TEN TRANSFORMATIVE TRENDS 2020


Ransomware in the Face of a Health Crisis


How are healthcare security leaders responding to the new vulnerabilities brought on by COVID-19?

By Rajiv Leventhal


It’s been three years since the WannaCry ransomware attack struck the world, affecting business operations of all kinds in approximately 150 countries. Yet, even as most industries recovered from the initial attack that jolted the information technology world across the planet, the impact continues to be felt.


According to a June 2019 report from cybersecurity firm Armis, for instance, more than 40 percent of healthcare organizations experienced a cyber attack involving the WannaCry ransomware cryptoworm within the six months prior. The goal of WannaCry has been to encrypt the data on the computer and display a demand for ransom to be paid in bitcoin. Researchers have indicated that this method has worked; some estimates have put the cost of WannaCry attacks at over $4 billion in financial losses, including $325 million in paid out ransom. “Healthcare, manufacturing and retail sectors have high rates of old operating systems in their networks,” the report indicated.


Indeed, healthcare organizations continue to be the preferred target of cyber criminals who can gather patient names, insurance and financial information, addresses, Social Security numbers and other personal data that hackers can use for identity theft or other fraudulent activity. These threats in healthcare are not new, but they are still regularly occurring, as pointed out in a recent report from cybersecurity company Emsisoft, which found that 764 healthcare providers were hit with ransomware attacks in 2019.


So, what are health systems and their technology partners doing today to become more resilient? And what lessons have been learned that could be applied to planning for the future? Healthcare security leaders interviewed for this piece emphasize that practicing good hygiene and having a strong security program in place are still the most important pieces to preventing, responding to, and if necessary, recovering from a ransomware attack.


“It’s my job as a [security officer] to make sure I’m securing my environment, picking the right tools to secure my environment, and that I have the right people and processes in place,” says John Houston, vice president, privacy and information security & associate counsel, at UPMC, a $21 billion health system and insurer, headquartered in Pittsburgh. “Threats and technology are always changing, but having a mature program in place will allow you to [continuously] look at how risks and threats are evolving, so you can adapt appropriately. Does it mean I will never have a security incident? Of course not, but [having a program in place] shows that I have done an in-depth risk analysis within my environment, and that I’m thinking enough about where I am at and where I am going,” he says.


Mac McMillan


Doubling down on that point is Mac McMillan, the CEO Emeritus of cybersecurity firm CynergisTek Inc., who adds that hospitals investing in advanced technology, advanced malware detection software, and active monitoring—so that they have a partner watching what’s going on with their systems and what’s coming at them—as well as those that have implemented strong passwords and multi-factor authentication on critical systems, are the organizations that will be best set up for success.


Cybersecurity “hygiene” is a term often used by experts in this space, referring to the regular maintenance that’s necessary for computers and software to run at peak efficiency.


Ultimately, offers Houston, one of the biggest security risks to a healthcare organization continues to be people. “Simply put, we tell users to not store sensitive information on computers,” he says. “Every employee needs to have seen samples of real phishing emails, malicious links and [must] know how to avoid becoming an unwitting victim,” adds Shefali Mookencherry, principal advisor at consulting firm Impact Advisors.


Undoubtedly, poor hygiene can result in the exposure of unpatched vulnerabilities, something McMillan recently experienced from one hospital chief information security officer (CISO) who, after running a recent system scan, found out that his organization stopped patching its systems and stopped making updates as a result of the COVID-19 crisis. The rationale behind that decision, McMillan recounts, was that the organization’s CIO said the focus needed to solely be on operations, and that patching, updates, or other changes to IT systems had the potential to negatively impact them—a scenario that the IT team had to avoid at all costs in the face of a healthcare pandemic.


“The issue there is that ransomware exploits typically look for some weakness in the system they can take advantage of, meaning something that’s not patched, something that isn’t running that should be, or something that’s not configured properly,” McMillan says. “So the minute you stop doing those things, you immediately increase your [attack surface], and all it takes is one phishing message to get through, and we’re off to the races. You cannot just neglect your systems during an emergent situation, because that’s exactly what the bad guys are hoping you do,” he emphasizes.


continued on page 8 MAY/JUNE 2020 | hcinnovationgroup.com 7


How are healthcare security leaders responding to the new vulnerabilities

