Having a misconfigured network is the sure way for hackers to penetrate your hospital network. Taking a look at the latest attacks—including Equifax last year and the city of Atlanta a few months ago—every single attack was in some shape, way, or form rooted back to network mismanagement.
Anecdotal evidence—along with stacks of scholarly articles—have come to agree that external risks to networks stem from basic network vulnerabilities that could easily be fixed and remediated. Even more, over a third of all network vulnerabilities open the door to serious data continuity threats if left unresolved. Most cybersecurity experts recommend some sort of ransomware vulnerability assessment in addition to standard HIPAA risk assessments when evaluating your hospital’s network security because the consequences of a cyberattack can leave your hospital unable to support patients and ultimately in a compromised position that may bankrupt you and put you out of business.
One very real and very true story (names have been changed to protect the innocent):
Rick, the IT Director at a hospital had asked us to come in and perform a penetration test on their network as part of their ransomware vulnerability assessment. When we set up our test, we noticed we could brute force our way onto their RDP server with admin credentials, even with their firewall seemingly fully functional.
Their firewall was not obsolete by any means—it was a $45 thousand dollar piece of equipment that was very capable of handling a brute force attack—in our scenario we had only performed 1000 login attempts on the network until we were able to break through (a very low number of tries, considering criminals have automated bots forcing tens of logins every second).
On inspecting the router configurations, we found that the vendor had had put the RDP server outside of the firewall’s protection. RDP essentially allows someone remote access onto machines on a network. Bottom line: having this server easily accessible outside of a firewall (which should be the fortress around your network) is setting a hospital up for a major cyberattack (and an easy attack at that!).
Moral of this story? Vendors don’t always dot their I’s and cross their t’s and many—even those that are selling security options—don’t do security with aims of preventing attacks. Rather, they are in the business of creating theatrics to make you feel secure, when you’re actually not (which is the very worst situation to be in). It is often exceedingly hard to keep track of managing all of the crucial projects a hospital needs done while continuing to run day to day operations of an IT department in such a demanding environment. Management of IT infrastructure, particularly pieces done by outside vendors, often falls off the radar quickly (many of these pieces are critical to your business continuity and sustainability as an organization).
Security is typically reactionary. When your hospital comes to the decision that it needs security, it more often than not has experienced a data leak, breach, or attack which compromised patient data or the integrity of your systems to the point you need someone to remediate a problem.
The issue with this is that, unlike a termite infestation or some other remediable issue, ransomware and cyberattacks will leave a much lasting effect on your organization and your reputation.
When Your Hospital Is Shutdown By Ransomware Through No Fault Of Your Own, Will They Call You Stupid…Or Just Irresponsible?
It’s EXTREMELY unfair, isn’t it? Victims of other crimes – burglary, mugging, carjacking, theft – get sympathy from others. They are called “victims” and support comes flooding in.
If Your Hospital Is Attacked, You Will Not Get Such Sympathy. You Will Be Investigated and Questioned about what you did to prevent this.
A ransomware vulnerability assessment will help you identify where hackers will eventually find their way onto your network and how to proactively re-mediate serious cyber risks before they become attacks.