WannaCry, Petya, NotPetya—recent news reports have been filled with coverage of massive ransomware attacks that swept across the globe, wreaking havoc on public utilities, companies, health systems and government offices. Ransomware is a type of malware that prevents or limits access to a system until a ransom is paid. In the face of these attacks and other emerging cybersecurity threats, what can healthcare organizations do to identify vulnerabilities and protect sensitive patient data?
To find out, I spoke with Mac McMillan, President & Chief Strategy Officer of CynergisTek, Inc., a top-ranked healthcare IT information security and privacy consulting firm. Former Chair of the HIMSS Privacy & Security Policy Task Force, Mac has nearly four decades of experience in information security, intelligence and consulting.
Maureen: Mac, there have been several high-profile ransomware attacks recently. Are ransomware attacks on the rise?
Mac: Definitely. If you look at the incidents that have been reported so far this year, hacking far exceeds any other kind of attack. And of those, attacks categorized as ransomware have been the most frequent.
The biggest reason is because they are successful. Criminals are getting money for doing this and as long as that’s the case, they will keep doing it. In some cases, too, the motivation is less about money and more about destroying systems.
The biggest thing to take away is that not only are these attacks becoming pervasive, they are also increasingly destructive. Last week, for instance, three hospitals were hit by ransomware attacks that essentially took them offline. A week later, they are still rebuilding their systems and trying to get back up and running. The risk is not just to data, it’s also a risk to an organization’s operations.
Maureen: Are ransomware attacks always considered breaches? Can you explain when notification is required?
Mac: In healthcare, a ransomware attack, by definition, is considered a breach, but that doesn’t mean notification is required. If a ransomware attack occurs, you have to investigate the circumstances, including how it got there and what it did.
If in the process of investigating, you determine that compromise of data was possible or actually occurred, then you have to notify patients as well as HHS, depending on the number of compromised records. If you determine data was not compromised or accessed, you don’t have to notify, according to federal law. Certain state laws may be different, though, and it’s important to check.
Maureen: If an organization falls victim to a ransomware attack, what are next steps they should take?
Mac: First, disconnect from the internet, isolate the infection and try to salvage as much of their environment as possible. It’s important to try to avoid having the malware affect critical systems or critical databases by isolating it and figuring out how to eradicate it. Then they need to rebuild their systems.
The biggest key to all of this, at the end of the day, is having good solid procedures in place for recovery. When you get hit with one of these attacks, you’d better have more than just data backed up, including images and configurations.
When you build a system and figure out the right configurations, you essentially create an image so when you create the next configuration, you apply that image. If you don’t keep those images up to date, when you have an incident, you might have to rebuild from scratch.
If you have to rebuild your network from bare metal, that means reloading the operating system and all the applications, and reapplying all of the configurations that were there before, in the correct order. That is a huge task, which is why backing up is so important.
Maureen: What are some of the things that healthcare organizations should be doing to defend against these attacks?
Mac: The first thing they should be doing is making sure to keep their environment up to date. That means having a good schedule for refreshing their systems, such as browsers and anti-virus protection. Secondly, they should be applying a standard when configuring devices. And third, healthcare organizations need to be much more diligent when it comes to patching and maintenance.
Keeping patches up to date is very important. New vulnerabilities come out every day and they’re categorized based on threat level: critical, serious, routine, etc. Critical vulnerabilities should be addressed right away and serious ones within a week to 10 days.
The next step is to control access to systems and data. Remote access should require two-factor authentication and so should any elevated privileges, such as admin accounts. Most of these major breaches gain access and use a set of elevated privileges to compromise the network. If you make it harder to get access to those privileges, it becomes much harder to run an attack.
Technologies that recognize anomalous behaviors, like advanced malware detection, web gateways and email firewalls, are also really helpful, and organizations need to do a better job at using them.
It’s also important to make sure employees know to tell someone right away if their computer is acting strangely, and to be suspicious of phishing attempts.
Maureen: Why is it important to evaluate vendor access and security practices?
Mac: The concept of risk within the four walls of my organization does not exist anymore. If you have third parties who host critical systems or access patient data, you need to pay attention to what they’re doing and what their security practices are. Think about security not just as what you’re doing, but who you are working with.