When healthcare leaders discuss plans to reopen facilities and resume elective procedures, cybersecurity remediation is rarely cited as a top priority. And let’s face it, it wasn’t top of mind when they were scrambling to figure out how to configure spaces to accommodate more patients, while simultaneously navigating an unprecedented spike in both telemedicine and telecommuting.
But as the dust starts to settle, security has to move up the list, said Art Ream, CISO at Cambridge Health Alliance, during a recent webinar. All the technology that has been deployed and all the different access points that have been enabled must be reviewed before another crisis hits — one involving ransomware or one of the other myriad cybersecurity threats.
Because for bad actors, there’s no better time to attack than when organizations have their guard down. And unfortunately, no industry is as vulnerable — or yields more valuable stolen information — as healthcare.
During the discussion, Ream — along with co-panelists Christopher Frenz, AVP of Information Security at Interfaith Medical Center, and James Morrison, Distinguished Technologist with HPE — talked about why ransomware is so effective (especially during a pandemic), the uphill battle IT and security leaders face in procuring funds, and the strategies they need to implement to protect their organizations in the future.
The “New Startup Industry”
Ransomware threats are growing at an alarming rate, for two reasons: it’s easy and it’s lucrative, noted the panelists. The fact is, “hospitals have not taken security as seriously as they should have,” said Frenz. Attacks like WannaCry are able to cripple organizations (like the NHS in 2017) by encrypting medical devices, not just computer systems. And “that combination of traditionally poor security practices along with the need to pay the ransom to maintain patient safety makes hospitals particularly desirable targets.”
Morrison believes the threat will only increase as hospitals move toward an IoT environment. “Oftentimes, IoT products are deployed with no security built into them,” he said.
Meanwhile, the attacks are becoming more sophisticated, as evidenced by Maze, a strain of Windows ransomware in which data is stolen, then held as an insurance policy. Some attacks even threaten to expose healthcare organizations for HIPAA violations.
“It’s a new startup industry,” said Ream. “I hate to give credit where credit’s due but they do have a business model, and they target healthcare.”
And Covid-19 has only made it worse, according to Frenz. “Hospitals rapidly began to roll out telehealth and remote access, while adding medical devices like ventilators to their networks. On top of that, you have a lot of changes with temporary workforces coming and going, and people managing systems from home.” And so, even for hospitals that did have solid processes in place to assess the risks for a new device, those processes were glossed over to enable technology to be implemented as quickly as possible.
In fact, it happened quite frequently, said Frenz. And while leaders can’t go back and undo those actions, they can prevent them from happening in the future. One way to do that is by evaluating all the technology that was deployed during the pandemic and making sure it adheres to modern information security standards and best practices.
“A lot of hospitals rolled out technology to meet the temporary demands of Covid,” he added. “What’s going to be very interesting is how they undo all of that technology once those regulations go back into effect.”
Part of that, according to Ream, means being willing to “cycle through those individual technologies that were deployed. Yes, they were approved at the time, but now that we’re back under regulation, is it the right fit? Did we do it right, or do we need to remediate what we didn’t do upfront because of the nature of the situation?” It’s a task that will take some time, but is necessary for patient safety, as well as the organization’s viability.
“More than IT and Security”
The challenge is that all of this costs money — a lot of it — and so it can’t just be IT and security teams beating the drums to make a case for funding. It has to be an organization-wide effort that includes other leadership, as well as clinicians. But, as any CISO can attest, “they don’t often think about a breach happening, or what it’s going to cost for the next five years if there is one,” said Ream.
But they might think more about that risk if the right discussions are taking place, with the right parties. For instance, Ream leads a committee at CHA called I-SPOT, which is made of associates from legal, compliance, operations, IT, infrastructure, and marketing. The group is tasked with looking at the organization’s security posture and deciding whether to accept or deny risk with a given initiative.
And, critically, all the information is documented so that if an audit occurs, CHA can attest that although regulations were relaxed, there was a process in place to accept and understand the risk organizationally. That way, it’s not IT or security being cornered, he said. “It’s a good process that organizations can take, and make it fluid enough so that they can adjust quickly.”
And although discussing risk is vital, Frenz said leaders should take it a step further by doing tabletop exercises or simulating attacks to help build awareness among other departments. “It’s a very good way to get people outside of the cybersecurity community to understand how bad things could potentially be if you leave these risks untreated.”
Once buy-in has been achieved, there are a number of steps organizations can take to improve their security profile, including the following:
- Zero trust. According to Morrison, zero trust “is core to where we need to go. We have to look at deploying zero-trust models, and we have to understand that sometimes, especially when workforces are stressed, they are somewhat more susceptible to breaches.” Frenz, however, cautioned that it’s a significant undertaking. In fact, it took Interfaith Medical Center two years to implement a zero-trust network, something very few hospitals have achieved. His team utilized VMware’s NSX to micro-segment servers, and installed internal firewalls for medical devices “to provide a layer of virtual patching,” he noted. “It’s a very complex process because you actually have to sit down and take an inventory of all the devices on your network to figure out what’s on your network. Once you know that, you have to then figure out how all those devices talk to each other. But it takes a lot of time to sit down and map all of that out.” Still, he highly recommended this approach.
- Layered security. Morrison, whose cybersecurity experience includes 22 years with the FBI, also advocated a layered approach that utilizes a lab build-out. “You don’t do software updates onto a live system. You pull them down to a lab-type environment and you test them in a lab.”
- Evidence-based approach. Frenz has long been an advocate of using an evidence-based approach to security, he noted. “I’m big on trying to simulate various types of attacks and see how they could impact the organization. That’s a really effective way of getting others in the organization to understand how a potential cyber risk could actually impact them.”
- Involve third parties. As networks continue to expand outside of the hospital walls, third-party security assessments become increasingly important, according to Morrison. And they need to take multiple factors into account, including IoT environment, remote workforce, and software downloads.
- Testing, testing, testing. All three speakers expressed a strong belief in creating an incident response plan, and testing it thoroughly. “You’ve got to get out there and you’ve got to test it,” said Morrison. “You’ve got to make sure that it’s real and it can survive in the light of day.”
- Be patient. The reality is that getting the full picture of your cybersecurity posture takes time, added Ream. “It gets complicated, and it’s disruptive. But it is a worthwhile exercise, because it will help you understand your environment.”
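The zero-trust step above boils down to two data sets: a device inventory and a map of which devices actually talk to which. The script below is an added example, not code from the webinar or from any of the panelists’ organizations, showing how a baseline of observed flows can be collapsed into a default-deny, segment-level allow-list, while surfacing the two things that tend to bite during such a project: hosts seen on the wire that are missing from the inventory, and traffic between peers in the same segment (the lateral path ransomware uses). The inventory, segment names and flow records are constructed for illustration; the flow tuple shape stands in for whatever a NetFlow or firewall-log export would give you.

```python
"""Derive a default-deny micro-segmentation allow-list from observed flows.

Added example (not from the webinar or any panelist). It assumes a device
inventory and a set of flow records already exist; everything below is
constructed sample data for illustration.
"""
from dataclasses import dataclass

# Constructed inventory: IP -> (hostname, segment). Segment names are
# hypothetical micro-segmentation zones a hospital might define.
INVENTORY = {
    "10.0.1.10": ("ehr-app-01", "clinical-apps"),
    "10.0.1.20": ("ehr-db-01", "clinical-db"),
    "10.0.5.31": ("vent-ward3-01", "med-devices"),
    "10.0.5.32": ("vent-ward3-02", "med-devices"),
    "10.0.9.5": ("pacs-01", "imaging"),
    "10.0.2.40": ("dhcp-dns-01", "infra"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto), the shape a
# collector might export after a baseline capture period.
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 5432, "tcp"),   # EHR app -> EHR database
    ("10.0.5.31", "10.0.1.10", 2575, "tcp"),   # ventilator -> EHR (HL7 MLLP)
    ("10.0.5.32", "10.0.1.10", 2575, "tcp"),
    ("10.0.5.31", "10.0.2.40", 53, "udp"),     # ventilator -> DNS
    ("10.0.9.5", "10.0.1.10", 443, "tcp"),     # PACS -> EHR
    ("10.0.5.31", "10.0.5.32", 445, "tcp"),    # ventilator -> ventilator SMB
    ("10.0.7.77", "10.0.1.20", 5432, "tcp"),   # source not in inventory
]


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    dst_port: int
    proto: str


def segment_of(ip, inventory=INVENTORY):
    """Return the segment an IP belongs to, or None if it is not inventoried."""
    entry = inventory.get(ip)
    return entry[1] if entry else None


def derive_rules(flows, inventory=INVENTORY):
    """Collapse host-level flows into segment-level allow rules.

    Returns (rules, unknown_hosts, intra_segment):
      rules         - candidate allow-list, one Rule per (src seg, dst seg, port, proto)
      unknown_hosts - IPs seen on the wire but absent from the inventory
      intra_segment - flows between peers in the same segment, which deserve
                      review because peer-to-peer traffic between similar
                      devices is the path lateral movement takes
    """
    rules, unknown, intra = set(), set(), []
    for src, dst, port, proto in flows:
        s_seg, d_seg = segment_of(src, inventory), segment_of(dst, inventory)
        if s_seg is None or d_seg is None:
            unknown.update(ip for ip, seg in ((src, s_seg), (dst, d_seg)) if seg is None)
            continue
        if s_seg == d_seg:
            intra.append((src, dst, port, proto))
            continue
        rules.add(Rule(s_seg, d_seg, port, proto))
    return rules, unknown, intra


def is_allowed(rules, src, dst, port, proto, inventory=INVENTORY):
    """Default-deny check: a flow passes only if an explicit segment rule matches."""
    s_seg, d_seg = segment_of(src, inventory), segment_of(dst, inventory)
    if s_seg is None or d_seg is None:
        return False
    return Rule(s_seg, d_seg, port, proto) in rules


def render_rules(rules):
    """Render rules as sorted, human-readable allow lines for review."""
    return sorted(f"allow {r.src_segment} -> {r.dst_segment} {r.proto}/{r.dst_port}"
                  for r in rules)


if __name__ == "__main__":
    rules, unknown, intra = derive_rules(FLOWS)
    print("\n".join(render_rules(rules)))
    print("not in inventory:", sorted(unknown))
    print("intra-segment flows to review:", intra)
```

On the sample data the script yields four segment-level rules, flags 10.0.7.77 as an uninventoried host, and lists the ventilator-to-ventilator SMB flow for review rather than silently allowing it. The default-deny posture is the point: `is_allowed` answers yes only for a flow that matches a rule derived from the baseline, so an unmapped device or an unexpected port is blocked until someone deliberately adds it, which is the inventory-then-map discipline Frenz describes.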
Morrison concurred, and urged leaders to seize the opportunity to “learn critical lessons and have better conversations around security. Every one of us needs to make sure our security works the way we need it to going forward.”
The archive of this webinar — Ransomware in Healthcare: Why Are We Targeted and What Can We Do About It (Sponsored by Hewlett Packard Enterprise) — is available online.