Why ransomware continues to knock on healthcare’s door, enter, and create havoc
My name is Adam, and I’ve worked in the healthcare industry for over 15 years. In my current line of work, I assist healthcare facilities across the U.S. with their overall cybersecurity posture, ranging from physical and technical security controls to security incident response in conjunction with disaster recovery and business continuity planning.
My scope of work is quite broad; however, I’m here today to address the state of healthcare relative to ransomware.
In many cases, it has been determined that threat actors were inside a healthcare organization’s network for months or even years before setting their malicious code loose. To help ensure payment is made, some threat actors will delete backup data and encrypt the remaining data, thus making it almost impossible for the organization to recover from the situation on their own. At that point, the business is kneecapped and they are at the attackers’ mercy.
Why does this continue to happen?
It’s simple, yet complicated.
Healthcare leadership and boards of directors are disconnected from the current state of cybersecurity within their own organizations for many reasons. Driving revenue, keeping physicians happy and in place, and cutting costs top the list of goals for most executives, so it shouldn’t be surprising that little attention is paid to, for example, implementing two-factor authentication for critical, externally facing systems such as e-mail and remote access to the network.
How IT manages privileged credentials is not their problem. The fact that IT doesn’t have two-factor authentication deployed on mission-critical servers, networking equipment, routers, and firewalls fails to keep leadership up at night because they generally have no idea what the ramifications are if/when hackers gain access to any of this equipment.
Data backup policies and procedures, incident response plans, and how one would recover from a ransomware attack are low on their priority list. They stay low on the priority list until someone clicks on a malicious link that the spam filter didn’t catch, unleashing ransomware on the network, after which all hell breaks loose.
When I ask someone what their plan is for clinical staff to access historical patient information, prescription history, or drug interactions in the event they must completely shut down their computer network and Internet access, I generally receive a blank stare in return. Some EMR/EHR vendors provide emergency downtime computers on each floor where staff can access critical patient information in the event the entire network is down.
Other EMR/EHR vendors may not be able to offer this type of emergency downtime solution, or maybe leadership determined the cost to add emergency downtime computers to be too great. Either way, if the computer network must be completely shut down to help stop a ransomware attack or the ransomware attack itself shuts down the entire network, leadership’s decision to not purchase the emergency downtime solution or the EMR/EHR vendor’s inability to provide one comes back to haunt the organization and patients alike.
To reduce an organization’s cybersecurity risk, leadership must chart a different course focusing more time, attention, and resources on cybersecurity. Further, leadership must work with and listen to those in charge of compliance, IT/IT security, networking, infrastructure, and others in the trenches to better understand both challenges and opportunities. Understanding and reducing an organization’s risk is crucial to the overall health of the organization. A culture of cybersecurity and security awareness must be implemented and reinforced by all. No one person or small team can manage it all on their own.
A security committee, fully supported by leadership and made up of individuals from different departments, is required for any chance of success. Quarterly meetings aren’t enough. A security committee must meet at least bi-monthly in order to be effective and help drive positive change throughout the organization. Critical areas to address immediately are password policies and two-factor authentication.
Poor password policies exist to this day, and password-cracking software can break passwords chosen under them in minutes. It’s been shown that even twelve-character passwords with four-of-four complexity can be broken in a short amount of time. This is yet another reason why two-factor authentication is critical.
Oftentimes it is difficult for leaders to listen to employees talk through technical subjects surrounding cybersecurity. They may not realize it, but their technical team(s) are the cornerstone of their business operations. Without them, the healthcare organization comes to a standstill. It is imperative that technical staff members are afforded the opportunity and ability to speak on the true state of the network – both good and bad.
If leadership and employees can talk through the concerns and work through the issues, the organization will be in a much better position to deal with many events, including ransomware. If leaders choose to bury their heads in the sand, they can expect to see their IT/IT security, compliance, CIO/CISO, and other critical employees exit stage left, because they won’t want to take the blame for a security event that could have been prevented if leadership had only listened to and supported the team’s collective efforts.