The Attack Surface of the Healthcare Industry
- 2. JEREMIAH GROSSMAN
• CEO, Bit Discovery
• 20 years in Information Security
• Founder of WhiteHat Security
• Black Belt in Brazilian Jiu-Jitsu
- 3. Coalition serves over 25,000 small and midsize organizations across every sector of the US and Canada.
The report covers not just “breaches,” but breaches resulting in material harm.
- 9. ASSET INVENTORY USE-CASES (Bit Discovery 2020)
• Vulnerability & Patch Management
• Third-Party Risk Management
• Mergers & Acquisition
• Cyber-Insurance
• Policy & Compliance
• Security Ratings
• Incident Response
• Sales & Marketing Enablement
• Investments
- 11. “COPY” OF THE INTERNET (Bit Discovery 2020)
• Generated by Bit Discovery + 400 data sources.
• WHOIS databases, domain names, ASN, ports, service banners, technology stack, website index page(s), full TLS certificate info, email addresses, password dumps, etc.
• Each asset has potentially 115 unique data points.
• Each data point updated daily-to-monthly.
• Hundreds of snapshots collected over 5 years.
Largest data-set of its kind (*missing ~30% of the Internet*): 4.5 billion DNS entries; 200+ Internet snapshots; 515 data sources; 115 data columns; 150 years of CPU time.
- 13. INSIGHTS (Bit Discovery 2020)
What do you want to know?
• How many websites, VPNs, mail servers, DNS servers, SSH servers, etc.?
• How many of which assets are “in the cloud” or use a particular CDN?
• How many assets have expired or soon-to-be-expired TLS certificates?
• What assets are using or NOT using PHP, Drupal, Citrix, F5, WordPress, etc.?
• In what countries are assets located?
• What assets or services should probably not be externally exposed (RDP, MySQL, Dev/Staging)?
Views: By Organization, By Industry, Your Inventory
- 14. ASSET (Bit Discovery 2020)
as·set | ˈaset |
noun
a domain name, subdomain, or IP address, or any combination thereof, of a device connected to the Internet or an internal network.
• (an asset) may include, but is not limited to, web servers, name servers, IoT devices, or network printers.
- 15. Total Assets (hospitals & health)
The total number of Internet-connected assets globally.
[Bar chart. Organizations: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: 0 to 120,000. Bar values as extracted (label-to-bar mapping not recoverable from the text): 1,897; 1,883; 183; 10,594; 749; 10,594; 356; 3,506; 788; 1,910; 104,605.]
- 16. Total Assets (Healthcare)
The total number of Internet-connected assets globally.
[Bar chart. Organizations: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: 0 to 120,000. Bar values as extracted (label-to-bar mapping not recoverable from the text): 21,360; 108,759; 18,645; 6,360; 43,153; 19,900; 22,819; 70,645; 10,020.]
- 17. Domain Names
The total number of registered domain names.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: 0 to 6,000. Bar values as extracted: 107; 90; 3; 1,286; 50; 1,286; 36; 307; 38; 123; 5,264.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: 0 to 6,000. Bar values as extracted: 808; 5,615; 204; 404; 953; 1,434; 1,086; 663; 523.]
- 18. Cloud Assets
The percentage of Internet-accessible and cloud-hosted assets. Cloud providers include Amazon Web Services, Microsoft Azure, Google App Engine, and others.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: percentage of assets. Bar values as extracted: 15.40%; 16.78%; 24.59%; 15.40%; 7.88%; 15.40%; 14.04%; 32.94%; 0.63%; 5.18%; 53.70%.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: percentage of assets. Bar values as extracted: 8.54%; 6.26%; 83.91%; 15.30%; 1.17%; 10.82%; 5.01%; 2.83%; 44.26%.]
- 19. CDN Assets
The percentage of Internet-accessible assets being served by a well-known Content Delivery Network. CDNs include Akamai, Cloudflare, Fastly, and others.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: percentage of assets. Bar values as extracted: 1.05%; 0.74%; 0.00%; 8.14%; 0.27%; 8.14%; 0.00%; 1.23%; 4.06%; 1.36%; 0.19%.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: percentage of assets. Bar values as extracted: 1.59%; 3.38%; 0.19%; 1.45%; 0.33%; 0.02%; 10.54%; 0.59%; 2.94%.]
- 20. Certificate Authorities
The number of unique Certificate Authorities seen across the Internet-accessible assets.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: 0 to 50. Bar values as extracted: 22; 19; 4; 27; 7; 27; 5; 25; 9; 27; 46.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: 0 to 110. Bar values as extracted: 47; 106; 24; 37; 42; 45; 60; 48; 50.]
- 21. Expired TLS Certs
The number of expired TLS certificates seen across the Internet-accessible assets.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: 0 to 120. Bar values as extracted: 59; 55; 5; 103; 10; 103; 1; 81; 17; 63; 97.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: 0 to 700. Bar values as extracted: 243; 433; 14; 556; 107; 88; 614; 221; 264.]
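The expired-certificate count above (and the “expired or soon-to-be-expired TLS certificates” question on the Insights slide) is a per-organization tally of certificate validity. The Python below is an added example, not Bit Discovery's code or tooling: it classifies certificates from the dictionary that Python's ssl.SSLSocket.getpeercert() returns, summarizes statuses across a constructed sample of three records as of 2020-07-01, and includes a live check in which a verification failure caused by expiry is reported as the finding rather than swallowed as an error. The hostnames, dates and the 30-day warn_days threshold are assumptions.

```python
"""Classify TLS certificates as expired / expiring / valid.

Added example, not Bit Discovery's code. Works on the dict returned by
ssl.SSLSocket.getpeercert(), so the classification runs offline on stored data.
"""
import socket
import ssl
from collections import Counter
from datetime import datetime, timedelta, timezone


def classify_cert(cert: dict, now: datetime, warn_days: int = 30) -> dict:
    """cert is a getpeercert()-style dict whose 'notAfter' looks like
    'Jun 15 12:00:00 2020 GMT'. Returns the status and signed days remaining."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    days_left = (not_after - now) / timedelta(days=1)
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "valid"
    return {
        "status": status,
        "days_left": round(days_left, 2),
        "not_after": not_after.isoformat(),
    }


def summarize(records, now: datetime, warn_days: int = 30) -> Counter:
    """records: iterable of (hostname, cert dict). Counts per status, which is
    the per-organization figure an inventory report shows."""
    return Counter(classify_cert(cert, now, warn_days)["status"] for _, cert in records)


def check_live(host: str, port: int = 443, now=None, warn_days: int = 30,
               timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate over a verified handshake. The default
    context refuses an expired certificate, so that failure is itself the
    finding and is reported, not hidden behind a generic error."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_cert(tls.getpeercert(), now, warn_days)
    except ssl.SSLCertVerificationError as exc:
        status = "expired" if "expired" in str(exc).lower() else "untrusted"
        return {"status": status, "days_left": None, "not_after": None,
                "error": exc.verify_message}
    except OSError as exc:  # DNS failure, refused, timeout
        return {"status": "unreachable", "days_left": None, "not_after": None,
                "error": str(exc)}


# Constructed sample (assumed hostnames and dates): three getpeercert()-style
# records evaluated as of 2020-07-01 00:00 UTC.
SAMPLE_NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("legacy.example.org", {"subject": ((("commonName", "legacy.example.org"),),),
                            "notBefore": "Jun 15 12:00:00 2019 GMT",
                            "notAfter": "Jun 15 12:00:00 2020 GMT"}),
    ("portal.example.org", {"subject": ((("commonName", "portal.example.org"),),),
                            "notBefore": "Jul 20 00:00:00 2019 GMT",
                            "notAfter": "Jul 20 00:00:00 2020 GMT"}),
    ("www.example.org", {"subject": ((("commonName", "www.example.org"),),),
                         "notBefore": "Jan  1 00:00:00 2020 GMT",
                         "notAfter": "Dec 31 23:59:59 2020 GMT"}),
]

if __name__ == "__main__":
    for host, cert in SAMPLE_RECORDS:
        print(host, classify_cert(cert, SAMPLE_NOW))
    print(summarize(SAMPLE_RECORDS, SAMPLE_NOW))
```

Pass a fixed `now` when classifying stored snapshots so that a re-run of an old snapshot reproduces the original counts; `check_live` is the only function that touches the network.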
- 22. Countries Hosting
The number of countries hosting Internet-accessible assets.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: 0 to 16. Bar values as extracted: 6; 3; 4; 9; 2; 9; 3; 8; 4; 8; 16.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: 0 to 24. Bar values as extracted: 16; 20; 10; 23; 15; 13; 17; 11; 18.]
- 23. Private IP-Space
The number of Internet-connected assets where the hostname resolves to non-routable RFC 1918 internal IP addresses.
[Bar chart, panel “Hospitals & Health”: HCA, Ascension, Tenet, Trinity, Vibra, Community Health, Atrium, CommonSpirit, LifePoint, Providence, MEDIAN. Axis: 0 to 30. Bar values as extracted: 4; 3; 0; 5; 2; 5; 0; 1; 25; 8; 30.]
[Bar chart, panel “Healthcare”: Cardinal, Kaiser, McKesson, Anthem, CVS, Cigna, Humana, UnitedHealth, MEDIAN. Axis: 0 to 700. Bar values as extracted: 42; 408; 3; 9; 98; 8; 691; 15; 68.]
- 24. WordPress (Healthcare)
Extremely popular free and open-source content management system. WordPress assets were scanned with WPScan, which includes vulnerabilities in WordPress plug-ins.

Sector             | Total (Median) WordPress Websites | Total (Median) WordPress Vulnerabilities | Total (Median) WordPress Websites with at least 1 vulnerability | Median # of Vulnerabilities per WordPress website
Hospitals & Health | 17                                | 0                                        | 0                                                               | 0
Healthcare         | 70                                | 106                                      | 5                                                               | 16
- 26. “Every security program must begin with an asset inventory.” Jeremiah Grossman, CEO, Bit Discovery
• Asset Inventory (Attack Surface Map)
• Multi-factor Authentication
• Email Security
• Routine Backups
• Wire Transfer Verification
• Password Management
- 28. CAVEATS (Bit Discovery 2020)
Data Collection:
• Our Internet scanners sometimes use ANY-type lookups, and not all service providers support ANY-type DNS lookups (e.g. Cloudflare).
• Round-robin DNS sometimes finds a lot of assets, sometimes a few, and changes frequently.
• DNS servers and resolvers sometimes experience outages.
• DNS responses may exceed TTL.
• DNS servers may selectively block requests.
Issues with Organization Asset Inventory:
• Assets with subdomains under a third-party-owned domain (e.g. <company>.wpengine.com, <company>.salesforce.com, etc.) may cause issues.
• Assets not listed in certificate transparency logs and/or without a public DNS entry (e.g. they use internal DNS and a self-signed cert).
• DNS names falling outside the RFC standard, e.g. "example_site.com" (~1%).
• Wildcard (*) DNS entries.
• DNS providers responding with erroneous information due to a breach.
• WHOIS redaction due to GDPR.
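The Private IP-Space metric (hostnames that resolve to RFC 1918 addresses) and several of the caveats above (wildcard DNS entries, names outside the RFC standard such as "example_site.com", names that do not resolve) are data-quality checks an inventory pipeline can apply to its own records before counting assets. The Python below is an added example, not Bit Discovery's code: it flags RFC 1918 resolutions, rejects labels that violate RFC 1123 hostname syntax, and detects wildcard zones by resolving a random label and seeing whether the zone answers anyway. The resolver is injectable so the check runs offline; the sample zone, hostnames and addresses are constructed assumptions, not data from the deck.

```python
"""Asset-inventory hygiene checks.

Added example, not Bit Discovery's code. Flags hostnames that resolve into
RFC 1918 space, hostnames that are not valid RFC 1123 host names, names that
do not resolve, and zones that answer for any label (wildcard DNS).
"""
import ipaddress
import re
import secrets
import socket

# RFC 1123 host-name label: letters, digits and hyphens, 1-63 chars, and no
# leading or trailing hyphen. An underscore (as in "example_site.com") fails.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Only the three RFC 1918 blocks. ipaddress's is_private is wider (it also
# covers documentation ranges such as 203.0.113.0/24), so it is not used here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1123_hostname(name: str) -> bool:
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def system_resolve(name: str) -> list:
    """Resolve with the OS resolver; [] on NXDOMAIN or any lookup error."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def looks_like_wildcard(zone: str, resolve=system_resolve) -> bool:
    """A zone that answers for a random, never-registered label is a wildcard:
    every name under it looks 'alive', so counts taken from it are suspect."""
    probe = f"{secrets.token_hex(8)}.{zone}"
    return bool(resolve(probe))


def audit(hostnames, resolve=system_resolve) -> list:
    """Return (hostname, reason) findings for an inventory's hostname list."""
    findings = []
    wildcard_cache = {}
    for host in hostnames:
        if not is_rfc1123_hostname(host):
            findings.append((host, "non-RFC-1123 hostname"))
            continue
        addrs = resolve(host)
        if not addrs:
            findings.append((host, "does not resolve"))
            continue
        for ip in addrs:
            if is_rfc1918(ip):
                findings.append((host, f"resolves to RFC 1918 address {ip}"))
        zone = host.split(".", 1)[1] if "." in host else host
        if zone not in wildcard_cache:
            wildcard_cache[zone] = looks_like_wildcard(zone, resolve)
        if wildcard_cache[zone]:
            findings.append((host, f"zone {zone} is a wildcard; presence unverified"))
    return findings


# Constructed sample zone (assumed names and addresses, not from the deck).
SAMPLE_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "intranet.example.com": ["10.20.30.40"],
    "vpn.example.com": ["198.51.100.7", "192.168.1.1"],
}


def sample_resolve(name: str) -> list:
    """Offline stand-in for the OS resolver; *.wild.example.net is a wildcard."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name.endswith(".wild.example.net"):
        return ["203.0.113.99"]
    return []


SAMPLE_HOSTS = ["www.example.com", "intranet.example.com", "vpn.example.com",
                "example_site.com", "app.wild.example.net", "gone.example.com"]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_HOSTS, sample_resolve):
        print(f"{host}: {reason}")
```

Call `audit(hosts)` without a resolver to use the OS resolver on a real inventory; the wildcard probe is cached per zone so a large list of subdomains costs one extra lookup per zone, not per name.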