TLS/SSL Management Issues Increase Healthcare Ransomware Risk

Recent Bitsight research shows that 76% of healthcare organizations may be at increased risk of ransomware attacks due to poor TLS/SSL configuration management.

TLS/SSL certificate and configuration management presents a considerable challenge. That’s because a typical healthcare organization may have hundreds or thousands of TLS/SSL certificates identifying specific Internet-connected devices. Plus, many lack an organization-wide framework for discovering, cataloging, and managing TLS/SSL configurations. Instead, management is conducted on an ad hoc basis, usually at a departmental level.

This is problematic, as expired certificates and poor configurations can result in system outages and increased access points for bad actors. The most notorious healthcare security incident related to TLS/SSL protocols, the Community Health Systems Inc. breach, occurred back in 2014. However, threats associated with poor TLS/SSL management persist today.

What We Learned

To rate TLS/SSL configuration management performance, we examined whether security protocol libraries support strong encryption standards when making connections to other machines. Incorrect or weak TLS/SSL configurations result in infrastructure becoming more vulnerable to potential attack.

To calculate the grades (A-F) associated with the TLS/SSL Certificate and Configuration Management risk vector, Bitsight examines a variety of parameters. These include, but are not limited to, the presence of insecure or obsolete protocols, the strength of encryption keys and hashing algorithms, and the presence of self-signed and/or expired certificates. 

As noted above, more than 76% of the Healthcare sector is at heightened risk of ransomware due to poor TLS/SSL configuration management. Only 25% of Healthcare sector organizations scored an “A” in TLS/SSL Configurations, making them less likely to experience a ransomware attack. 15% scored “B”, 28% scored “C”, and 33% were in the “D” or “F” range. Companies with a C grade or lower in TLS/SSL Configuration are nearly four times more likely to be a ransomware victim, concerning for over 50% of organizations in the healthcare sector.

Addressing TLS/SSL Management Risk

Last year, The National Institute of Standards and Technology (NIST) released a highly detailed report on TLS certificate management. According to the report:

To effectively address the risks and organizational challenges related to TLS server certificates and to ensure that they are a security asset instead of a liability, organizations should establish a formal TLS certificate management program with executive leadership, guidance, and support. The formal TLS certificate management program should include clearly defined policies, processes, and roles and responsibilities for the certificate owners and the Certificate Services team, as well as a central Certificate Service.

Additionally, the report offers actionable steps to address security risks associated with TLS/SSL certificate management, such as:

• Create a TLS inventory: Establish and maintain a single inventory of all TLS server certificates.
• Establish a certificate service: Support certificate owners in effectively managing their certificates.
• Establish a management interface portal: Provide an effective user interface to view and manage certificates.
• Automate discovery and import. Provide multiple options for automated certificate discovery import.
• Automated enrollment and installation: Eliminate errors associated with manually requesting, installing, and managing large numbers of certificates.
• Automate certificate lifecycle: Automate certificate lifecycle management whenever possible to decrease security and operational risks.
• Monitor certificate status: Continuously monitor TLS certificate status to prevent outages and security vulnerabilities.
• Develop reporting and analytics: Establish visibility across inventory to quickly identify TLS server certificate issues or vulnerabilities.

To learn more about protecting your healthcare organization, download our “Ransomware in the Healthcare Industry” eBook. For more insight into the potential risks living on our network, including TLS/SSL misconfigurations, request a Bitsight demo.