It has become widely accepted by senior leadership teams that when it comes to cybersecurity attacks, it’s not a matter of if an organization will be targeted, but when it will. What most don’t know, however, is how traumatizing a cyber-incident can be.
“It felt dirty,” said CISO Patrick Voon, whose organization — Loma Linda University Health — sustained an attack in 2020. “When you find out that someone has come into your house and poked around, it’s not a good feeling. It’s something that I don’t want to go through again.”
Fortunately, Voon’s team had a solid cybersecurity strategy in place and, as a result, operations were able to continue. But it was an eye-opening experience, noted Voon, who addressed the topic during a recent webinar. “Until it happened to us, I couldn’t believe all the nitty gritty things that are involved.”
For some organizations, the fallout has been far worse, with outages lasting for weeks and patient care suffering tremendously. “That’s the reality we live in,” said Aaron Miri, Chief Digital & Information Officer, Baptist Health, who also spoke on the panel, along with Motti Sorani, CTO at CyberMDX.
The good news, Miri noted, is that the rise in ransomware threats has increased awareness of cybersecurity’s critical role and has initiated conversations about risk management. The problem is that it’s not always reflected in budget planning.
According to an Ipsos survey sponsored by CyberMDX and Philips, just 11 percent of IT and IS leaders believe their organizations consider cybersecurity to be a high-level priority in terms of spend. Even more alarming, the majority of respondents said “they don’t feel prepared for a ransomware attack or in control,” Sorani noted.
This should come as no surprise, said Voon, particularly with margins as narrow as ever. “It comes down to risk management and what the business needs to do to operate and be successful,” he added. For CISOs, CIOs and other leaders, explaining why it’s so critical to continually invest in cybersecurity — and the consequences of failing to do so — has become part of the job description.
Making the Case
It starts by identifying the major risks posed by cyberthreats and explaining what’s being done to protect the organization. According to Miri, who has held several leadership roles, health systems are most vulnerable when going through a major transition, such as an EHR go-live or a new facility opening. “Ransomware tends to hit at moments of change,” he said. During those times, it’s even more important to analyze how malicious links can penetrate the system, who is being targeted, and what layers are in place to protect the organization.
For example, his team noticed a high uptick in emails being sent to workers in payroll services, then quickly notified those who might potentially be targeted.
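A detection along the lines of what Miri’s team noticed, written here as an added example that is not from the webinar or any panelist’s tooling: it assumes a tab-separated mail-gateway export that records the recipient’s department, uses constructed log lines, and flags a department whose inbound external mail jumps well above its own recent daily baseline, returning the people to warn and the sender domain behind the spike.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed mail-gateway log (tab-separated): date, sender domain,
# recipient, recipient's department. Four quiet days, then 2021-03-05.
SAMPLE_LOG = """\
2021-03-01\tvendor-a.example\talice@hospital.example\tpayroll
2021-03-01\tnews.example\tbob@hospital.example\tpayroll
2021-03-02\tvendor-b.example\tcarol@hospital.example\tpayroll
2021-03-03\tnews.example\tbob@hospital.example\tpayroll
2021-03-03\tvendor-b.example\tdave@hospital.example\tnursing
2021-03-04\tvendor-a.example\talice@hospital.example\tpayroll
2021-03-05\tpay-update.example\talice@hospital.example\tpayroll
2021-03-05\tpay-update.example\tbob@hospital.example\tpayroll
2021-03-05\tpay-update.example\tcarol@hospital.example\tpayroll
2021-03-05\tpay-update.example\terin@hospital.example\tpayroll
2021-03-05\tvendor-b.example\tdave@hospital.example\tnursing
"""

def parse_log(text):
    """Split each non-empty line into (date, sender_domain, recipient, dept)."""
    return [tuple(line.split("\t")) for line in text.splitlines() if line.strip()]

def find_upticks(records, review_date, min_ratio=3.0, min_count=3):
    """Departments whose inbound volume on review_date is at least min_ratio
    times their per-day baseline (mean over the other days in the log, quiet
    days counting as zero) and at least min_count messages."""
    per_day = defaultdict(Counter)   # dept -> Counter(date -> messages)
    today = defaultdict(lambda: {"rcpts": set(), "senders": Counter()})
    for date, sender, rcpt, dept in records:
        per_day[dept][date] += 1
        if date == review_date:
            today[dept]["rcpts"].add(rcpt)
            today[dept]["senders"][sender] += 1
    baseline_days = {r[0] for r in records if r[0] != review_date}
    flagged = {}
    for dept, counts in per_day.items():
        n = counts[review_date]
        baseline = mean(counts[d] for d in baseline_days) if baseline_days else 0.0
        if n >= min_count and n >= min_ratio * baseline:
            flagged[dept] = {"count": n, "baseline": round(baseline, 2),
                             "recipients": sorted(today[dept]["rcpts"]),
                             "top_sender": today[dept]["senders"].most_common(1)[0][0]}
    return flagged

if __name__ == "__main__":
    for dept, info in find_upticks(parse_log(SAMPLE_LOG), "2021-03-05").items():
        print(f"{dept}: {info['count']} msgs vs {info['baseline']}/day baseline, "
              f"mostly from {info['top_sender']}; warn {', '.join(info['recipients'])}")
```

The thresholds are assumptions to tune against your own gateway volume; the minimum-count floor keeps a department that normally receives nothing from being flagged by a single message.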
At Loma Linda, Voon has utilized a single slide to educate board members and senior leaders about how attackers get in; where key points of vulnerability exist, including email; and what they’re doing for each one of those layers. “We’re able to show why we invest in EDR, application whitelisting, and security awareness and training,” he noted. “They understand that we’re doing best practices, and that we’re in a position where we can say we’ve done our due diligence.”
Assessing the Risk
When it comes to risk mitigation and containment, there’s no such thing as oversharing, noted Miri, who urged attendees to be “as transparent as possible.” That includes defining, as part of the defense-in-depth strategy, where critical data is located, along with who does – and does not – have elevated rights. “Do we know what the key users are doing across the organization? Do we know what systems are going up and where? Do we have a mitigation plan for each of those events? That’s why risk assessments are important,” he said.
By having GRC (Governance, Risk, and Compliance) solutions in place, organizations are able to do proactive and reactive measurement, and are able to show the metrics that CEOs want to see. “You’re going to have to make decisions on the fly, and so you have to have those conversations to make sure everyone understands that.” The goal is to make sure that when an incident occurs, the team will be ready.
The Right Response
Although there certainly isn’t a one-size-fits-all approach to mitigating the risk of malware, there are basic principles that can, and should, be applied, noted Sorani.
- Reduce the likelihood of penetration by focusing on entry points, which include Internet-facing services, remote access systems, and users themselves.
- Limit the potential of lateral movement within the network using Zero Trust paradigms.
- Secure critical assets such as devices, and make sure you have online and offline backups.
To enable these three pillars, having good visibility is essential, he noted. “You want to map all of your connected assets and identify the critical ones.” Doing so can help identify gaps and prioritize actions down the road.
Another critical piece is having a vendor partner that has taken all of the necessary steps to secure data, said Miri. “Make sure you’re putting money toward vendors that take this seriously. Are they giving you SOC Type 2 and Type 3 reports? Are they able to show you audits of what they have in their system?” If the answer is no, he advised reconsidering the partnership.
Finally, it’s important to have a culture that encourages employees to voice any concerns. At Baptist, for example, frontline staffers are empowered to speak up and ‘stop the line’ if something doesn’t feel right. That way, not only do team members feel validated, but the focus remains on getting better. “If you have a culture where people believe in each other and are pulling for each other, you can only go up from there.”
The archive of this webinar, Keys to Creating, Maintaining & Drilling a Ransomware Incident Response Plan, is available online.