Readers Write: The Vulnerability Few Anticipated

The Vulnerability Few Anticipated
By Darcy Corcoran

Darcy Corcoran, MBA is principal consultant for cybersecurity at CereCore of Nashville, TN.

This healthcare IT security organization takes their job seriously. They secure perimeters, restrict IP addresses from their network (even for IPs that falsify their country of origin), multifactor authenticate access, and protect administrative login credentials. Their access controls are mature and have proven reliable. They’ve thought of everything, right?

Then why were hired hackers able to find their way onto this organization’s network in less than four hours?

It started with something so simple, so seemingly innocuous – and so convenient for so many – that no one even questioned it until the day they learned why they should.

Patient Advocate Olivia wants the best for patients and diligently works to do her part to create great patient experiences. That’s why when she realized that patients needed to contact several departments in the hospital to schedule appointments, ask billing questions, and find out where to park for an imaging appointment, she asked to have a link to the employee directory added to the website. Website Manager Liam added the link right away because he, too, is devoted to patients and wants to make their journey easier.

Days later, he was pleased to see site analytics that showed a few uses of the link. An easy mission accomplished.

Soon after, IT Director Mary received findings of her team’s latest cybersecurity external threat assessment, which alerted her to a publicly available website resource that showed first names, last names, departments, and phone numbers for key employees of the hospital – the employee directory. She acted quickly to have the directory restricted from the website, and network monitoring tools verified that there was no related suspicious activity to investigate.

Why did Mary take such swift action? The information in an employee directory, while convenient for some use cases, contains everything a malicious actor needs to begin a small to large-scale attack by doing any of the following:

• Contact the IT helpdesk to reset a user password or redirect the multifactor authentication to the hacker’s phone number, enabling them to reset the account password manually and gain access to the network.
• Contact the IT helpdesk, impersonating a provider to social engineer information with the aim of figuring out the helpdesk authentication techniques and procedures to better defeat the authentication processes in the future.
• Gather employee lists and emails that allow the hacker to continue to harvest credentials to engage in password spraying and brute force attacks that would assist in gaining access to a user level account or privileged user account.
• Contact a patient as though they are a facility employee in need of personal health information for an upcoming appointment.
• Contact a patient as though they are a member of the facility’s billing department in need of credit card or other information to process a payment
• Contact employees in hopes they will divulge additional seemingly innocuous but powerful information when it’s in the wrong hands, such as email format and locations.
• Gain physical access to the facility.

The people and organization in this story are fictitious, but the vulnerability depicted is a common one. Stories like these help us appreciate how cunning malicious actors can be and how little they need to know to learn more and wreak havoc. It also demonstrates how protecting the organization is difficult and getting harder, given all of the potential vulnerabilities and the numerous gaps to address. Organizations where boards and stakeholders understand, support, fund, and do their part to defend have the best chance in an environment where hackers are looking for their next opportunity.