Three weeks into 2018 we’ve already seen a healthcare system hacked. Hancock Health in Greenville, Indiana was hacked and ransomware installed on computer systems, locking critical files. The hospital ultimately agreed to pay the ransom (four Bitcoins), worth about $55,000.
How did the hackers do it? According to numerous news reports, the hackers gained access to the system by using the hospital’s remote-access portal, logging in with an outside vendor’s username and password. Read that again. The hospital system was compromised through a remote-access portal using a vendor’s username and password.
Why does this matter?
So, back to the original question. What does the Hancock Health hack tell us about remote vendor access? Just because your front door is secure doesn’t mean your back door is secure. In some recent research we conducted (and will share down the road), we found that many of our enterprise customers have maybe 20-50 employees with privileged access – but anywhere from 100 – 1,000 outside vendor reps that have some sort of remote access. Third-party remote access is a huge challenge that many organizations need to manage but don’t know how, and it is the back door into an organization – which creates problems for both the enterprise organization and the vendor.
Here are some numbers to put the Hancock Health hack in perspective. From a recent study by Ponemon Institute in 2017, 56 percent of respondents had experienced a third-party data breach — in simpler terms, more than 1 in 2. Another study shows that 63 percent of all data breaches can be attributed to a third-party vendor.
For healthcare organizations, in particular, the bullseye is even bigger. Another study by Trustwave shows that the value of healthcare data on the black market can be 50X more valuable than credit card data, painting a huge target on hospitals and other healthcare systems. In other words, this type of hack is going to happen again. And again. And again. Unless organizations and vendors both look to address the back-door issue of third-party remote access.
So, what can be done?
Hancock Health was, in many ways, lucky that no patient data was stolen. But it also points to the fact that hacking can be done by just about anyone just about anywhere – it’s mainstream. More sophisticated hackers might have stolen patient data, held the hospital to greater ransom, and wreaked even more havoc.
It’s imperative organizations look at ways to mitigate this type of situation. One place to start is looking at third-party access policies:
- Catalog ALL third-party technology vendors that require remote access to your
network. A surprising number of organizations lack a list of users, often with “anytime” access to privileged accounts.
- Tier your systems and vendors. Look at your current roster of vendors and determine which are the highest priority and which pose the greatest risk. Create different levels of access and accountability requirements that reduce risk and make vendor access easier to manage.
- Educate employees about security and phishing attacks, use 2-factor authentication, enforce reasonable password rules, and keep your software updated.
If you’re an organization that manages multiple vendors, read our 2018 Predictions for Enterprises whitepaper to get a deeper look at actions you can take to eliminate third-party remote access vulnerabilities. If you’re a vendor supporting organizations like Hancock Health, read our 2018 Predictions for Technology Vendors to see what you can do to reduce your exposure.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.