Semperis' Hybrid Identity Protection (HIP) conference last week in New Orleans touched on ransomware, cyber resilience and national security. Yet one topic stood out: How best to protect identities and personal information in the healthcare industry.
"Healthcare is an identity nightmare," said Henrique Teixeira, senior VP of strategy at Saviynt, during his presentation last Thursday. "For example, you have doctors who work for one entity and have visiting rights at another."
That's a common situation in healthcare. Doctors may be independent contractors who can operate freely within a hospital or may work for an entirely different company. For example, a patient treated at New York-Presbyterian Hospital in New York City would pay one bill to the hospital for the use of its facilities and pay another bill to Weill Cornell Medicine for physician services.
James Bowie, the CISO at Tampa General Hospital, admitted that the identity-security environment at a hospital can be challenging, but he said his organization had a simple way to handle visiting physicians.
"They get an Active Directory account," like all other users, Bowie said. "But they have to get vetted. They have to apply the same policy, the same rules. It gets tough. Our user base is twice what our employee count is because of that."
Repelling a (fake) hospital ransomware attack
In the conference's tabletop exercise, the red team had several tools and methods at its disposal, many valuable targets to choose among, and a few different ways to exert leverage, from combing through LinkedIn profiles and password dumps for information on administrators to using stolen health records for blackmail and fraud.
The hospital had EDR protections and a segmented network, but the attackers countered those defenses by going after the imaging (X-ray, MRI and CAT scans) systems, which often involve legacy devices on which you can't install EDR software.
They got around multi-factor authentication on an admin account by social-engineering the help desk into disabling it, posing as an employee who had just had a baby and needed to access the account from home. They even played recorded crying-infant sounds in the background of the call.
The red team also caused internal chaos by revoking all of the hospital's TLS/SSL secure-connection certificates and Office 365 licenses.
"Diabolical," said one of the blue-team members.
The blue team, which like the red team was made up of cybersecurity professionals who had volunteered for the exercise, constantly found itself a step behind. In the end, it could defend the hospital from attack only by shutting down the network entirely.
"No one won," said one participant.
Hanging up on password-reset callers
In a tabletop simulated attack exercise, adversaries got in by convincing a help-desk employee to disable the MFA settings on an administrative account — the same method used in the attack that forced a network shutdown at MGM Resorts International in August 2023.
Bowie, however, told us that his healthcare organization had largely neutralized that possible attack vector.
"We don't let the help desk reset passwords," he told us. "Humans are humans, and no matter what policies we put in place, they'd end up wanting to help."
"It's not anything that the help desk did wrong," Bowie added. "Ninety-nine-point-nine percent of their mission is to help people. They want to be helpful. So when you put in a policy that makes them have to be stern and not helpful, you're going to get someone who wants to help anyway. It's not their fault."
Instead, he explained, the help desk must hang up on the caller, then file a password-reset request ticket. The cybersecurity team handles the rest, using detection and alert tools to spot suspicious requests and calling the requesting user at a known number.
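The reset process Bowie describes has a clear shape: the help desk never resets anything on the phone, the request becomes a ticket, and the security team decides whether it looks suspicious and then calls the user back at a number already on record. The following is an added illustration of that triage step, not Tampa General's tooling or any product's code; the directory of record, the ticket fields and the risk rules are assumptions made for the example.

```python
"""Added example: triage of a help-desk password-reset ticket.

The key property is that the callback number comes from the directory of
record, never from the caller, and that requests touching privileged
accounts or MFA settings are flagged for manual review.  The directory,
ticket fields and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed directory of record (assumption for the example).
DIRECTORY: Dict[str, dict] = {
    "jdoe":         {"phone": "+1-813-555-0100", "privileged": False},
    "admin-rsmith": {"phone": "+1-813-555-0101", "privileged": True},
}


@dataclass
class ResetTicket:
    username: str
    requested_actions: Tuple[str, ...]   # e.g. ("password_reset",) or ("password_reset", "mfa_disable")
    caller_phone: str                    # the number the caller *claimed*; informational only
    caller_claims_new_device: bool = False


@dataclass
class Triage:
    callback_number: Optional[str]       # taken from the directory, never from the ticket
    risk_flags: List[str] = field(default_factory=list)

    @property
    def needs_manual_review(self) -> bool:
        return bool(self.risk_flags)


def triage(ticket: ResetTicket, directory: Dict[str, dict] = DIRECTORY) -> Triage:
    """Decide how the security team should handle a reset ticket."""
    record = directory.get(ticket.username)
    if record is None:
        # Unknown account: there is nobody to call back, so escalate.
        return Triage(callback_number=None, risk_flags=["unknown_account"])

    flags: List[str] = []
    if record["privileged"]:
        flags.append("privileged_account")
    if "mfa_disable" in ticket.requested_actions:
        # The MGM-style vector: MFA removed through the help desk.
        flags.append("mfa_change_requested")
    if ticket.caller_phone != record["phone"]:
        flags.append("caller_number_mismatch")
    if ticket.caller_claims_new_device:
        flags.append("new_device_claimed")

    return Triage(callback_number=record["phone"], risk_flags=flags)


if __name__ == "__main__":
    routine = triage(ResetTicket("jdoe", ("password_reset",), "+1-813-555-0100"))
    print("routine:", routine)
    risky = triage(ResetTicket("admin-rsmith", ("password_reset", "mfa_disable"),
                               "+1-555-000-9999", caller_claims_new_device=True))
    print("risky:", risky)
```

Even the "risky" ticket still gets a callback number, but it is the directory number, so a social engineer who supplied their own phone number gains nothing from the call-back step; the flags only decide how much scrutiny precedes it.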
Protecting health records
Before the blue team shut down the fictional hospital's network in the tabletop exercise, the red team deliberately exfiltrated electronic medical records, which, being mostly text, were small enough not to trip data-loss-prevention systems.
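The caveat a practitioner would draw from that is that a per-file size threshold is blind to a drip of small records. As an added example (not from the article or from any DLP vendor), the detector below sums outbound files and bytes per user over a sliding window, so the same records that individually fall under the per-file limit still produce an alert in aggregate. The log format, thresholds and sample log are constructed for the example.

```python
"""Added example: aggregate detection of "many small files" exfiltration.

A per-file DLP limit misses medical records that are each a few kilobytes.
Counting files and bytes per user over a time window catches the pattern.
Log format, thresholds and the sample log are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

PER_FILE_DLP_LIMIT = 1_000_000      # assumed per-file DLP trigger (1 MB)
WINDOW = timedelta(minutes=10)      # sliding window per user
MAX_FILES_IN_WINDOW = 50
MAX_BYTES_IN_WINDOW = 5_000_000

# Constructed log line format: "<iso-timestamp> user=<name> dst=<host> bytes=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def build_sample_log() -> List[str]:
    """Constructed log: one user drips 60 8 KB records in six minutes,
    another sends three ordinary 300 KB files."""
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    lines: List[str] = []
    for i in range(60):
        ts = (t0 + timedelta(seconds=6 * i)).isoformat()
        lines.append(f"{ts} user=drip01 dst=paste.example bytes=8192")
    for i in range(3):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} user=clerk02 dst=fax.example bytes=300000")
    return lines


def find_drip_exfil(lines: List[str]) -> Tuple[List[Tuple[str, int]], Dict[str, str]]:
    """Return (per-file DLP hits, aggregate alerts keyed by user).

    Aggregate alerts fire once per user, at the first event that pushes the
    window over the file-count or byte threshold.
    """
    per_file_hits: List[Tuple[str, int]] = []
    alerts: Dict[str, str] = {}
    windows: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)

    # Timestamps lead each line in ISO format, so lexical order is time order.
    for line in sorted(lines):
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        ts = datetime.fromisoformat(m["ts"])
        user, size = m["user"], int(m["bytes"])

        if size > PER_FILE_DLP_LIMIT:
            per_file_hits.append((user, size))   # what a per-file DLP rule would see

        q = windows[user]
        q.append((ts, size))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                   # drop events that fell out of the window

        total = sum(s for _, s in q)
        if user not in alerts and (len(q) > MAX_FILES_IN_WINDOW or total > MAX_BYTES_IN_WINDOW):
            alerts[user] = f"{len(q)} files / {total} bytes in {WINDOW}"

    return per_file_hits, alerts


if __name__ == "__main__":
    hits, alerts = find_drip_exfil(build_sample_log())
    print("per-file DLP hits:", hits)     # empty: no single record is over 1 MB
    print("aggregate alerts:", alerts)    # drip01 flagged on its 51st small file
```

Two things are worth noting in the design: the window is per user, so a busy department does not mask one account, and the byte threshold exists alongside the count threshold because a few hundred mid-sized exports can be just as telling as hundreds of tiny ones.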
Medical records are an extremely rich source of personal information, containing not only names, addresses and dates of birth, but medical histories, notes and test results, insurance and financial information and sometimes Social Security numbers.
The members of the red team discussed how they would be able to blackmail or threaten prominent local politicians and officials based on their stolen medical records, or even use the identities of newborns to commit fraud.
Asked how his organization protected medical records, Bowie replied, "That's the whole trick of the business."
"It takes a whole team," he added. "It takes the entire organization, really. The health records themselves, you've got to store them securely, make sure your permissions are correct, make sure you're not oversharing, make sure that you're cataloguing and you're classifying your data so you know where it went."
But, he added, identity security was at the core of protecting all the hospital's assets.
"It comes down to the user and identity," Bowie said. "You can do all the fancy networking stuff you want in the world, but if the user gets compromised, or they get the identity of something and can chain that attack or chain those permissions in, they can do whatever they want."
Moving forward with healthcare identity protections
What's the future of identity protection in the healthcare industry? For Bowie, it's about determining how to remotely verify individuals, to "really confirm and identify who we're talking to virtually."
Heather Costa, director of technology resilience at the Mayo Clinic, said in a panel discussion Thursday about cyber resilience that "the goal is to be better tomorrow than we are today."
She defined cyber resilience as minimal impacts on business processes in the wake of an incident: "When the disruption happens, the clients or patients don't know. The business can continue on effectively and we haven't harmed anyone."
But a discussion Thursday among three healthcare IT experts from CDW focused on passwordless authentication as a potential game-changer in the industry, something that would speed up identity verification and streamline processes.
"The increasing use of passwordless and biometrics makes things easier for physicians," said Eli Tarlow, director of healthcare strategy at CDW. "I will bet with all of you [in the audience] that within two years, there will be some form of passwordless authentication within your organizations."
Nelson Carreira, a healthcare strategist at CDW, said that in his opinion, "there have been only two tech innovations that helped the healthcare workflow: tap 'n' go and passwordless."
"Passwordless also helps you future-proof a system," said Bryce Thomson, also a healthcare strategist at CDW. "You're able to add more MFA to strengthen the security of every user."
However, Costa asked a pertinent question from the audience.
"There's so much tech debt in healthcare, and so many systems that aren't compatible with passwordless," she pointed out. "What kind of passwordless can the healthcare industry use?"
Tarlow backed up her question by pointing out that physicians wearing surgical masks often can't use facial recognition and can't use their thumbprints while they're wearing surgical gloves.
Carreira responded that there are now facial-recognition technologies being developed that can identify you even if you have a surgical mask on, potentially getting around one of those obstacles.
And Thomson hoped that another form of passwordless authentication might become available to healthcare workers, citing his own experience with a hardware key.
"I tried to use a Yubikey and I had to pair it with every account," he said. "That's tremendously complicated. We're not looking for that kind of thing in healthcare security. Maybe a wristband would work better."