Over the last few years, one thing has become clear.
Cybercriminals and attackers are no longer “hacking” to carry out their attacks—including the type that have left your hospital extremely vulnerable to ransomware and other viruses that have crippled hospital operations, billing and care.
Instead, these criminals are looking for the easy way in. Simply by logging in by exploiting weak, stolen, or otherwise compromised credentials, they are cracking more hospital networks than originally perceived.
Nearly 773 MILLION email addresses—21 million of which have been recently published on the Dark Web no longer surprises security experts. Many experts—including me—have been voicing for years that weak and common passwords are two of the biggest threats into hospital networks. And recently, we’ve seen this become the new normal in cyberattacks.
When I’m talking about passwords, I’m not referring to your weakest user—the one that might not understand why using the same password as Facebook or Gmail may not be the best idea when logging into your EHR platform or even onto your hospital network.
Passwords go past simply concerned about users keeping their credentials secure. I am NOT saying that protecting your users from weak passwords is a frivolous subject. We’ve dealt with countless breaches stemming from users making it all too easy for an attack to occur.
But what I want to bring to your attention today is that user credentials are only a piece of the puzzle when it comes to easy and very penetrating attacks on your network.
What passwords do many people forget when thinking about network security?
Firewall—nearly half of all the firewalls we’ve assessed [link] over the past three years have used default configurations. Defaults are the bane of IT. Nearly 36% of cyber incidents occur simply because default configurations and passwords are being used to protect your hospital network. Are hackers stealthily breaking through your cyber barriers simply because your equipment wasn’t set up properly? Are you willing to find out?
Administrator accounts—If you were to take a brief glimpse at all the users on your active directory (the server that tells you who is able to access what), I’m sure your head might heat up a little (at least this happens every time we go through our security reports with CEOs and CFOs of countless hospitals).
The problem with administrator accounts in hospitals is that many IT teams give too many privileges to too many vendors. Typically we see half dozen or more people or organizations with the keys to your kingdom. Should they have so much access? To all patient and staff records?
Passwords are not changing—I’m sure as an executive or administrator at your hospital, you are confident that passwords are changing regularly across your entire staff because you have to go through the painstaking job of updating your password and would just expect that everyone else is doing so, too.
The issue is that while many departments comply with password change demands, there are a few lingering departments that rarely change their passwords. One of the biggest offenders? IT department. We’ve looked at IT-related work accounts, many of which have complete administrative access to your network. What we see is that these account credentials typically are never changed.
What we see in hospitals like yours is a flavor of what I like to call “security theater”. Everyone else has to partake in changing passwords, but the people who actually are protecting your network are neglecting to follow through on basic security policies and procedures you’ve been complying to for probably years at this point.
Hackers are looking for the path of least resistance. Where they’re finding this?
Rural healthcare. Most of the time, rural hospitals and clinics think they’re safe—simply because they pass their Security Risk Assessment with flying colors. But in reality, these folks are still vulnerable because they have a false sense of security (and limited resources to devote to security problems).
Are compromised credentials still a problem?
Yes and no. Yes, they are part of the problem. But they’re only a part. Criminals are scanning your networks for vulnerabilities—these are the easy ones. Many of these are related to passwords and credentials, but many of your problems are not entirely related to users with weak or common passwords.
Even if you’ve passed your Risk Assessment, you might not be prepared for the latest attacks, simply because those assessment criteria were written years ago (hackers use latest technology and ideas to crack networks).
Are you sure where your password problems lie? Contact us for a ransomware vulnerability assessment to find out.
