As a leader, one of the most difficult tasks is to lead your team into a battle they’re likely to lose. In fact, when healthcare organizations recruit red teams to test their security posture, it’s a battle they’re designed to lose — but one that can, if executed properly, significantly improve their response strategy when the inevitable occurs.
“I don’t like seeing us get beat,” said Dan Bowden, CISO at Sentara Healthcare, during a recent panel discussion. “But you have to invest in finding out where the line is on how good you really are.” And, along with that, “you have to want to find the problems.”
It can be a departure from the way some organizations have traditionally operated, but it’s one that could give CISOs a leg up in protecting patient data, something that has become increasingly difficult and complex, according to Bowden, who discussed ransomware readiness along with Erik Decker, CISO at Intermountain Healthcare, and Drex DeFord, Executive Healthcare Strategist at CrowdStrike.
Ransomware was always a concern for IT and security leaders; in recent years, however, it has become a key priority for all leaders, as incidents continue to happen at an alarming rate. “I can’t over-stress the criticality of this particular threat,” said Decker, adding that as many as 90 health systems were hit with ransomware in 2020, resulting in $20 billion in total downtime impact.
The attack earlier this year on Scripps Health led to a network outage that lasted for several weeks, leading to a $91 million loss in revenue recognition and immeasurable damage to the organization’s reputation. “The days of being able to deliver safe, effective healthcare to patients and families without the electronic components of the EHR and other systems are over,” said DeFord.
Unfortunately, it’s a situation in which many organizations, from large health systems to small practices, have found themselves. “They haven’t done the things they need to do to prepare. And even when they have, some think they’re better prepared than they really are,” he added. In some cases, leaders don’t actually know “how long they can treat patients without the EHR, or how well they can do billing without revenue cycle.”
This is where red teams come into play, noted Bowden, whose organization engaged a red team just a few months ago. And although it was hard to watch the perpetrators do their job and successfully break into the system, it was exactly what Sentara needed to get on the right track. “It was like watching your football team get demolished,” he said. “It’s natural for us to think we’re better than we are; that’s just human.”
And now, instead of operating under false pretenses, his team learned a great deal about where the biggest vulnerabilities exist, and how they can be addressed. “You have to analyze the findings and figure out, how did they beat us to get that touchdown?” But it doesn’t stop there, he noted. Leaders need to think about the other plays that could have resulted in a score, and make sure they’re ready to defend against them.
The important thing is to be willing to lose, Bowden said. “If I picked a red team that didn’t beat me, I would question my judgment about how I picked and who I picked, and then I’d fire them. If you want to get better, you have to do that. And it’s hard; it goes against our nature, but that’s the game.”
What’s even more important are the next steps, noted DeFord. And that starts by ensuring you have “full disclosure on everything they did and how they went about it.” The object is not to punish the blue team, he added, but to ensure they acquire the information they need to improve.
Next, it’s time to act on that info — quickly — by fostering engagement and collaboration among departments, and implementing any lessons learned. “The reaction should be ‘this is what happened, and this is what we’re going to do,’” said Bowden. Decker agreed, adding that the response and recovery is actually the most important component of data security. “If you’re promising prevention, you’re setting yourself up to fail.”
Selling the story
There are, of course, other avenues. One is to create a recoverability confidence index that leverages data to boil it down to a single score, he said. “How confident are we that we could bring everything back up? Can you use that as a communication vector inside your organization? It’s about selling the story and trying to distill highly complicated technical things into something consumable.”
Another is through education, noted Decker, who was a co-lead in the development of a guidance document (Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients) that examines the current cybersecurity landscape, identifies weaknesses that can make organizations more vulnerable to threats, and lists best practices to help mitigate threats.
It can be an invaluable tool in helping organizations perform a gap assessment by “reading about how attacks occurred and marrying that against your practices,” he said, stressing that the process never ends. “You have to continuously cycle through to learn what the next things are going to be and what has to get done.”
By taking any of these actions, whether it’s a red team exercise, a tabletop exercise, or looking through documents, leaders can strengthen their programs and become less vulnerable, said DeFord. What he does not advise, however, is going it alone. “When you look for someone to do an incident response retainer, make sure it’s somebody who does hundreds of these a year.” CrowdStrike, for example, has acted as “cleanup crew” for many of the breaches that have occurred in the past year, which he believes gives them an edge. “We’ve seen, in real life, the ugly underbelly of how these things work and the effect that they have on health systems.”
One of the tools CrowdStrike utilizes is a tiny endpoint sensor that can identify specific behaviors rather than “stopping and interrogating every file before it’s opened to make sure if it matches the most wanted poster from the SIG file,” DeFord noted. That way, “You’re way more likely to find zero-day and other attacks before they’re discovered.”
As part of its service offering, CrowdStrike provides a full report on vulnerabilities that were found and how they were located, so that issues can be addressed across the enterprise, he added.
Finally, the panelists advised attendees to lean on colleagues for best practices and support. “I’ve learned so much by talking to my peers,” said Bowden. “It has helped me to better formulate my story. How do I explain what the risk is? How do I get more attention for it? That’s the problem we have: how do we get enough to maintain our technical side and our tradecraft well enough to know about the threats, but then also develop the acumen and understanding to speak about risk in the terms that the other leaders in the organization do.”
This article is drawn from the webinar Exploring the Key Aspects of Ransomware Readiness, an archive of which is available.