The Unexpected Consequences of Security: Why Hospitals Need to Practice Failing
The relentless push for cybersecurity in healthcare, while undeniably crucial, is creating a paradox. As hospitals fortify their defenses against increasingly sophisticated attacks, they also risk introducing new exposures that stem not from careless engineering but from the very real pressures of delivering life-saving care. The recent revelation that a hospital taking part in a routine “red teaming” exercise, a simulated cyberattack, found itself confronting the prospect of shutting off its own internet access illustrates this tension. It wasn’t a breach that exposed the flaw, but the response to a simulated one. The incident, recounted by Pieter Ceelen, product owner for Cobalt Strike and Outflank at Fortra, isn’t a cautionary tale about inadequate security; it is a warning about the operational realities of security in a field where downtime isn’t an option.
Red teaming, as Ceelen explains, is fundamentally a “sparring match”: a controlled assault by ethical hackers designed to expose weaknesses in an organization’s defenses. Unlike vulnerability scans, which enumerate known flaws, red teams mimic the tactics of real attackers, from targeted phishing emails to evasion techniques built with tooling such as Outflank Security Tooling. The value lies less in the list of vulnerabilities found than in observing how the organization reacts under pressure. What many outside the security world don’t appreciate is how often these exercises show that existing security procedures, while logically sound, have never actually been run. The hospital in question had a plan to disconnect from the internet in a crisis, but no established procedure for actually doing it and, crucially, no understanding of the cascading effects on patient care. That is not negligence; it is a consequence of prioritizing continuous operation in an environment where even seconds of downtime can be devastating.
Original reporting: healthcareitnews.com.
The incident underscores a critical point: detection and response often fall short not because the tooling is inadequate, but because a determined adversary treats every control as an obstacle to route around. As Ceelen points out, security measures are merely “barriers” to such an attacker. Red teaming forces organizations to confront this, surfacing the risky workarounds, such as shared passwords or simplified logins, that appear when staff must choose between security and speed. The problem is acute in healthcare, where clinicians routinely perform time-critical tasks; complex passwords and multi-factor authentication, best practice in most industries, can be impractical when every second counts. The result, as the source material details, is often poor credential hygiene, which attackers readily exploit. The practical lesson is not that strong authentication is wrong for hospitals, but that a control clinicians route around protects nothing: the mechanism has to fit the workflow it guards.
Beyond network security and credential management, legacy systems pose a significant and often overlooked risk. Medical devices such as MRI scanners, with long service lives and complex embedded software, frequently fall outside standard corporate security processes. Vital for diagnosis and treatment, these machines may never receive security patches, which makes them attractive targets. Red team exercises can establish whether such “internet of medical things” (IoMT) devices are genuinely isolated from the rest of the network, and what an attacker could reach from one if it were compromised. This is not hypothetical: a compromised MRI scanner could disrupt hospital operations and potentially endanger patients. Where a device cannot be patched, segmentation and monitoring become the compensating controls, and the challenge becomes balancing the need for updates against the risk of disrupting critical medical services.
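“Properly isolated” is a claim that can be tested rather than asserted. The following is an added example, not code from the article, from Ceelen, or from Fortra/Outflank: it checks a handful of flow records against two segmentation rules for a hypothetical IoMT segment (only approved clinical systems may initiate connections into it; devices in it never reach the internet directly). The address ranges, host roles and flow records are constructed for illustration; a real run would read a NetFlow or Zeek conn.log export instead of the inline string.

```python
"""Is the IoMT segment actually isolated? A flow-record check.

Added example: not code from the article, from Pieter Ceelen, or from
Fortra/Outflank. The segment ranges, host roles and flow records below are
constructed for illustration; a real check would read a NetFlow or Zeek
conn.log export instead of the inline string.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumed, not from the article).
IOMT_SEGMENT = ipaddress.ip_network("10.60.0.0/16")   # MRI, CT, infusion pumps ...
# Hosts that legitimately initiate connections to modalities.
ALLOWED_INITIATORS = {
    ipaddress.ip_address("10.20.1.10"): "pacs-01",          # image archive
    ipaddress.ip_address("10.20.1.11"): "ris-worklist",     # DICOM modality worklist
    ipaddress.ip_address("10.90.5.5"):  "vendor-jumphost",  # brokered remote support
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str    # "lateral_inbound" or "direct_egress"
    src: str
    dst: str
    dport: int


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def parse_flows(text):
    """Parse 'src,dst,dport' records; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport = (field.strip() for field in line.split(","))
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def check_isolation(flows):
    """Two policy rules a segmented IoMT network should satisfy."""
    findings = []
    for src, dst, dport in flows:
        # Rule 1: only approved clinical systems may initiate connections into the segment.
        if dst in IOMT_SEGMENT and src not in IOMT_SEGMENT and src not in ALLOWED_INITIATORS:
            findings.append(Finding("lateral_inbound", str(src), str(dst), dport))
        # Rule 2: modalities never talk to the internet directly (vendor telemetry goes via a proxy).
        if src in IOMT_SEGMENT and not is_internal(dst):
            findings.append(Finding("direct_egress", str(src), str(dst), dport))
    return findings


# Constructed sample: five flows, two of which violate the policy.
SAMPLE_FLOWS = """
10.20.1.10,10.60.3.21,104     # PACS pulling studies from the MRI over DICOM: allowed
10.20.1.11,10.60.3.21,104     # worklist server: allowed
10.40.7.88,10.60.3.21,445     # nurse-station workstation reaching SMB on the MRI: violation
10.60.3.21,10.20.1.10,104     # MRI pushing to PACS (IoMT -> internal): allowed
10.60.3.40,203.0.113.9,443    # pump gateway talking straight to the internet: violation
"""

if __name__ == "__main__":
    for f in check_isolation(parse_flows(SAMPLE_FLOWS)):
        print(f"{f.kind:15} {f.src} -> {f.dst}:{f.dport}")
```

The two rules are deliberately the ones a red team probes first: a workstation that can open SMB to a scanner is a lateral-movement path, and a device that can reach the internet on its own is a command-and-control path. Running the same check over real flow exports before and after an engagement shows whether the “isolation” on the network diagram matches the traffic.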
The question now isn’t whether hospitals should run red team exercises, but how to run them safely and effectively. Ceelen advocates a layered approach: preventive controls first, then detection and response tooling (endpoint detection and response, EDR, and extended detection and response, XDR), then well-defined incident response plans. Tabletop exercises, in which staff walk through a simulated scenario, test organizational preparedness without risking operational disruption. Announced IT tests with planned downtime validate technical procedures in non-critical areas. Full red team engagements, while the most valuable, require meticulous planning and coordination to avoid unintended consequences. Perhaps the most important takeaway is that hospitals must prepare for failure before it happens: practice disconnecting, map the dependencies, and understand what security actually costs in a world where attackers are always looking for a way in. The next step should be standardized playbooks for common security incidents, tailored to the constraints of the healthcare environment. Will hospitals prioritize this preparation, or wait for a real attack to expose these gaps? The answer will determine not just the security of their networks, but the safety of their patients.
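The hospital’s problem, as described earlier, was not the lack of a disconnect plan but the lack of a map of what that disconnect would take down with it. The following is an added example, not code from the article, from Ceelen, or from Fortra/Outflank, of the kind of dependency map a “practice disconnecting” exercise starts from: a small directed graph of services and what each needs, with a breadth-first walk that computes the blast radius of removing a node (here the internet link), groups the affected services by criticality, and isolates the services whose dependency on the cut is only transitive. The service inventory, edges and criticality ratings are constructed; a real run would load them from a CMDB or service-catalogue export.

```python
"""What breaks when the hospital pulls the plug on the internet?

Added example: not code from the article, from Pieter Ceelen, or from
Fortra/Outflank. The service inventory, its dependency edges and the
criticality ratings are constructed; a real run would load them from a CMDB
or service catalogue export.
"""
from collections import deque

# service -> the things it needs to keep working (hypothetical inventory).
DEPENDS_ON = {
    "ed-triage":           {"ehr", "badge-login"},
    "ehr":                 {"db-cluster", "cloud-identity"},  # SSO via a cloud identity provider
    "radiology-reporting": {"pacs", "speech-to-text-saas"},
    "pacs":                {"db-cluster"},
    "pharmacy-dispensing": {"ehr", "drug-database-feed"},
    "badge-login":         {"cloud-identity"},
    "cloud-identity":      {"internet"},
    "speech-to-text-saas": {"internet"},
    "drug-database-feed":  {"internet"},
    "db-cluster":          set(),
    "internet":            set(),
}
CRITICALITY = {
    "ed-triage": "life-safety", "pharmacy-dispensing": "life-safety",
    "ehr": "high", "radiology-reporting": "high", "pacs": "high",
    "badge-login": "medium",
}


def dependents(graph):
    """Invert the graph: node -> services that directly rely on it."""
    rev = {node: set() for node in graph}
    for svc, needs in graph.items():
        for need in needs:
            rev.setdefault(need, set()).add(svc)
    return rev


def blast_radius(graph, cut):
    """Every service that transitively loses a dependency when `cut` disappears."""
    rev = dependents(graph)
    affected, queue = set(), deque([cut])
    while queue:
        node = queue.popleft()
        for svc in rev.get(node, ()):
            if svc not in affected:
                affected.add(svc)
                queue.append(svc)
    return affected


def hidden_paths(graph, cut="internet"):
    """Services with no direct edge to `cut` that nevertheless depend on it.
    These are the 'we didn't know triage needed the internet' surprises."""
    return {svc for svc in blast_radius(graph, cut) if cut not in graph.get(svc, set())}


def disconnect_report(graph, crit, cut="internet"):
    """Group the affected services by criticality and list what keeps running."""
    affected = blast_radius(graph, cut)
    by_tier = {}
    for svc in affected:
        by_tier.setdefault(crit.get(svc, "unrated"), set()).add(svc)
    unaffected = set(graph) - affected - {cut}
    return affected, by_tier, unaffected


if __name__ == "__main__":
    affected, tiers, ok = disconnect_report(DEPENDS_ON, CRITICALITY)
    for tier in ("life-safety", "high", "medium", "unrated"):
        print(f"{tier:12} {sorted(tiers.get(tier, ()))}")
    print("keeps running:", sorted(ok))
    print("hidden internet dependencies:", sorted(hidden_paths(DEPENDS_ON)))
```

In the constructed inventory, nothing in emergency triage mentions the internet, yet triage fails the moment the link is cut because badge login and the EHR both authenticate through a cloud identity provider. That is exactly the class of cascading effect the hospital in the article had not mapped, and the same walk can be rerun with a different `cut` (a database cluster, a network segment, a vendor) to rehearse other failures before a real incident forces the question.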