Treating the Root Cause: Security in Healthcare

Security is healthcare, and it’s apparent even in the language we use to describe malicious software. Viruses, worms and the like have long been examples of malware so-called because they propagate as disease, but more relevantly to us – they are also treated as such.

Symptomatic treatment is any medical therapy of a disease that only affects its symptoms, not its cause, i.e., its etiology. It is usually aimed at reducing the signs and symptoms for the comfort and well-being of the patient. In many diseases, even in those whose etiologies are known (most viruses such as influenza), symptomatic treatment is the only one available so far. And so largely, we’ve been doing the same thing in security. Firewalls stop intrusions, endpoint protection systems detect malware and sometimes attempt to remove it from systems, and incident responders do follow up investigations, often looking for the same malware on a different system, just to make sure the symptoms are gone.

Yet, the root causes of our conditions are well known. Josh Corman, Director of the Cyber Statecraft Initiative for the Atlantic Council, highlighted healthcare security as a critical issue as part of the Congressional Task Force on Cybersecurity . He shared five critical uncomfortable truths:

(1) Known Vulnerabilities Epidemic

Over 1,400 vulnerabilities in just one legacy medical technology. The sheer volume of vulnerabilities makes prioritization of the backlog an arduous, and often uncertain task; compounded by the difficulty of remediation in the healthcare space.

(2) Vulnerabilities Impact Patient Care

Hollywood Presbyterian and UK Hospitals patient care was shut down by one security compromise, implying that the impact of a “denial of service” is much greater in the healthcare setting than a priori.

(3) Premature/Over-Connectivity

“Meaningful Use” requirements drove hyper-connectivity without secure design and implementation, meaning remote code execution vulnerabilities are prevalent throughout healthcare environments.

(4) Legacy Equipment

Equipment is running old, often unsupported and vulnerable operating systems such as Windows XP.

(5) Severe Lack of Security Talent

The majority of health delivery organizations lack full time security personnel, meaning that the responsibility falls to large organizations to address not only their own vulnerability backlog, but also measure and mitigate third party risk (learn more from the 6th Annual HIMSS Security Survey).

The reality is that we know a lot more about malware and machines than we know about the human body. To stick with the analogy, we know the etiology of malware quite well. Malware is any kind of program or application designed to cause any type of damage to a machine who either by error, or carelessness, or unwittingly runs it on her system. On the other hand, we have Exploits, which can be defined as programs created specifically to exploit a vulnerability, in other words—simply trying to take advantage of an error in the design or programming of a system or application. And so, while this doesn’t hold true for every instance of malware (sometimes we haven’t studied or reverse engineered it, sometimes it is installed on a machine by the user) – the causal chain goes as such: Software is written, a vulnerability is introduced, an exploit may be written for that vulnerability, and a piece of malware might utilize that exploit code in order to gain control or abuse a system.

Stated in this direction, this all seems very uncertain, using words such as “may” or “might”. But looked at backwards, it is wildly insightful. As of today, over the last 4 years Kenna Security has seen 8,057,924,077 successful exploitations of vulnerabilities. These are individual machines being exploited by a particular vulnerability, sometimes more than once, sometimes with no effect and sometimes resulting in serious financial damage.

Of the 8 trillion successful exploitations over the past years, 46,266,667 are attributed to 28,540 different malware samples which ReversingLabs has analyzed. Keep in mind that these are only the ones we know about, there are other effective variants of the same malware families that are generating incidents. In the endpoint protection and incident response worlds, this is a great deal of work – not only does one have to keep track of all the hashes, update signature and rulesets on devices, and conduct follow up investigations – but even if you treat the pain of those 28,540 malware variants and feel the comfort associated – the root cause is still there. Put differently, let’s start treating the cause:

The chart above shows the breakdown of those 28,540 malware samples by the vulnerability that the malware uses in order to propagate. The color, ranging from green to blue, shows the vulnerabilities which have resulted in the greatest number of successful exploitations over the past 4 years. A few insights become immediately apparent:

First, 299 CVEs are responsible for 44 million attacks. In the incident response paradigm, you can deal with 44 million attacks by monitoring and remediating around 30,000 malware samples, and see as those samples mutate and generate new strains. Or, you can remediate 299 CVEs, and never worry about those strands again. Kenna Security’s new partnership with ReversingLabs will let you easily identify those vulnerabilities in your environment, and if they’re high risk vulnerabilities, we’ll supply you with the MD5, SHA1 and SHA256 hashes to clean up the current infections. Root cause, addressed.

Second, and more interestingly, if those 299 CVEs are looked at through the lens of the risk meter – that is, through the lens of volume and velocity of successful exploitation, one can easily see that only a handful of them are responsible for over 90% of the successful exploitations (remediate blue above first, then move on to the rest). This kind of granular prioritization is what can make managing millions of incidents and tens of thousands of strains of malware less painful.

Through analysis of large volumes of data, both attack and vulnerability samples in the millions, we can begin to understand the root causes of epidemics, and address them one CVE at a time. While there are system problems in healthcare security spanning decades, many of them uncover an insight about our vulnerability management practices as well: remediate vulnerabilities in legacy devices, tailor risk assessments to the specific applications in your environment, automate vulnerability assessments such that none are brushed over, automate decision making such that the monumental task at hand can be managed. Most importantly; use the data at hand to inform all of the above. After all, isn’t this exactly what evidence based medicine is all about?