An Ounce of Prevention for the Healthcare IT Network

Dec. 1, 2006

Bots and trojans and spyware, oh my! New threats arrive daily to exploit vulnerable healthcare networks. Here’s how to protect yours.

Healthcare organizations, like most other IT-dependent groups, continue to be challenged by cyber threats that result from an Internet-connected IT infrastructure. While most healthcare IT professionals understand the importance of desktop management and security, the network itself is sometimes overlooked as an effective vehicle through which the risks of Internet-connected end-stations can be mitigated.

Mike Paquette is chief strategy officer at Top Layer Networks.

From the IT security perspective, network-based cyber threats can be placed into three major categories: undesired access, rate-based attacks and malicious content. Almost every cyber threat or cyber crime publicized over the past 10 years falls into one of these major threat categories.

Undesired access includes access policy violations, unauthorized access to systems or data, and spoofed access attacks that can allow an individual or computing device to gain inappropriate access to information that should be restricted.

Rate-based attacks include Denial of Service (DoS) attacks caused by SYN floods, UDP floods, ICMP floods or application transaction floods, which essentially make applications unavailable to their intended users, potentially causing a more critical denial of patient services.

Malicious content—perhaps the most well-known threat category—includes: remote exploits of system vulnerabilities, e-mail viruses, spyware, trojan horse programs, application-level attacks, and protocol abuse that can cause slow operation of the desktop or application server at best, or lead to leakage or loss of protected health information (PHI) in the worst case.

Unfortunately, the IT forecast calls for the threat from malicious content to increase over the next couple of years due to the continued discovery of operating system vulnerabilities, new viruses, device driver exploits, rootkits, advanced spyware and VoIP (Voice over Internet Protocol) threats.

Familiar Problems
Recent security vendor reports claim that up to 70 percent of all enterprise computers with Internet access are infected with some kind of spyware, and that keystroke logging variants are becoming commonplace. Can this happen to your network? Easily. Here is a real-world situation involving a healthcare employee and a basic computer interaction commonplace in almost any professional setting.

Jane, a director of patient services at a college healthcare center in Massachusetts, finishes entering her notes into the electronic medical record (EMR) software on her office computer. It is her last appointment of the week, so she decides to check her e-mail before going home for the weekend. An employee on family leave has sent a few photos of her newborn in an e-mail message. Jane opens and views the photos, and then sends them to others in the office. The next e-mail in her inbox also contains photos and although she does not recognize the sender, she double-clicks on it to open the attachments. However, the photos do not open, so she deletes the e-mail message, closes her e-mail program and logs off the computer.

Unbeknownst to Jane, the second e-mail contained a specially crafted JPEG file that exploits an unpatched vulnerability in her Microsoft Windows operating system. It infects her computer with a malicious program that turns Jane’s computer into a “bot,” short for robot, that waits for commands from a master station, hidden somewhere on the Internet.

Suppose Jane’s computer was infected not with a simple “bot” program, but with a keystroke logger. Specialized spyware programs such as this routinely exploit vulnerable systems. Once installed, they capture user keystrokes and enter them into locally stored files, which then get sent over the Internet to master computers that collect the data, possibly without their owners’ knowledge. Later, the thieves sift through the files searching for bank account numbers and PINs that can be used to fraudulently steal money.

On Monday morning, Jane logs onto the network, opens the EMR software and gets to work. When her first office visit appointment arrives, Jane pulls up the patient’s medical record by typing the patient’s last name and starts entering notes about the patient’s condition. All the while the keystroke logger is capturing the patient’s personal and confidential information, which will be delivered outside of the healthcare center to the Internet later that morning. Since Jane did not type any bank account or credit card information, there may not be any fraudulent activities—this time. However, some confidential PHI has been leaked. Would this be a violation of HIPAA regulations? Probably.

Managing Risk
The problem is by no means limited to healthcare management. Healthcare organizations should take special steps to protect the confidential PHI accessed by their associates on their computers. Avoiding such problems must be the shared responsibility of healthcare associates, IT departments and an organization’s risk management office.

From a risk management point of view, this entails basic security versus necessity/convenience trade-offs. Does Jane really need e-mail access on the same computer she uses for accessing patient EMR data? Does she need the ability to send and receive images by e-mail? Have all associates been told that Internet e-mail is not secure and to never open attachments from unknown e-mail senders? Have they been instructed to never send PHI in Internet e-mail without following approved procedures?

From an IT management point of view, this is not just a “desktop management” problem. Most healthcare organization networks have a firewall installed between the network and Internet connection, and some have firewalls to isolate various healthcare departments from the rest of the IT infrastructure. Some organizations also are designating and training an IT specialist within the practice area to help lead their team with regard to security issues.

Jane’s IT department later patched her operating system to close the vulnerability, but in this case the patch came too late. It is nearly impossible for large organizations to keep every system patched ahead of these types of threats. However, IT departments can do more.

Technology Solutions
Security experts agree that reducing risk requires IT technology at the desktop and in the IP network. Technologies exist that can reduce the risk of spyware and other malicious content infecting desktops, and perhaps more importantly, reduce the likelihood that infected computers will deliver confidential data outside an organization’s network. They include:

  • Anti-spam/anti-spyware firewalls. These specialized security devices perform rigorous inspection of all e-mail into or out of the organization to make sure that it does not contain malicious attachments that could be executed and infect computers. Further, these devices can eliminate unsolicited commercial e-mail, commonly referred to as spam.
  • Network intrusion prevention systems (IPS). Installed on the network in addition to the firewall, these devices inspect all network transactions including e-mail and Web browsing and block transactions that are harmful and/or malicious. These devices reduce the risk of spyware infecting computers by blocking transactions that could exploit vulnerabilities to install the malicious code onto vulnerable desktops or application servers. Perhaps more importantly, they can block the communications from infected machines to their Internet destinations. In addition, they notify IT staff if computers on the network have been infected, so more rapid remediation can take place.

Installation
Both technologies—anti-spam/anti-spyware firewalls and network IPS—are relatively straightforward to install. During scheduled maintenance, the device is placed online at the appropriate location on the network and enabled for operation. For most anti-spam/anti-spyware firewalls, the IT staff may need to change some e-mail settings and perhaps some DNS and/or router settings to ensure that the e-mail traffic is delivered properly to the device. Most network IPS devices can be deployed transparently with no changes to the routing infrastructure.

Both types of devices generate security events, which can be delivered over a standard network protocol, called Syslog, to the IT department’s centralized event-logging system. In addition, a user interface on the device provides a dashboard screen that can be easily monitored and managed by the IT security team, which would initiate their incident response plan if an attack or other significant event occurs.
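The centralized event log is only useful if someone turns the events into a list of machines to remediate. The following added example (not from the article, Top Layer Networks or any vendor) parses a few constructed IPS syslog lines, whose key=value format is an assumption, and flags internal hosts whose outbound traffic the IPS has repeatedly blocked, the pattern the article describes for an already infected desktop such as Jane's.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog lines in the shape a network IPS might emit; the field
# names (action, dir, src, dst, dport, sig) and format are assumed, not any
# real product's. Addresses are RFC 5737 documentation ranges.
SAMPLE_SYSLOG = """\
<134>Dec  4 09:02:11 ips01 ips: action=block dir=outbound src=10.20.5.17 dst=198.51.100.23 dport=6667 sig="IRC bot command channel"
<134>Dec  4 09:02:40 ips01 ips: action=block dir=outbound src=10.20.5.17 dst=198.51.100.23 dport=6667 sig="IRC bot command channel"
<134>Dec  4 09:03:05 ips01 ips: action=block dir=inbound src=203.0.113.9 dst=10.20.5.40 dport=445 sig="SMB remote exploit attempt"
<134>Dec  4 09:03:12 ips01 ips: action=block dir=outbound src=10.20.5.17 dst=203.0.113.77 dport=80 sig="Keylogger data upload"
<134>Dec  4 09:04:50 ips01 ips: action=allow dir=outbound src=10.20.5.22 dst=192.0.2.10 dport=443 sig=""
<134>Dec  4 09:05:01 ips01 ips: action=block dir=outbound src=10.20.5.22 dst=198.51.100.23 dport=6667 sig="IRC bot command channel"
"""

LINE_RE = re.compile(
    r'action=(?P<action>\w+) dir=(?P<dir>\w+) src=(?P<src>[\d.]+) '
    r'dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) sig="(?P<sig>[^"]*)"'
)

def parse_events(text):
    """Parse the key=value portion of each syslog line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def suspected_infections(events, threshold=2):
    """Return {internal_host: {blocked_destinations}} for hosts whose outbound
    traffic the IPS blocked at least `threshold` times. Inbound blocks are
    attempts against a host, not evidence it is infected, so they are ignored."""
    blocks = defaultdict(set)
    counts = Counter()
    for ev in events:
        if ev["action"] == "block" and ev["dir"] == "outbound":
            counts[ev["src"]] += 1
            blocks[ev["src"]].add(ev["dst"])
    return {host: blocks[host] for host, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    # Each flagged host is a candidate for isolation and cleanup under the incident response plan.
    for host, dsts in suspected_infections(parse_events(SAMPLE_SYSLOG)).items():
        print(f"isolate {host}: blocked outbound to {sorted(dsts)}")
```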

Since threat information constantly changes, both types of devices need occasional (or frequent) updates from the vendor to keep lists and signatures up to date. Some devices have fully automated update systems, while others will require the IT staff to intervene to apply the updates. IT staff should inquire about the operation of the update function before selecting their vendor.

Benefits
A properly installed anti-spam/anti-spyware firewall or network IPS will reduce the likelihood of infected desktop computers “leaking” PHI out of the system. If desktops do become infected, their outbound communications also can be blocked. Additionally, the number of IT hours devoted to remediation of systems infected by viruses, worms and spyware is reduced, allowing IT staff to tend to other matters. Application “system” downtime also is reduced.

Deploying these technologies in the healthcare network may qualify as taking “reasonable care” in protecting confidential data, which can be instrumental in demonstrating compliance to healthcare regulations, such as HIPAA, as well as commercial regulations such as the Payment Card Industry Data Security Standard.

