Never mind all the data breaches: Anthem, Target, OPM, etc. These were targeted attacks against good, secure networks, right? Well, we know that Target was compromised via its HVAC vendor, and some security companies have published data that points to a China-based group known as Deep Panda as a possible source of Anthem's breach. We also know that the Anthem attackers created a bogus domain name, "we11point.com" (based on WellPoint, the former name of Anthem), that may have been used in phishing-related attacks.
And OPM? According to CIO magazine, Michael Esser, OPM's assistant inspector general for audits, told lawmakers that the agency's "long history of systemic failures to properly manage its IT infrastructure" may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees' personal information. Some major contributing factors to the OPM breach were decentralized governance frameworks and weak technical security controls like authentication and configuration management.
But what if your company is doing everything correctly, and perhaps even doing well on compliance?
Unfortunately, it’s still possible to miss a single XP machine that has not been retired and have it cause a serious data leak. As reported in Wired magazine on June 25, 2014, two security researchers found just that. In one case, a large healthcare organization was leaking information about 68,000 systems connected to its network.
As it turns out, it was an Internet-connected XP machine that could not be patched against a known exploit. “Now we know all the targeted info and we know that systems that are publicly connected to the Internet are vulnerable to the exploit,” says Scott Erven, one of the researchers, who discussed their findings at the Shakacon conference in Hawaii. “We can exploit them with no user interaction then pivot directly at the medical devices that you want to attack.”
The data leak that enabled hackers to locate vulnerable systems is the result of network administrators enabling Server Message Block, or SMB, on computers facing the Internet and configuring it in a way that allowed it to broadcast data externally. SMB is a protocol commonly used by administrators to quickly identify, locate and communicate with computers and equipment connected to an internal network. The researchers who discovered this hospital's huge data leak, Erven and Shawn Merdinger, went on to say that many healthcare organizations are sloppy in configuring their edge networks; in their words, “they don’t take security seriously.”
Adding to the problem is the fact that a HIPAA compliance audit alone won’t find these edge-network data leakage issues unless comprehensive network discovery and scanning is added to the audit. This should be mandatory for HIPAA compliance, but it’s not. HIPAA is mostly concerned with privacy and some security; it does not address patient safety issues like this.
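One way to turn the discovery-and-scanning step above into a repeatable audit check (an added example, not code from the article or from the researchers): parse the output of a port scan of the organization's own public address range and flag every host that answers on the SMB ports, rating hosts that also fingerprint as an end-of-life Windows release highest. The scan lines are constructed for this example; their tab-separated Host / Ports / OS layout follows nmap's grepable (-oG) format, which is an assumption about the scanner used.

```python
import re

SMB_PORTS = {139, 445}
# OS fingerprints that no longer receive vendor patches; XP is the case the article describes.
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")
# (SMB exposed, end-of-life OS) -> rating; reachable SMB on an unpatchable OS is the worst case.
SEVERITY = {
    (True, True): ("critical", "SMB reachable from the Internet on an unpatchable OS"),
    (True, False): ("high", "SMB reachable from the Internet"),
    (False, True): ("medium", "unsupported OS on an Internet-facing host"),
}

# Constructed sample, not real output, in nmap grepable (-oG) layout: tab-separated fields.
SAMPLE_SCAN = (
    "# constructed sample scan of the organization's public range\n"
    "Host: 203.0.113.10 (rad-ws01.example.net)\tPorts: 445/open/tcp//microsoft-ds///, "
    "139/open/tcp//netbios-ssn///\tOS: Microsoft Windows XP SP3\n"
    "Host: 203.0.113.11 (web01.example.net)\tPorts: 443/open/tcp//https///\tOS: Linux 3.X\n"
    "Host: 203.0.113.12 (files.example.net)\tPorts: 445/open/tcp//microsoft-ds///"
    "\tOS: Microsoft Windows Server 2012\n"
    "Host: 203.0.113.13 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tOS: Microsoft Windows XP\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
FIELD_RE = re.compile(r"\t(Ports|OS): ([^\t]*)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")  # port/state/protocol prefix of each Ports entry

def parse_grepable(text):
    """Yield (ip, hostname, sorted open TCP ports, OS guess) for every Host line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment or blank line
        fields = dict(FIELD_RE.findall(line))
        open_tcp = sorted(int(num) for num, state, proto in PORT_RE.findall(fields.get("Ports", ""))
                          if state == "open" and proto == "tcp")
        yield m.group(1), m.group(2), open_tcp, fields.get("OS", "unknown")

def audit_external_scan(text):
    """Return one finding per host that exposes SMB or runs an unsupported OS, in scan order."""
    findings = []
    for ip, host, ports, os_name in parse_grepable(text):
        smb = [p for p in ports if p in SMB_PORTS]
        eol = any(marker in os_name for marker in EOL_OS_MARKERS)
        rating = SEVERITY.get((bool(smb), eol))  # clean hosts have no entry and are skipped
        if rating:
            findings.append({"ip": ip, "host": host, "os": os_name, "smb_ports": smb,
                             "severity": rating[0], "reason": rating[1]})
    return findings
```

Calling `audit_external_scan(SAMPLE_SCAN)` returns three findings: the XP workstation with SMB open is rated critical, the supported server with SMB open is rated high, and the XP host whose port 445 is merely filtered is still rated medium because the OS itself is unpatchable.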
The fact that an infusion pump is easily accessible to a hacker, with little or no strong authentication, puts patients at risk. For example, the researchers found drug infusion pumps—for delivering morphine drips, chemotherapy and antibiotics—that could be remotely manipulated to change dosages delivered to patients; Bluetooth-enabled defibrillators that could be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; and temperature settings on refrigerators storing blood and drugs that could be reset to cause spoilage.
This particular healthcare organization, which was not identified, had more than 12,000 employees and 3,000 physicians, with cardiovascular and neuroscience institutions associated with it.
Among the systems exposed: 32 pacemaker systems, 21 anesthesiology systems, 488 cardiology systems, 323 PACS systems, and telemetry systems for infant abduction prevention.