By now, most of us are familiar with the “WannaCry” ransomware attack. This attack exploited a weakness in Microsoft's Windows operating system to encrypt files and render computers useless until the demanded ransom was paid.
Keeping your network safe is a tall task that requires controlling all endpoints and workflows interfacing with the network, while understanding their configuration specifications and the unique patterns of normal as well as abnormal network behavior. Because of the difficulties involved in this, some degree of insecurity has always been accepted and taken for granted within medical operations.
However, the WannaCry attack served as a huge wake up call, forcing decision makers to carry out a wholesale review of their cybersecurity posture and to reconsider what they deemed "acceptable risk."
In light of this cyber awakening, many healthcare organizations have committed themselves to taking a much more aggressive approach to defense. Apropos of that commitment, this blog post will cover one of the most critical ways that hospitals can protect electronic Protected Health Information (ePHI) and make their networks and critical assets more secure.
Let’s Talk About Passwords
Passwords prevent unwanted visitors from accessing your virtual properties. When passwords are weak or easy to find/guess, you lay out a welcome mat, inviting intruders into your digital domain.
As more and more medical devices are connected to the Internet, hospital IT managers are struggling to keep up with stringent password policies, and as a result, many devices are left exposed.
One need only look at the growing number of ICS-CERT alerts that have been issued recently, warning of broad medical device vulnerabilities. Most of these alerts pertain to devices with default passwords that could be used by unauthorized individuals to access and potentially modify critical settings and firmware on these machines.
It should go without saying, but in the interest of being perfectly clear I'll risk stating the obvious: passwords are key to HIT network and medical data security. Better password management offers maximal impact for minimal effort. In fact, it's the absolute lowest hanging fruit for most healthcare operations intent on shoring up their cyber defenses.
So what exactly are the best practices for password management? It's a simple question and it deserves a simple answer.
User names and passwords (together referred to simply as "credentials") should be created by the device owner and consist a combination of letters (ideally in both upper and lower case), numbers, and symbols. If that string of characters can be random and meaningless, even better.
Unless you and your team are droids from the planet M4-78 that commit everything to memory, you're recording your credentials somewhere for reference. It's important that user names and passwords be stored out of public reach and shared only with duly authorized parties. (You should be vigilant, double checking the legitimacy of any request for you to share or even key in your credentials.)
Finally, you'll need to monitor the integrity of your credential storage system and the network as a whole. If either one is compromised in any way, you will need to change all your passwords immediately. Unauthorized access to your network, or even a single password, can potentially lead to a domino effect that exposes every endpoint and password.
On the flip side, if you abide by password management best practices, the chances of a successful password-based attack are negligible.
Maintaining good password management isn't very complicated. Despite this, in the context of a complex healthcare operation using thousands of devices each with its own passwords, good password management is seldom present across the board. With a shared digital infrastructure, there is a short distance to travel between insecurity anywhere to insecurity everywhere. That's why passwords are something you should probably be more passionate if not militant about.
When auditing your organization for proper password practices, it's often more helpful to look for what's being done the wrong way than it is to make sure that everything is in fact being done the right way. You can quickly scan over the whole body of evidence searching for what stands out rather than inspecting each grain to make sure it stands in line.
Indeed, the most common mistakes when it comes to bad passwords and poor password management practices break down into three basic categories. These are as follows:
1. Hard-coded credentials
2. Default credentials
3. Weak credentials
Passwords belonging to any of the above three classifications swing the door wide open to a successful attack.
But even strong passwords can be compromised. A hacker can use “social engineering”, for example, to trick you into handing over your credentials. Or he might resort to “brute force” — rapidly and systematically running through possible password combinations until stumbling onto your actual password. It's important to remember though that these techniques take a lot of time and effort and may not even work.
Since there's no shortage of softer targets, (i.e. poorly managed passwords) there's little reason for hackers to use those tactics. It makes a lot more sense to look for and attack network endpoints protected by default or easy to guess passwords. These attacks can be carried out quickly, without need for advanced hacking skills, and with great success rates.
Pesky Password Problems Pervasive
It's worth repeating that poor password management is not a small problem for hospitals and clinical networks. To the contrary, it's pervasive. Practically every hospital has at least some networked assets still configured with default passwords.
Even more concerning, it is not uncommon for devices to be pre-configured with network services that use default passwords. Sometimes these devices can work without network services, but even still, it's important that IT be aware of this potential line of network connectivity. Usually, they are not.
This creates an even larger vulnerability. Examples of such network services include:
- Web servers (programs using HTTP to present requested web pages)
- File Transfer Protocol (FTP)
- Telnet (used for remote device control)
- SQL server (Microsoft's relational database management system)
Having a default password in place for any one of your many devices' many network services can make the device and the whole network vulnerable.
Scott Erven presented the world with some potent examples of this type of vulnerability in his presentation at 2014's “Shakacon IT conference”. Erven discovered 30 different high severity vulnerabilities in GE medical devices. Some of these enabled remote root access over Telnet and FTP, while others exploited hard-coded or altogether absent passwords.
According to Erven, the most common GE medical device passwords proportionately reflected in this word cloud grant login access 85% of the time.
After the conference, the individual vulnerabilities were documented and formally disclosed through an ICS-CERT advisory.
Passwords & the Bigger Picture of Medical Data Security
The risk exposure from these types of vulnerabilities is significant, but in most cases it's also easily avoided. There's simply no justification for taking shortcuts and assuming that everything will be fine when you're playing with other people's safety and security.
Over time, default passwords are naturally shared and make their way into the public domain. That's a fact. And it's neither the device manufacturers' fault nor their problem. It's incumbent on hospital administrators to be responsible and conscientious. You need to change default passwords as soon as you deploy the device or service that the password is meant to protect.
If you're using terminal servers from Lantronix, Digi, or Moxa, for example, the time to act is now. The default credentials for services run on those devices are readily available on the internet. It's the logical place to start for any hacker looking to launch an attack.
When it comes to motivating people to act, the promise of quick and easy "wins" typically instills the most get-up-and-go. As it pertains to medical data security, there is simply no quicker or easier "win" than that achieved through improved password management. Once that's taken care of — and only once that's taken care of — should you begin tackling some of the more enduring challenges of healthcare cybersecurity.