HEALTHTECH: What are areas of focus healthcare organizations can target immediately to bolster their security? What about areas that require long-term efforts?
QUINN: For both the short and long term, asset inventory and management is going to be one of the most effective things that you can do as an organization to make sure that you are protected. It’s not just knowing what devices you have but knowing where the devices live, both physically and on the network; knowing how many you have; what operating systems or firmware they're running; and when they were last updated.
This is an extensive project for a lot of hospitals. There’s a lot of gear shifting around all the time. All of this makes it incredibly tricky to track, and it makes asset inventory even more critical, because it can be so easy to lose track of what you have, and that can allow an attacker to potentially find untracked and unpatched devices and get further into the network.
In the long term, I would suggest investing in strong network segmentation. As a security or network engineer entering a healthcare organization, you will often notice that the network doesn’t have a lot of strong segmentation, and in some cases you may inherit a network that requires a lot of updating. Unfortunately, there isn’t always the funding to support large-scale infrastructure revisions, which can really impact things long-term. It can be costly to get a network into a completely segmented and safe position. But that's one of the biggest contributors to making sure that you are going to be safe as an organization.
Strong network segmentation can help mitigate the risks of any breaches that occur. With proper segmentation, for example, you can make sure that your dialysis machines are on their own network and segmented away from everything else. You can make sure that your lab equipment and similar devices are secured away, so that in the worst-case scenario, if you do get hit by ransomware, the ransomware will not deploy to those particular specific networks. That can save lives.
DISCOVER: Answer your questions about identity-related vulnerabilities and segmentation.
HEALTHTECH: Why should healthcare organizations conduct regular penetration testing? How should they approach pen testing? What are some common misconceptions?
QUINN: Healthcare organizations should conduct regular pen testing to find and cut off any paths that an attacker might be able to find within their networks. More and more, it’s a prerequisite that we assume that a breach has already occurred in our organization, regardless of whether it was accomplished through phishing, an exploit or an insider threat. It becomes imperative that we address the network as though it has already been compromised and that we find out how an attacker could compromise further systems or cause damage to the environment through such access.
One common misconception is that pen testing and vulnerability scanning are the same thing. The biggest differentiators that we have between pen testing and vulnerability scanning is that vulnerability scanning will find vulnerabilities within the network, but it won’t chain those together and create an attack path.
Say that you have a server that has a known exploit against it: The pen tester could actually exploit that vulnerability, chain that with other discovered misconfigurations or vulnerabilities, and gain access to systems that you believed would be secured. Meanwhile, a vulnerability scan will simply tell you about that vulnerability. That’s why it's important to do pen testing: to see what additional compromise can happen should a system become compromised.
It’s easy to review a vulnerability scan against our network and say that we’re all patched, we’re all up to date, we should be safe. But without that verification and manual testing, there could be additional vulnerabilities that an attacker can exploit to cause an extensive compromise of your environment. Active Directory in particular has quite a few misconfigurations and vulnerabilities that could lead to a compromise, and these don’t tend to be caught by the typical vulnerability scanner.
Pen testers are there to help. Many businesses see preparing for a pen test as preparing to either succeed or fail as a security team. But that’s not the approach that’s most conducive to a good test. What we should be trying to accomplish in pen testing is to have a known party find these vulnerabilities for you. You want them to find all of your vulnerabilities; you want them to find attack paths that could be abused. If we do not find them on our side, an attacker will, and the attacker is not going to have the same mindset that we have when we approach it. They are going to be looking to cause damage. They’re going to be looking to exploit those systems to extort anything they can get from you or bring you down.