Learning Objectives:
At the conclusion of the activity, participants will be able to complete the following:
- Describe the internal systems that should be in place to secure your network and computer system.
- Understand how to protect your electronic health records and personal health information.
- Discuss the questions to ask your internal and external information technology staff to ensure necessary security measures are being taken.
- List the reports that you should receive on a regular basis that document vulnerabilities in your network and the steps taken to address them.
In order to obtain AMA PRA Category 1 Credit™, participants are required to adhere to the following:
- Review the learning objectives at the beginning of the CME article. If these objectives match your individual learning needs, read the article carefully. The estimated time to complete the educational activity is one hour.
- After reflecting on the contents of the article, demonstrate your understanding by answering the post-test questions in the online form at www.mdadvantageonline.com/cme/fall-2020/. These questions have been designed to provide a useful link between the CME article and your everyday practice. The entire form must be completed, including the evaluation section. The post-test cannot be processed if any sections are incomplete. If you are unable to complete the online form, please contact Alysiana Bagwell at 888-355-5551 or ABagwell@mdanj.com.
- If a passing score of 80% or more is achieved, a CME certificate awarding AMA PRA Category 1 Credit™ and the test answer key will be mailed to you within 4 weeks. Individuals who fail to attain a passing score will be notified and offered the opportunity to reread the article and submit a new post-test.
- All post-tests must be submitted between December 15, 2020, and December 15, 2021. Submissions received after December 15, 2021, will not be processed.
Author: Tom Powers, Founder and Chief Technology Officer, StrataDefense, Wausau, Wisconsin.
Article Content Last Updated: This content was updated as of December 2, 2020.
Accreditation Statement: HRET is accredited by the Medical Society of New Jersey to provide continuing medical education for physicians. This enduring article has been planned and implemented in accordance with the accreditation requirements and policies of the Medical Society of New Jersey (MSNJ) and Health Research Education and Trust of New Jersey (HRET) in joint providership with MDAdvantage Insurance Company. HRET is accredited by the Medical Society of New Jersey to provide continuing medical education for physicians.
AMA Credit Designation Statement: HRET designates this enduring activity for 1.0 AMA PRA Category 1 Credits™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.
Disclosure: The content of this activity does not relate to any product of a commercial interest as defined by the ACCME; therefore, there are no relevant financial relationships to disclose. No commercial funding has been accepted for the activity. This article was peer reviewed in accordance with the MDAdvisor Guidelines for Peer Review.
Let’s have a frank conversation . . . just between you and me. It is no secret that 2020 and the pandemic have turned the world upside down. We are living in a tumultuous time, and we are all sailing in uncharted waters. But let’s talk about your business, your practice and everything that you have spent your whole life building. You have more risk than you know, and it likely isn’t being addressed appropriately. If I have your attention now, that is a good thing, so we can move forward.
With the numerous changes you have had to implement in your business practice during the pandemic, it is likely that mistakes have been made, and holes in your security system have been left unplugged. While you scramble to do the best you can during this time of chaos, there are people out there eager to take advantage of those holes, prey on your distraction and hurt your business. Unfortunately, they are very good at what they do, and they are in business to hurt your business.
To breach your systems, attackers must get a small piece of software called a “payload” into your network. With this payload, they gain control over a machine—most of the time, a user’s workstation gets hit first. This remote control happens in the background, and the user cannot see this connection or the commands being run by attackers. It’s relatively easy to evade your virus scanning and firewall protections, and getting a user to click on something malicious has become child’s play.
You cannot stop a determined attacker from getting in. Attackers will get past your defenses. If you have been targeted by someone with even moderate skills, that hacker will find a way to get into your systems. Therefore, building a better system doesn’t mean building stronger perimeter defenses, but instead, building rapid methods of detection and limiting what attackers can do when they do get in.
There is good news. There are professionals who focus solely on making sure that you, your business and your patients are as safe as you can be while still being reasonable and cost conscious. In this article, you will learn the things you should look for, things you should ask and answers you should expect. Without getting overly technical, we will talk about the components you need in place to protect your practice.
Your New Mindset
Too many people put their faith in the wrong people or products and hope that system security breaches will happen to someone else. Unfortunately, “hope” is not a viable security strategy, so let’s adjust that decision-making paradigm right now.
While running your practice, you have a full plate. Because you may not have a lot of time for cybersecurity, you might say, “That’s why I have people in place, so I don’t have to worry about these things.” This is a mantra I come across all the time. Unfortunately, just because you have information technology (IT) people doesn’t mean they know anything about security; in fact, your average IT support person is woefully deficient in security skills. These people are gardeners you have hired, but you own the garden. Thus, the real responsibility for protecting your system lies with you. You can trust, but you must now verify, because blind faith will be your downfall.
You do not need to know everything about security, computer networks or all the technical details to be able to make sure that all the parts and pieces you need are in place and working. There are reports, questions with specific answers and concrete test results that you should be getting daily, weekly and monthly to ensure that what you have works, and that the people you hire to protect your system are doing what they should be doing.
All you need is a basic understanding of what you have, where you’re vulnerable and how to check that your team is progressing in making positive changes. It’s time for you to get more involved.
Protecting Your Electronic Health Records and Personal Health Information
The commodity that these attackers want is information—specifically, patient information. Names, Social Security numbers, Medicare numbers, payment information and insurance information all aid in identity theft. With this information, an attacker can submit fraudulent claims to acquire benefits like Medicare or Medicaid or obtain medical services or prescription medications. Therefore, millions of records are stolen each year. This is big business.
Of course, your patients’ personal health information should be protected, and all medical records should be secured in your electronic health record (EHR) system, which should be encrypted and require multiple forms of authentication. Now is a good time to verify that this is the case in your practice.
Critical Checklist Entry 1: Verify EHR Encryption
- Ask your EHR software manufacturer to provide information on how it has encrypted patient data and which fields are encrypted in your software databases. All critical fields, such as Social Security numbers, insurance information, payment information etc., should be encrypted; therefore, if the databases are accessed directly, the information cannot simply be read. Reputable EHR software vendors have this information readily available. Get a copy, read it and ask questions about what you don’t understand.
- Your staff should have to enter two different forms of authentication to get into your EHR system. A username and a password are one form; things like token systems, biometric scanning or key cards can be a second form of authentication. Using more than one method to verify access is called multifactor authentication. If you do not have multifactor authentication on all your critical systems, get your team to implement it now. A username and a password should not be the sole method of EHR access, as stolen credentials are easy to capture once an attacker has control of a system.
Critical Checklist Entry 2: Scan Your Network for Personal Health Information/Personally Identifiable Information
What happens when the configurations leave patient information outside your EHR system? How do you even know? When I put on my “attacker hat,” my goal is to find the low-hanging fruit once I’m in your system. Where did people put documents that have the information that I want without having to go after the EHR system? You must have the answers to these questions.
- Your IT staff or contracted outside IT support should be able to scan all machines, looking for unprotected personal health information/personally identifiable information (PHI/PII). That means all of the following should be investigated:
  - Word or Excel documents that are unprotected.
  - Local cached email files, such as PST or OST files for Outlook and offline cached Exchange files.
  - My Documents for each user profile on local machines.
  - Shared drives on network servers.
  - Temp directories on local machines or terminal servers.
- Do not take NO for an answer. If your team says they can’t do this kind of thorough scan, for whatever reason, that is simply not acceptable. The process is not difficult and does not put a strain on the systems. Your team can easily scan workstations during the day but should scan file servers after hours or at the lowest times of activity to avoid slowdowns. If your IT team still says it’s too hard to do such a thorough scan, tell them to do a Google search for “Powershell and PII.” They will see numerous results of premade Microsoft scripts to get them started.
- If the result of this scan finds no PII, then the scan was most likely faulty. A good rule of thumb is that the larger you are and the longer you have been around, the more unprotected information you have scattered about. Your team needs to find these documents and get them removed from your network and into your EHR system.
You can test the results yourself: During the scan process, make a Word document with some fake Social Security information and maybe some made-up patient information. You know what your forms look like, so copy them. Save the document on your desktop and see if the scan finds it. If it does not, then tell your team what you did so they can adjust their scans and make them better. Your goal is to minimize patient information that is unprotected and outside your EHR system.
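Here is an added example (not code from the article or its author) of what such a scan can look like in PowerShell: it plants the made-up test document the checklist suggests, searches the usual locations for Social Security number and Medicare identifier patterns, and reports whether the test document was found. The folder list, file types and identifier patterns are assumptions; mailbox caches (PST/OST) need a dedicated tool and are not covered here.

```powershell
# Added example, not code from the article: scan the usual places for unprotected
# PHI/PII after planting a made-up document so you can confirm the scan works.
# Folder list, file types and patterns are assumptions for this example.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Letters allowed in a Medicare Beneficiary Identifier (CMS excludes S, L, O, I, B, Z).
$L = 'AC-HJKMNP-RT-Y'
$Patterns = @{
    # Social Security number such as 123-45-6789 (area 000/666/9xx, group 00 and serial 0000 are never issued)
    SSN = '\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b'
    # Medicare Beneficiary Identifier such as 1EG4-TE5-MK73 (dashes optional)
    MBI = "\b[1-9][$L][${L}0-9]\d-?[$L][${L}0-9]\d-?[$L]{2}\d{2}\b"
}

function Get-DocumentText {
    param([string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -eq '.docx' -or $ext -eq '.xlsx') {
        # Office Open XML files are zip archives; read only the parts that carry text.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $parts = foreach ($entry in $zip.Entries) {
                if ($entry.FullName -match '^(word/document\.xml|xl/sharedStrings\.xml|xl/worksheets/sheet\d+\.xml)$') {
                    $reader = New-Object System.IO.StreamReader($entry.Open())
                    try { $reader.ReadToEnd() } finally { $reader.Dispose() }
                }
            }
            # Drop the XML tags so a number split across formatting runs reads as one token.
            return (($parts -join ' ') -replace '<[^>]+>', '')
        }
        finally { $zip.Dispose() }
    }
    return (Get-Content -LiteralPath $Path -Raw -ErrorAction Stop)
}

function Find-UnprotectedPii {
    param(
        [string[]]$Paths,
        [string[]]$Extensions = @('.txt', '.csv', '.log', '.xml', '.htm', '.html', '.rtf', '.docx', '.xlsx')
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                $file = $_
                try { $text = Get-DocumentText -Path $file.FullName } catch { return }
                foreach ($name in $Patterns.Keys) {
                    $hits = [regex]::Matches($text, $Patterns[$name], 'IgnoreCase')
                    if ($hits.Count -gt 0) {
                        # Show only the last four characters so the report itself is not another copy of the data.
                        $first = $hits[0].Value
                        [pscustomobject]@{
                            Path     = $file.FullName
                            Type     = $name
                            Matches  = $hits.Count
                            Sample   = ('*' * ($first.Length - 4)) + $first.Substring($first.Length - 4)
                            Modified = $file.LastWriteTime
                        }
                    }
                }
            }
    }
}

function New-PiiCanaryFile {
    # Plants a document with made-up identifiers (no real person) so you can verify the scan finds it.
    param([string]$Path = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'PII-scan-canary.txt'))
    @(
        'Patient Intake Form (TEST DATA, constructed for this check)'
        'Name: Test Patient'
        'SSN: 123-45-6789'
        'Medicare ID: 1EG4-TE5-MK73'
    ) | Set-Content -LiteralPath $Path
    return $Path
}

$canary = New-PiiCanaryFile
$scanRoots = @(
    [Environment]::GetFolderPath('Desktop')
    "$env:USERPROFILE\Documents"      # My Documents for the current profile
    $env:TEMP                         # local temp directory
    # '\\FILESERVER\Shares'           # assumed share path; scan file servers after hours
)
$findings = @(Find-UnprotectedPii -Paths $scanRoots)
if ($findings | Where-Object Path -eq $canary) { 'Scan found the test document: detection works.' }
else { 'Scan missed the test document: adjust the file types or patterns.' }
$findings | Sort-Object Path | Format-Table Path, Type, Matches, Sample -AutoSize
Remove-Item -LiteralPath $canary
```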
Your Remote Workforce
At the beginning of the pandemic in February 2020, everyone was looking for ways to allow employees to work remotely. Most business networks had some remote access capabilities, but most were not prepared for the volume of remote workers who were suddenly clamoring to get in. IT departments and IT support companies did the best they could during the emergency, but corners were often cut. Now it’s time to examine the key points to make sure that your remote workers are secure.
Critical Checklist Entry 3: Verify That Your Remote Workforce Is Secure
- Check use of VPN. Your remote workers should access your network through an encrypted virtual private network (VPN). Your firewall manufacturer most likely has a VPN client. Cisco, Fortinet, Palo Alto and the other major manufacturers all have encrypted VPN clients that you should be using.
- Check use of multifactor authentication by your remote workers. As an example, many VPN clients support a token-based system that can run on your smartphone. You enter your username and password and then enter a token code that’s generated by the app on your phone. Then the VPN connection is made.
- Remote access should be on company-owned machines only. If you had to scramble to find laptops when supply was limited, and you let your workers use their own home machines, that use should be discontinued as soon as possible. Using machines that are owned by the practice ensures that your company protections are in place on all systems touching your network.
- Remote access should be on company-owned and hardened workstations whenever possible. If you had to scramble to find laptops when supply was limited, and you let your workers use their own home machines, it is critical that the remote access solution be a secure one that uses multifactor authentication. For example, employees who remotely access their work desktop using secure remote access platforms such as Citrix or VMware Horizon can do so safely, regardless of their hardware. Only their keyboard strokes and mouse clicks traverse their encrypted connection to the office network.
- There must be a method to verify your workforce VPN connections. Whether this is an internal console that shows who logs in and when or a daily report of logon activity doesn’t matter. You should have a method in place to quickly review and verify VPN connections.
  Look for logons from workers at times you don’t expect, from places you don’t recognize. Pay close attention to logons from workers who are on vacation. Look for access that doesn’t make sense based on people’s work habits and job descriptions.
- Many institutions skipped all of this and simply opened connectivity through the firewall to access internal servers through remote desktop services. If your employees just fire up the Microsoft RDP client and connect, you have a serious vulnerability that needs to be closed. Have your IT team close that access and institute the multifactor VPN solution that matches your firewall.
- Securely store all passwords. A password-protected spreadsheet such as Passwords.xls doesn’t cut it. Instead, everyone should be using one of the reliable password managers that are available. I recommend KeePass because it is free, it works, and you can synchronize it between your network and your smartphone.
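The VPN logon review described in this checklist, as an added example that is not part of the original article: a short PowerShell script reads a logon export and flags off-hours logons, unexpected source countries, people on leave and roles that do not normally work remotely. The CSV rows, staff roster, country list and business hours are constructed for the example; most firewall VPN consoles can export logon events with the user, time, source address and result.

```powershell
# Added example, not code from the article: review a VPN logon export for the
# warning signs listed in the checklist. All data below is constructed.

$VpnLogCsv = @'
User,LogonTime,SourceIp,Country,Result
jdoe,2020-11-16 08:05,203.0.113.10,US,Success
asmith,2020-11-16 02:47,198.51.100.22,US,Success
bjones,2020-11-16 09:12,192.0.2.55,RO,Success
dgreen,2020-11-16 09:30,203.0.113.40,US,Success
cwhite,2020-11-17 10:02,203.0.113.99,US,Success
asmith,2020-11-17 02:51,198.51.100.22,US,Failure
'@

# Who is expected to connect, whether the job normally involves remote work, and who is away.
$Roster = @(
    [pscustomobject]@{ User = 'jdoe';   Role = 'Front desk'; RemoteWork = $false; OnLeave = $false }
    [pscustomobject]@{ User = 'asmith'; Role = 'Billing';    RemoteWork = $true;  OnLeave = $false }
    [pscustomobject]@{ User = 'bjones'; Role = 'Nurse';      RemoteWork = $true;  OnLeave = $false }
    [pscustomobject]@{ User = 'dgreen'; Role = 'Billing';    RemoteWork = $true;  OnLeave = $false }
    [pscustomobject]@{ User = 'cwhite'; Role = 'Physician';  RemoteWork = $true;  OnLeave = $true  }
)
$ExpectedCountries = @('US')
$BusinessHours = @{ Start = 6; End = 20 }   # 06:00 to 20:00 local time (assumed)

function Find-SuspiciousVpnLogons {
    param([string]$Csv, [object[]]$Roster, [string[]]$ExpectedCountries, [hashtable]$BusinessHours)
    $byUser = @{}
    foreach ($person in $Roster) { $byUser[$person.User] = $person }
    foreach ($e in ($Csv | ConvertFrom-Csv)) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $when = [datetime]::ParseExact($e.LogonTime, 'yyyy-MM-dd HH:mm', [cultureinfo]::InvariantCulture)
        if ($when.Hour -lt $BusinessHours.Start -or $when.Hour -ge $BusinessHours.End) {
            $reasons.Add("logon at $($when.ToString('HH:mm')) is outside business hours")
        }
        if ($ExpectedCountries -notcontains $e.Country) {
            $reasons.Add("source country $($e.Country) is not one you expect")
        }
        $person = $byUser[$e.User]
        if ($null -eq $person) {
            $reasons.Add('user is not on the staff roster')
        } else {
            if ($person.OnLeave)         { $reasons.Add("user is on leave ($($person.Role))") }
            if (-not $person.RemoteWork) { $reasons.Add("$($person.Role) role does not normally work remotely") }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User     = $e.User
                When     = $when
                SourceIp = $e.SourceIp
                Result   = $e.Result
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Expected: asmith (02:47 and the 02:51 failure), bjones (RO), cwhite (on leave), jdoe (front desk).
Find-SuspiciousVpnLogons -Csv $VpnLogCsv -Roster $Roster -ExpectedCountries $ExpectedCountries -BusinessHours $BusinessHours |
    Sort-Object When | Format-Table User, When, SourceIp, Result, Reasons -AutoSize -Wrap
```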
Patching and Vulnerability Scans
When things get busy and hectic (as they are for everyone right now), the regular, boring, day-to-day maintenance is often the first thing to be sacrificed. Yet probably the most important step in securing a network is a robust patching routine. Patches fix security issues and performance problems, and they provide enhancements to software and operating systems. For those reasons, you should install all available patches.
Keep in mind that just installing patches isn’t enough. Sometimes, the patch gets installed, and it needs configuration after the fact. Sometimes, patches show as installed, but the issue they were supposed to fix still exists because either the patch didn’t work or didn’t install properly. There will also be network configurations that need to be changed from time to time to close vulnerabilities. To find these issues, your team should use a vulnerability scanner. There are many commercial and open source scanners that work well, such as Nessus, RapidFire, OpenVAS and Tripwire.
Critical Checklist Entry 4: Verify Patching and Vulnerability Scanning Are Up to Date and Complete
- Patching should run weekly for Microsoft patches and daily for third-party software, such as Adobe Reader, Google Chrome, Mozilla Firefox and others. Your IT team or support company should already have a patching system in place. If they do not, that should be the first thing you address.
- You should get reports that include the following:
  - What patches were successfully installed on which machines and when.
  - What patches were not installed and are still missing. You want all available patches installed. Occasionally, a software vendor may say that a certain patch can’t install. When that happens, it should be documented as an accepted risk, but otherwise, install all patches.
- Vulnerability scans should be run on rotation. A quarterly internal scan of all workstations and servers, as well as an external scan of your firewalls, is a good starting point. Whether you purchase your own scanner software or use the one your support team already has in place, get that rotation set up.
- You will get vulnerability reports that, at first, will look like the whole world is ending, and that you are riddled with issues. Relax and take a breath. These reports are sometimes a bit misleading.
  - Many times, you’ll see the same vulnerability listed more than once. For example, if you have Adobe Reader version 10.1 on your system, and the newest version is 15.0, there will be vulnerabilities that the scanner will see for versions 10, 11, 12, 13 and so on. You may see dozens of entries that all can be fixed by simply upgrading the software to the most recent version.
  - You’ll see vulnerabilities with different severities. Critical, high, medium/moderate, low and informational are the common levels you’ll see on the report. You want your team to remediate all findings listed as critical and high, and be working on the medium/moderate vulnerabilities. Just like with patching, occasionally you’ll have a remediation setting that conflicts with software or a device that you run on the network. Document that accepted risk and exclude it from future reports. These exceptions should be few and far between, and most of the vulnerability remediations should be implemented.
  - You may see vulnerabilities come back that were originally fixed. This is not uncommon and often happens when software is updated or patches are installed. Software vendors are not always diligent about security, and your teams may need to reapply certain fixes at various intervals.
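To show how the three points above turn a long scanner report into a short worklist, here is an added PowerShell example (not code from the article): it drops documented accepted risks, collapses the many "older than version X" rows for one product into a single upgrade action, sorts by severity and flags findings that your team had marked fixed but that have come back. The scan rows, the accepted-risk entry and the "fixed" ledger are constructed; real scanners such as Nessus or OpenVAS export the same kind of host, plugin and severity columns.

```powershell
# Added example, not code from the article: turn a raw vulnerability scan export
# into the short worklist the section describes. All data below is constructed.

$ScanCsv = @'
Host,Plugin,Severity,Product
WS-01,Adobe Reader < 11.0.0,Critical,Adobe Reader
WS-01,Adobe Reader < 12.0.0,Critical,Adobe Reader
WS-01,Adobe Reader < 13.0.0,High,Adobe Reader
WS-01,Adobe Reader < 15.0,High,Adobe Reader
WS-01,SMBv1 protocol enabled,High,Windows
WS-02,Adobe Reader < 15.0,High,Adobe Reader
SRV-01,SMB signing not required,Medium,Windows
SRV-01,TLS 1.0 accepted,Medium,Lab interface
SRV-01,Self-signed certificate,Low,Windows
'@

# Exceptions your team documented: a lab device whose vendor only supports TLS 1.0.
$AcceptedRisks = @(
    [pscustomobject]@{ Host = 'SRV-01'; Plugin = 'TLS 1.0 accepted'; Reason = 'Vendor device on isolated VLAN, reviewed 2020-10' }
)
# Findings your team reported fixed earlier; if they show up again, something undid the fix.
$RemediatedLedger = @(
    [pscustomobject]@{ Host = 'WS-01'; Plugin = 'SMBv1 protocol enabled'; FixedOn = '2020-08-14' }
)
$SeverityRank = @{ Critical = 4; High = 3; Medium = 2; Low = 1; Informational = 0 }

function Get-VulnerabilityWorklist {
    param([string]$ScanCsv, [object[]]$AcceptedRisks, [object[]]$RemediatedLedger)
    $accepted = @($AcceptedRisks | ForEach-Object { "$($_.Host)|$($_.Plugin)" })
    $fixed    = @($RemediatedLedger | ForEach-Object { "$($_.Host)|$($_.Plugin)" })
    # Documented accepted risks are excluded before anything else is counted.
    $open = @($ScanCsv | ConvertFrom-Csv | Where-Object { $accepted -notcontains "$($_.Host)|$($_.Plugin)" })

    # One action per host and product: dozens of "older than version X" rows collapse into one upgrade.
    $actions = $open | Group-Object Host, Product | ForEach-Object {
        $group = $_.Group
        $worst = $group | Sort-Object { $SeverityRank[$_.Severity] } -Descending | Select-Object -First 1
        $rank  = $SeverityRank[$worst.Severity]
        $versionRowsOnly = @($group | Where-Object { $_.Plugin -notmatch ' < ' }).Count -eq 0
        $priority = if ($rank -ge 3) { 'Fix now' } elseif ($rank -eq 2) { 'In progress' } else { 'Backlog' }
        $action = if ($versionRowsOnly) { "Upgrade $($group[0].Product) to the current version" }
                  else { ($group.Plugin | Sort-Object -Unique) -join '; ' }
        [pscustomobject]@{
            Host          = $group[0].Host
            Product       = $group[0].Product
            Findings      = $group.Count
            WorstSeverity = $worst.Severity
            Priority      = $priority
            Action        = $action
        }
    }
    # Anything in the "fixed" ledger that is back in the scan needs a second look at what undid it.
    $regressions = @($open | Where-Object { $fixed -contains "$($_.Host)|$($_.Plugin)" })
    [pscustomobject]@{
        Actions     = @($actions | Sort-Object { $SeverityRank[$_.WorstSeverity] } -Descending)
        Regressions = $regressions
    }
}

$worklist = Get-VulnerabilityWorklist -ScanCsv $ScanCsv -AcceptedRisks $AcceptedRisks -RemediatedLedger $RemediatedLedger
'Worklist (one line per host and product):'
$worklist.Actions | Format-Table Host, Product, Findings, WorstSeverity, Priority, Action -AutoSize -Wrap
'Findings that were reported fixed but are back:'
$worklist.Regressions | Format-Table Host, Plugin, Severity -AutoSize
```

With the constructed rows, the four Adobe Reader entries on WS-01 become one "Fix now" upgrade line, the lab interface finding never appears, and the SMBv1 finding on WS-01 is listed as a regression.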
Managed Service Provider Vendors
It is not uncommon to use external teams and consultants for software, network and security support. In fact, many practices and institutions have external support from a managed services provider (MSP), which is a good idea if they are up to the task. In the past, literally anyone could be an MSP and meet the needs of their clients. Now, the stakes are higher, and you need to evaluate the quality and level of the services. Security has become paramount as attacks on MSPs themselves are on the rise. If attackers breach an MSP, they then have access to the clients the MSP serves.
Review your MSP and verify that they have kept up with the security landscape. All MSPs use some sort of remote management platform. These platforms have software that the MSP installs on your machines, which gives them full control of all your servers and workstations. Many of these platforms keep constant remote access connections open to all your machines, which, for obvious reasons, is a bad thing.
MSPs have internal billing systems, remote management platforms, remote control software systems, password management systems and monitoring systems to provide the services you require. As MSPs also are now under attack, they should have the same multifactor authentication requirements for their platforms as recommended for your own VPN configurations and EHR access. Your MSP should provide documentation that shows that each of its systems has a unique multifactor capability that is enabled and active.
Just because your MSP team can handle remote work does not make them experts in security. Your vendor may have done a good job in the past and say they address cybersecurity, but cybersecurity is more than virus or ransomware protection. You need a company that knows how to detect and stop an attacker that has gained access to your network. An MSP is a managed service provider, and an MSSP is a managed security service provider. Although the names sound similar, the services are different and have a different focus. It is not uncommon that you may have an MSP for support and employ an MSSP to handle security services that the MSP does not offer.
Critical Checklist Entry 5: Evaluate Your Managed Service Provider
- If your MSP has remote sessions to all your machines open continuously, that needs to stop. All remote access into the system should only be done when work is required, have a ticket assigned to it and should start and end when the work is being performed.
  You should get a weekly report of who from the MSP logged into which systems and when they disconnected. You should be able to compare that against service tickets. Any connections without an associated ticket should be questioned. Unauthorized access is a serious issue, and I have seen MSPs who have been fired for that reason.
- Ask your MSP for proof that their employees use a multifactor VPN for access to the MSP network. You want proof that your MSP has multifactor authentication on their internal systems. These systems should all have unique passwords and tokens for each system for all employees with access.
- Vulnerability scans of the MSP network and firewalls should be available upon request, along with the remediations of the findings.
- Asking the right questions will help you determine if your MSP can help with your security needs.
  - Have they offered vulnerability scans and remediation services?
  - Have they discussed with you the threats to your practice? Security discussions should include topics such as advanced persistent threats, detecting attackers after they have gotten in, incident response plans, security information and event management (SIEM) systems, penetration testing, reverse shells or system/network hardening. (A reverse shell is a command and control session that an attacker gets to a machine on your network. When they trick your users into clicking on something in an email or on a website, and the malicious payload downloads to the user’s machine, that payload then calls back out to the attacker. The attacker then has a session open with that machine to run commands, look for information, transfer files and move to other machines. Simply put, reverse shells are sessions where someone outside your network is controlling your machines without your knowledge, for nefarious purposes.)
  - Can they demonstrate their ability to write the attacks, gain a shell like an attacker would and then show how they detect this activity and act? (A shell is when the attacker gets a user inside the network to click on something that downloads and gives the attacker control of the machine. This shell is also referred to as command and control.)
- The best defenders know how to attack. They should be able to show you attack and defense to prove their understanding and their ability to protect your systems. If this is all new to you, and you have not heard these things from your provider, seek additional outside security help.
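The weekly session-versus-ticket comparison from the first item of this checklist, as an added PowerShell example that is not part of the original article: it reads the MSP's remote-session export and your ticket export, then lists every session that has no ticket, references a ticket for a different machine, falls outside the ticket's open window, or was never disconnected. Both CSVs are constructed for the example; the columns are the kind a remote management platform and a ticketing system can export.

```powershell
# Added example, not code from the article: check an MSP's remote-session report
# against your service tickets. Both CSVs below are constructed for the example.

$SessionCsv = @'
Technician,Host,Start,End,Ticket
msp.kim,SRV-01,2020-11-16 09:00,2020-11-16 09:40,T-1042
msp.lee,WS-07,2020-11-16 22:15,2020-11-16 22:50,
msp.kim,SRV-02,2020-11-17 08:30,,T-1050
msp.ray,WS-03,2020-11-17 11:05,2020-11-17 11:20,T-1042
'@
$TicketCsv = @'
Ticket,Host,Opened,Closed
T-1042,SRV-01,2020-11-16 08:45,2020-11-16 10:00
T-1050,SRV-02,2020-11-17 08:00,
'@

function Test-MspSessions {
    param([string]$SessionCsv, [string]$TicketCsv)
    $fmt = 'yyyy-MM-dd HH:mm'
    $inv = [cultureinfo]::InvariantCulture
    $tickets = @{}
    foreach ($t in ($TicketCsv | ConvertFrom-Csv)) { $tickets[$t.Ticket] = $t }
    foreach ($s in ($SessionCsv | ConvertFrom-Csv)) {
        $issues = New-Object System.Collections.Generic.List[string]
        $start = [datetime]::ParseExact($s.Start, $fmt, $inv)
        # A session with no end time is a standing remote connection, which the checklist says must stop.
        if ([string]::IsNullOrWhiteSpace($s.End)) {
            $issues.Add('session never disconnected (standing remote connection)')
        }
        if ([string]::IsNullOrWhiteSpace($s.Ticket)) {
            $issues.Add('no ticket recorded for this session')
        } elseif (-not $tickets.ContainsKey($s.Ticket)) {
            $issues.Add("ticket $($s.Ticket) does not exist")
        } else {
            $t = $tickets[$s.Ticket]
            if ($t.Host -ne $s.Host) {
                $issues.Add("ticket $($s.Ticket) is for $($t.Host), not $($s.Host)")
            }
            if ($start -lt [datetime]::ParseExact($t.Opened, $fmt, $inv)) {
                $issues.Add('session started before the ticket was opened')
            }
            if (-not [string]::IsNullOrWhiteSpace($t.Closed) -and
                $start -gt [datetime]::ParseExact($t.Closed, $fmt, $inv)) {
                $issues.Add('session started after the ticket was closed')
            }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Technician = $s.Technician
                Host       = $s.Host
                Start      = $start
                Ticket     = $s.Ticket
                Issues     = ($issues -join '; ')
            }
        }
    }
}

# Expected: the WS-07 session (no ticket), the SRV-02 session (never disconnected)
# and the WS-03 session (ticket belongs to SRV-01 and was already closed).
Test-MspSessions -SessionCsv $SessionCsv -TicketCsv $TicketCsv |
    Format-Table Technician, Host, Start, Ticket, Issues -AutoSize -Wrap
```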
Your Internal System Security
What should you have in place to make your systems more secure? Keep in mind that security is a process, not a product. This means that it is more important to fully utilize what you already have before adding more. It is possible to detect, deter and stop attackers quickly without breaking the bank. Tell your team that before they buy anything else for your network, you want to ensure that they are using what you already own to its fullest extent.
The topic of internal systems security is too large to tackle in a single article. However, you should know the key components that should be discussed with your internal teams and external support companies. These include network hardening, firewalls, virus scanning and your internal logging system.
Network hardening. The topics surrounding network hardening are hallmarks of a well-secured network. Ask your teams to show you that you have network hardening configurations in place or have a plan to begin putting them in place. It is perfectly fine if the terms on the following list are foreign to you. This is where the learning process will begin when you talk to your team.
- Set audits through Group Policy (Microsoft networks).
  - Advanced Auditing enabled to track all activity on workstations and servers, all the way down to the processes on workstations and who launched them.
  - Command-line Auditing enabled to see what commands are being executed.
  - PowerShell Auditing and Transcription enabled to show scripts and what they are doing.
  - File Auditing enabled on servers with network shares.
- Implement Sysmon (from Microsoft) for additional logging capabilities. A few enhancements that Sysmon gives you include tracking of processes and the IP destinations they connect to on all personal computers (PCs) and servers, as well as visibility into memory injections. The additional insight is vital.
- Use Group Policy to remove vulnerabilities.
  - Review security techniques that can be set in Group Policy to take away paths that attackers use once they have gotten into the network.
  - Examples include: disable link-local multicast name resolution (LLMNR), disable old versions of Server Message Block (SMB) and NTLM, disable WDigest and enable proper SMB signing between servers and workstations.
- Turn on the Windows built-in firewall on your client workstations to prevent an attacker who controls one machine from moving to others.
- Implement software restriction policies and AppLocker policies to restrict non-administrative users from running processes they do not need but that could be used maliciously. Some examples are powershell.exe, cscript.exe and mshta.exe. (The list is extensive.)
- Implement multi-tiered administrative accounts for different levels of the network, each with administrative rights only over its assigned machines and nowhere else: workstations, terminal servers, databases, email servers and so forth.
- Remove excess permissions.
  - Remove administrative rights from regular users.
  - Clean up file permissions on network shares to allow users access only to what is needed for their position.
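When you ask your team to show you that these settings are in place, a report like the one produced by this added PowerShell example (not code from the article) is the kind of evidence to expect; it reads one machine's configuration and prints pass/fail for the auditing, LLMNR, WDigest, SMB, NTLM, firewall, Sysmon and AppLocker items above. The registry locations are the standard Group Policy-backed settings; the Sysmon service name and the local-administrator threshold are assumptions, and the script only reads, never changes, anything.

```powershell
# Added example, not code from the article: a read-only check of one Windows
# machine against the hardening list above. Run in an elevated PowerShell window.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check {
    param([string]$Item, $Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Item = $Item; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-HardeningBaseline {
    # Settings attackers abuse for credential theft and lateral movement, with the value a hardened machine shows.
    $registryChecks = @(
        @{ Item = 'LLMNR disabled';                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                   Name = 'EnableMulticast';                       Expected = 0 }
        @{ Item = 'WDigest plaintext caching off';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';         Name = 'UseLogonCredential';                    Expected = 0 }
        @{ Item = 'SMB signing required (server)';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';          Name = 'RequireSecuritySignature';              Expected = 1 }
        @{ Item = 'SMB signing required (client)';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';     Name = 'RequireSecuritySignature';              Expected = 1 }
        @{ Item = 'NTLMv2 only (LM and NTLMv1 refused)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'LmCompatibilityLevel';                  Expected = 5 }
        @{ Item = 'Command line recorded in event 4688';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';    Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 }
        @{ Item = 'PowerShell script block logging';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';  Name = 'EnableScriptBlockLogging';              Expected = 1 }
        @{ Item = 'PowerShell transcription';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription';       Name = 'EnableTranscripting';                   Expected = 1 }
    )
    foreach ($c in $registryChecks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
        New-Check -Item $c.Item -Expected $c.Expected -Actual $shown -Pass ($actual -eq $c.Expected)
    }

    # SMBv1 must be off; recent Windows 10 builds remove the feature entirely.
    $smb1 = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    New-Check -Item 'SMBv1 server disabled' -Expected $false -Actual $smb1 -Pass ($smb1 -eq $false)

    # Host firewall on for every profile, so one compromised PC cannot reach the others.
    foreach ($p in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        $on = ("$($p.Enabled)" -eq 'True')
        New-Check -Item "Windows Firewall ($($p.Name) profile)" -Expected $true -Actual $on -Pass $on
    }

    # Advanced audit policy: process creation must be audited before any SIEM can see launches.
    $audit = (auditpol /get /subcategory:"Process Creation" 2>$null) -join "`n"
    $auditOn = [bool]($audit -match 'Success')
    New-Check -Item 'Audit Process Creation (success)' -Expected $true -Actual $auditOn -Pass $auditOn

    # Sysmon installed and running (the installer names the service Sysmon or Sysmon64; assumed here).
    $sysmon = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'
    New-Check -Item 'Sysmon service running' -Expected $true -Actual ([bool]$sysmon) -Pass ([bool]$sysmon)

    # AppLocker: at least one rule collection enforced, not just in audit mode.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = @($policy.RuleCollections | Where-Object { "$($_.EnforcementMode)" -eq 'Enabled' })
    New-Check -Item 'AppLocker enforcing' -Expected $true -Actual ($enforced.Count -gt 0) -Pass ($enforced.Count -gt 0)

    # Local Administrators: regular users should not be here (a two-member threshold is an assumption; review the names).
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    New-Check -Item 'Local Administrators members' -Expected 'admin accounts only' -Actual ($admins -join ', ') -Pass ($admins.Count -le 2)
}

Test-HardeningBaseline | Format-Table Item, Expected, Actual, Pass -AutoSize -Wrap
```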
Firewalls. Your firewall is the barrier between your network and the Internet. Here is a list of the configurations that should be in place. Ask your teams to show you the level of configuration.
- Virus Scanning enabled.
- Intrusion Prevention/Intrusion Detection enabled.
- Application Filtering enabled.
  Check for applications masquerading as other applications while trying to talk out of the network (a common attacker technique to evade detection).
- SSL Inspection enabled.
  - The firewall should inspect HTTPS traffic leaving the network, looking for the command and control shells the attackers use.
  - Legitimate HTTPS-enabled sites can be whitelisted from inspection to preserve privacy.
Virus scanning. Commercial virus scanning platforms have evolved considerably over the past few years. Things to have your team verify and report on include the following:
- Virus and malware detection in real time, as well as scheduled scans.
- Blocking of unauthorized encryption algorithms (ransomware blocking).
- Behavioral Analysis enabled.
- Endpoint protections to control USB usage.
Internal logging system/SIEM. There are a lot of logs to review, and there is no way any team can go to each machine to review them all. Consolidation of logs from all machines to a centralized system is called log aggregation. A log aggregation system that focuses on security is called a security information and event management (SIEM) system.
These systems are often complex, and you need some expertise to set them up. Although there is no such thing as a SIEM system that works “out of the box,” a SIEM system is a powerful tool for detecting attackers. There are many open-source SIEM systems that are great starting points for your teams to consider before evaluating the commercial enterprise systems, which can be costly.
When an Attack Happens
When your security system is breached, and it will be, blame has no place in your reaction. People and companies work far better, and thus, you are far safer, when your approach to a breach is: “Ahh… they tried to get in and got to this point, but the tools and teams saw them early and acted.”
Too many times, fantastic teams become totally paralyzed by the fear that management will punish them because something went wrong. Those teams inevitably shut down and cease to function. Especially in the time of COVID-19, when there are a lot of things to be concerned about, you do not need to foster that fear. Instead, sit everyone down and explain that you understand that there are increased attempts every day, and that even the best systems get breached. Let your team know that you want them to work together to foster an environment where you catch the attackers quickly and limit what they get.
Your Next Steps
The inevitable question is, “Where do I start?” As you move through the topics in this article, you will begin to better understand your own systems. Talk to your security team and make sure each member of your internal and external teams understands this goal:
We want to have a network that is secure and that can see an attack in progress. We want to have an environment that makes it so difficult for the attacker to move around in that they give up and move on to someone else.
Make sure your security team knows that you hold them accountable for getting the information you need and making the changes that need to be made. Have them explain the way things are set up, and if the explanations don’t make sense, keep talking until you get the insight you’re looking for. When you find things that need attention, plan with your team and set deadlines. Treat these changes and the security lockdowns like any other business project.
COVID-19 has turned the world upside down and is probably consuming much of your time and energy. That is no excuse for ignoring your security system. A physician once told me: “If you do not make time for your wellness, you will be forced to make time for your illness.” The same is true with your network and security. Either you will address this proactively, or you’ll clean up the mess after someone has stolen everything. It’s your choice. What are you going to do?