Q&A: Penetration Tester Shares Where to Make Healthcare Security Improvements

Cybersecurity incidents continue to grab headlines this year, from the MOVEit file-transfer vulnerability to LockBit ransomware attacks.

As the threat landscape has grown in recent years, healthcare organizations have increasingly felt its damaging impacts. In Germany, for instance, a 2020 ransomware attack on a hospital redirected a patient away from the nearest hospital, resulting in a fatal outcome.

“Hospitals have historically been seen as out of scope for threat groups in the past,” says Anna Quinn, security analyst and penetration tester at Rapid7. “Ransomware as a Service is picking up. Threat groups are becoming much less discriminating about who they attack. We’re not safe in our bubble anymore.”

Healthcare organizations must also prepare for more targeted attacks from nation-state actors and other politically motivated groups, she adds.

What can healthcare organizations do to improve their cybersecurity strategies? One immediate step: Turn on multifactor authentication, which has also been recommended by the Cybersecurity and Infrastructure Security Agency during Cybersecurity Awareness Month. Rapid7’s 2023 Mid-Year Threat Review found that 39 percent of incidents observed by the company’s managed services team were from missing or careless MFA.

Quinn spoke to HealthTech about the importance of network segmentation, how to take advantage of pen testing and how physical security is connected to cybersecurity.

Click the banner to get the expertise you need to strengthen your ransomware protection.

HEALTHTECH: What are areas of focus healthcare organizations can target immediately to bolster their security? What about areas that require long-term efforts?

QUINN: For both the short and long term, asset inventory and management is going to be one of the most effective things that you can do as an organization to make sure that you are protected. It’s not just knowing what devices you have but knowing where the devices live, both physically and on the network; knowing how many you have; what operating systems or firmware they're running; and when they were last updated.

This is an extensive project for a lot of hospitals. There’s a lot of gear shifting around all the time. All of this makes it incredibly tricky to track, and it makes asset inventory even more critical, because it can be so easy to lose track of what you have, and that can allow an attacker to potentially find untracked and unpatched devices and get further into the network.

In the long term, I would suggest investing in strong network segmentation. As a security or network engineer entering a healthcare organization, you will often notice that the network doesn’t have a lot of strong segmentation, and in some cases you may inherit a network that requires a lot of updating. Unfortunately, there isn’t always the funding to support large-scale infrastructure revisions, which can really impact things long-term. It can be costly to get a network into a completely segmented and safe position. But that's one of the biggest contributors to making sure that you are going to be safe as an organization.

Strong network segmentation can help mitigate the risks of any breaches that occur. With proper segmentation, for example, you can make sure that your dialysis machines are on their own network and segmented away from everything else. You can make sure that your lab equipment and similar devices are secured away, so that in the worst-case scenario, if you do get hit by ransomware, the ransomware will not deploy to those particular specific networks. That can save lives.

DISCOVER: Answer your questions about identity-related vulnerabilities and segmentation.

HEALTHTECH: Why should healthcare organizations conduct regular penetration testing? How should they approach pen testing? What are some common misconceptions?

QUINN: Healthcare organizations should conduct regular pen testing to find and cut off any paths that an attacker might be able to find within their networks. More and more, it’s a prerequisite that we assume that a breach has already occurred in our organization, regardless of whether it was accomplished through phishing, an exploit or an insider threat. It becomes imperative that we address the network as though it has already been compromised and that we find out how an attacker could compromise further systems or cause damage to the environment through such access.

One common misconception is that pen testing and vulnerability scanning are the same thing. The biggest differentiators that we have between pen testing and vulnerability scanning is that vulnerability scanning will find vulnerabilities within the network, but it won’t chain those together and create an attack path.

Say that you have a server that has a known exploit against it: The pen tester could actually exploit that vulnerability, chain that with other discovered misconfigurations or vulnerabilities, and gain access to systems that you believed would be secured. Meanwhile, a vulnerability scan will simply tell you about that vulnerability. That’s why it's important to do pen testing: to see what additional compromise can happen should a system become compromised.

It’s easy to review a vulnerability scan against our network and say that we’re all patched, we’re all up to date, we should be safe. But without that verification and manual testing, there could be additional vulnerabilities that an attacker can exploit to cause an extensive compromise of your environment. Active Directory in particular has quite a few misconfigurations and vulnerabilities that could lead to a compromise, and these don’t tend to be caught by the typical vulnerability scanner.

Pen testers are there to help. Many businesses see preparing for a pen test as preparing to either succeed or fail as a security team. But that’s not the approach that’s most conducive to a good test. What we should be trying to accomplish in pen testing is to have a known party find these vulnerabilities for you. You want them to find all of your vulnerabilities; you want them to find attack paths that could be abused. If we do not find them on our side, an attacker will, and the attacker is not going to have the same mindset that we have when we approach it. They are going to be looking to cause damage. They’re going to be looking to exploit those systems to extort anything they can get from you or bring you down.

HEALTHTECH: What are the top lessons you’ve learned in your experience as a pen tester that you can share with other healthcare organizations?

QUINN: A flat network, as we call it, could be something where, if I had gotten onto a workstation, I could contact most other servers or devices on that network, and I could attack those. It makes it incredibly easy for an attacker to move around the network.

I’ve had healthcare facilities that I’ve tested that had relatively flat networks. In one case, I was able to get into the virtual sitter systems and view patients in their rooms. I could access patient data because the computers on the floor did not have adequate segmentation. This allowed me to sign in with breached credentials, and I was able to get into their Epic system and access patient data.

In addition to that, MFA is a massive security factor that needs to be implemented. Implementing MFA, while it can be a bit of a cost to a company, can drastically decrease the risk of breach.

Last, I would say that cybersecurity and physical security are actually very closely linked. And it’s not just whether you can get to critical systems. It’s whether an actor can get to a network jack that hasn’t been properly decommissioned, and in doing so, connect to the network and gain access through that. It is whether an attacker can get into your facility and potentially implant devices to call back to C2 servers and compromise your network. Having strong physical security controls and access restrictions in the hospital is incredibly important.

Strong physical security and policies around device removal can also prevent access to sensitive wireless networks, which may otherwise be properly secured. One of our lead researchers, Deral Heiland, recently performed extensive tests against medical pumps, discovering that many of them still contained Wi-Fi passwords for medical centers around the country after being decommissioned and recycled. If an attacker can gain access to such passwords, they can get onto protected medical device networks and cause a significant operational impact.

READ MORE: How can healthcare organizations grow with smarter backup strategies?

HEALTHTECH: When it comes to conversations about combating ransomware in healthcare, what do you think is missing from the conversation? Where should people focus?

QUINN: It’s funding. It can be quite costly to perform some of the actions that I’ve recommended here, especially when you’re doing network or infrastructure upgrades at scale. It can be costly as well to increase your workforce for security, whether physical or cyber. It is a difficult battle at times for security teams to justify making such sizable cost investments when executives and board members don’t see the work put in to prevent significant cyberattacks. It’s definitely a pain point for a lot of organizations that I’ve worked with. I’ve worked with a few facilities that have skeleton crews of two or three people doing the best that they can. We need more people for stronger security. We need funding and we need people to help fight on these front lines. The goal is to help people and to save lives, and we all need to invest in that if we truly believe in that mission.