Recently, HCI Editor-in-Chief Mark Hagland spoke with Ron Schlecht, founder and CEO of BTB Security, a consulting firm with offices in Chicago and Austin, Texas. The Philadelphia-based Schlecht founded the company in 2006. The consulting firm, with 22 consultants, focuses primarily on providing information security assessment services, breach response, and managed security monitoring. BTB works in multiple industries, with about 15 percent of its work in the financial services sector, about 10 percent in healthcare, 5 percent in resorts and entertainment, and the rest of its work scattered across a range of other industries. Below are excerpts from Hagland’s interview with Schlecht, who was able to share his perspectives based on his and his company’s work in multiple industries.
How would you describe the cybersecurity landscape right now in healthcare?
I would say that it is challenging at best, only because so many new technologies have been introduced into the industry, both in management and clinical care.
In particular, how would you characterize the ransomware phenomenon right now—as a crisis?
Yes, one could use that term to describe it, since it’s somewhat new. I’ve gotten used to dealing with malware or any number of types of viruses. But when it comes to ransomware, nobody knows what to do right now; for one thing, there’s so much misinformation about whether to pay the ransom or not. And that’s probably the most distressing thing right now, with disagreement on whether to pay ransom or not. In general, we tell people not to pay ransom. Obviously, every case will be different, but the general response is not to pay it. There are a lot of uncertainties involved in that kind of situation.
One could compare paying ransom in a ransomware situation to paying a kidnapper to give your loved one back, correct?
Exactly. They might give you the decryption key. But who’s to say that they won’t choose to maintain persistent access, and won’t come back and re-encrypt those files? There’s no guarantee that you’ll get your files back and in the right condition.
Would you agree that healthcare is behind other industries in terms of cybersecurity preparation and defense?
Yes, I would say that it’s behind other industries, but with the addendum that the end-users are some of the main points of vulnerability in healthcare, and that sets healthcare apart from many other industries.
In our two-part series on the ransomware crisis, people said a few basic things. They repeatedly stressed end-user training, plus more rigorous, role-based access, and backing up your EHRs every day. And behavioral monitoring. What are your thoughts in that regard?
Yes, those are what I’ll call some of the canned responses to ransomware threats. In addition to those responses, there are technical means, including behavioral monitoring, to guard against ransomware attacks. There’s threat intelligence that is available. There are a lot of free and commercial options for applying threat intelligence to address risk, in terms of obtaining indicators of compromise. A virus will look and act a certain way, and therefore, can often be identified because of certain characteristics. So a lot of times, a signature-based intelligence can essentially be applied to monitoring services or solutions. So for people who are doing monitoring already, signature- and behavioral-based intelligence can be integrated into your programs.
What percentage of hospital organizations are leveraging signature- and behavioral-based intelligence tools and strategies now, do you think? A small percentage?
Yes, it’s a very small percentage. And in that context, it’s a maturity issue. Most hospital organizations, in terms of spending the money, are still just checking boxes. They’re not in the business of providing the best security out there, but clinical care in most cases, or research.
How strong has the healthcare industry’s response to this crisis been, relative to the threat involved, on a scale of 1 to 10?
It’s been a 3 to 4, I would say. They know about the threat, but they’re underspending right now relative to it. There are mitigating controls in place that people think are enough. But you don’t really realize the cost of this until a breach or shutdown occurs. It’s almost like buying insurance, really.
So, given the threat and the need for electronic health record and other clinical information systems to remain up and available at all times, it seems that CIOs need to convince their fellow C-suite executives, and boards, to agree to spend the money to fund decent security to make sure that systems remain functioning 24/7, correct?