Changing the cyber-security culture

Your Governments, Hospitals and University are failing you

It is no secret that ransomware and denial-of-service attacks make headlines when it comes to local government and hospital cyber-security, but internal cultural and technological vulnerabilities are often more to blame for an ongoing cycle of utility and healthcare data breaches.

Ransomware and malware attacks continue to plague Texas local governments, hospitals and institutions, scoring frequent and disruptive hits. Internal data breaches are commonplace. Risk-laden network links with external agencies and partners abound. Security weak spots are discovered in legacy systems and new applications alike. In particular, clinicians working around medical device security protocols expose chinks of vulnerability in the IoMT (Internet of Medical Things).

Like Roll-Call, anyone building a picture of the state of cyber-security in government or healthcare globally would struggle to find encouragement for the beleaguered city or hospital CIO, with many organizations apparently unable to break out of a reactive cycle and shift to more proactive defense strategies.

Staggering and bold statistics do little to improve the anecdotal picture. In April, the U.S. Department of Health and Human Services reported 44 healthcare data breaches for the month, a record. The fact that the number of individuals affected fell by 29% from 963,794 to 686,953 compared with March was not exactly grounds for optimism, given the potential scale of the impact and the numerous lives destroyed in the wake of the breaches. 

“Cyber risk and privacy management specialist IT Governance” publishes a monthly blog of data breaches reported worldwide. The healthcare sector is well-represented and while these lists are a litany of phishing, ransomware and distributed denial-of-service (DDoS) attacks, they are also peppered with more banal cyber-security failures that hint at the cultural challenge of managing risk in many institutions. These range from unauthorized employees accessing patient records to coding errors that unwittingly expose records directly to the internet. 

Your health dollars hard at work

The June post referenced the accidental sharing of 37 patients’ email addresses in an invitation to a support group distributed by NHS Highland. Meanwhile in New York state, a member of the Independent Health Insurance company was emailed documents containing personal information on more than 7,600 fellow members. And a web advertising company helping law firms sign up possible clients exposed 150,000 records from an unsecured database, containing personal details of accidents, injuries and illnesses.

Your tax [theft] dollars hard at work

Also very high on the list provided by “Cyber risk and privacy management specialist IT Governance” are US-based local and state governments. It is no secret that Roll-Call has been dealing with the fallout of the latest breaches of Texas governments. Investigations of these breaches reveal significant shortcomings that include (but are certainly not limited to):

  • a litany of policy failures;

  • severe lack of governance or taxonomy;

  • aging and unsupportable legacy software and hardware;

  • incompetent IT staff or no IT staff at all;

  • misappropriation of funds slated for IT services;

  • incompetent government officials;

  • criminal behavior and intent among officials;

  • staggering lack of training;

  • and general internal complacency among government employees.

In August of 2019 the Texas Department of Information Resources (TDIR) was tasked with an emergency disaster recovery mission when nearly 23 (official report) state and local agencies were the victims of a coordinated ransomware attack that went off without a hitch. The TDIR refused to release the names and locations of the government agencies affected by the malicious breach. Roll-Call investigators were able to determine all of the affected agencies, including the Round Rock Independent School District, the city of Lampasas and the Texas Department of Health and Human Services, to name a few.

SODINOKIBI [.JSE strain] Ransomware blamed for incident

Initially, Roll-Call learned from a local source that the ransomware that infected the networks of the 23 local Texas governments encrypted files and then added the .JSE extension at the end.
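The renaming behaviour described above (original extension kept, .JSE appended after it) is something a defender can look for on file shares. The following is an added example, not Roll-Call's tooling; the file listing and the alert thresholds are constructed for illustration.

```python
"""Flag directories showing the .JSE-appended-suffix pattern described above.
Added example with a constructed listing; thresholds are assumptions."""
from collections import defaultdict
from pathlib import PurePosixPath

RANSOM_SUFFIX = ".jse"
ALERT_RATIO = 0.5   # assumed: flag a directory once half its files carry the suffix
MIN_FILES = 3       # assumed: ignore tiny directories to reduce noise


def is_appended_suffix(path: str) -> bool:
    """True when the last suffix is .JSE AND an original extension survives before it.
    A plain 'login.jse' (a legitimate encoded JScript file) is not a hit."""
    suffixes = PurePosixPath(path).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() == RANSOM_SUFFIX


def flag_directories(paths):
    """Return {directory: (total_files, hit_count)} for directories over threshold."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for p in paths:
        d = str(PurePosixPath(p).parent)
        totals[d] += 1
        if is_appended_suffix(p):
            hits[d] += 1
    return {d: (totals[d], hits[d]) for d in totals
            if totals[d] >= MIN_FILES and hits[d] / totals[d] >= ALERT_RATIO}


# Constructed sample listing: one share hit, one untouched, one legitimate .jse script
SAMPLE_LISTING = [
    "/shares/finance/budget.xlsx.JSE",
    "/shares/finance/payroll.docx.JSE",
    "/shares/finance/notes.txt.JSE",
    "/shares/finance/readme.txt",
    "/shares/hr/handbook.pdf",
    "/shares/hr/policy.docx",
    "/shares/hr/onboarding.xlsx",
    "/scripts/login.jse",
]

if __name__ == "__main__":
    for directory, (total, hit) in flag_directories(SAMPLE_LISTING).items():
        print(f"ALERT {directory}: {hit} of {total} files carry an appended .JSE suffix")
```

Run against a real share listing, the per-directory ratio separates a mass rename from the odd legitimate .jse file.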

We would like to note that Verizon’s 2019 Data Breach Investigations Report underlines the extent to which, when it comes to managing cyber-security risk, internal processes and policy enforcement failures (59%) are more likely than external threats (42%) to leak data. Despite this, leading cyber-security experts suggest there is cause for cautious optimism in the way some hospitals are building more proactive strategies despite their self-imposed complex culture and technological shortcomings.

Signs of progress

George Sprague, co-founder and Chief Information Security Officer at Roll-Call Security & Communications (Roll-Call), says a number of the privately held healthcare clients in San Antonio and Austin, Texas have made significant cultural adaptations and now do a much better job of cyber-security management. But this is not something that can be solved overnight by throwing more people and resources at it, despite the overwhelming government mentality to spend, spend, spend.

Scott Scheidt, the Chief Cyber Strategy Officer at Roll-Call also noted that many of the universities that have approached him show signs of changing internal policy and methods to be more effective at preventing internal threats from causing leaks and breaches.

Sprague advocates recruiting people specifically to build sustainable programs that will help an institution move away from an infrastructure riddled with missing patches and misconfiguration. A more frequent patch management program for applications and systems is a core recommendation, alongside enhanced – and enforced – multi-functional password management. He says it is also vital for IT leaders to have two very critical things. First, they must be trained properly and follow core guidelines set forth by subject matter experts. Second, they need high visibility into their infrastructure, with comprehensive log management.

A very long way to go

Brandin Lea, founder of Roll-Call and its Chief Executive Officer, stated that although there are signs of hope in healthcare and other private sector institutions, he sees no light at the end of this tunnel for governments. Lea noted that the rise of the US Army’s Cyber Command and Futures Command in Austin, TX was a blessing and that the US defense strategy is taking cyber threats seriously. However, he resigned himself to say that state and local governments show no signs at all of wanting to make the changes needed to protect their own constituency.

Elliott Frantz, CEO of Virtue Security, has previously spoken of the cyber-security weaknesses caused by hospitals running unnecessary IT services and, in particular, the vulnerability of applications in their run-time state. He agrees that system visibility is crucial to seeing and understanding the risk level at any given time. Proactively aiming to reduce the hospital’s overall risk and exposure is, he says, a more effective strategy than what has often seemed the default setting – an ongoing game of “crushing ants”!

“These are such highly connected environments,” he says. “A lot of employees need access to a lot of systems – and this creates inherent risks. Traditionally, a hospital has wrapped technology around its business, leading to multiple segregated pieces. Instead, they need to use technology to solve security by design. The positive sign is that a lot of new network and virtualization technology is helping to create less exposed infrastructures.”

For Jason Gillam, CIO at Secure Ideas, the main issues to be addressed are often more cultural than technological. He points out that low-level attacks and breaches are particularly successful – and do not necessarily require sophisticated high-tech solutions.

Soft [Easy] Targets

At the end of the day, history shows the threats themselves remain relatively unchanged, and industries like healthcare, education and the public sector are soft targets made softer by the nature of "businesses" that have never considered themselves to be technology companies. This often leads to lax technical competence when it comes to cyber-security or, in the case of governments, the “who cares, we get paid anyway” mentality. Where a breach occurs because of an improperly configured server or database, it is generally because somebody did something at a relatively basic level without understanding the consequences for security.

Many have asked why would a hospital, university, school district or government office be an easy target? Why would they be a target at all?

The answer to both questions is simple and the same: guaranteed money. It is easy to imagine a team of professional “hackers” sitting in the basement of some dingy house hacking IBM or Wal-Mart, going after the big corporations to skim from the top like in the movies.

Simply stated, that is not very common. That is not to say that companies like Wal-Mart and IBM do not get hacked, because they do. The difference is that being profit motivated means they spend the time, effort and money to make their systems secure, and have policies in place to keep them that way. If they don’t do this they risk losing paying customers. A good example would be Target. These companies are hard targets: not impossible to hack, but often not worth the time or effort required.

Well, this article certainly shows the major reasons why these places are soft targets. But the more nuanced reasons are not always as easy to point out. The motive of money should be obvious. Any 12-year-old that watches a 1-hour video on YouTube can learn how to hack a school’s grade book system, the motive being that the kid wants better grades or money for giving other kids better grades. School districts notoriously have substandard legacy systems in place, and grade-book systems are some of the easiest systems in the world to compromise. Just ask any high school “computer geek.”

As for hospitals, the more subtle reasons they make such easy targets are the thousands upon thousands of technological invalids (also known as clinical staff) that march around demanding IT staff make it easier to manipulate patient data and easier for them to skirt cyber policies for reasons of personal convenience.

A very good example of this is the massive war that is raging within Baylor Scott & White (BSW), a once small hospital out of Temple, TX that has grown to juggernaut levels with your tax money. The relatively inexperienced IT staff and adolescent cyber staff within BSW are losing the war for proper cyber-security against the genuinely ignorant board of directors, who take their orders directly from know-nothing prima donna doctors who threaten to leave the hospital if software is not made easier for them to access.

In healthcare security, staff are taught above all else that life and limb are what matter. Given that, it makes sense that data and personal information are not always the top priority, and this drives what happens. A lot of activity that might be considered suspicious in any other industry is overlooked. We need to make a cultural shift from cyber-security as a compliance “check-box” to doctors treating the protection of their patients’ personal data as a priority. Maybe even putting the consequences of prison time or financial loss directly on the clinical staff responsible.

Government has so many levels it is tough to discern where one level starts and the other stops. This is a major vulnerability in the cyber world: it makes it easy for attacks to jump from one system to another. Walk into any city government office and it becomes plain to see why local governments are such soft targets. When the average age of a city council is 72 years old, it is highly unlikely they would know what a virtual machine is even if one jumped up and bit them in the rear end.

A good example is the major city and county governments in the State of Texas. Texas is notorious for the “good-ole-boy” policies of the political left, where they hire staff not based on expertise, knowledge of critical information or even skill sets pertaining to the position. Instead, government from the Austin City Council to Llano County fills these bureaucratic appointments with friends, non-blood family, investment partners or anyone they can benefit from. When the majority of the staff assigned to your IT department have no experience or knowledge of managing IT systems and security, it’s no wonder ransomware gets in.

Lea noted that there have been major advances in securing the world’s data infrastructure, but as fast as we secure our networks, adversaries find new ways into them. It is a constant battle that can only be won with proper policy, training and governance.