The May 2023 cyberattack on the MOVEit Transfer application at Johns Hopkins again demonstrates the systemic weaknesses in the industry approach to health care data security and to cybersecurity in general.
The cyberattack shows the consequences of integrating, and then depending on, very complex, highly integrated, feature-rich applications. The information of more than 300,000 individuals was compromised in the attack.
Unfortunately, Hopkins was not the only victim. Emsisoft has estimated that 600+ organizations were affected by the MOVEit attack, compromising the information of more than 40 million individuals. Beyond the harm to patients, failure to adequately address health care cyber threats disrupts operations, creates liability and regulatory exposure, and can have significant financial repercussions.
Health care organizations present an attractive cyber target. These organizations concentrate a great deal of sensitive and valuable information in a single, integrated target. Patient identity data, payment records, detailed medical information, and insurance information all represent high-value targets.
Complicating this are requirements that health care resources be accessible to large numbers of users, may be widely distributed geographically, are regularly interconnected with outside entities, and are often handled by very complex, poorly understood subsystems and applications.
The exploitation of MOVEit vulnerabilities is just the latest in a long list of major application compromises, including attacks targeting Kaseya VSA, SolarWinds Orion, and Microsoft Exchange Server.
Conceptually, these compromises all begin with the attacker gaining a foothold in the application, whether by exploiting a flaw in the deployed product (MOVEit, Kaseya VSA, Exchange) or by corrupting the product before it ships (the trojanized SolarWinds Orion update). The attackers then identify targets, establish access, and put in place the control and data exfiltration mechanisms the operation requires.
Compromise activities and requirements vary with the target, application, and attack goals. Some ransomware attacks, for example, simply deny access to system information by encrypting stored data; an encryption process is required, but data exfiltration is not. The MOVEit campaign was the reverse: the attackers encrypted nothing and instead exfiltrated data and extorted the victims with the threat of publishing it.
Targeted applications are vulnerable in part because they tend to be very complex, highly integrated, provide many functions, and often exercise a great deal of system control.
Targeted applications are also typically very expensive to develop and market. Business realities often limit resources available for security testing and drive developers to provide as many features as possible.
MOVEit’s features, for example, encompass everything an organization might require to support file transfer and data management, including Secure File Transfer, Authentication and Authorization, Audit / Compliance, Encryption, and Threat Detection and Prevention. As a result, MOVEit also implements many key requirements of a successful cyberattack: an attacker who controls it inherits authenticated access to the data, the ability to read and package it, and a sanctioned channel for moving it out of the organization.
Integrating complex applications without detailed analysis, security impact review, and implementation of mitigating processes represents a systemic weakness in the industrywide approach to cybersecurity.
System architects, engineers, and administrators should analyze and review potential consequences of adopting any complex, feature-rich application. That analysis must address two basic questions: Does application implementation compromise cybersecurity’s “first-principles”? How are security issues best mitigated to limit the impact of any compromise?
Consider a single cybersecurity first-principle: segmentation. Segmentation divides networks and system resources into isolated, protected segments and attempts to limit the number of resources impacted by a potential compromise.
Segmentation supports granular security policies, uniquely addressing each asset’s requirements and minimizing the potential attack surface. It limits asset access and attempts to contain a compromise in a single segment.
By design, feature-rich applications like MOVEit cut across the boundaries segmentation is meant to enforce. Again, MOVEit functionality includes data management, file transfer, data encryption, authentication/authorization, and threat detection and prevention. As a result, a single application reaches assets across the system and exercises a great deal of control over them, so a compromise of that one application is not contained to one segment.
In developing security mitigation approaches, it is important to understand the goals. The industry understands cyberattacks and compromises will continue. Security mitigation should result in making system compromise as difficult as possible and significantly limiting the impact of any successful compromise.
Approaches include limiting access, simplifying and distributing functionality across multiple applications, and minimizing application control.
Consider data risk mitigation associated with data transfer. Prohibit MOVEit direct access to the system data; instead, run it under an account that can reach only a data buffer, a staging area holding nothing but the files approved for transfer. Transfer data is staged in the buffer by a less complex, perhaps stand-alone, application that is the only component permitted to read the authoritative data.
Instead of relying on MOVEit encryption functionality, encrypt the buffer data with an independent application, holding the key outside MOVEit, before providing MOVEit access. A compromised MOVEit then yields only ciphertext.
The correlation between complexity and cybersecurity vulnerability is well understood. Where possible, distribute functionality across many simple, well-understood applications. Constrain and restrict MOVEit control of data assets exclusively to the buffer data, and leave the staging and encryption tasks to other applications.
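The staging approach described above, as an added example that is not part of the original article or of the MOVEit product: a small stand-alone stager is the only process that reads the data root, confines requests to that root, encrypts each approved file with AES-256-GCM under a key the transfer application never holds, and drops the result into the buffer with group read-only permissions. The directory names, the file name, the fixed demo key and the sample CSV content are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Stager is the small stand-alone staging process the text proposes. It alone reads
// DataRoot; the transfer application gets read access to BufferDir only, never Key.
type Stager struct {
	DataRoot  string // authoritative system data, readable by the stager only
	BufferDir string // the one directory exposed to the transfer application
	Key       []byte // 32-byte AES-256 key kept outside the transfer application
}

// resolve confines a requested relative path to DataRoot and rejects traversal.
func (s *Stager) resolve(rel string) (string, error) {
	root, err := filepath.Abs(s.DataRoot)
	if err != nil {
		return "", err
	}
	p := filepath.Join(root, rel) // Join cleans ".." segments before we compare
	if !strings.HasPrefix(p, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("path %q escapes data root", rel)
	}
	return p, nil
}

// newGCM builds the AES-256-GCM AEAD used by both ends of the buffer.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Stage copies one approved file into the buffer as nonce || ciphertext || tag.
// The base file name is bound as associated data so a ciphertext cannot be
// renamed and passed off as another file. It returns the buffer path.
func (s *Stager) Stage(rel string) (string, error) {
	src, err := s.resolve(rel)
	if err != nil {
		return "", err
	}
	plain, err := os.ReadFile(src)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(s.Key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	name := filepath.Base(src)
	sealed := gcm.Seal(nonce, nonce, plain, []byte(name))
	out := filepath.Join(s.BufferDir, name+".enc")
	// 0640: the stager owns the file; the transfer service's group gets read only.
	if err := os.WriteFile(out, sealed, 0o640); err != nil {
		return "", err
	}
	return out, nil
}

// Unstage is the receiving side's counterpart, also run outside the transfer
// application. Any modification or renaming of the buffer file fails to open.
func Unstage(key []byte, path string) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns+gcm.Overhead() {
		return nil, errors.New("buffer file too short")
	}
	name := strings.TrimSuffix(filepath.Base(path), ".enc")
	return gcm.Open(nil, data[:ns], data[ns:], []byte(name))
}

func main() {
	// Constructed demo: temp dirs stand in for the data root and the buffer, and a
	// fixed key stands in for one held in a KMS or HSM.
	root, _ := os.MkdirTemp("", "data")
	buf, _ := os.MkdirTemp("", "buffer")
	_ = os.WriteFile(filepath.Join(root, "patients.csv"), []byte("id,name\n1,Ada\n"), 0o600)
	key := []byte(strings.Repeat("k", 32))
	s := &Stager{DataRoot: root, BufferDir: buf, Key: key}
	out, err := s.Stage("patients.csv")
	fmt.Println("staged:", out, err)
	_, err = s.Stage("../outside.txt")
	fmt.Println("traversal rejected:", err != nil)
}
```

In deployment the stager runs as its own user with the transfer service's account in the buffer directory's group, so the directory permissions, not the transfer application's own authorization logic, decide what it can read; the associated-data binding is there because a buffer the transfer service can write to is also one it could shuffle files around in.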
Systemic issues are restricting the industry’s ability to limit the impact of cyber compromises. Comprehensive analysis and risk mitigation can “harden” systems and limit the information a compromise exposes. The analysis must simply be done before adopting complex, feature-rich, third-party applications, not after the breach.
Mike Doyle is the chief technology officer at BCR Cyber.