IT Security Luminary Mac McMillan: Time to Develop Comprehensive Risk Management Strategies Around Data Security

Oct. 4, 2016
Mac McMillan, CEO of the CynergisTek consulting firm, offered healthcare IT leaders a bracing view of the panoply of data security challenges cresting, wave-like, against the virtual walls of U.S. patient care organizations.

This is part 2 of a two-part series on the presentation August 10 by Mac McMillan of the CynergisTek consulting firm, at the CHIME/AEHIS LEAD Forum event in Nashville. Part 1, which can be read here, covered the main portion of McMillan’s presentation in Nashville. This part covers the conclusion of McMillan’s speech, and his exclusive interview afterwards with HCI Editor-in-Chief Mark Hagland.

In his August 10 presentation to healthcare IT leaders at the CHIME/AEHIS Lead Forum event in Nashville, Mac McMillan, CEO of the CynergisTek consulting firm, spoke on the topic, “Developing and Managing an Ongoing Risk Management Program.” He told attendees that it was very important for healthcare and healthcare IT leaders to meet a cresting wave of cybersecurity threats by developing a comprehensive cybersecurity strategy, one that applies a risk management approach to the challenges facing patient care organizations right now.

One of the key elements in that, he told his audience, is that “It’s important to think about the metaphor of compartmentalization, and the way that battleships are built. They’re built in tight compartments, so that when one compartment is hit, the ship can go on,” he said. In that context, it is very important to hold regular cyber-drills, in order to prepare all staffers within patient care organizations to execute if and when breaches and other incidents and events occur. In that regard, he said, it is time to bring in expert outside consultants to do “monitoring, auditing, and analysis.” “You always need outside help,” he stressed. That is particularly true when sheer calculating ability is bringing the world to a new dawn of massive data and information processing capability.

“By 2025, we are going to have calculating ability to where laptops will process information at the 10 to the 9th power, or 10 trillion calculations a minute,” he noted. “What that means is that our industry will be turned on its head because of innovation; but security will be turned on its head, too. Ten years from now,” he predicted, “any system based on rules is going to be totally obsolete. Because when we have processing speeds that fast, and broader connections, any system that has to stop a packet and interrogate it to figure out if it’s good or bad is not going to be able to do it—unless vendors can figure out some new kind of artificial intelligence to do that. And I’m hearing that they’re nowhere near that. So we have to move away from rules-based technologies to behaviorally based technologies that detect anomalies in real time.”

In that regard, McMillan told his audience, “We’ll have to focus on anomalies. So we need to do a better job of managing our environments, of keeping our environments up to date. Obsolete systems, end-of-life systems that can’t be patched, do nothing for us, from a security perspective. And we need to make sure we’re hardening our systems and configuring them against all known risks, and keep them patched. So, 98 percent of attacks last year took advantage of a known vulnerability that was either a year or more old, meaning, there was a patch available for it, a configuration somebody could have made, a service someone could have used, but we didn’t.”


The hackers and cyber-criminals, he said, are “counting on our being too tired and too busy to keep up normal maintenance. It’s the same thing with our car, right? The warning light comes on and tells you that you need an oil change. In this case, the warning lights are there until somebody bad comes in. Those warning lights also tell you when you have an anomalous situation. If everything is hardened as it needs to be, you’ll recognize anomalies. We need to employ layers, protections at the endpoint, network, file layers, etc.—from our core all the way out to our endpoints, and even out to our cloud and SaaS providers, to allow us to carry those protections outwards. We definitely need to enhance our protected complementary controls.”

Administrative privileges: a key point of weakness?

One of the key areas that McMillan wants healthcare IT leaders to look at is that around administrative privileges. “Look at any of the breaches that have happened out there, especially the advanced ones, and somewhere along the way, the bad guy out there has obtained administrative privileges, to turn certain controls off, to hide what they’re doing, to exploit the environment and take advantage of it. Why? Because most of us are letting our administrators use their administrative access way too often. Number two, we’re not encrypting passwords and privileges on internal traffic, because somehow, we’re thinking we’re safe, and we’re not. And three, we have a reluctance to apply two-factor authentication to our processes.”

Given all this, McMillan said boldly, “I’ll say that anyone who doesn’t want to apply two-factor authentication is not long for his job. In fact, I would advocate that we change systems so that privileges expire automatically, so I have a much smaller footprint. We need to be smart about how we apply our protections, to understand that the attackers today are literally already inside our network, whether through phishing, some service or application; but we need to look at ourselves from the outside, not just the inside. And a pen test—smart pen testers test from the inside out, too. Someone does phishing, and if somebody has privileges already, inside your network, they can do things. The point is, most of us don’t know, because we don’t do that testing. And I’m suggesting that we have to quit trusting the inside of the environment, and test from the outside in, and from the inside, as well. Those are the kinds of things that we need to think about going forward.”
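The idea above of privileges that “expire automatically” is what identity teams usually call just-in-time elevation: an administrator is granted a role for a bounded window, the authorization check denies once the window closes, and every decision is written to an audit trail a SOC can review. The following Python sketch is an added illustration written for this article; it is not code from the article, from McMillan or from CynergisTek. The registry class, role names, the four-hour ceiling and the timestamps are all constructed for the example.

```python
"""Just-in-time administrative grants with automatic expiry (hypothetical model)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Grant:
    """One time-limited elevation: who holds which role, from when, for how long."""
    user: str
    role: str
    granted_at: datetime
    ttl: timedelta
    justification: str

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl

    def active_at(self, now: datetime) -> bool:
        # A grant is usable only inside its window; there is no "permanent" admin.
        return self.granted_at <= now < self.expires_at


class PrivilegeRegistry:
    """Hypothetical registry of just-in-time grants; every grant carries an expiry."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)):
        self.max_ttl = max_ttl           # hard ceiling on any single elevation
        self.grants: List[Grant] = []
        self.audit_log: List[str] = []   # every grant and decision, for later review

    def grant(self, user: str, role: str, now: datetime,
              ttl: timedelta, justification: str) -> Grant:
        if ttl > self.max_ttl:
            # Requests longer than policy allows are shortened, not refused silently.
            self.audit_log.append(f"{now.isoformat()} CAPPED {user}/{role} {ttl} -> {self.max_ttl}")
            ttl = self.max_ttl
        g = Grant(user, role, now, ttl, justification)
        self.grants.append(g)
        self.audit_log.append(
            f"{now.isoformat()} GRANT {user}/{role} until {g.expires_at.isoformat()} ({justification})")
        return g

    def revoke(self, user: str, role: str, now: datetime) -> int:
        """Early revocation, e.g. when an incident is declared; returns grants removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if not (g.user == user and g.role == role)]
        removed = before - len(self.grants)
        if removed:
            self.audit_log.append(f"{now.isoformat()} REVOKE {user}/{role} x{removed}")
        return removed

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Authorization decision: true only while an unexpired grant exists."""
        allowed = any(g.user == user and g.role == role and g.active_at(now) for g in self.grants)
        self.audit_log.append(f"{now.isoformat()} {'ALLOW' if allowed else 'DENY'} {user}/{role}")
        return allowed

    def active_grants(self, now: datetime) -> List[Grant]:
        return [g for g in self.grants if g.active_at(now)]

    def expired_grants(self, now: datetime) -> List[Grant]:
        return [g for g in self.grants if now >= g.expires_at]


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: two elevations, checked before and after expiry."""
    t0 = datetime(2016, 8, 10, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    reg = PrivilegeRegistry(max_ttl=timedelta(hours=4))
    reg.grant("alice", "domain-admin", t0, timedelta(hours=1), "apply patch batch")
    capped = reg.grant("bob", "db-admin", t0, timedelta(hours=8), "index rebuild")
    return {
        "alice_during": reg.has_role("alice", "domain-admin", t0 + timedelta(minutes=30)),
        "alice_after": reg.has_role("alice", "domain-admin", t0 + timedelta(hours=2)),
        "bob_ttl_hours": capped.ttl.total_seconds() / 3600,
        "bob_at_5h": reg.has_role("bob", "db-admin", t0 + timedelta(hours=5)),
        "no_grant": reg.has_role("carol", "domain-admin", t0),
        "expired_at_5h": len(reg.expired_grants(t0 + timedelta(hours=5))),
        "active_at_5h": len(reg.active_grants(t0 + timedelta(hours=5))),
        "log": reg.audit_log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of the model is that the footprint McMillan describes shrinks on its own: a grant that was never cleaned up still stops working at its expiry, an over-long request is cut to the policy ceiling and recorded, and the audit log gives the monitoring team a record of who held which role when, which is exactly the anomaly signal a behaviour-based detection program needs.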

Finally, he noted, “We’re dealing with a much more sophisticated actor today. Even the less sophisticated criminals have the benefit of a web and black market that will teach them what they need to do. I sent my pen testers to Black Hat,” he noted. “So we need to work smarter and harder,” he said, “not like Sisyphus. We need to understand our threat, how they come at us, understand what it takes to recognize what they’re doing. We need to educate our education and get everybody on board, and that it takes everybody to work together to do this. Within IT and security, we’re going to have to have some really specialized people who train to fight this battle, and who respond and react when these things happen. Because the organization that’s doing a good job and can execute, will have to deal with problems from time to time, but won’t have to deal with a big breach.”

Where is all this headed? Some patient care organizations are definitely doing better than others, McMillan observed. “We see organizations that have a solid plan, have invested in good technology, have good processes, and can react successfully within hours, to limit damage. And that really is the best case we can hope for. This notion that we’re going to be able to stop everything before it gets in, is unrealistic, because we will never know where the next attack is going to come from.”

Shortly after the conclusion of his presentation, McMillan sat down with HCI’s Mark Hagland for an exclusive interview. Below are excerpts from that interview.

Just recently, the Banner Health breach has been in the news. It’s another large breach affecting many patients and patient records. What should we be thinking about this right now?

It’s a bit unfair to speculate about that particular recent breach, because, not knowing what they have or haven’t done, we don’t know what really happened. A couple of things: one thing that has been mentioned in recent incidents is that there might have been a nexus between their point-of-sale systems and clinical information systems. Some people instantly assume when the term “clinical systems” is mentioned that we’re talking about clinical systems like EHRs. That may not be the case. Most hospitals have segregated their PCI—payment card information—credit card services—away from clinical systems. So hackers could have gotten access to some servers inside the network.

And because financial systems handle billing and claims data, that could be how that breach went from a payment system to impacting clinical information as well. The medical record may not have been breached at all; we don’t know that. So it’s unfair to assume that. The clinical information could literally have been from a financial database. That said, they could possibly have gotten access to Social Security numbers and credit card numbers, right? So you just don’t know—you don’t know what level of investment Banner has made in security technology in the last couple of years. And after the breaches at the end of 2014 and into 2015, people started investing in advanced malware detecting solutions: people buying DLP, advanced malware detection capabilities, etc.

It seems like there’s more awareness now of the risks of hacking and breaches, but that it also seems that people are feeling overwhelmed and daunted, and are lacking the resources, both human and financial, to address these challenges at scale.

Yes. What we’re seeing happening in healthcare today is similar to what we saw in banking in the 1990s. With online banking, the big banks could reach everyone in their home. All of a sudden, little neighborhood banks were in danger. In the old days, you went physically into your bank and you had relationships. But now, Bank of America has an ATM everywhere. So in the 1990s, the big banks bought the regional banks, and the regional banks bought the community banks. They gobbled up the smaller players who could not keep up with all the regulations coming out from the FDIC on data protection, or keep up with the technology. I think we are on the cusp of a wholesale change in healthcare as well. The only thing keeping critical-access hospitals alive today is that we still haven’t figured out how to get emergent care into some of those rural places. My theory is all of this regulation, all of these security issues, will make it harder and harder for the small guy to keep up, and at some point, they’ll either be acquired by the big systems, or the big systems will find the model to replace those small hospitals with telemedicine, population health, etc. If you read any of the folks talking about the future, they talk about healthcare as being ripe for disruption. This is an industry where the model is going to change dramatically.

So in some ways, that’s going to work itself out through consolidation, then?

Yes. And don’t get me wrong; I love the little hospitals as much as anybody. They serve a very important purpose, and make a difference in people’s lives. But the fact of the matter is, when you’ve just got two pennies to rub together, and you’ve got to buy a $60,000 malware solution, you’re in trouble. And the fact is, the moment you connect to the Internet, you’re at risk—whether from purposeful threats, or even ones that are randomly out there. So being small doesn’t protect you anymore. There’s no invisible anymore.

Where are we now with CISO hiring, across U.S. healthcare?

My honest appraisal is that we’re making progress, but very slowly. The things that have happened recently that have caused security to become a more prominent issue, have sort of breathed new life into folks. We had a lot of folks with CISO titles, who had come into healthcare but were unhappy because of the lack of money, support, and prioritization, and they’d get frustrated and either give up and quit, or leave. We have quite a few folks who work for us. Our company’s growing constantly now. We have a lot of CISOs working for us as consultants who were at hospital systems. These are people who are really interested in doing a good job, and solving problems, and those kinds of things, and they get frustrated when they get no support. And it’s much easier sometimes to come in as a consultant, because at the end of the day, they’re not responsible for going and getting the budget to do it. And so they’re contributing in their way.

And I believe the people who are working with us are trying to do a good job. The people who just want to check a box and do an audit, sometimes aren’t. We’re going to really help you create change; it’s a philosophical approach. So it’s getting easier to hire CISOs now, because the CISOs see there’s a real market for hiring and promotion. The challenge will be keeping them engaged. If they don’t come into a market where they feel that what they’re doing is appreciated, there’s a real chance they’ll go back out again. It’s one thing to get them, it’s another to hold onto them. We’re getting now, because the industry has a reputation now as being in trouble and needing CISOs. So the CISO community is interested.