As was summarized in this publication’s introduction to the first article in this two-part series on the ransomware crisis, published on April 18, ransomware has blossomed into a crisis-level phenomenon recently in U.S. healthcare. The first nationally reported mainstream media news story in this drama was that around Hollywood Presbyterian Medical Center. On Friday, February 12, NBC4News, the local affiliate of the NBC network in Los Angeles, reported in its noon and evening broadcasts, and then online, this story: “Hollywood Hospital ‘Victim of Cyber Attack.’” And since that moment, ransomware attacks have rarely been out of the mainstream media headlines, with revelations of attacks that have brought down electronic health record (EHR) and other clinical and operational information systems at the 10-hospital Columbia, Md.-based MedStar Health (first media report March 28), as well as at Methodist Hospital in Henderson, Ky. (first news report March 21), Alvarado Hospital Medical Center in San Diego, and Chino (Calif.) Valley Medical Center and Desert Valley Hospital in Victorville, Calif. (news stories on March 31), and Kings Daughters Health in Marion, Ind. (first news report Apr. 1).
What’s more, these reports represent a small percentage of the actual ransomware attacks taking place at hospitals and other patient care organizations nationwide; they involve situations in which full shutdowns of EHRs and even enterprise-wide information systems have taken place, and thus have garnered mainstream media attention. All those industry experts interviewed for the first ransomware article indicated that they are aware of ransomware attacks happening at least weekly now in the U.S., though in the majority of cases, patient care leaders have been able to respond to such attacks in ways that have avoided necessitated total shutdowns.
In the first article, we quoted Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, as saying of the explosion in ransomware activity, “I don’t know that I would call it crisis mode, but I will say that it’s a very serious threat to the industry right now, primarily because it’s a very concerted effort on the part of the cyber criminals to take advantage of weaknesses in the industry that they figured out they could exploit fairly readily. It has shone a bright light on the lack of preparedness in the industry for these kinds of attacks.,” he told us. “The problem now is that it’s happening so frequently and randomly, so it’s not like you’re being attacked directly—everyone who is connected is being attacked.”
After providing a sense of the overall landscape, those industry experts interviewed for the first article in this series gave an overall set of recommendations for a plan to prepare to meet the ransomware challenge. Here are some of the key factors they shared with us as being essential elements to any such plan:
Ø Above all, what is needed is awareness, buy-in, and support, from the CEO and the c-suite of the patient care organization and from its entire board of directors, as well as from senior management across the enterprise
Ø An information security/data security/cybersecurity strategic plan, fully articulated
Ø In most cases, the use of external services, such as security operations centers (SOCs), and other external consultants and vendors, to support data security management and operations
Ø As part of day-to-day operations, very frequent system-wide backups (possibly daily backups of at least portions of entire information systems, with annual, semi-annual, or quarterly testing of daily/frequent backup processes), behavioral monitoring and auditing processes, continuous updating of antivirus program signatures, continuous server patch updates, and the routinization of other operations-critical processes, with fail-safe verification processes in place
Ø Stronger limits on role-based user access to file-shares, systems and networks
Ø Intensive, comprehensive, continual education and training of all end-users of EHRs and other clinical and operational systems, especially including continual training around phishing
Ø In most cases, the hiring and support of a CISO and data security team
Ø Continuous budgeted funding sufficient for the above
Forging Ahead: What Healthcare IT Leaders Should Be Doing Now
So, what should CIOs, CISOs (chief information security officers), and other healthcare IT leaders be doing right now to protect their organizations from these threats? John Weller, CISO at Metro Health Hospital in Grand Rapids, Mich., part of the Metro Health system, says, “As a CISO, I’m relying on the operations to implement and monitor security threats. As CISOs, we try to find our weaknesses and see how we can compensate for them or solve them.”
And Josh Wilda, vice president of information technology at Metro Health, puts it this way: “From what I’ve seen, the focus has always been, how could someone come in and propagate a virus across the organization and/or the focus always been on data loss prevention, with PHI and HIPAA, and how could someone come in and steal that for their own personal gain. Now it’s totally different, they are not stealing it, the data is there, the organization just can’t get to it. So we have to approach it differently.”
What’s more, Wilda says, “As we know, ransomware isn’t brute force, it’s coming in because of behavioral things that end-users are causing, through spam email and phishing attacks and searching the Internet, so one of the biggest pieces here is that education is very key; and we’ve seen a lot of recent success from the security and privacy office, from John and his counterpart in the privacy officer role, really trying to educate our end users and increase awareness that, while locking down things is all well and good, that could hinder operations of a hospital.”
“So,” Wilda continues, “we can lock it down to a point, but it’s really our end users that need to be on the lookout for how they are opening the door for ransomware to be here. By clicking on an email that doesn’t look right to them or going on the internet to look at the news, but there’s potentially some advertisements there that open the door to ransomware, so one of the key things is a lot of education, because that’s where you’re seeing ransomware coming into organizations.” “Securing the human is the hardest part,” Weller adds. “So we have newsletters and training and education and phishing campaigns.”
“Targeted education, backup strategies, performing technology updates and server patching, and technology assessments, are all critical,” says John Petersen, an Albany, N.Y.-based manager at The Chartis Group, a Chicago-based healthcare consulting firm. “It’s also very important for IT leaders at patient care organizations to know what their third-party vendors are doing. And also,” he adds, “organizations should take a look at their overall IT strategy. Certainly, looking at end-user personal devices—you really have to review your BYOD policies. In most cases, those personal devices are not secure. And also, as far as testing backups, organizations could really focus in on incident response and planning. Just as you’d have an incident response plan for hurricanes or earthquakes, you need a plan and a team to test out for these incidents.”
“There’s been a lot of great content put out there across lots of different media forums right now,” says Ron Mehring, CISO at the 20-plus-hospital Texas Health Resources, based in Arlington, Tex. “But, the blocking and tackling matters. Backups, backups, backups,” he stresses. “Have the ability to restore data in your environment in a way commiserate to whatever the criticality of that data is. In other words, if that data needs to be restored in an hour, and so it doesn’t impact operations, then have the systems set up to be able to restore that data in an hour. And that can be difficult for a lot of different health systems.” And he agrees with everyone on the need to constantly be involved in training and awareness programs for end-users.
In addition, Mehring says, “Health systems do a great job on structured data, we know where databases are, but when you get to unstructured data, it’s kind of all over the place. And depending on the kind of clinical workflow, we might have a departmental directory set up with some specific files and forms specific to that clinical workflow, and it has to be accessed and maybe everyone in the department has access to that directory for that particular form for that workflow. If someone clicks on something, now that departmental directory is encrypted and no one can access it. So in a healthcare system, there needs to be an inventory of unstructured data,” he urges.
And, when a ransomware attack does infect a system, and patient care is affected by the shutdown of a patient care organization’s EHR, Mehring urges, “Make sure you have disaster recovery plans, make sure that continuity plans are in place, so if something goes wrong, and files are inaccessible, you know how you’re going to operate without the data. Have a backup plan and practice it. So if we have a ransomware attack on our data, at a technical level, who is going to respond to it, and how are we going to pivot people to that problem? And how are we escalating to let the operations staff know what’s going on as well as leadership knows what’s going on in the organization that we have a significant event going on that has the potential to disrupt our caregiving?”
What’s more, says Natalie Lehr, “The challenge with ransomware is that not only does it affect the user device but connected devices, that it could even harm those backups, if they’re connected.” Lehr, who is vice president of analytics and co-founder of the Silver Spring, Md.-based TSC Advantage consulting firm, which advises organizations in several industries, including the energy industry, manufacturing, the mergers and acquisitions area, and healthcare, says, “The discussion then becomes, how do you remove the backups from the attack vector, so you will always have, offline, some kind of clean backup? And I think part of coming with a more effective recovery strategy, is that you recoup data sooner.” In that regard, she says, “You definitely need to test that your backups are effective. Many organizations have a procedure for backups but don’t make sure that they function properly, so they have a procedure for testing backups.” She recommends at least twice a year, noting that “More mature organizations are doing it quarterly,” despite the disruption to daily processes involved in such backup testing.
High-Level Support—and Resources--Needed
What’s extremely important in all this, says The Chartis Group’s Petersen, is to keep in mind that “This is not just an IT problem. And in order to solve this, it will take efforts from across the entire organization, even to the point of a cross-functional incident response organization,” he says. “At the highest level, the CEO, the c-suite, and the board need to be aware of this. And if you don’t have a CIO or CISO who takes part in regular board meetings or has the venue to be able to describe these situations, a lot of this gets lost, when they’re hearing about all the clinical information systems that need to be added to the clinical space, and that’s a source of frustration with funding for this.”
CynergisTek’s McMillan says flatly, “I tell people there are [three] things that are critical that we need to do better and better quickly. First, we have to get away of notion of annual training for user—as if that’s effective. We need more interactive training for users. Users have a huge bullseye on their backs with respect to attackers, and we have to make them smarter about not being a victim. Second,” McMillan says, “We’ve got to do a better job in how we architect our environment and how we manage it. We need layered defenses, complementary controls, both signature based and heuristic based technologies, we need more advanced malware detection systems deployed, and we need active monitoring. And lastly, we need to make incident response and recovery a priority, and we need to review those plans we have today and those processes, make sure they are up to date and actionable, and practice them, so when we have an incident, we can limit the impact it has on the environment.”
Going Forward, a Moving Target
How will things play out over time? “I’m optimistic in the long term,” says Fernando Blanco, who ten months ago joined the 50-plus-hospital Christus Health system, based in Irving, Tex., after working as a CISO in the consumer products industry. “The industry is moving in the right direction. But I think we’re going to get worse before we get better; I think we’re going to see a lot more of these cases,” he cautions. “The number-one recommendation I continue to offer is backups.”
That having been said, Blanco says that in the near term, he sees cybercriminals inevitably altering their tactics in the coming months, as healthcare IT leaders become more savvy at fighting back at these attack. “Instead of encrypting 1,000 files in an hour, the malware criminals will move slowly, so that yesterday’s backup still has the malware in it,” he says. “So your backup strategy as a recovery system will no longer be valid. If malware moves in that direction, it will be harder to detect, and it will be harder to go back to your safe state. Right now, you can go to your backup and restore. But if my two-day backup or my seven-day backup still includes malware in it through an encrypted file, if they delay the process, then we’ll have a problem.” Thus, he says, he echoes what the other industry leaders have said here about the importance of backups and of backup testing.
In the end, all those interviewed agree, this area will remain a moving target for some time, as healthcare IT leaders are forced to play a perverse kind of “whack-a-mole” game with cybercriminals. Even as CIOs, CISOs, and their colleagues move to address the ransomware crisis, the cybercriminals who are creating the crisis will find new ways to torment healthcare, as the motivation for doing so remains so compelling. All healthcare leaders need to take the ongoing threat seriously—and prepare for a continuously evolving landscape around it, experts agree.
Healthcare Informatics will continue to provide ongoing coverage of this rapidly evolving situation.