Last week we all read another sobering account of the disruption that cyber incidents can cause. The ransomware attack at Hollywood Presbyterian Medical Center was despicable in its nature and alarming in what it says about the overall preparedness of healthcare to deflect these threats.
Healthcare is one of our most critical infrastructures and important to every American. The CEO for this institution eventually opted to pay the ransom to return his institution's systems to service. It was a decision only he and the leadership of that hospital could make, and one I'm sure was not easily arrived at.
In most instances the majority of security and law enforcement professionals would advise against paying the hackers, because, 1) there is no guarantee you will get the decryption key, and 2) there is the fear that it will encourage others to follow suit. I would argue that is easy advice to give if you are not the one looking down the barrel of the ransom note. Until you have walked in those shoes you don't really know what you will do.
The hospital in this case applied practical triage logic to the patient and took the hand to save the arm. I think it is basically unfair to second-guess their decision after they were faced with more than a week of downtime and were facing potentially longer disruption and mounting costs.
But what is not unfair to ask is how ready were they for this situation? What level of protection was in place? What detection capabilities were present to identify this situation earlier? And how ready were their contingency plans? Many of the ransomware programs we see in these attacks are well known and detectable with the right solutions in place – but were they?
Other hospital leadership teams need to ask these questions, because – to dispel one of those fears above – others will follow suit. Additional attacks are already happening. It's not a matter of if, but when.
There needs to be a fundamental shift in our thinking about security today. More priority needs to be given to detection and response, but detection and response without protection will be less effective and can fail. Systems that look for anomalous behavior or traffic first have to understand what is normal or correct. And response approaches need sound architectures and systems to enable identification, isolation and containment of infected or affected information assets.
Things that undermine this are: lack of proper and real segmentation; weak access controls and protections of credentials, particularly elevated privileges; lack of discipline in hardening, patching and change control processes; lagging refresh cycles and end-of-life equipment; shadow IT and rogue applications; inadequate user education and awareness; not adhering to a recognized standards-based approach to controls; irregular testing and assessment; lack of external review; and inadequate oversight or governance.
Organizations with a good defense-in-depth strategy, advanced detection capabilities and solid response/contingency plans will fare far better when attacked. Make no mistake about it: Protecting information assets is a business issue and organizations that don't recognize this will pay for it.
The ransomware threat is particularly relevant for healthcare today and, as we are seeing, a real one. That threat continues to evolve as well, and new ransomware variants continue to appear, like the one now thought to be affecting organizations, called "Locky."
Locky was first reported a little over a week ago, and immediately researchers began to see instances – upwards of 100,000 per day – of infected systems. It took some period of time for A/V vendors to acquire the new signature and update their software to detect and block this threat. How long it took an organization to update its systems, and how well its environment was covered, determined how much more time Locky had to operate undetected.
Locky is reportedly spread through a Microsoft Word attachment containing malicious macros that, when the recipient clicks on them, download the Locky malware and execute it. These ransomware tools are creating serious problems, as the folks in California experienced. And for healthcare they are particularly scary because they represent the worst scenario possible – a serious disruption to the ability to deliver care services.
Ransomware attacks in healthcare affect the reputation of the institution, undermine the confidence of patients and staff, and represent real financial costs.
Right now there is a clamoring for more information on the threat. This always happens right after an event like this, and then fades with time, as does the attention to the problem, but the threat doesn't go away. This is a persistent issue, requiring a persistent solution. Ransomware is not new – it has been around since at least 2009, which just happens to coincide with meaningful use and the mandate to digitize patient information in the electronic health record, making healthcare more susceptible to hacking and electronic extortion.
Symantec, a leading provider of security solutions and threat monitoring, published an excellent report in 2012, "Ransomware: A Growing Menace," that provides a brief history of ransomware, some examples of different types of ransomware attacks known at that time, and strategies for mitigation. While a bit dated today, it will nonetheless bring two things home to those you share it with.
First, this is not something new, but rather this is just the electronic version of an old crime: extortion. Second, any and every organization is susceptible to this threat and it is definitely persistent. I recommend sharing this with non-technical leadership.
What is especially frustrating about this crime is that most of the ransomware types are well known, and there are solutions out there that, if acquired, implemented properly and allowed to enforce, would stop this threat dead in its tracks. We have seen disciplined organizations achieve this, but it takes enlightened leadership and investment.
We may never know the specifics of the Hollywood Presbyterian Medical Center incident – organizations, for good reason, are reluctant to discuss those things. What I do hope is that the CEO of that hospital will find a way to share with his counterparts in our industry just what this experience meant to his institution, how it affected them, and just how it felt to be at the helm during such a trying situation. Executive teams need to understand the cyber risks they face.
Meanwhile, here are eight areas to think about when building a resistance to these threats:
1. Education. Ensure users know how to identify anomalous behavior and avoid common threats through practical training and realistic exercises.
2. Vigilance. Maintain currency in the IT environment, refresh systems, keep patches up to date, harden according to recognized standards, mind configurations and change control.
3. Layer defenses. Use multiple layers in protective technologies and controls at the endpoints, on the network, at the host level, etc.
4. Complement controls. Deploy both signature-based and heuristic-based detection solutions.
5. Enhance detection. Deploy next-generation firewalls, malware filters, A/V filters, automate log management, IDS/IPS, etc.
6. Plan smartly. Update contingency plans, back up everything (offline), think of the worst case in exercises.
7. Be ready. Establish external support relationships, acquire tools, conduct simulations and practice for a real event.
8. Be objective. Use independent third parties to perform regular readiness audits, testing of controls and assessments.