E-News Exclusive

Health Care’s Historical Hurts — How Outdated Systems and Software Make Health Care a Target

By John Nye

In well over a decade of testing and assessing networks and their constituent systems, the rarest finding has always been a well-managed network with patched systems. A perfect storm of circumstances and industry necessities has led to a deep-seated and difficult-to-fix culture of insecure networks. For example, at any given time in most hospitals—between contractors, patients, and visitors—half the people neither work there nor know or follow security procedures.

Another common cause of outdated systems are those unknown or not controlled by the organization, such as biomedical devices and anything in the imaging suite. The health care industry struggles as a whole to manage system inventories and patching in far too many cases.

A few major, ingrained issues have led to the current state of HIT, including the following:

• Physicians and researchers shadow IT. Many physicians and researchers have the leeway (or simply take it) to choose what type of computers they use and often choose whatever software they prefer as well.

• Old systems. This is one of the biggest issues in the health care world—systems that are either “too expensive” or “too difficult” to replace with a modern equivalent. Good examples here are industrial control systems and medical imaging devices.

• Missing updates and unpatchable systems. Many health care organizations have decided to keep Windows XP, Server 2003, Windows 7, and other old Windows Server versions past their deprecation dates. This makes them vulnerable to attack and the only protections available are insufficient “Band-Aids.”

What Can Be Done?
Fixes of these problems are surprisingly simple, but unfortunately there are some deep-rooted ideas and habits that will be difficult to completely break. For this reason, there will be some level of pushback until the more experienced and entrenched employees retire.

When any organization asks what they can do to improve their security and maturity, there is one resource that is universally helpful: the Center for Internet Security’s top 20 critical controls. While 20 new controls might be overwhelming, an organization that implements this framework will majorly improve their overall security posture.

The first and most important critical control will quickly make strides to fix the shadow IT issue and make major improvements toward getting old systems out and current ones patched. The first control, “Inventory and Control of Hardware Assets,” is simple, as it states to “actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”

Despite its basic and commonsense nature, it is exceedingly rare for any organization to have a solid handle on this control. If an organization lacks a solid inventory system, then this critical control should be given top priority.

Known Systems, Unknown Software
Once an organization has a handle on hardware inventories, there will be a complete list of all systems on the network. This list will reveal the deprecated systems, which is the perfect place to begin the process of replacing or retiring end-of-life systems (or at a very minimum, moving them to a secure enclave in the form of restricted subnets).

In addition to understanding the hardware on the network, the completed list of hardware can be used to audit the software and operating systems on those systems. This leads directly into the second critical control, “Inventory and Control of Software Assets,” which is similar to hardware inventories but will result in an even more comprehensive list of assets that includes software and operating systems in use on the network. This information can be used to further secure the network.

Vulnerability Monitoring
The missing patches issue will be partly dealt with when the software and hardware inventories are in place but it is nevertheless important to implement the third critical control, “Continuous Vulnerability Management.”

At the point when an organization finally has hardware and software inventories, it can begin a vulnerability management program. The goal of such a program is to scan all the systems on the network for vulnerable software or missing patches. If the inventories are accurate, updating the systems will be a relatively simple process.

Conclusion
Overall, a cultural shift is required to move health care organizations toward a more secure network model. No longer is it okay to keep a system because it might be too expensive or difficult to update or replace it; these are exactly the oversights that criminal attackers are looking for—and precisely the reason that health care is such a prime target.

— John Nye is senior director of cybersecurity research and communications at CynergisTek.