4 top cybersecurity vulnerabilities and what to do about them

We discuss the results of Kodiak’s deep dive into its healthcare customers’ cyber environments and share strategies for boosting your cyber defenses.

Jun 9, 2025

John Norenberg

VP, IT and Cybersecurity

Kodiak Solutions


In 2024, Kodiak’s IT and cybersecurity team partnered with Cyber Security Solutions and took a deep dive into several healthcare provider customers’ cybersecurity environments. Using FBI-, CIA-, and Department of Defense-class tools, the team found significant holes in the organizations’ cyber defenses.

Although the results were not encouraging, the insights can serve as a catalyst for organizations to identify and begin addressing key cybersecurity vulnerabilities. Here, we discuss the top four findings and provide strategies for bringing your organization’s cyber environment up to the level needed to close vulnerability gaps.

Top cybersecurity vulnerabilities in healthcare 



No. 1: Unsecured protected information 

What we found: 

Unsecured protected information, meaning all personally identifiable information, protected health information, and payment cardholder data, was just about everywhere in the organizations’ environments. Exclusive of data in the organizations’ EHRs, protected health information was unencrypted and unsecured on computer hard drives (C drives), network drives, removable hard drives, memory sticks, and on cloud-based platforms like SharePoint and OneDrive. Sensitive data was also on spreadsheets, Word documents, PDFs, and employees’ personal databases. 

This protected information was not only found everywhere, but it was also in an unsecured, unencrypted format. And it was on the move. Our tools found protected data moving inside and outside organizations’ enterprise networks and across the Internet, making it easy for hackers to find and grab. 

What your organization can do: 

  • Implement strong data governance. Your organization needs to know where your data is, where it is going, who is accessing it, and why they are accessing it. 
  • Put controls in place to contain placement and movement of data. The controls should account for when and where the data is created, who has access to it, how it is being secured, and when it moves. 
  • Fully audit those controls.



No. 2: IT operations process weaknesses 

What we found: 

Our deep dive into the organizations’ cyber environments uncovered numerous areas of weakness within their IT operations and processes. Two stood out as particularly troubling.

First, although all the organizations studied had formal processes in place for their cybersecurity patch management activities, they also all had several process weaknesses that left IT systems without patches for known vulnerabilities that cyber criminals can exploit if they gain access to the environment. Improperly patched systems are the main vehicle for cyber criminals to access an organization’s cyber environment, making this finding especially worrying.

The second most concerning IT operations weakness identified across the board related to change management. We found evidence of large numbers of undocumented changes to the cyber environments of the organizations studied, including servers, the network, endpoints, and biomed devices. Undocumented systems are difficult to maintain, analyze for cyber activity, and troubleshoot. Furthermore, organizations can’t fix or secure a system when they don’t even know how it is configured. It’s no surprise, then, that lack of documentation of system changes leads to most cybersecurity problems. 

What your organization can do: 

  • Fully audit patch management. You must conduct thorough audits of security patches against known vulnerabilities and against your defined—and documented—baseline. All exceptions should have full documentation. 
  • Set up an IT change management compliance program. C-suite, operations, and other leaders should work with IT leadership to set up the program. In addition, leaders from all relevant areas, including IT, should participate in the organization’s change advisory board to make sure changes to the cyber environment are discussed frequently. 



No. 3: Misconfigured hardware and cyber tools


What we found: 

When studying the organizations’ IT hardware, we discovered numerous network implementation issues. We found open ports everywhere, setting the stage for cyber criminals to come right in. Notably, closing down unused ports is a required control in the new HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.  

We also found a lack of meaningful firewall rules. For example, in one instance we found a server configured in such a way that would allow a hacker to shut down the organization’s entire IT environment in 10 keystrokes or less. We also found an astounding lack of documentation about how any of the systems were configured. It is nearly impossible to secure a network that is improperly set up and/or undocumented. 

Most organizations had a lot of cyber tools in-house. But many were under-installed and/or misconfigured, meaning they were not functioning optimally to accomplish threat recognition or alerts. And, again, little to no documentation existed about how the cyber tools were configured. Not only are these missteps dangerous, but they are a waste of valuable resources.  

What your organization can do: 

  • Audit your network setup against known practices and requirements, such as the National Institute of Standards and Technology and HIPAA controls and operational requirements. 
  • Deeply audit the implementation of cyber tools. Again, most of the organizations studied had plenty of cyber tools. But the quantity of tools is not an indicator of cybersecurity. In fact, in our experience, the more tools an environment has, the less likely the organization is to be fully using those tools—or using them well.
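
A network audit of the kind recommended above can start by comparing what a server is actually listening on with what its documentation says it should expose. The following is an added example, not Kodiak's tooling: the `ss -H -tln` sample output and the port baseline are constructed, and the baseline format is an assumption.

```python
import ipaddress

# Constructed sample: `ss -H -tln` output collected from one server.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 5 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 50 *:8080 *:*
"""

# Hypothetical documented baseline for this server: port -> documented purpose.
BASELINE = {
    22: "SSH administration",
    443: "patient portal (HTTPS)",
    5432: "local PostgreSQL",
    2575: "HL7 interface",
}

def parse_listeners(ss_text):
    """Return {(address, port)} for every LISTEN line of `ss -H -tln` output."""
    listeners = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.add((addr.strip("[]"), int(port)))
    return listeners

def is_exposed(addr):
    """True when the socket accepts connections from other hosts."""
    if addr == "*":
        return True
    # Drop an interface scope such as "%lo" before parsing the address.
    return not ipaddress.ip_address(addr.split("%")[0]).is_loopback

def audit(ss_text, baseline):
    """Compare live listeners with the documented baseline."""
    listeners = parse_listeners(ss_text)
    open_ports = {port for _, port in listeners}
    unknown = {(a, p) for a, p in listeners if p not in baseline}
    return {
        "undocumented": sorted({p for _, p in unknown}),
        "undocumented_exposed": sorted({p for a, p in unknown if is_exposed(a)}),
        "documented_not_listening": sorted(set(baseline) - open_ports),
    }
```

Ports in `undocumented_exposed` are the first candidates to close or document; `documented_not_listening` points at documentation that no longer matches the system.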



No. 4: Broken incident response 

What we found: 

Incident response comprises the actions taken when there is an active cyber threat to an organization’s environment. To test the organizations’ incident response processes for this study, we used deep-scan technology to exercise their cyber tools as if we were a cybercriminal.

Although all the customers had passable HIPAA and penetration assessments, our study found that the cyber systems in place were not working. After conducting 1,100-plus probes into the customers’ cyber environments, we reviewed the cyber tools’ logs and found that all our attempts were verified as completed in the organizations’ systems and cyber logs. Yet, we found: 

  • 54% of the cyber tools did not recognize a threat. 
  • 29% of the tools recognized a threat but did not raise an alert. 
  • 17% of the cyber tools raised an alert, but the organization’s IT team did not see or react to it. 
  • An incident was only raised four times out of the 1,100-plus times our testing team simulated a threat incident. 
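
The breakdown above is a detection funnel: each simulated probe either goes unrecognized, is recognized without an alert, produces an alert nobody acts on, or becomes an incident. An organization can measure the same funnel for its own exercises by correlating the tester's probe list with tool events, alerts and incident tickets. This is an added example, not the study's method; the record fields, the 300-second matching window and all sample data are constructed assumptions.

```python
from collections import Counter

WINDOW = 300  # assumption: a tool event within 300 s of a probe counts as a match

# Constructed sample data; all field names are hypothetical.
PROBES = [
    {"id": "p1", "ts": 1000, "src": "10.9.9.5", "dst": "10.1.0.10"},
    {"id": "p2", "ts": 1600, "src": "10.9.9.5", "dst": "10.1.0.11"},
    {"id": "p3", "ts": 2200, "src": "10.9.9.5", "dst": "10.1.0.12"},
    {"id": "p4", "ts": 2800, "src": "10.9.9.5", "dst": "10.1.0.13"},
    {"id": "p5", "ts": 3400, "src": "10.9.9.5", "dst": "10.1.0.10"},
]
DETECTIONS = [  # events in which a tool classified the traffic as a threat
    {"id": "d1", "ts": 1620, "src": "10.9.9.5", "dst": "10.1.0.11"},
    {"id": "d2", "ts": 2230, "src": "10.9.9.5", "dst": "10.1.0.12"},
    {"id": "d3", "ts": 2810, "src": "10.9.9.5", "dst": "10.1.0.13"},
    {"id": "d4", "ts": 9000, "src": "10.9.9.5", "dst": "10.1.0.10"},  # outside every window
]
ALERTS = [{"id": "a1", "detection": "d2"}, {"id": "a2", "detection": "d3"}]
INCIDENTS = [{"id": "i1", "alert": "a2"}]

def classify(probe, detections, alerted, escalated):
    """Return the furthest funnel stage one probe reached."""
    hits = [d["id"] for d in detections
            if d["src"] == probe["src"] and d["dst"] == probe["dst"]
            and 0 <= d["ts"] - probe["ts"] <= WINDOW]
    if not hits:
        return "not_recognized"
    alerts = [a for d in hits for a in alerted.get(d, [])]
    if not alerts:
        return "recognized_no_alert"
    if not any(a in escalated for a in alerts):
        return "alert_not_actioned"
    return "incident_raised"

def funnel(probes, detections, alerts, incidents):
    """Classify every probe and count probes per funnel stage."""
    alerted = {}
    for a in alerts:
        alerted.setdefault(a["detection"], []).append(a["id"])
    escalated = {i["alert"] for i in incidents}
    outcome = {p["id"]: classify(p, detections, alerted, escalated) for p in probes}
    return outcome, Counter(outcome.values())

def rates(counts):
    """Convert stage counts to percentages of all probes."""
    total = sum(counts.values())
    return {stage: round(100 * n / total, 1) for stage, n in counts.items()}
```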


What your organization can do: 

  • Seek deeper, more comprehensive assessments. Most organizations that have experienced a cyberattack have had a passable set of assessments in place. They simply are not strong enough. 
  • Perform assessments more regularly. Don’t take an ad hoc approach to conducting a comprehensive look at all your systems and log data. 
  • Review your organization’s cyber and IT spend regularly. Look for areas to optimize and opportunities to create efficiencies that result in a more stable, safe, and secure IT environment. 


Strengthen your cyber environment 

The results of this cybersecurity deep dive—and Kodiak’s years of experience in healthcare IT—show us that most organizations’ cyber controls and processes are not getting the job done. Too many organizations are at risk of breaches in today’s increasingly volatile cybersecurity environment. And with new regulations on the horizon proposing substantial cybersecurity regulatory reporting requirements—and threatening equally substantial penalties—the stakes are becoming even higher for healthcare organizations. 

Kodiak can help you identify your organization’s IT vulnerabilities—and how to fix them. Contact us today to learn more about the information in this article and how to get started on improving your organization’s cyber environment. There has never been a better time to strengthen your defenses. 
