Imagine this: You’re a large healthcare provider whose staff is having trouble accessing vital records in your hospital’s computer network. Your IT department begins an immediate investigation and determines the cause to be a malware attack. Worse yet, the attackers are demanding ransom to obtain the decryption key. How do you respond?
For Hollywood Presbyterian Medical Center, this was no fire drill. On Feb. 17, the hospital disclosed that it had experienced a malware attack earlier that month, which temporarily affected the operation of its computer network. Specifically, the malware locked access to certain computer systems by encrypting files, preventing hospital staff from sharing communications electronically.
To make matters worse, the hackers demanded ransom to obtain the decryption key—40 Bitcoins, or approximately $17,000, to be exact. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian Chief Executive Officer Allen Stefanek said in a statement. “In the best interest of restoring normal operations, we did this.” The hospital said it also immediately notified law enforcement.
Hollywood Presbyterian is not alone. Cyber-attacks like ransomware—a specific form of malware designed to hold data hostage on infected systems, usually by encrypting it, until the owner pays the attacker a ransom—continue to plague the healthcare industry. According to a healthcare cyber-security survey conducted by KPMG, 81 percent of the 223 U.S.-based healthcare executives polled said their organizations had been compromised by at least one cyber-attack during the past two years.
Furthermore, the survey results showed that only half felt they are adequately prepared to prevent an attack. “The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise, and healthcare executives are struggling to safeguard patient records,” says Michael Ebert, leader of the healthcare and life sciences cyber-practice at KPMG.
It’s also important to keep in mind that the cost of failing to prevent a cyber-attack goes far beyond operational expenses. Many companies incur additional costs associated with reputation and brand damage, loss of customers, lost revenue, lost productivity, and credit monitoring services for employees or customers, and potentially even legal fees and the regulatory fines and penalties that follow a data privacy and security breach.
“We’re not talking about spending a few hundred thousand dollars,” says Ebert. “We’re talking about spending millions of dollars.”
In addition to ransomware, Distributed Denial-of-Service (DDoS) attacks are another evolving threat in the healthcare sector. A DDoS attack occurs when hackers command a fleet of remotely controlled computers (a botnet) to flood a targeted network with traffic, effectively bringing the network to its knees and causing long delays and outages.
“What we’re seeing this year, for the first time in several years, is that the top motivation is around criminal activity,” says Gary Sockrider, principal security technologist at software company Arbor Networks. Similar to ransomware, DDoS attacks can involve extortion by hackers; if you don’t pay a ransom, they’ll keep the site down.
“For many years, companies’ attitudes concerning DDoS attacks have been, ‘Yes, it’s going to take us offline and it’s a big pain and it can be costly, but at least we don’t have to worry that our data is going to be lost,’” says Sockrider. Think again.
HEALTHCARE SURVEY RESULTS
Below is an excerpt from KPMG's health care and cyber-security survey.
With the changing nature, depth and consequences of cyber-attacks in healthcare, the nature of preventing, monitoring and managing those threats requires a new approach, based on:
Incorporation of cyber-security in the technology and network architecture upfront, via strategic design. Since many organizations achieved their interconnectivity by evolution, resulting in inadequate controls, what is in many cases required today is a redesign and development of a security implementation plan. Investment in security needs to become part of a cohesive, coordinated digital strategy.
A well-prepared and coordinated cyber security team and a security operations center. A successful approach requires appointing an executive with sole responsibility over cyber security, as well as capabilities for instant monitoring. Other areas that need to be covered include managing the breach itself and communicating with various constituencies.
Increased cyber security awareness and capabilities at all levels. Cyber security is a business risk as well as a technology risk. Thus cyber security executives need to be equally conversant in both. While the executive involvement typically boils down to the awareness component, it is important to have board members savvy about cyber security and able to help management in this area.
Taking a broad view of the organization when implementing cyber security. By working with a variety of business partners, organizations have, in effect, become extended value chains. The third-party vector poses an increased cyber security risk. It is crucial to understand the inherent risk of having multiple third parties engaged and to identify risks that have to be remediated.
Increasingly, cyber-criminals are using DDoS attacks merely as a smokescreen to infiltrate the network with malware to steal data, such as intellectual property or personally identifiable information. “If you’ve been the victim of a DDoS attack, you should absolutely consider that an indicator of a compromise, and you should look to see if, and where, you’ve been compromised,” Sockrider adds.
Such multivector attacks are much more difficult to defend against. “It’s like whack-a-mole,” says Sockrider. As soon as you take care of one attack vector, another one rears its ugly head.
Getting ahead of a cyber-attack means being one step ahead of the hackers. “It all boils down to leverage,” says Peter Tran, who leads the worldwide cyber-defense practice at RSA. “He who holds the greatest leverage is most likely almost always going to win.”
In the healthcare sector in particular, cyber-attackers hold nearly all the leverage if the provider doesn’t have a usable backup of the data. In Hollywood Presbyterian’s case, for example, the hospital evidently did not have a backup it could restore from quickly enough to avoid paying.
“We’re talking about a fundamental failure of IT security controls,” says Ebert. “I’ve had clients who had breaches that never disclosed their ransomware, because they effectively were able to recover their environment.”
Just having a backup recovery system in place, however, isn’t the answer to all your problems. “Ransomware in the cloud is an emerging threat,” says Tran. “Just because you’re backing up your data in the cloud doesn’t make you immune from your cloud backups also being held for ransom.” A backup that is reachable with the same credentials the attacker now holds can be encrypted along with everything else; offline or write-once copies, and periodic restore tests, are what actually give a provider leverage.
More often than not, the attacker will give the decryption key back once the ransom is paid, “but that doesn’t mean the attacker doesn’t have a secondary or third way to get back into the system again,” warns Tran.
Reducing the threat of a cyber-attack comes down to good security hygiene, starting with employee security awareness training. “We have found that employees and hospitals are not that well trained on cyber-security,” says Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training firm. “Bad guys go after low-hanging fruit. Low-hanging fruit is people.”
Ransomware, for example, is typically delivered when an employee opens a malicious e-mail attachment or link. Once that device is infected with the ransomware, its files become encrypted, including files on any network shares the device can write to. “It’s still very easy to manipulate someone into opening up an infected attachment,” says Sjouwerman.
He recommends sending all employees frequent simulated phishing attacks to keep them on their toes. “That is where compliance and IT can work together,” he says.
“IT security and compliance work hand-in-hand,” Sjouwerman adds. “Being compliant doesn’t necessarily mean you are secure.”
Good security hygiene also means having in place a leader who is solely responsible for information security, says Ebert. Furthermore, whoever is leading your company’s security efforts should have the resources and leverage to perform the job effectively, he says.
If your chief information security officer sits inside the IT department, says Ebert, how does that CISO report to compliance? How does that CISO understand the data security requirements he or she needs to execute?
By converging compliance, audit, and legal with IT and security, you can gain a 360-degree view of the situation in the event of an attack, says Tran. It’s also essential to identify where your most valuable data resides and put continuous monitoring controls around those systems.
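The monitoring control Tran describes, and the file-encryption behaviour described earlier in the piece, can be illustrated with a small detector. The following is an added example, not code from the article or from any vendor quoted in it: it runs over a constructed file-audit trail and flags the classic ransomware signature of one actor touching many files in a short window, where the written bytes look encrypted (high Shannon entropy) and the files take on a single new extension. The event format, thresholds, hostnames and sample data are assumptions for illustration.

```python
# Added example (not from the article): a small ransomware-activity detector
# run over constructed file-audit events. It implements the heuristic a
# continuous monitoring control around sensitive file shares commonly uses:
# one actor touching many files in a short window, where the written content
# looks encrypted (high byte entropy) and the files take on one new extension.
# Event format, thresholds and sample data are assumptions for illustration.
import hashlib
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since epoch (constructed)
    host: str
    user: str
    action: str     # "write" or "rename"
    path: str
    sample: bytes   # first bytes of the file after the event (constructed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, about 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_ransomware(events, window_s=60.0, min_files=20,
                      min_entropy=7.0, ext_share=0.8, allow_users=frozenset()):
    """Return one alert per (host, user) whose activity matches the heuristic.

    allow_users: service accounts expected to write high-entropy data
    (backup agents, compression jobs), the classic false positive.
    """
    alerts = []
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_actor[(e.host, e.user)].append(e)

    for (host, user), evs in by_actor.items():
        if user in allow_users:
            continue
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most window_s seconds
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            if len(window) < min_files:
                continue
            encrypted = [e for e in window
                         if shannon_entropy(e.sample) >= min_entropy]
            if len(encrypted) < min_files:
                continue
            ext, count = Counter(
                os.path.splitext(e.path)[1].lower() for e in encrypted
            ).most_common(1)[0]
            if count / len(window) >= ext_share:
                alerts.append({"host": host, "user": user, "ext": ext,
                               "files": count, "first_ts": window[0].ts})
                break  # one alert per actor is enough to page someone
    return alerts


def _pseudo_random(seed: str, length: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:length]


def sample_events():
    """Constructed audit trail: one clinician editing notes, one infected host."""
    text = (b"Patient seen for follow-up; vitals stable; continue current plan. ") * 16
    events = []
    for i in range(5):  # benign: a few low-entropy document saves over five minutes
        events.append(FileEvent(1000.0 + 60 * i, "ws-nurse-07", "jdoe", "write",
                                f"//share/records/note{i}.docx", text))
    for i in range(30):  # malicious: 30 files re-encrypted in about 30 seconds
        events.append(FileEvent(2000.0 + i, "ws-billing-03", "asmith", "rename",
                                f"//share/records/chart{i}.pdf.locked",
                                _pseudo_random(f"chart{i}")))
    return events


if __name__ == "__main__":
    for alert in detect_ransomware(sample_events()):
        print("ALERT", alert)
```

Running the block prints a single alert for the constructed billing workstation and nothing for the clinician. The entropy threshold is what separates a real encryption event from a user saving documents, but legitimately high-entropy writers (backup agents writing archives, media uploads) will also trip it, which is why the allowlist parameter exists and why the alert should be routed to an analyst rather than used to block automatically.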
“We’ve got the technology,” concludes Ebert. “We need the right resources, and we need the right understanding of how to address the weaknesses.”