Securing the cloud in health care is a shared responsibility

March 19, 2018
By Wayne Reynolds

The market dynamics of the health care industry are continuously evolving due to disruptive new business models, digitalization, regulatory uncertainty and increasing patient care demands. To keep up with these shifts, health care systems are leveraging the cloud, as organizations are feeling the gravitational pull toward faster go-to-market strategies, flexibility, and pricing advantages versus legacy on-premise approaches to IT.

As the cloud becomes more prominent in health care IT systems, organizations are increasingly concerned with how to best migrate security and compliance controls to the cloud alongside their data and applications. To demonstrate how easily a health care organization can be targeted by cybercriminals, security researchers from Armor teamed with a third-party firm to construct a honeypot – decoy servers designed to lure attackers to record and analyze their activity – under the guise of a small doctor’s office.

The project deployed three different servers in the cloud: one insecure, one with only cloud-native security controls, and one fully secured using the Armor Anywhere managed security-as-a-service offering. The researchers created websites for the doctor’s office that ran at MetropolisPrimary.com and MetropolisMed.com, and migrated a variety of IP addresses, domains, and infrastructure to the cloud with the goal of mimicking a public cloud environment that would typically be run by a small or midsize health care system.

Unsurprisingly, vulnerable applications and the prospect of hitting a data goldmine captured the interest of hackers, and attacks began within minutes of server activation. More than 560 attempted attacks per week were launched against the server with cloud-native security, and hidden inside those numbers were hundreds of attempts to move deeper into the systems.

By the end of the project, hackers had attacked the unprotected server more than 19,000 times, roughly 2,500 attempts per week over the course of roughly three months – approximately 391 percent more attacks per week than its fully secured counterpart. Overall, the server with only a native firewall experienced 11 percent more hits per week than the secured server protected by Armor Anywhere.

To better safeguard sensitive data within cloud environments, establishing additional layers of security on top of cloud providers' native security controls addresses the risks of an expanded attack surface. While the shared responsibility model allows health care organizations to offload a portion of accountability to cloud service providers, the price of failing to properly protect data is far greater than the upfront investment. According to a 2016 study by the Ponemon Institute, data breaches could be costing the U.S. health care industry billions, leaving an organization’s reputation damaged, and concerned patients in its wake.

The majority of attempts were SSH brute force authentication attacks, a method threat actors use to gain access to servers by trying an automated list of usernames and passwords; these accounted for 79 percent of the attacks on the secured server and 71 percent on the server using only minimal, cloud-native security. The second-largest group of attacks was MySQL authentication attacks, a related method in which hackers try brute-forced username and password combinations to gain access to databases.

The data collected from this honeypot reinforces the importance of health care organizations implementing security standards and protections within their IT infrastructure. As health care IT platforms continue to transition to the cloud, health care organizations should take full advantage of what providers have to offer, and then some. Just because you’re able to offload responsibilities to the cloud does not mean you can rely solely on the security of the provider. Best practices for health care systems to proactively protect against attacks targeting cloud environments include:

• Keep your software up to date: This single step will help prevent a majority of exploit-based attack vectors. This means patching your operating systems, system utilities, and any code running on your server, such as application plugins and themes for CMS products.

• Restrict administrative control: For protocols such as RDP or SSH, consider adding source-IP-based restrictions. For CMS products such as WordPress or Joomla, consider using configuration options to limit access to the administrative login page to trusted IPs.

• Limit Access: Use a firewall to only expose the services you need to the outside world.

Additionally, below are two common cloud configuration errors and tips on how to remediate them:

• Using password-based authentication for administrative access: As the honeypot showed, brute force attacks are all too common. By limiting SSH access to key-based mechanisms this attack surface can largely be mitigated.

• Default or simple passwords for application components: Make sure that any systems or applications requiring a password to authenticate are using strong passwords to do so. A quality, secure password is one that is unique and long – don’t worry too much about the old rule regarding letters, numbers, and symbols.
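The following is an added example, not code from the article or from Armor: a POSIX-shell audit of an OpenSSH sshd_config against the source-IP and key-based-authentication recommendations above. Both sample configs, the opsadmin account and the 203.0.113.0/24 range are constructed for illustration.

```shell
# Constructed sample: the weak state the honeypot findings warn about.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: the corrected state (key-only auth, admin from a trusted range).
HARDENED_CFG='Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers opsadmin@203.0.113.0/24'

# sshd_setting CONFIG KEYWORD: print the effective value of a keyword.
# sshd honours the first occurrence of a keyword, so stop at the first match;
# empty output means the keyword is unset and the OpenSSH default applies.
sshd_setting() {
  printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd CONFIG: print one FINDING line per weak setting; return 0 only if clean.
audit_sshd() {
  rc=0
  # Password logins are what SSH brute forcing targets; OpenSSH defaults this to yes.
  [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] ||
    { echo "FINDING: PasswordAuthentication is not 'no'"; rc=1; }
  # Keyboard-interactive auth is another password prompt, so it must be off too.
  [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = "no" ] ||
    { echo "FINDING: ChallengeResponseAuthentication is not 'no'"; rc=1; }
  # Root must never be reachable with a password.
  case "$(sshd_setting "$1" PermitRootLogin)" in
    no|prohibit-password|without-password) ;;
    *) echo "FINDING: PermitRootLogin allows password root login"; rc=1 ;;
  esac
  # Source-IP restriction: require an AllowUsers entry of the form user@host-or-CIDR.
  case "$(sshd_setting "$1" AllowUsers)" in
    *@*) ;;
    *) echo "FINDING: no AllowUsers user@source restriction"; rc=1 ;;
  esac
  return $rc
}

# Usage: audit both samples; the weak one reports findings, the hardened one is clean.
echo "--- weak config ---";     audit_sshd "$WEAK_CFG" || echo "weak config has findings"
echo "--- hardened config ---"; audit_sshd "$HARDENED_CFG" && echo "clean"
```

The same function can be run against a live file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`, but it only inspects the top-level keywords and does not evaluate Match blocks.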

Alongside applying these best practices, health care organizations should invest in complementary technologies and third-party expertise, such as consultants and managed security providers, as a force multiplier. As illustrated in this honeypot experiment, although hyperscale cloud providers offer standard protections, third-party security technologies and expertise can make the difference between preventing an incident and paying to remediate one.

As the health care landscape evolves, the number of organizations transitioning to the cloud will continue to grow – as it should, considering the economic, operational and functional advantages the cloud provides. However, it is vital for health care organizations to remember that the responsibility for security does not fall solely on the shoulders of cloud providers, and it’s essential to bring multiple security countermeasures to the cloud.
About the author: Wayne Reynolds is head of security at Armor, where he manages the cyber and physical security operations. This unique, dual responsibility extends beyond the typical approach many cloud providers take in securing their own operations while leaving customers to fend for themselves.