Last week, a California-based Healthcare system with hospitals, clinics and outpatient care facilities in several U.S. states was struck with a ransomware attack, which forced them to take their networks offline with an unknown time window for a return to normal operations.
This is not the first time that the medical industry has been targeted, and it certainly won’t be the last. The threat is common enough that in December 2022, Section 3305 of the Consolidated Appropriations Act of 2023 was signed, authorizing the Food and Drug Administration (FDA) to establish cybersecurity standards for medical devices. While a cyberattack in most industries causes financial harm and disrupts operations, an attack on medical systems can also cause significant harm (or worse) to patients receiving critical care.
There are lessons to take away from this attack, no matter the industry in which you work.
The first is the focus on medical devices. Monitors of all types, defibrillators, infusion machines, x-ray machines, lab equipment, cameras, and many other specialized devices operate using a combination of common and proprietary software, and they are connected to the network. Any of these devices – part of the “Internet of Things” or “IoT” – provide a potential access point for hackers.
The software itself offers points of vulnerability. Up to 96% of commercial and proprietary software utilized at least some open-source code, which consists of many components and libraries. Any one of these components or libraries may be obsolete or contain some other form of vulnerability. The Log4j exploit in 2021 that enabled hackers to install malware on systems is one of the best-known examples.
One of the fundamental responses to these ongoing cyberattacks is the introduction of Software Bills of Materials (or SBOMs) for cybersecurity purposes. The SBOM, which is provided by the software’s publisher, contains an ingredients list of all components and libraries that make up a software application. Tools like Eracent’s ICSP Application Risk Management module can analyze the contents of each list and associate them to software installed on a network. If NIST or other standards organizations publish new vulnerability information for an application, component or library, customers are immediately notified if they have any installed software applications that may be impacted. They can instantly see exactly where that software is installed. This enables proactive patching or updates to prevent a malicious attack.
More strategic initiatives are in place as well, such as the growing call for the implementation of Zero Trust Architecture. With this concept, everything on the network is under suspicion until proven to be innocent. An effective Zero Trust program requires more than installing tactical cyber tools and crossing your fingers. It requires detailed process management to ensure that everything on the network is included and that all preventive processes and mitigation steps have accountable owners. Eracent’s ICSP Zero Trust Resource Planning module provides automated and repeatable management and reporting to ensure that these implementations are successful at providing thorough protection.
Hackers are always looking for new access points to your network for financial gain. While the magnitude and severity of an operational disruption may vary, there is always a cost. Taking the time to be aware of the latest forms of prevention is always a worthwhile investment in your organization’s security.
– by Terry Divelbliss
Terry Divelbliss is Eracent’s Sr. VP of Marketing & Technical Alliances. He has almost 20 years of experience in the ITAM and SAM industry in product management and customer solution implementation roles, and he is a regular speaker at industry conferences and events.
