Hack of Banner systems highlights the need for more firewalls

Too many information systems in hospitals remain unprotected, and when they’re linked to a main network, overall vulnerability rises.


The cyber attack at Banner Health that provided access to the information of 3.7 million individuals is a wake-up call to other provider organizations because of how Banner’s information systems were accessed, says Derek Jones, a senior advisor at consulting firm Impact Advisors.

Last week, Banner Health reported that it had suffered a massive cyberattack potentially affecting patients, health plan members and beneficiaries, providers, and even those who bought food and beverages with a payment card.

In the incident, hackers hit a “limited” number of computer services as well as the computer systems that process food and beverage purchases. Phoenix-based Banner said the attack was discovered on July 13, and it believes hackers originally gained access on June 17.

Banner, on behalf of providers, is notifying the Drug Enforcement Agency and providers’ licensing boards.

Many hospitals have only a perimeter firewall, which protects traffic moving in and out of the core network, with no other firewalls protecting internal systems, says Jones. At Banner, the food and beverage system in the café that was used to ring up sales, often made with a credit or debit card, was attacked, and that opened the gate to the system’s network.

That’s why multiple firewalls across organizations—to the greatest extent possible, given available resources—need to be deployed, Jones advises.

“Layered security is important because we can’t trust the Internet of Things. All these devices that get plugged into the network, like security cameras, cash registers and biomedical devices, are a risk to our security,” Jones adds. “Network access makes it easier to use the devices, but we often forget they are mini-computers and must be protected. Since we can’t install antivirus and apply patches to these devices, isolating them and controlling access to them is our best method of securing them.”

That means putting a firewall on cash registers—which essentially operate as small computers—and other systems where protected health information is stored. Typically, a food service vendor comes into a hospital, installs registers, plugs them into the network, and the IT department may not even know it.

Jones further counsels that hospitals use Cisco software to automate anti-virus and system updates, including all the personal firewalls that are part of the computers that all employees use.

“Windows comes with a built-in firewall, and people think that is adequate, so they don’t add more advanced software with better scanning and reporting features,” Jones says. A more sophisticated firewall will remove the Windows firewall, which does not permit a network administrator to know that security holes have been opened by malware on a computer, or that an employee is installing a game on their computer, which could be infected with malware.

Consequently, “inside protection” firewalls can separate areas of the business from each other and keep problems in one area from spreading to the rest of the business.
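To make the idea of internal separation concrete, the following added example (not part of the original article) audits observed traffic against a default-deny zone-to-zone allowlist of the kind an internal firewall would enforce. The zone names, subnets, ports and flow records are all constructed assumptions for illustration, not details of Banner's network.

```python
import ipaddress

# Constructed zones and subnets (assumptions for illustration only).
ZONES = {
    "pos":       ipaddress.ip_network("10.20.0.0/24"),  # cafe cash registers
    "biomed":    ipaddress.ip_network("10.30.0.0/24"),  # biomedical devices
    "volunteer": ipaddress.ip_network("10.50.0.0/24"),  # volunteer workstations
    "clinical":  ipaddress.ip_network("10.10.0.0/16"),  # systems holding PHI
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Default deny: only these (source zone, destination zone, port) flows may
# cross a zone boundary. Entries are constructed examples.
ALLOWED = {
    ("pos", "internet", 443),      # registers reach the card processor only
    ("biomed", "clinical", 2575),  # device data feed into clinical systems
}

def zone_of(ip):
    """Map an address to its zone; internal but unassigned is 'unzoned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned" if addr in INTERNAL else "internet"

def audit(flows):
    """Return (src_zone, dst_zone, port) for each flow the policy denies."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # traffic inside one zone never crosses the firewall
        if (sz, dz, port) not in ALLOWED:
            violations.append((sz, dz, port))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.10", 443),  # register to card processor
    ("10.20.0.15", "10.10.4.20", 1433),   # register to a clinical database
    ("10.50.0.7", "10.10.4.20", 445),     # volunteer PC to a clinical share
    ("10.30.0.9", "10.10.8.5", 2575),     # biomedical device data feed
    ("10.99.1.1", "10.10.4.20", 3389),    # device IT never assigned a zone
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("denied by policy: %s -> %s port %d" % v)
```

The "unzoned" result is the case the article warns about: a device plugged into the network without IT's knowledge shows up as internal traffic that belongs to no approved zone.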

Volunteer work areas are another significant vulnerability, according to Jones. Volunteers need workstations, which are often on the network but typically unprotected, so access to a volunteer’s computer also can take a hacker anywhere in the organization.

Another danger is that an attacker doesn’t even need to get inside the building to do damage. “Hackers can sit outside your office and connect to your Wi-Fi, or borrow an empty conference room and just plug in” to an Ethernet port, Jones asserts.

Jones also suggests using “border protection,” which is a firewall separating the corporate network from the Internet. The firewall fends off outside attacks and controls which users and servers can access the public Internet.

Finally, the IT department needs to look at all devices it does not control and consider getting them isolated or at least updated, Jones says.
