Industry Voices—Ransomware is a rapidly evolving threat for healthcare. Here's how we'll fight it

The wave of ransomware attacks that has begun to threaten the healthcare sector highlights the need for greater vigilance and better defenses as we go into the new year.

A report (PDF) by cybersecurity software firm Bitdefender found that detected and blocked ransomware attacks increased 715% in the first half of this year compared with a year earlier, and that the types of attack were rapidly evolving.

Cyber bad actors have been growing bolder and more sophisticated in recent years as ransomware attacks have emerged as a highly profitable crime. Compromised organizations often face the difficult choice between paying up or facing potentially disastrous disruptions to their operations. 

If that wasn’t enough, the decision to pay a ransom is also not necessarily a risk-free solution. The U.S. Treasury issued a notice in October advising companies that pay ransoms that they could be subject to monetary penalties if the payment involves any groups or individuals under U.S. sanctions.

It’s also become clear as we head into 2021 that the bad guys aren’t giving the healthcare sector a pass just because of the potential risks to patient care. The COVID-19 pandemic’s effect on the sector, combining increased medical demand with revenue pressure from reduced elective procedures, makes it especially challenging for healthcare chief information security officers looking to bolster their defenses.


It’s an expensive battle to fight, both in terms of acquiring the necessary technology and finding the right talent to utilize it.

That makes it vitally important in 2021 and beyond to take a smart, focused approach to building defenses that mitigate ransomware, rather than throwing the kitchen sink at the threat.

The five core principles of cybersecurity defense—Identify, Protect, Detect, Respond and Recover—need to be applied in ways that work in the healthcare setting, deal with the unique threats of ransomware and don’t break the budget. 

Everyone in the healthcare IT world likely knows and applies these principles, but they aren’t always applied as consistently as they need to be.

One of the biggest challenges for healthcare providers is the wide range of assets and the difficulty of keeping an accurate inventory. It’s vital to have a thorough understanding of your assets and to have them classified by risk: The protocol and risk tolerance will clearly be very different for a printer than for a critical server or a surgical medical device. 

This is work that should be done in advance rather than under the intense pressure of a live attack. Hospitals need to have a strong team in place that can do the prep work and respond quickly and effectively in a crisis—particularly understanding the potential impact of response strategies and knowing who to call when help is needed.

The first layer of protection is educating staff to be less susceptible to phishing and website spoofing attempts, which are the primary points of entry for ransomware. If no one falls for the attackers’ tricks, the problem most often ends there.

I’ve found that running regular employee phishing awareness campaigns, simulating real examples of emails seen in practice, has been really effective at testing employees’ alertness and raising awareness. Monitoring the metrics of these campaigns also helps tangibly track improvements and identify higher-risk groups for more targeted education where needed.

Marking emails that originate outside the organization with a prominent external-sender header or banner, while not entirely immune to tampering, is another very cost-effective way of materially reducing risk through raised awareness.
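The "not entirely immune to tampering" caveat is worth showing concretely. Below is an added example of external-sender tagging logic; it is not GE Healthcare's code and not from the original article. It assumes the organization's own domains are listed in ORG_DOMAINS (a constructed placeholder) and that an upstream mail gateway has already stamped a trusted Authentication-Results header (RFC 8601) with the DMARC verdict. A From: address on an internal domain is treated as internal only when that verdict is "pass"; a spoofed internal address that fails DMARC, or arrives with no authentication result at all, is tagged as external, which is the case a From:-only check would miss. Tags the sender pre-inserted are collapsed so they cannot be stacked, and any marker header the sender supplied is discarded.

```python
"""Tag inbound mail that originates outside the organisation.

Added example, not GE Healthcare's code. Assumptions: ORG_DOMAINS holds the
organisation's own domains (constructed placeholder values) and an upstream
gateway has already stamped a trusted Authentication-Results header (RFC 8601)
with the DMARC verdict.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"example-hospital.test"}  # constructed placeholder, not a real domain
TAG = "[EXTERNAL]"
# Any run of existing tags at the front of the subject, so a sender cannot pre-stack them.
TAG_RE = re.compile(r"^\s*(?:\[EXTERNAL\]\s*)+", re.IGNORECASE)
MARK_HEADER = "X-External-Sender"


def dmarc_result(msg: EmailMessage) -> str:
    """Return the dmarc=<result> token from Authentication-Results, or 'none' if absent."""
    found = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    return found.group(1).lower() if found else "none"


def is_external(msg: EmailMessage) -> bool:
    """External if the From: domain is not ours, or is ours but DMARC did not verify it."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain not in ORG_DOMAINS:
        return True
    return dmarc_result(msg) != "pass"


def tag_message(raw: bytes) -> EmailMessage:
    """Parse a raw message and, if external, prefix the subject once and add a marker header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    del msg[MARK_HEADER]  # never trust a marker the sender supplied themselves
    if is_external(msg):
        subject = TAG_RE.sub("", str(msg.get("Subject", "")))
        subject = f"{TAG} {subject}".strip()
        if "Subject" in msg:
            msg.replace_header("Subject", subject)
        else:
            msg["Subject"] = subject
        msg[MARK_HEADER] = "yes"
    return msg


def tagged_subject(raw: bytes) -> str:
    """Convenience wrapper returning the subject line after tagging."""
    return str(tag_message(raw)["Subject"])


def _build(from_hdr, subject, auth=None) -> bytes:
    """Construct a minimal test message (sample data, not real traffic)."""
    lines = [f"From: {from_hdr}", "To: staff@example-hospital.test", f"Subject: {subject}"]
    if auth is not None:
        lines.append(f"Authentication-Results: mx.example-hospital.test; {auth}")
    return ("\r\n".join(lines) + "\r\n\r\nBody text.\r\n").encode()


SAMPLES = {  # constructed messages covering the cases that matter
    "external": _build("Vendor <rep@vendor.test>", "Quarterly schedule",
                       "dmarc=pass header.from=vendor.test"),
    "internal": _build("Ann <ann@example-hospital.test>", "Quarterly schedule",
                       "dmarc=pass header.from=example-hospital.test"),
    # Internal-looking From: that failed DMARC: a spoof, so it must still be tagged,
    # and the tags the sender pre-inserted collapse to a single one.
    "spoofed": _build("IT <it@example-hospital.test>", "[EXTERNAL] [external] Quarterly schedule",
                      "dmarc=fail header.from=example-hospital.test"),
    # No authentication header at all: treat as unverified, i.e. external.
    "unauthenticated": _build("Ann <ann@example-hospital.test>", "Quarterly schedule"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {tagged_subject(raw)}")
```

In a production gateway the same decision would be made by the mail platform's own rule engine; the point of the example is the decision itself: tie the "internal" classification to an authentication result, not to what the From: header claims, and treat the absence of a result as external.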


Once ransomware gets into a hospital’s network, it’s crucial to have systems in place that limit the “blast radius,” or damage it can do, and that protect the assets most critical to operations and patient care. Effective segmentation and network/asset monitoring are critical to both detecting and containing the threat as it emerges.

Having a comprehensive vulnerability assessment and asset patching program in place both for medical devices and regular IT assets is another key pillar of any defense strategy. IT teams need to understand the risk profile of their institution’s devices and make sure that security patches are applied as soon as reasonably possible, prioritized by risk.

Patching cadence, combined with the sheer number of assets and device obsolescence, is a significant challenge for both providers and device manufacturers. Improving transparency in communicating critical vulnerabilities and releasing patches more promptly is something device manufacturers, including GE Healthcare, have focused on acutely in recent years as the ransomware threat has evolved.

Providers should regularly monitor device manufacturer security portals or subscribe to automated alerting where available, monitor CISA, NVD and OEM software alerts and participate in trusted cyber intelligence sharing communities, like H-ISAC, to stay abreast of emerging threats.
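The asset inventory classified by risk (printer versus critical server versus surgical device) and the patching program "prioritized by risk" come together in a patch queue. The following is an added example, not GE Healthcare's or any manufacturer's code: it joins an inventory that has already been classified by criticality and exposure against a vulnerability feed and orders the findings by risk rather than by raw severity, for medical devices and ordinary IT assets alike. Every asset, product name, vulnerability id and score is a constructed placeholder, and the scoring formula (criticality × exposure × CVSS base score, doubled when the entry is flagged as known to be exploited, as in CISA's KEV catalog) is one illustrative choice, not a standard. Findings with no vendor patch, typical of obsolete devices, are routed to compensating controls rather than dropped.

```python
"""Risk-ranked patch queue across medical devices and ordinary IT assets.

Added example, not GE Healthcare's or any manufacturer's code. All assets,
product names, vulnerability ids and scores are constructed placeholders, and
the scoring formula is one illustrative choice, not a standard.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

CRITICALITY = {"life_safety": 4, "clinical": 3, "business": 2, "peripheral": 1}
EXPOSURE = {"internet": 3, "internal": 2, "isolated": 1}
KEV_MULTIPLIER = 2.0  # assumption: being actively exploited doubles urgency


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str            # key of CRITICALITY, set during inventory classification
    exposure: str               # key of EXPOSURE
    software: FrozenSet[str]    # installed product identifiers (constructed)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                # placeholder ids, deliberately not real CVE numbers
    product: str
    cvss: float
    known_exploited: bool = False   # e.g. listed in CISA's KEV catalog
    patch_available: bool = True


def priority(asset: Asset, vuln: Vuln) -> float:
    """Risk score for one (asset, vulnerability) pair; higher means handle sooner."""
    score = CRITICALITY[asset.criticality] * EXPOSURE[asset.exposure] * vuln.cvss
    if vuln.known_exploited:
        score *= KEV_MULTIPLIER
    return round(score, 2)


def build_queue(assets: Iterable[Asset], vulns: Iterable[Vuln]) -> List[Tuple[float, str, str, str]]:
    """Return (score, asset, vuln_id, action) rows, highest risk first.

    Ties break on asset and vulnerability id so the order is deterministic.
    """
    rows = []
    for asset in assets:
        for vuln in vulns:
            if vuln.product not in asset.software:
                continue  # not installed here, nothing to do
            action = "patch" if vuln.patch_available else "compensate: segment and monitor"
            rows.append((priority(asset, vuln), asset.name, vuln.vuln_id, action))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


# Constructed inventory and feed, not data from any real hospital or vendor.
ASSETS = [
    Asset("infusion-pump-07", "life_safety", "internal", frozenset({"pumpos-2"})),
    Asset("ehr-db-01", "clinical", "internal", frozenset({"dbengine-12"})),
    Asset("patient-portal", "business", "internet", frozenset({"webfw-5"})),
    Asset("lobby-printer", "peripheral", "internal", frozenset({"printfw-3"})),
]
VULNS = [
    Vuln("VULN-EXAMPLE-1", "pumpos-2", 7.5, patch_available=False),   # obsolete device, no fix
    Vuln("VULN-EXAMPLE-2", "webfw-5", 9.8, known_exploited=True),
    Vuln("VULN-EXAMPLE-3", "dbengine-12", 8.1),
    Vuln("VULN-EXAMPLE-4", "printfw-3", 9.8),                          # critical CVSS, trivial asset
]

if __name__ == "__main__":
    for score, asset, vuln_id, action in build_queue(ASSETS, VULNS):
        print(f"{score:7.1f}  {asset:18} {vuln_id:16} {action}")
```

Run on the constructed data, the lobby printer carries the same 9.8 severity as the internet-facing portal yet lands last, while the unpatchable infusion pump rises to second place with a compensating-control action instead of a patch; that is the difference between sorting a feed by CVSS and working a risk matrix.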

If all this sounds expensive, it’s because it can be. The right security tools do come with a healthy dose of sticker shock, as does the best cyber talent.

The trick is to keep a brutal focus on addressing the highest risks, accepting that you can’t have everything at once. Create a risk matrix and systematically work your way through it, while exercising plenty of due diligence when onboarding new tools, leveraging the prior experience of fellow security professionals in peer companies and conducting small-scale pilots wherever possible.

On the human capital side, finding and retaining cyber talent is becoming increasingly difficult—there is no debating that. While not a silver bullet by any means, maintaining a core of proven talent supplemented with bright, motivated, less-experienced talent, who can be developed into healthcare security specialists, is a more cost-effective approach.

Utilizing alternative talent pipelines, like internships through organizations with cyber-focused curricula like YearUp, is another great avenue to assess on-the-job performance and organizational fit while also providing development opportunities for key talent.

The spike in ransomware attacks on hospitals underlines that smart investment in security defense strategy is well worth the cost. Even if the ransom isn’t paid, a successful attack can exact a very high cost in terms of disrupted operations and reputational impact. 

Matt Silva is senior vice president and chief information security officer at GE Healthcare.