Which Gaps Did Log4j Expose in Your Cybersecurity Governance?

by Eva Lorenz

Everyone has an “Oops, I can’t believe I did that” story. Operating room assistants have tales of sponges that were left in patients; surgeons have related stories using different tools. 

Let’s face it. Accidents happen. Sometimes there is no effect. Other times, a sponge changes a patient’s life. And the secret? Years can pass before it becomes a real problem. 

Today, developers have their oops story. In the fast-paced world of getting software to market, they built the Log4j logging library into many Java code bases, and have been doing so since 2015!

Embarrassment for them. Terror for healthcare, especially since Log4j is in many of the medical devices we use daily. Those little Internet of Medical Things (IoMT) solutions connecting devices to each other are our next nightmare. 

Log4j exposes business associates who collect payments and manage insurance claims. That exposes patients both physically and financially. The time is here for everyone to build or contract a team of experts. 

That “Oops” story becomes a “Yikes” story, doesn’t it? 

What To Do? 

The Department of Health and Human Services (HHS) is sending sector alerts. The National Institute of Standards and Technology (NIST) is tracking issues. Somehow, there is a new expectation that healthcare workers figure out whether their devices have this minor component inside their code and fix it—even if they do not have an IT department.

Companies thought, because they are in the cloud, they were safe. They are not. Others thought because their applications have the backing of Big Tech like Microsoft, they were safe. They are not. 

For example, Microsoft did not write its cloud solution, Azure, in Java. Since Log4j is Java-based, people assumed they were safe, but they are not.

To supply advanced data search features that speed up response, Microsoft integrated Elasticsearch, a third-party search engine written in Java.

So, even cloud solutions supplied by the best companies are vulnerable. 

To protect your data, there is only one way—your governance policy. It needs to be built with operational Key Performance Indicators (KPIs) and managed by folks who breathe cybersecurity every day. 

Governance: What to consider?  

Governance management is easy, especially if you design it well. It depends on three pillars based on the “Secure | Reliable | Resilient” Test. 

Good governance policy creates best practices such as segmentation—a process that confines an intruder to one small zone holding one distinct type of data. Without segmentation, you will not be resilient.

Policy covers vendors who manufacture IoT devices used by networks and applications. Without attention to all the pieces of healthcare data, you cannot claim you are reliable. 

Finally, being ready to address acts like ransomware is the third pillar: Are we secure? 

Ransomware has come of age alongside sophisticated email and texting. Phishing is now a sport for hackers. They want to brag about how well they mimicked a sender’s address, or how easy it was to write persuasive copy that creates enough urgency for an unsuspecting employee to click the link and let in the hacker’s malware.

That urgency tempts harried workers to forget the first rule of managing their responses: “Is this urgent?”

Too many times people, thinking they must answer all their emails quickly, forget that healthcare urgency works in only one direction – “If urgent, call; don’t click!” That simple action, and an environment that encourages employees to adopt it, saves millions of dollars and years of patient pain and suffering.

Is there something that will make this easier? According to Executive Order (EO) 14028 there is. 

The Biden EO has directed NIST to create a zero-trust architecture, define what critical software is, and explain how to evaluate it. 

Among several components, the order recognizes the growth of IoT as both an opportunity for advancement and a challenge to secure. Healthcare and payments depend on IoT. 

Executive Order 14028 and Healthcare IoMT Governance 

The Executive Order (EO) states that NIST must align IoT critical components to a product safety program and include well-defined criteria for using it. Biden expects the creation of new contract language about information sharing, and concise standards to close backdoors to bad actors.

Karen Evans, former CIO of the Department of Homeland Security, sees the new software bill of materials as a key to bringing the cyber-hacker out where we can see him. 

She believes that this executive order applies the lessons learned from the SolarWinds attack. She agrees it is going to be hard for vendors to respond fast enough, but they will have clear definitions of critical software. If they hope to sell their software, they will need to go through the scrutiny of obtaining a required certification status.

For Tony Scott, former CIO of Microsoft and former US CIO, the key is the creation of the review board. He knows we need a board to scale up, recommend and investigate, just as the NTSB (National Transportation Safety Board) has done since 1926. He is glad to see a directive for a structure of both government and civilian members. For him, this will help us understand cybersecurity at scale.

Both Evans and Scott agree that EO 14028 is a prescriptive order for agencies so that the country can bring their guidelines and frameworks together. It especially ties together the new roles and responsibilities of a CISO. 

In terms of Governance Policy, the expectation of IoMT certification will be a tremendous help. Just as the CSA mark means a product has been tested against applicable North American standards requirements, so too will the cybersecurity certification seal mean we can trust an IoMT device to encrypt data in transit.

Further, certification will mean a non-compliant manufacturer will face product liability for failures.

Finally, certification will mean there is a federal standard protecting patients and doctors from marketing campaigns for non-certified equipment, reducing risk and influencing insurance costs. 

Good governance policy separates what is convenient from what is needed. 

Digital Health in 2022 

Everyone still needs to up their game in 2022. 

While the FDA is working towards regulating devices, it is difficult. Their Medical Device Action Plan says the FDA “regulates over 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide.” 

That sounds good and should inspire hope, but it cannot. While we can’t tie SKUs to patents, we know that there were already 3.2 million devices deployed last year and by 2026 there will be 7 million.  

Currently, 456 million patients worldwide use IoMT devices to monitor sleep, cardiac rhythms, and diabetes, among others, whether they are worn or implanted. 

The annual growth rate is 16.8%. If we have another WannaCry attack in 2026, it will affect 115.7 million people. 

For over 15 years, the FDA has faced its own erosion. It can’t stay on top of this. We are living in a catch-up country which needs to pull Biden’s Executive Order on Cybersecurity out of politics and into public health. 

Nor will it be easy to deal with the healthcare fall-out from the huge cluster of millennials who have relied on these devices, let alone the rest of the population who are striving to support or improve their health as they age.

There is a great deal of work to be done. 

The Agio Recommendation for Healthcare 

Our preferred approach comes from the data gathered by our own Carrie Bowers, Director of Agio’s Extended Detection and Response. This is what we know puts the real teeth into Governance Policy. 

For clients who use our cybersecurity services as a stand-alone offering, risk increases. When a client wants stand-alone services and we don’t manage their IT, Carrie knows it means her team will join with others in a war-room setting where other vendors, IT personnel, and external leadership will each have roles fraught with natural delays.

In that virtual war-room we will wait for others to report results. The risk of a breach increases with every delayed report. External authorization that is not immediately forthcoming gives a hacker time to pick the locks.

Clients who separate managed IT services from active cybersecurity increase exposure time to an average of 5 days. 

Risk Shrinks When Clients Combine Services. 

Combining managed IT and cybersecurity services simplifies active monitoring and becomes the binding glue that reduces risk. Our operations center reduces risk because it generates real-time alerts for engineers who step up and create internal teams to resolve incidents.

In less than 24 hours on average, engineers trap and defuse incidents—there is no wait for another vendor to find their playbook, make contact, write emails, etc. Specialists and analysts apply Agio standards and best practices to find configuration changes, server changes, IP intrusion attempts, user spoofs, and various access changes in every system within the umbrella.

Clients who combine managed IT services with active cybersecurity decrease exposure time from 5 to only 1 day. 

Why Is That So? 

Carrie attributes this difference to several things, but the two biggest are staff skill levels that all meet the Agio standard, and continuous monitoring with active, well-tested “block and tackle” playbooks aligned to a governance policy that executives manage with the input of our specialists.

As a client’s virtual CISO, we are at the table with them to write their governance policy.  

Agio’s strategy—to augment human brilliance with predictive intelligence—is how we deliver secure, fast, and reliable cybersecurity support to clients 24x7x365. Talk to us, we can help.