We’re going to share threat intelligence so we can have a clearer picture of what’s happening in the environment and generate automated responses.” The reality, he added, is that no matter how much health systems spend, there’s no silver bullet when it comes to cybersecurity. “The more relationship building we do with third parties to make sure they’re consuming all the right updates and are heavily invested in cybersecurity, the more it helps mitigate the risk of an impact.”
- Master the basics. No matter how complex an organization might be, good cybersecurity hygiene starts with the basics, said Felker. And that means ensuring a guaranteed response time, conducting tabletop drills, having difficult conversations with the board, and making sure the entire organization is prepared to respond to an incident. Paravate agreed, “There will be different attack vectors and different methods, but the theme is still the same. This is our reality, and we need to continue to thread it into our strategic plan.”
Finally, leaders must be willing to beat the cybersecurity drum for as long as it takes, said Tonthat. “Our program has no end date. With the emerging threats and the evolution of the sophistication of cybercriminals, there’s no sign-off,” which she has consistently communicated throughout the organization. “We’re very fortunate that we have support from the top down in making sure our digital technologies remain resilient and available so that we can continue to provide care to our patients.”
An archive of this webinar, Virtualization in the Crosshairs: Leveraging Threat Intelligence to Enhance Your Cybersecurity Posture, is available to view.