In 2018, health system Sentara Healthcare adopted a consumerization and digital transformation strategy – a top organizational goal. Patients today are skilled at using technology for accessing numerous retail services – and now use their mobile phones for self-diagnosis and to seek healthcare services.
“The good news is that telehealth adoption, home health, wearables and fitness apps are exploding,” said Dan Bowden, CISO at Sentara Healthcare. “The challenge for longstanding health systems [appears in the form of] the new, asymmetric competitors who specialize in hooking consumers to their platforms. These companies believe they can provide healthcare, too.”
The proliferation of apps, devices and data will become overwhelming very soon, he added, and every CISO will say that more apps, devices and data mean more threat surface to manage.
“The 24/7 connected culture we live in adds to the challenge,” he noted. “The great news for Sentara is that our new digital platforms with telehealth services were a huge win for our patients when the COVID-19 pandemic started. But the massive-scale cyberattacks in healthcare at the end of 2020 have been a sobering reminder that managing threats to our digital assets becomes even more important.”
As CISO, it’s Bowden’s job to make sure that Sentara innovates and matures its security services in step with the organization’s digital transformation journey. Not only is it assumed the CISO’s team is developing and releasing secure systems, it is hoped that they do not “get in the way” of progress and speed to market.
“This is the real trick,” Bowden said. “It’s not hard to develop security strategies, but it often means restricting the systems and development in some way. My focus has been to not only secure the systems, providing efficacy of the security, but [also keep] the integration and delivery pace in step with the organization’s ambitious plans.”
Sentara’s digital transformation strategy relies heavily on public cloud, application migrations, web apps and new APIs. Securing the web apps and protecting the Internet-facing assets are among the CISO’s biggest challenges.
“When using public cloud for your developed web applications and core infrastructure, the first thing to understand is the division of responsibilities among your organization, the cloud platform vendor and any application vendors involved,” Bowden explained. “Many people assume that the web-app security is handled by the cloud-platform provider. The first reality you need to know is that this is not the case.”
A healthcare organization will be running a shared-governance model where the cloud provider will be responsible for securing and patching their environment, he said. But the apps the organization or third parties develop, or those legacy apps lifted to the cloud, are the healthcare organization’s responsibility. A cloud environment will not fix application flaws. Therefore, application-vulnerability testing and remediation are the healthcare organization’s problems.
“The second thing we think about for web apps is WAF – web-app-firewalls,” Bowden noted. “These are a critical layer of defense, as their role is to detect incoming bad traffic and block it. However, WAFs are notorious for being hard to tune, and post-implementation their configurations age. They start to disrupt legitimate traffic, and most WAF installations become ineffective and degraded within the first year.”
A primary concern for the CISO is hiring large teams of developers they do not know, who are writing code faster than ever before. Although the CISO has complete trust in those teams, this is new territory for the business, and therefore a new risk domain, Bowden said.
“When presenting the identified risk to the executive team, I had to be clear on two risks that I felt needed to be addressed,” he said. “First, what is the likelihood of us patching every Internet-facing system, always? And second, what is the likelihood of us developing perfect code without a single bug?
“The history of software and the Internet tells us that it’s almost guaranteed that at some point we, or one of our vendors and third parties, will have a bug discovered in their code. Code that may be declared secure today can have a new vulnerability discovered in it tomorrow,” he continued. “Therefore, at some point it is almost certain that we will have a vulnerability in our systems.”
In the healthcare-system sector, CISOs discuss nearly all risks in terms of likelihood and impact, whether the risk is to patients or to electronic resources, he added.
“In early 2018, our trusted advisors at Virtis showed us a new innovation from one of their strategic partners, RedShield,” he recalled. “RedShield has been developed over years by a team of pen-testers and security researchers as a solution to the growing WAF problem. The WAF problem is that, despite a multi-billion-dollar WAF market, there are millions of vulnerabilities exposed on the Internet, and breaches are on the rise.”
Blocking bad traffic does not resolve the vulnerability problem. RedShield’s proposal was to provide Sentara with both the knowledge and capability to keep the healthcare organization’s web apps vulnerability-free forever.
“What interested me was that they have a blend of truly unique technology, wrapped in an expert service,” Bowden explained. “Their tech takes WAF to another level. They do initially block attacks and bad traffic heading to our web apps, just like a WAF, but then add a fully programmable layer where they can insert fully functional code in front of the apps.”
So the technology not only blocks bad requests, but also modifies requests and responses and even adds new functionality, all to remediate discovered security flaws, he added.
“They openly take the challenge to shield any web app or API vulnerability to the point where it is undiscoverable and/or unexploitable,” he said. “What I really loved, however, was not just the technical capability. What I wanted was the managed service component. We’d built up our dev and cloud teams at Sentara, but we didn’t have the scale or experience in the team to run deep and complex web-app security tools, too.”
RedShield’s offering was to wrap their whole system in a measurable, outcome-driven way, he added.
“The proposal was that we would put RedShield in-path, in front of the apps, and RedShield could block or modify any inbound requests or outbound responses,” he explained. “Beyond that we, and they, would perform ongoing pen-testing and vulnerability scanning, and RedShield would shield all discovered vulnerabilities.”
It is this last point that was the winner for Bowden. RedShield already had a library of thousands of shields, and the ability to create any new shields Sentara needed. But it was RedShield that created, tested, checked and monitored the shields. From Bowden’s perspective, it immediately gave the Sentara team a choice: as soon as a vulnerability is discovered, Sentara can decide whether to fix it in code or shield it.
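As an added illustration, not RedShield’s or Sentara’s code, the in-path shielding described above can be modelled as a small Python WSGI middleware: a constructed stand-in for a legacy app with no available source (it reflects a parameter into HTML unescaped and leaks a version header) is wrapped by a shield that blocks inbound requests that would reach the reported flaw and rewrites outbound responses, while a code fix is still pending. The app, parameter names and shield rules are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

def legacy_app(environ, start_response):
    """Constructed stand-in for a legacy app with no available source. Findings:
    it reflects 'name' into HTML unescaped and leaks its framework version."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    name = qs.get("name", ["guest"])[0]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Powered-By", "LegacyFramework/1.2")])
    return [f"<p>Hello {name}</p>".encode()]

# Shield rules (assumed, per finding): allow only a conservative character set
# in 'name' so the unescaped reflection can no longer carry markup, strip
# headers that disclose the stack, and add a hardening header to every response.
SAFE_NAME = re.compile(r"^[A-Za-z0-9 ._-]{0,40}$")
STRIP_HEADERS = {"x-powered-by", "server"}
ADD_HEADERS = [("X-Content-Type-Options", "nosniff")]
BLOCKED_EVENTS = []  # what the shield blocked, for SOC visibility and retests

def shield(app):
    """Wrap a WSGI app so every inbound request and outbound response passes
    through the shield; the app itself is left untouched."""
    def shielded(environ, start_response):
        qs = parse_qs(environ.get("QUERY_STRING", ""))
        for value in qs.get("name", []):
            if not SAFE_NAME.match(value):
                # Block before the request reaches the vulnerable code path.
                BLOCKED_EVENTS.append(("name", value))
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"request blocked by shield\n"]
        def filtered_start(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() not in STRIP_HEADERS]
            return start_response(status, kept + ADD_HEADERS, exc_info)
        return app(environ, filtered_start)
    return shielded

def run(app, query_string):
    """Invoke a WSGI app in-process; returns (status, headers, body) for checks."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()

if __name__ == "__main__":
    print(run(legacy_app, "name=<b>x</b>"))           # finding is reachable
    print(run(shield(legacy_app), "name=<b>x</b>"))   # blocked by the shield
    print(run(shield(legacy_app), "name=Alice"))      # legitimate traffic passes
```

The same wrapper pattern is how a new rule is added per finding from a scan or pen-test, and how the finding is retested: the unshielded call should still reproduce it, the shielded call should not.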
MEETING THE CHALLENGE
Sentara Healthcare started using RedShield on just a few of its newly developed apps and a few outsource-hosted apps.
“It was great for the security team to know we had a fast path to vulnerability remediation so we could discover, shield and retest vulnerabilities,” Bowden said. “At first, the development team was skeptical, as their desire, quite correctly, is to always fix the code. However, it became obvious very quickly that many of the apps we would be moving to the cloud were not newly developed apps with active CI/CD pipelines.”
Sentara’s cloud provider is Microsoft. Much of Sentara’s work was to migrate legacy and third-party apps to Microsoft Azure, or to open up APIs in legacy apps so they could communicate and interact with the new cloud-based apps.
“We very quickly ran into the time-old problem where no one wants to pen-test their old legacy or third-party apps, as there is no easy or clear path to remediation,” Bowden said. “However, we had to test these apps, as patient safety and privacy must be managed. This is where RedShield started to really shine.”
Sentara would start feeding RedShield vulnerabilities from its scanning tools and pen-tests on apps the team did not have source code for, and the vulnerabilities would vanish through shielding.
“We quickly moved from ‘shield our priority, risky apps’ to the model that we have today, which is ‘nothing is published or moved to the cloud unless it’s shielded,’” he said. “Even if an app doesn’t present with a discoverable vulnerability today, we know that one day it will, and when that happens, we know we can respond quicker with a shield while we work on a code fix or patch behind the scenes.”
From an integration perspective, it has been easy, he added, to feed RedShield vulnerabilities. “Sentara is a big Tenable user and, as a result, can feed RedShield raw Tenable scan results as input,” he said. “They shield and we retest. It’s that simple.”
The two most critical results for Sentara have been the efficiency and speed of cloud migration and the external-facing security posture achieved.
“Speaking to our team at Microsoft, they said Sentara has been one of the most sophisticated adopters of Azure in the U.S. healthcare sector,” Bowden reported. “That is a huge result for us, and speaks to one of my primary goals as CISO, which was to get out of the way and not slow us down with draconian security.”
One of Sentara’s key wins has been its ability to shield not only newly developed apps, but also legacy and third-party apps.
“If we didn’t have shielding with RedShield as an option, I’m sure we would have delayed our digital transformation several times over, and would have been in that all too common space where as a business you have to make risk-acceptance choices, balancing the severity and likelihood of a security flaw being exploited against the business value of the system,” Bowden stated.
“With RedShield, we avoided that problem by shielding every vulnerability, while we then decided if and how to fix,” he continued. “This process has been instrumental in our seamless move to the cloud and digital-transformation program. We now don’t move anything to the cloud without shielding it.”
The other measures for any CISO are the security metrics and target benchmarks.
“This is where one example is our RiskRecon score, which has several measures of scoring based on our Internet-facing perimeter,” Bowden explained. “At the start of our program of work, we had a middle-of-the-road score for U.S. healthcare, which I desperately wanted us to improve. By using RedShield for our digital transformation and cloud migration, we now have one of the best RiskRecon scores in U.S. healthcare.”
To be able to achieve speed, ease of use, ongoing management and a high level of effectiveness is what every CISO strives for, he added.
ADVICE FOR OTHERS
“As healthcare CISOs, we have such a broad scope of responsibility and such a wide surface area of technology,” Bowden observed. “We’re looking at the security of medical devices in our facilities that now are all Internet-connected. We have compliance requirements for HIPAA, digital transformation goals, remote working, remote diagnosis and remote patient management.”
COVID-19 drastically shifted expectations about delivering at speed and scale while still preserving security, he added.
“We can’t be experts in everything and risk falling prey to tool overload,” he said. “In my career, and I’d say this is the same for many CISOs, you end up with so many security tools, apps, systems and hardware that it’s almost impossible to know which are actually needed, working and effective. There are tools for user management, device management, system management, cloud security, app security, threat hunting, security event monitoring – I could go on forever.”
Security is no longer a tool problem, Bowden stated.
“Just walk for an hour on the floor at RSA and you’ll see that the world isn’t short of cybersecurity tools,” he said. “What we are missing are the people and processes able to implement, set up and configure the tools. Then, keeping those tools tuned, relevant, managed and measurably effective. So my advice to all CISOs looking at their accelerated and urgent business drivers of work is to use the existing risk frameworks and work with the business to understand what is required from the security program.”
It may be device management, remote-user management or Internet-perimeter security, he noted. For each portfolio, as soon as tools are being evaluated, decide how their effectiveness will be measured, and then look for the tools, processes and people that make those outcomes happen.
“For me, moving apps to the cloud like never before, I didn’t want just a vulnerability scanner and a WAF tool. I wanted ‘measurably vulnerability-free perimeter at speed,’” he concluded. “Being able to engage a vendor with the knowledge, capability and clear measures of outcome and success has been so important to the success.”