Banner Health cyberattack brings layered security strategy into focus

While cybersecurity remains top of mind for healthcare organizations, large attacks underscore the importance of safeguarding servers and computers. The recent cyberattack on Phoenix-based Banner Health, which is the largest reported breach to date, affecting 3.7 million individuals, has health systems reexamining their cybersecurity defenses.

When hackers accessed the computer servers of Banner Health, they appear to have done so by first infiltrating the point-of-sale systems at the health system's food and beverage outlets. From there, they seem to have been able to access other systems, including ones housing protected health information and sensitive information about employees and providers. This lack of segmentation poses a significant security risk to organizations, as just one system vulnerability can lead to a breach in other linked systems.

Banner Health officials learned July 7 of the unauthorized access to computer systems processing payment card data at food and beverage outlets. Cards used at certain outlets between June 23 and July 7 may have been affected.

A few days later, on July 13, Banner learned the cyberattackers may have accessed patient information, health plan member and beneficiary information, and physician and healthcare provider information.

"From what I'm reading, it looks like the attackers were able to gain access to the POS systems and then used that foothold to reach the health record system," says Derek Jones, a senior advisor at Impact Advisors, a healthcare consulting firm.

Little information about the mechanisms of the attack has been revealed, but Mr. Jones says that if this is the case with Banner Health, it reflects a cybersecurity approach he has seen elsewhere, and one that is a threat to security.

"I see payment systems, nurse workstations, payroll computers and infusion pumps all on the same network with no segregation, no filtering and no controls," Mr. Jones says. "It's easy and fast to just put it all on one network."

But putting all systems on one main network gives bad actors easy access to information. This type of "link" generally isn't intentional; rather, it's easy to fall into. Jeremy Molnar, vice president of technical compliance services for healthcare privacy, security and compliance consulting firm CynergisTek, echoed Mr. Jones' observation, as he also reports seeing a lack of segmentation between systems, or a "flat network."

When a network is set up this way, it gives cyberattackers easy access to any system once they get into the initial one, Mr. Molnar says. "Gaining access to a single, trusted system in a flat network gives an attacker the ability to attack any other system on the network without limitation," he says. "Depending on the trust relationships between systems, it's entirely possible that compromising a single system also gives an attacker access to a larger number of systems."

One way to mitigate this security risk is to implement a layered security strategy, one that offers protective barriers at multiple network borders. Mr. Jones outlined such an approach in a recent blog post for Impact Advisors.

A sound layered security strategy might involve three levels of protection. The first, "border protection," is the typical firewall installed enterprisewide that separates a corporate network from the internet. This is a company's first line of defense, according to the blog post. Mr. Jones calls the second layer "inside protection," which separates internal network segments from one another. "Much like a firewall in a building prevents fires from one part of a building from spreading to another part, your inside protection prevents the spread of security issues," he wrote.

The third line of protection is at the computer level, which protects workstations and servers. Mr. Jones writes that common protections at the computer level include passwords, antivirus software and personal firewalls, safeguards that prevent malware from infecting computers and ensure only authorized users gain access.
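An added example, not taken from the article or from Mr. Jones's blog post: a small Python model of the "inside protection" layer that computes which hosts are exposed when one point-of-sale machine is compromised, under a flat network, a segmented network with a chained trust path, and a tightened policy. Host names, segment names and firewall rules are constructed for illustration.

```python
from collections import deque

# Constructed inventory (host -> segment); not Banner Health's real systems.
HOSTS = {
    "pos-cafe-1": "pos", "pos-cafe-2": "pos",
    "patch-srv": "shared",
    "nurse-ws-1": "clinical", "ehr-db": "clinical",
    "infusion-pump-1": "devices",
    "payroll-1": "finance",
}

# Internal firewall rules: (source segment, destination segment) pairs that
# may open connections. Traffic inside one segment is always allowed.
FLAT = None  # no inside protection: any host can reach any other
LEAKY = {("pos", "shared"), ("shared", "clinical"), ("clinical", "devices")}
STRICT = {("shared", "pos"), ("shared", "clinical"), ("clinical", "devices")}

def can_connect(src, dst, policy):
    if policy is None:
        return True
    s, d = HOSTS[src], HOSTS[dst]
    return s == d or (s, d) in policy

def blast_radius(foothold, policy):
    """Hosts exposed, directly or through chained trust, if foothold falls."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        cur = queue.popleft()
        for host in HOSTS:
            if host not in seen and can_connect(cur, host, policy):
                seen.add(host)
                queue.append(host)
    return seen - {foothold}

def exposed_segments(foothold, policy):
    """Segments other than the foothold's own that the breach can spread to."""
    return {HOSTS[h] for h in blast_radius(foothold, policy)} - {HOSTS[foothold]}

if __name__ == "__main__":
    for name, policy in [("flat", FLAT), ("leaky", LEAKY), ("strict", STRICT)]:
        hosts = sorted(blast_radius("pos-cafe-1", policy))
        print(f"{name:6} -> {len(hosts)} hosts exposed: {hosts}")
```

In the leaky policy no rule links the POS segment to the clinical segment directly; the exposure comes from chaining POS to the shared patch server and on to clinical, which is the trust-relationship effect Mr. Molnar describes. Reversing that one rule so the patch server initiates connections to POS confines the breach to the POS segment.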

Both Mr. Jones and Mr. Molnar say upfront administrative burden and costs tend to be reasons organizations forgo a layered security strategy and instead move forward with a flat network, but they both indicate taking the time to implement such a strategy pays off. Even if organizations cannot prevent all breaches, they can make the job harder for bad actors.

"Attacks will occur and will be successful. Appropriate segmentation or restrictions may have made it hard enough that the attack would have never made it past the initial breach. It also would have bought the organization more time in identifying and stopping the breach before it compromised other systems and data," Mr. Molnar says. "We want to make it as hard as possible for an attacker to get in, and in the event that an attacker does get in, make it as hard as possible to get around."


© Copyright ASC COMMUNICATIONS 2017.

 
