“Gasp” is rarely a word associated with a presentation during the week of the HIMSS conference. Keynotes and presentations can be informative, enlightening or surprising. Shock and awe are not descriptions that typically come to mind.
But truly, you could hear the breath being sucked out of CIOs during the opening keynote presentation at the 2017 CIO Forum, of the College of Healthcare Information Management Executives. You see, Kevin Mitnick was making mincemeat of fairly traditional IT security practices.
Over the course of 75 minutes or so, the vulnerability of IT systems was on full display, sliced and diced by Mitnick, an internationally recognized security consultant who works with Fortune 500 companies and governments around the world.
With an array of basic laptop computers, electronics and hacking acumen, Mitnick was able to easily circumvent many of the protections that ordinary citizens—and, yes, healthcare organizations—rely on to apply a layer of protection to their most private information. It was a sobering examination of the IT protection that we believed to be relatively safe.
For example, peer-to-peer file sharing networks are a key conduit for sharing (and leaking) information—whether on purpose or accidentally—into the wrong hands. They have become increasingly popular for younger Internet users who don’t always understand the risks involved.
For example, on one common file sharing site, Mitnick found a network diagram for the Department of Defense, complete with IP addresses for sub-networks and key nodes on the network. Yes, that was open for anyone to peruse and use, for whatever purpose a hacker might want.
Easily found and manipulated software can scan an organization’s networks to find vulnerable computers, Mitnick says. For example, in an engagement for American Express, he was able to identify an employee using a computer running Windows Vista and Microsoft Office and 2007, both no longer protected by updates. By identifying the user’s name from the hacking tool and sending an innocuous email with an attachment, it’s easy to take control of the computer remotely.
Another hack involves having victims plug a USB memory device into their computers. Laced with malware (that’s still in place even if the USB drive is reformatted) a hacker is able to do things like record keystrokes and hijack a computer to give a hacker access to the organization’s network.
Wifi networks are another way for hackers to get into a computer. Mitnick noted that many laptops default to using the nearest, strongest wireless network. A hacker, with electronics in a backpack can produce a wireless network that’s not password protected. Those connecting to that network have their device credentials accessed. Or that hacker can trick someone into installing an update with a persistent popup screen; after a user clicks on the update notice, malware is downloaded, leaving the device wide open to attack.
Mitnick also is hired to attempt to gain access to data centers. He demonstrated easy gambits for using electronics to pilfer codes from access cards commonly used by staff to gain entrance to facilities. The right electronics can pick up card numbers from as far away as three feet. At one conference, Mitnick was able to copy access data from 158 cards, which would have enabled him to make duplicate cards with the same codes.
Phone gambits are frequently used to gain sensitive network information from victims. A friendly voice on a phone call with a little bit of inside knowledge of an organization can disarm defenses of victims to sharing credentials or other network information that can be compromised. Email from spoofed addresses also can be used to pry information from unsuspecting recipients.
Healthcare organizations, as we know, are enticing targets, and Mitnick’s presentation deflated many of the notions that we believe about IT security. The important takeaway from the session was this—provider organizations need to take a realistic look at how the bad guys can attack, and gain access, to your networks.
The technology and electronic tools are out there. Hackers are not just guys in hoodies, but sophisticated in expertise and capable of attacking any network. Ransomware offers a chance for quick and easy profit from a cyber attack.
In closing, Mitnick encouraged organizations to improve their “human firewall,” by training and testing those who are most at risk of falling for a hacker’s gambit.
There’s only so much healthcare organizations can do to protect themselves, he says, but they must take those steps to protect themselves.
“You can always mature your security systems,” he says. “You can make it harder for bad guys to compromise your system by enforcing two-factor authentication and using a VPN. Make yourself a hard target, and then the hope is they’ll go elsewhere to find an easier target.”