Cyber-security Threats in a High-growth Environment
Due to our high-growth healthcare environment, we face pronounced cyber-security challenges. We have grown from about 500 users to over 5,000 users in less than 36 months. During that process, we also did an IPO, and are therefore subject to Sarbanes-Oxley (“SOx”) and other regulations such as HIPAA. Managing our cyber-security threats in this environment has proven a challenge. It’s a job that’s never done, and we’re constantly trying to improve our situation and readiness.
Our biggest challenge remains end-user awareness and training. Due to the sheer number of new employees, even if we do a great job with cyber-security awareness, communication, and training, there are dozens of new employees every week who have not heard our message. Our most effective approach has been to integrate some cyber-security awareness and training into the employee onboarding process. However, this is just an introduction to the very basics, and continual reminders and messaging are required to keep security top-of-mind.
Identify, then Prioritize Threats and How to Mitigate
It sounds simple: identify, then mitigate, security risks in order from most likely to least likely, using a traditional weighted scoring method of “likelihood multiplied by potential impact.”
I have found that in our environment, we have three primary threats:
1) End-user cyber-security awareness and training
2) Securing mobile/BYOD device and remote access
3) Finding and retaining the right security resources
User awareness and training were discussed in the previous section, but two other important areas are Bring-Your-Own-Device (“BYOD”) and/or mobile devices, and finding the right blend of internal and external security experts and resources.
Users expect consumer-level ease of access to enterprise data, email, and documents, on any device they want, anywhere, any time. Balancing this with proper security requires certain boundaries, and sometimes we have to say “no” to user requests, such as use of USB or other removable storage media, and we tightly control access to cloud-based storage such as Dropbox, Google Drive or similar.
Finding the right balance of security resources is difficult. Due to the high demand in the industry and the constantly changing security landscape, we have found it best to have a very small team directly managing cyber-security and to utilize outside resources/contractors that have the most up-to-date skillsets and knowledge. They also have the benefit of seeing many other organizations, how they approach cyber-security, and what works and what does not, which helps us learn from the mistakes or misfortunes of others.
There are not enough experienced cyber-security professionals to fill demand, according to a study of US Bureau of Labor Statistics by Peninsula Press, a project of Stanford University Journalism.
This shortage is unlikely to be resolved in the next three to five years, so for smart people looking for a good career path, that is one I would recommend.
Changing Security Landscape
Traditional signature-based products, such as anti-virus, real-time scanners, etc., still have a place, but the latest “bot-kits” and similar tools available to hackers make products based on a signature architecture less and less effective over time, and leave them subject to so-called “zero-day” exploits, where no “signature” has yet been developed for a new threat.
To combat this, we use a multi-tiered architecture that includes some signature-based solutions at various levels. We utilize geo-blocking of certain websites and known bad actors, and we severely limit users’ ability to download and install apps, especially with escalated privileges. In certain cases, with mission-critical radiology equipment for example, we completely remove internet access from those devices. This may not work in all organizations, but we take a “security first” perspective, and try to educate our users on why we are doing so.
To balance the security vs convenience formula, we provide more open “guest wifi” and encourage our users to bring their own personal device for general/personal web browsing activity. We typically have these guest wifi circuits terminated to a dedicated and completely separate firewall and internet circuit, so that if there is an issue, it is physically isolated from our internal enterprise network traffic.
Distributed Denial of Service (“DDoS”) and botnet attacks such as Mirai present an interesting problem, with significant barriers to resolution. Given recent DDoS outages at several big-name websites, it is clearly very difficult to deal with these types of attacks successfully and quickly. Some of these DDoS attacks were a result of “baked in” vulnerabilities on Internet of Things (“IoT”) devices, which offer limited ability/interest/method to patch due to how their firmware is installed and their sometimes limited connectivity options.
Next Steps to Mitigate New Threats
We have taken some aggressive steps to mitigate certain security concerns, such as using thin-client technology for most of our users (as opposed to PC’s or laptops with local operating systems and storage), and leveraging centralized/remote-desktop/Citrix-style end-user computing environments. This reduces the “surface area” of potential attacks and vulnerabilities, and allows all of our users to benefit from centralized, quickly-deployed security updates and other efforts.
Another approach, which we are just in the early stages of researching and hope to deploy soon, is user-behavior modeling products. These products measure, analyze, and profile user behavior, and then identify and highlight unusual behavior. For example, if an average accounting user opens/updates/touches 15 to 20 network-based files in a day, but you have one user that accessed 500 files in one day, that might be cause for concern and/or further investigation; the user may be copying files for an illicit purpose, or there may be a very valid reason for that behavior.
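The accounting example above can be sketched as a peer-group baseline check. This is an added illustration, not the logic of any product mentioned in this article; the CSV log layout, the user names, and the modified z-score cutoff of 3.5 are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from statistics import median

def constructed_log():
    """Constructed sample: CSV lines of day,user,department,path (not real data)."""
    daily_files = {"alice": 15, "bob": 18, "carol": 20, "dave": 17, "erin": 500}
    lines = [f"2024-03-04,{user},accounting,/finance/doc_{i:04d}.xlsx"
             for user, n in daily_files.items() for i in range(n)]
    # Re-opening the same file repeatedly must not inflate a user's count.
    lines += ["2024-03-04,alice,accounting,/finance/doc_0000.xlsx"] * 30
    return "\n".join(lines)

def distinct_files_per_user_day(log_text):
    """Return {(department, day, user): number of distinct paths touched}."""
    seen = defaultdict(set)
    for day, user, dept, path in csv.reader(io.StringIO(log_text)):
        seen[(dept, day, user)].add(path)
    return {key: len(paths) for key, paths in seen.items()}

def flag_outliers(counts, threshold=3.5):
    """Flag user-days far above the department baseline (modified z-score)."""
    by_dept = defaultdict(list)
    for (dept, _day, _user), n in counts.items():
        by_dept[dept].append(n)
    flagged = []
    for (dept, day, user), n in sorted(counts.items()):
        med = median(by_dept[dept])
        # Median absolute deviation is robust: one heavy user barely moves it,
        # whereas a mean/standard deviation baseline would be dragged upward.
        mad = median(abs(x - med) for x in by_dept[dept])
        if mad == 0:
            # Peers are identical: fall back to a multiple of the median.
            unusual, score = n > 3 * max(med, 1), None
        else:
            score = round(0.6745 * (n - med) / mad, 1)
            unusual = score > threshold
        if unusual:
            flagged.append((user, day, n, med, score))
    return flagged

if __name__ == "__main__":
    counts = distinct_files_per_user_day(constructed_log())
    for user, day, n, med, score in flag_outliers(counts):
        print(f"{day} {user}: {n} files (department median {med}), score {score}")
```

A flagged row is a prompt for review rather than a verdict, since the same count can come from a legitimate task such as a quarter-end close.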
We try to learn from others’ mistakes and misfortunes, as well as thought leaders in the industry. Several of our partner healthcare systems, for example, utilize user-profiling and modeling products to identify potential internal threats or users doing unusual activities. We try to communicate and learn from these partners and others, so we can leverage their experiences to improve our security situation.