A little while back the government put out a cybersecurity advisory about an “imminent cybercrime threat” that was targeting hospitals using Ryuk ransomware. To dive deeper into this threat, what this announcement means for healthcare, and what healthcare organizations can do to be prepared for this and other threats, we sat down with Dan L. Dodson, CEO, Fortified Health Security.
What’s your reaction to the healthcare-specific Ryuk ransomware threat announcement?
The joint cybersecurity advisory issued recently on the threat of an imminent ransomware attack is a call to arms for healthcare. The escalation of the alert was driven by two different factors. The first being credible evidence gathered by CISA, the FBI and HHS that there was in fact an increased threat to healthcare. This included lists with names of hospitals being targeted. The second, which isn’t as widely discussed, is that this ransomware exploit has been around for several years. What is unique is that it has greatly evolved over time, so that the duration from initial entry to impact has been shortened to less than five hours. It’s really the combination of those two things that we believe were catalysts for the increased threat announcement. Healthcare organizations must take this threat seriously. It has become quicker and more difficult to catch given the short duration – especially if an organization isn’t executing basic security fundamentals.
Is this type of specific threat really any different than the thousands of threats hitting healthcare organizations every day?
The attack methods used by these cybercriminals are not new. The difference in this specific ransomware threat is the speed of exploit and intensity – which is why the threat level has increased. In the case of the Ryuk ransomware threat, time to act is measured in hours and not days. The primary avenue to penetrate and exploit continues to be phishing emails, which is not new for healthcare. In fact, it has been the number one threat for the last couple of years. When CISA, the FBI and HHS publish a threat alert, this brings clear, credible evidence that a threat escalation is coming.
What are the key elements every organization should include in their incident response plan?
There are two key elements organizations should include in their Incident Response (IR) plans. The first is the need to have an IR plan that’s been vetted and rehearsed. The second, and a critical element of an IR plan, is to make sure that the organization understands the requirements of its cyber insurance. Typically, there are preferred vendor partners or technologies that organizations must use in the event they want insurance to actually cover an attack. It’s important to remember that organizations should not separate their IR policy and their cyber insurance requirements – both must be included in your IR plan. Finally, while communication plans are standard in an incident response, from a technology perspective, organizations must understand how to isolate risk with minimal disruption to patient care, while not compromising the integrity of assets that can be impacted.
Is cyber insurance really worth the money? Does it really cover what’s needed when an incident occurs?
Having cyber insurance is necessary. However – as previously mentioned – organizations must understand the specific insurance they have in place. Most policies require organizations to execute certain fundamentals; if they are not executed and the organization has an adverse event triggering the need for the insurance, you may not have the protection you thought you had. It provides a false sense of security. In many cases, organizations might file a claim after an adverse event, only to find out that they’re not going to be covered due to not executing the required fundamentals. Understand how your insurance policy works, how to activate it, what’s covered, and most importantly, follow the steps so you receive the coverage you need.
Where can a healthcare organization best invest to stop the spread of ransomware or a virus hitting their organization?
Each healthcare organization is in a different spot of its cybersecurity journey. However, there are two fundamentals that apply to all. First, email phishing continues to be the most active area for threats to percolate. This is why making sure you have invested in a robust security and awareness training program is key. Second, executing the security fundamentals is absolutely essential. This includes user education, patching, and monitoring systems to effectively lower risk. This means making sure advanced endpoint protection and/or managed detection and response (MDR) is implemented, ensuring proper and regular patching is done throughout the environment, and disabling all unused or unnecessary ports, protocols and services such as RDP. Oftentimes in healthcare, we see that cyber leaders know what these fundamentals are, but struggle to execute them because of human capital issues, cultural issues, budget issues, etc.
Is this an opportunity for CISOs to leverage this announcement to get board level attention (and budget) for healthcare security in their organization? How should they navigate this?
Organizations that haven’t been negatively impacted must leverage this point in time to describe to their colleagues the deficiencies that exist in their cybersecurity program. Letting senior leadership know how they could have been at risk had they been targeted will certainly get their attention. Healthcare organizations can’t let this moment in time pass them by. The way to make sure that doesn’t happen is by articulating to their organization where they need to start making more investments and how, without these investments, their organization can be put at risk. To navigate this, organizations should tie the investment to the mission of their organization – which ultimately is serving patients.
If you want to learn more about healthcare security and hear from Dan Dodson, register for the FREE EXPO.health Experience series event with Gabrielle Hempel sharing a keynote on how pandemic response can inform your cybersecurity incident response.