September/October 2021
CISA Report Sounds the Alarm on Cyber Threats
By Susan Chapman, MA, MFA, PGYT
For The Record
Vol. 33 No. 5 P. 16
A summary on vulnerability trends spotlights the cracks in health care organizations’ cyber defenses.
A mere pup on the federal scene, the Cybersecurity and Infrastructure Security Agency (CISA) was established about two years ago. “We’re the nation’s risk management advisor,” says Josh Corman, who leads CISA’s COVID-19 Task Force. “We provide cyber security and risk management to the whole federal government and 16 critical infrastructures. We’re not your regulator or law enforcement. We’re the fire department and the emergency medical technicians. We have taxpayer-funded services to help an organization when an event happens.”
The agency routinely authors publications, some of which are high-level summaries from public reports, which it issues through Health and Human Services (HHS) and other intra-agency organizations.
In April, CISA released a summary of “vulnerability trends based on data from 192 Healthcare and Public Health (HPH) Sector entities enrolled in Cyber Hygiene Vulnerability Scanning during [fiscal year 2020] and 33 Cybersecurity Assessments performed by CISA for HPH entities during” fiscal years 2019 and 2021. The four most common external cyber risks that the summary cited were phishing, out-of-date patches, unsupported software and operating systems, and poorly configured internet-accessible ports on systems and devices.
Phishing
Phishing involves malicious e-mails meant to entice recipients to click on a link, which then allows access to an individual’s or organization’s data. When carried out by phone, the practice is known as vishing, in which an unwitting individual may provide sensitive information, such as passwords, to a “threat actor.”
“In typical phishing, a threat actor sends an e-mail to a broad number of people, maybe millions, and anyone could fall for the scam,” explains Scott Wrobel, a partner at N1 Discovery. “Spear phishing is the type of phishing where these threat actors know who you are, and they are trying to get to you specifically. For instance, they know me, and they pretend to be someone else or someone I’m interested in and try to trick me or a whole company. It’s focused—not broad to the world—specific to a person or a group. Whale phishing is when a threat actor pursues a CEO or another high-level executive, such as the human resources director or the accounts payable director, because that person has a lot more information [at their disposal].”
According to the CISA summary, so-called remote penetration test teams were able “to bypass e-mail filtering controls to launch spear phishing in 96% of HPH assessments. In addition, [Phishing Campaign Assessments] for HPH entities had a 6.7% click rate and only a 1.5% report rate for phishing e-mails.”
Education is critical to prevent these types of external organizational threats. “You can significantly reduce the number of people who will click on a risky link through awareness training. If you do it right, you’re changing the company’s culture to be skeptical of questionable things. You’re trying to create a healthy culture to do what is right and safe,” notes Roger Grimes, a data-driven defense evangelist at KnowBe4.
By citing training and simulations as important mitigation tools, the CISA summary underscores Grimes’ recommendation.
Out-of-Date Patches
Much like a hole in a fence or a wall, software contains vulnerabilities that can potentially be discovered by threat actors. Patches are used to update an enterprise’s software to mitigate security risks. When it comes to patching an organization’s existing software, Grimes believes “the fundamental problem is that people are told that they have to fix everything, but they need to focus only on a few things better. Because they are so distracted, they’re not mitigating the vulnerabilities they need to worry about the most.
“That is the fundamental problem of computer security and risk management today. They are being told by source after source to be unfocused. For example, there are more than 18,000 new software and hardware vulnerabilities to worry about this year alone, but less than 2% of those are the ones you really have to worry about. The vast majority don’t even have exploit code associated with them and only 2% actually end up being used against anyone.”
Grimes notes that organizations may be flagged for a violation, such as lack of disk encryption, even though failing to patch a vulnerability that can be exploited remotely is far riskier.
“The majority of health care organizations that try to do all the patching by themselves always wind up getting behind. They don’t always know which patches are good and which ones will complicate their systems,” Wrobel says. “For instance, if Microsoft says to download these patches but you have proprietary software, you don’t know how the latter will react. Adding to that, IT departments are overwhelmed. For smaller enterprises, they don’t have time. Our recommendation is that they look for a reputable, security-minded service provider to do the patching for them. They do it for thousands of clients and test the patches before they release them. They start with the most vulnerable ones and know the right vulnerabilities to patch.”
Robert LaMagna-Reiter, a vice president and chief information security officer at First National Technology Solutions, believes that the problem with patching—as well as with the other critical cyber risks in the CISA summary—stems from something much deeper.
“You have to know the users and how the business operates,” he says. “The challenge is that no one can really agree on how the work gets done, where the data are. That, at its core, is the issue. We need a standard process operationally, as well as folks who know where that information is supposed to reside. You can patch what you know, but you can’t patch what you don’t know. In my experience and opinion, it’s critical to get down to the basics—understand how the different business units interact and how the work gets done.”
Unsupported Software and Operating Systems
Threat actors often exploit vulnerabilities in unsupported software and operating systems. “Very often, unsupported software and operating systems lead to patching issues. So, those two critical issues are frequently linked,” Grimes notes.
“Many organizations don’t budget to upgrade their systems, and those systems are not supported anymore, like Windows 7 and XP,” Wrobel says. “So, it’s easy to get into those. Because they aren’t supported, the vendors won’t help when a vulnerability is exploited.”
Despite the risks, many enterprises continue to use unsupported software. “It could be because an application or a critical business process hasn’t been updated to take advantage of a new application,” LaMagna-Reiter says. “Or a small hospital is content with what they have. If the older software supports a core business operation, you can’t separate from it easily and readily.
“Organizations don’t know what they don’t know,” LaMagna-Reiter adds, underscoring his assertion that health care enterprises need to look more deeply into their processes in order to mitigate critical cyber risks. “Some of these organizations think they might have replaced all of the OS [operating system] and applications, which include medical devices that may not be patchable. If it’s not broken, they won’t fix it.”
LaMagna-Reiter believes that it’s difficult to quantify and communicate this type of risk. “There are solutions that are as simple as an endpoint installation. It won’t protect the application, but it will protect the operating system,” he says. “In addition, by limiting the communication to the unsupported or unpatched devices, you can reduce the likelihood that malware can communicate with them. But you have to know what you have in order to apply those compensating controls. Miscommunication may keep things from being updated.”
Staff resistance to change could be another contributing factor that keeps some health care organizations from updating their software and operating systems. “That then falls to leadership to either be the teacher, or even be forceful, to implement change for the better of the organization and the patients they serve. We have to enable people to be successful. We have to have the patients’ well-being at heart,” LaMagna-Reiter says. “Individuals have to bridge disparate groups and bring them together, which is difficult while you’re also trying to save patients. However, the long-term ramifications of not doing that are critical.”
Poorly Configured Internet-Accessible Ports
Regarding poorly configured internet-accessible ports, the CISA summary states, “Potentially vulnerable risky services, like File Transfer Protocol (FTP), Remote Procedure Call (RPC), and Remote Desktop Protocol (RDP), that are exposed to the internet present possible entry and escalation points for attackers.” The agency recommends “[e]ntities . . . restrict, secure, and patch potentially risky services exposed to the internet and assess their legitimate business use cases.”
Wrobel explains this issue and a corresponding mitigation recommendation. “Every company should have a firewall, which is the ‘front door to the building.’ But when someone buys a firewall, turns it on, and doesn’t know how to configure it properly, there are a lot of holes in it,” he says. “A major software company will sell products that make things faster and more convenient, but not more secure with its default settings. On the firewall, there are ports that you’re hooking into your network that must be configured properly. There are rules that you can apply that act as your front-door security guard. Your security guard should know whom to trust. But when you have a firewall with a wide-open port with no controls, hackers walk right in. Companies may also temporarily open the firewall to bring in new software and then forget to lock it down.”
“You can craft your firewall rules more intelligently,” LaMagna-Reiter adds, “giving you the ability to detect if something inside your organization is talking to someone outside or on the internet.”
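The review this section describes can be run as a simple audit of a firewall's inbound rules. The sketch below is an added example, not code from the CISA summary or from anyone quoted in this article: it flags allow rules that expose FTP, RPC, or RDP to any source address, and temporary rules left open past their expiry date. The rule schema, the sample rules, and the default port numbers are assumptions made for illustration, and rule ordering is not modelled.

```python
from datetime import date
from ipaddress import ip_network

# Services the CISA summary names as risky when internet-exposed (default ports).
RISKY_PORTS = {21: "FTP", 135: "RPC", 3389: "RDP"}

# Constructed sample rule set (hypothetical schema, not any vendor's export format).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "ports": (443, 443), "expires": None},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "ports": (3389, 3389), "expires": None},
    {"id": 3, "action": "allow", "src": "203.0.113.0/24", "ports": (21, 21), "expires": date(2021, 6, 30)},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "ports": (1, 65535), "expires": date(2021, 3, 1)},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "ports": (135, 135), "expires": None},
]

def is_any_source(cidr):
    """True when the source covers the whole address space (IPv4 or IPv6)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def audit(rules, today):
    """Return (rule id, finding) pairs for inbound allow rules that need review."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        low, high = rule["ports"]
        # A port range counts as exposing a service if the service port falls inside it.
        exposed = [name for port, name in sorted(RISKY_PORTS.items()) if low <= port <= high]
        if exposed and is_any_source(rule["src"]):
            findings.append((rule["id"], "internet-exposed: " + ", ".join(exposed)))
        # Temporary openings that were never closed again.
        if rule["expires"] is not None and rule["expires"] < today:
            findings.append((rule["id"], "temporary rule past expiry"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES, date(2021, 9, 1)):
        print(f"rule {rule_id}: {finding}")
```

Each finding is a prompt to check whether the service has a legitimate business use, and if it does, to restrict the source addresses rather than leave the port open to the internet.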
The Four Cyber Risks and Ransomware Attacks
Ransomware attacks on health care organizations are a viable threat and an ongoing problem, one Coleman describes as “the punchline of a bad joke.”
Initially, these attacks took place when threat actors accessed an enterprise’s system, encrypted the data, and demanded payment to release the information back to the organization. However, ransomware attacks have grown more sophisticated. “When hackers get into a system now, there is rarely ransomware for ransom only,” Wrobel explains. “Now, they get into the system and launch a whole bunch of malware, or ‘robots,’ looking for anything they can grab. When they’re done stealing everything, they launch the encryption. They have the data and have encrypted the system. If your organization is encrypted, it’s very likely the threat actors did everything they could to steal your data, personal records, large Excel spreadsheets, anything they can sell.”
Yet, according to Wrobel, once the ransom is paid, threat actors typically honor what they say they will do. “They typically won’t post the information on the Dark Web, and they may not give it away for free because they don’t want to ruin their reputations. If they were to do that, then no one would pay them in the future,” he says. “To threat actors, it’s business. Most of these companies are not in the US and have different rules. All the money is based on cryptocurrency, which is unregulated, and they may have shell companies to handle their money in some cases.”
According to Corman, the pivotal ransomware event occurred in 2016 at Hollywood Presbyterian Hospital, which was infiltrated by the SamSam virus. “That attack launched a feeding frenzy due to the hospital’s being target rich/cyber poor, and they had the money to pay,” he says. “The United Kingdom was hit with a ransomware attack about four years ago that affected about 40% of UK health care for that week. Other target rich/cyber poor industries got hit after that, including public school systems.”
During 2020, CISA, HHS, and the FBI issued a joint warning that there was a threat to multiple hospitals in the United States. “It got even more intense after the pandemic,” Corman says. “Attacks early in the pandemic were on health care delivery and nursing homes, as well as PPE [personal protective equipment] and ventilators. Toward October, that was the crescendo. This year is significantly worse than last year. All those seams and cracks that we have identified were further stressed during the pandemic.”
Still, CISA recommends not meeting the demands of threat actors. “We recognize organizations hit by ransomware are in a difficult position, but strongly discourage organizations from paying ransoms. Ransomware is an epidemic causing significant harm to American businesses and critical infrastructure, and paying ransoms only encourages this malicious activity. Further, paying a ransom provides no assurance that the victim’s data will be restored. We urge organizations affected by ransomware to contact law enforcement immediately and to contact CISA if incident response assistance is needed. The best way to protect against ransomware is to strengthen basic cyber hygiene and to urgently implement critical practices outlined in CISA and the FBI’s recent Joint Advisory.”
How CISA Can Help
“There is a security poverty line, as coined by Wendy Nather, and there are many organizations that live below the security poverty line. Health care has many that do,” Corman says. “There are the haves and the have-nots in this industry. Eighty-five percent of health care organizations do not have the resources to address some of these vulnerabilities. It’s a key service to identify and buy down risk for these resource-poor organizations. It gives us a broad longitudinal look for patient care.”
The information in CISA’s reports is anonymous and cannot be linked to the private sector. Therefore, Corman encourages organizations to avail themselves of CISA’s capabilities. “We have to be trusted and trustworthy so that organizations can get the help they desperately need without fear of consequences. This is how we can get beneficial information to the industry,” he explains. “We call it ‘cyber hygiene,’ which is vulnerability scanning on public-facing IP addresses for the health care industry. We want to spot new known vulnerabilities so that your enterprise can mitigate them. We do it across all 16 sectors and the federal government, which gives us good analytics. This allows us to spot anomalies as well. There was a drop over the summer, for instance, in patch work, because people were working remotely. We can spot things that are unique to a sector or across sectors. In that report are free services, antiphishing exercises, penetration tests—when someone is actively trying to use a common attack tool. We have more exotic services as well. Those give us some insight into the vulnerability in that sector relative to others. That informs if we need to add services or add more capacity for existing services.”
Many of CISA’s services are preventive, or “left of boom,” and some are designed for after an event has occurred. “For example, if you’re one of three manufacturers of the COVID vaccine and one gets compromised, we hunt for the threat to the other two,” Corman says. “It’s hard to invent a backup after harm. We can create partnerships to help after the fact. Some of it is preventable, and some is the autopsy. Can we trace it to a vulnerability in your virtual private network? We can also give guidance on segmentation isolation so that the whole hospital does not shut down, or on how to make security upgrades and implementations that have not been done yet.
“These events are not just a lapse in judgment,” Corman continues. “They’re security gaps for these target rich/cyber poor organizations. We want to help these resource-poor organizations stay resilient for the remainder of the COVID pandemic and beyond.”
— Susan Chapman, MA, MFA, PGYT, is a Los Angeles–based freelance writer and editor.