Nov 01 2023

Attack Surface Management: Visibility in an Era of Evolving Risk

Healthcare organizations must develop better visibility into their internet-connected assets and networks to ensure their attack surfaces are adequately protected.

The digital transformation healthcare providers are undergoing requires them to keep sensitive data, like protected health information, secure across an expanding surface of touchpoints and cloud-connected networks.

The high rate of publicly exposed data environments, which are often misconfigured and vulnerable, gives attackers an opportunity to establish a foothold in the organization’s network.

This can lead to data breaches, unauthorized access or even medical device failures. To guard against these risks, healthcare organizations must ensure they are implementing adequate attack surface management measures.

Attack surface management focuses on continuously identifying, monitoring and managing all external, internet-connected assets to find potential attack vectors and exposures.

A recent report from Palo Alto Networks found cloud-based IT infrastructure is in a constant state of flux among healthcare organizations as they often add or change cloud services.


Visibility Needed to Protect Health IT Networks

Nearly 50 percent of high-risk, cloud-hosted exposures in a given month were observed on newly introduced services not present on their organization’s attack surface in the month prior, according to the report.

Matt Kraning, CTO of Cortex at Palo Alto Networks, says without continuous visibility, it is easy to lose track of accidental misconfigurations and the steady spread of shadow IT within an organization.

“Without needing information from companies, what Cortex Xpanse is able to do is look at the internet as an attacker would and figure out all of the systems a company has online — not just the ones they know about,” he says. “Then we determine which ones are vulnerable to exploitation.”

Kraning explains that it’s foundational for healthcare organizations to have continuous visibility over all of their IT assets.

“Without complete, current and accurate visibility, all your reporting, all of your security technologies are not protecting all of your organization, they’re only protecting the parts you know about,” he says.


He points out there is a broad variety of medical technologies and medical IT that gets deployed.

“Networked computing devices that are specific to the medical industry — such as equipment directly hooked up to patients, or medical imaging servers — tend to not be directly deployed on the public internet, especially for larger and better funded organizations,” Kraning notes.

However, there are multiple IT systems, including medical administration systems, that modern healthcare providers use to run their businesses.

That’s where Kraning sees the highest risk: through these systems, which are less directly centered on patients, attackers can break in and eventually gain access to more sensitive systems containing patient data.

The risk lies not in the system that directly houses, for example, all patient imaging and all electronic medical records, but instead can be found in what Kraning calls “side doors,” through which attackers can enter the network.

“Once they’re on the inside, they will move laterally and get into these more sensitive systems,” he explains. “For the healthcare sector in particular, there are a lot of these side doors that attackers know how to take advantage of.”

The Importance of Getting Health IT Basics “Right”

Kraning says very few organizations can track everything they have centrally. This is especially true for a large multiregional hospital network.

“They’ve grown through acquisitions, and when you do acquisitions, there will likely be redundancies and reductions of IT staff,” he says. “If you had a large hospital with a substantial IT staff, they were probably tracking a fair amount of IT services, but usually this entire enterprise process is done at a static point in time through spreadsheets and email.”

When most of those people are let go, he says, that knowledge often goes with them. The enlarged organization likely will never know where all the IT is located or what its current state is, and it “definitely” is not going to be tracked in a central way.

“Therefore, over time, old systems don’t get recognized as such, and if companies have security policies and technologies, they might be deployed on only 60 percent of their assets because they didn’t know about the other 40 percent,” Kraning says.


What became apparent through the Palo Alto report, he explains, is that the attack surface management failures begin with many of the more standard “nuts and bolts” IT management strategies on which any organization must focus.

“For organizations as important as healthcare, you need to get the IT basics right,” he says. “I think they get a lot of the medical IoT basics done quite well with respect to not being directly exposed on the internet. But, unfortunately, they’re giving the attackers a side door because a lot of the IT basics are not being taken care of.”

From Kraning’s perspective, the most important steps a healthcare organization can take are, first, improving visibility over all networks and potential access points, and then prioritizing remediation, which means developing systems for scoring risk severity and determining when something is vulnerable.

“Not only do you need continuous visibility over all your assets, but you also need the ability to remediate quickly and understand what you have and if it’s vulnerable,” he says.
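One way to operationalize those two steps, as an added example that is not from the article or from any Palo Alto Networks product: a Python snapshot diff that compares two monthly external-asset inventories (constructed here), separates newly seen exposures from previously known ones, computes the share of high-risk exposures sitting on new assets (the metric the report cites), and orders a remediation queue by severity with untracked new assets first. The `risk` label is an assumed severity output from whatever scanner feeds the inventory.

```python
# Added example (not from the article or Palo Alto Networks): diff two
# monthly external-asset inventories and prioritize remediation.
from dataclasses import dataclass
@dataclass(frozen=True)
class Exposure:
    host: str      # hostname or IP of the internet-facing asset
    port: int
    service: str   # e.g. "rdp", "smtp", "s3-bucket"
    risk: str      # "high" / "medium" / "low"; assumed label from the scanner

# Constructed sample inventories: last month's and this month's scan results.
LAST_MONTH = {
    Exposure("vpn.example-hospital.test", 443, "ssl-vpn", "medium"),
    Exposure("mail.example-hospital.test", 25, "smtp", "low"),
    Exposure("old-portal.example-hospital.test", 80, "http", "high"),
}
THIS_MONTH = {
    Exposure("vpn.example-hospital.test", 443, "ssl-vpn", "medium"),
    Exposure("old-portal.example-hospital.test", 80, "http", "high"),
    Exposure("203.0.113.7", 3389, "rdp", "high"),                      # new
    Exposure("backups-bucket.example.test", 443, "s3-bucket", "high"),  # new
    Exposure("dev-api.example-hospital.test", 8080, "http", "medium"),  # new
}
SEVERITY = {"high": 3, "medium": 2, "low": 1}

def asset_key(e):
    return (e.host, e.port, e.service)

def diff_surface(previous, current):
    """Split this month's exposures into new and persisting; list retired ones."""
    prev_keys = {asset_key(e) for e in previous}
    cur_keys = {asset_key(e) for e in current}
    new = [e for e in current if asset_key(e) not in prev_keys]
    persisting = [e for e in current if asset_key(e) in prev_keys]
    retired = [e for e in previous if asset_key(e) not in cur_keys]
    return new, persisting, retired

def share_of_high_risk_on_new_assets(previous, current):
    """Fraction of this month's high-risk exposures that sit on newly seen assets."""
    new, persisting, _ = diff_surface(previous, current)
    high_new = sum(e.risk == "high" for e in new)
    high_all = sum(e.risk == "high" for e in new + persisting)
    return high_new / high_all if high_all else 0.0

def remediation_queue(previous, current):
    """Order by severity, then new before known (new assets are least likely tracked)."""
    new, persisting, _ = diff_surface(previous, current)
    tagged = [(e, "new") for e in new] + [(e, "known") for e in persisting]
    tagged.sort(key=lambda t: (-SEVERITY[t[0].risk], t[1] != "new", t[0].host))
    return [(asset_key(e), e.risk, tag) for e, tag in tagged]
```

Run against real scanner output, the same diff shows which exposures appeared since the last snapshot and which old ones quietly disappeared, which is the continuous-visibility question the article raises.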
