Securing Healthcare Data: Protecting Mainframes During COVID and Beyond
By Matt Phillion
Even pre-pandemic, hospitals were prime targets for hackers and other online threats. That condition has only grown worse over the past 18 months, with vaccine infrastructure becoming a tempting target for bad actors in addition to hospital systems’ continuing vulnerability to ransomware attacks.
Hospitals and other healthcare organizations must look for new ways to secure their data, but one area in their IT infrastructure is often overlooked: mainframe security. Ray Overby, co-founder and CTO of Key Resources, Inc., says that while the current healthcare environment has brought attention to the cybersecurity threats facing healthcare organizations, mainframes still fly under the radar. Mainframes are used to manage sensitive patient information, which means their security should be a top priority when it comes to staying compliant with HIPAA and other data regulators.
The challenges surrounding healthcare organization mainframes aren’t new, Overby says. They’re the same old problems, amplified and left unaddressed.
An overlooked part of the system
“Most of the people who look after mainframes these days are not experienced mainframe people,” says Overby. Moreover, there’s a pervading belief that mainframes can be managed with fewer people and less investment, which is not the case, he says.
“Every computer system requires due diligence,” says Overby. “You can’t be proactive about protecting your mainframe if you’re waiting for the phone to ring—you’re already behind the curve. And you’re only as secure as your weakest link.”
It only takes one weak link to open a window into your network, he says. Once that happens, it’s only a matter of time before hackers can get access to all kinds of things, including the mainframe.
“I stress to people all the time that you have to be proactive. One of the things I do is vulnerability analysis, looking for configuration vulnerabilities, if your security is out of date, and I look at the status of your patch management,” says Overby.
It’s a matter of asking the right questions: is the system configured properly? Has it been changed, either accidentally or maliciously? The system needs to be scanned continuously for new vulnerabilities or active threats.
“We talk about how the mainframe has integrity, and what we’re talking about is the controls, ensuring that they can’t be bypassed by end users,” says Overby. “Ensuring not just anyone can go into the root and manage those systems.”
One of the challenges with mainframe security, however, is that it’s not often publicly discussed because of privacy concerns. “The mainframe industry doesn’t report vulnerabilities,” says Overby. “The stuff I do, you never see it on the 5 o’clock news. But mainframes have vulnerabilities just like everything else.”
CISOs and C-level executives need to understand exactly what is required in terms of addressing those vulnerabilities. For example, Overby notes, they should realize the importance of a mainframe architect. “I run into major organizations who do not have a mainframe architect, or it’s a part-time job,” he says. “They often see it as a job where there’s not enough to do. And that only happens if you’re not doing your due diligence.”
Changes to the IT environment are happening faster and faster, with ever more fundamental security impacts. And yet mainframes aren’t mentioned in many organizations’ conversations about cybersecurity.
“If you used an ATM today, that transaction ran on a mainframe,” says Overby. “It does impact the overall system. It only takes one integrity vulnerability to compromise the entire box. Once [an attacker] is in that box, it doesn’t matter what the firewall is doing. Everything is interconnected.”
Everyone looks at the mainframe like a castle with a moat, he says. When talking to C-level executives, he may even hear about a policy to patch the mainframe software as little as possible.
Secrecy within the industry means that discretion prevents talking about successes in mainframe security as well. “It’s word of mouth,” says Overby. “The publicity side of it is really a disadvantage and creates an uphill battle for those trying to educate people.”
It’s not uncommon, Overby says, for organizations to strive simply to be more secure than the nearest competition in the hopes that hackers will go after them instead. “It’s a bad business practice. It’s not a matter of if, but when something happens,” says Overby. “Anyone with an internet presence is being attacked every day.”
Improving mainframe security
So how do we convince healthcare organizations to protect their mainframes and invest the necessary people and money into keeping them secure? In part, Overby says, the answer is education: overcoming the issue’s lack of publicity to get in front of the right executives, presenting them with the right scenarios and data to make them aware of the risks of overlooking their mainframes.
Once you’ve started down the road of better security, it will be important to improve configuration management and compliance checks, Overby says. “The mainframe environment is complicated as it is. It requires automated processes,” he says. “You have to get to a place where you can run compliance checks often enough to get it to that proactive state. I talk to security professionals all the time, and I tell them you’ve got to assume the bad guys are in your network today.”
Of particular concern, he notes, is excessive access. “How can you protect something like client data if you don’t know who has access and you can’t keep track of it?” says Overby. “Part of excessive access is managing that, but you also need to have an understanding of who is supposed to have what level of access—who has been provisioned for access versus what access you think they should have.”
Policy and procedure should also grant access only to the people who absolutely need it, and only for defined purposes, Overby says.
KRI conducted a survey with Forester asking C-level executives responsible for making decisions about mainframes whether they involved security in those decisions. “Almost 70% said yes, security is involved, no brainer,” says Overby. “But [in terms of] how many people in this survey asked the mainframe people about decisions that affect the mainframe, 15% said they do. It didn’t make any sense. But part of the problem is they don’t have a mainframe security architect in the first place.”
Overby has found that often, the security architect for the mainframe is on the operations side of the equation, and so the prevailing philosophy is “if it’s not broke, don’t fix it.” But that’s not appropriate—a security architect needs to be an innovator of change.
However, the “conspiracy of silence,” as Overby calls it, both prevents the industry from talking about hacks when they occur and puts organizations in a tough spot when trying to proactively defend their mainframes.
Overall, the key is to perform due diligence on your mainframes, Overby says. “Do your job, be proactive, invest in the right tools, and make sure you have the right people,” he says.
It’s likely an organization is not looking at excessive access and other proactive measures to keep the mainframes safe, which should be done now.
“Attackers are getting in through the IP node in the refrigerator in the break room,” says Overby. “As we get more connected, it gets more difficult for security teams to keep up.”
The industry also needs to move past old beliefs about mainframe security. “Many CISOs honestly believe that mainframes are inherently secure and that they don’t have the vulnerabilities of other environments,” says Overby. “It is the most securable environment, but it’s being attacked every day. Don’t wait for the phone call.”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at matthew.phillion@gmail.com.