Yes. There are three points to the triangle of security: confidentiality, integrity, and availability. And it seems that it’s that last point of the triangle, availability, that everybody worries most about. But the reality is that when you have a breach like that [such as in the MedStar Health ransomware situation]—that kills the availability. So in terms of the risk/reward decisions on what should be in place or what things to spend on, that’s a place where good risk managers can quantify the actual potential for loss if their organizations were to be hit by something like this [a ransomware attack]. So it’s a matter of maturity, in terms of understanding something like this. And once you’ve documented that, that’s a sign that the organization is ready to listen and to protect both confidentiality and availability.
Would you agree that organizations should be backing up their EHRs daily?
I think that backups should already be part of what people should be doing routinely anyway. As for daily backups—the potential downside to that is that it’s not just about backing up data, but backing up good data. We’ve had clients who were doing very aggressive backups, but in doing so, they were backing up encrypted data as well.
That leads to the question of how often should backups be tested, correct?
You need to plan for regular backups, and then you need to develop an understanding of what the intervals of those should be, to make sure you have enough points in time spaced out enough so you haven’t completely overwritten data. That will vary. Unfortunately, it’s rather a technical topic. People do daily backups, weekly backups, end-of-month backups, quarterly backups, and then rotate them. Some organizations back up everything nightly but also keep five copies of that, so you have an entire week’s worth. And then you may have a weekly backup that won’t be overwritten for a month, or a monthly backup that won’t be overwritten for a quarter.
So if I have a ransomware attack, I’ll look at my backup. I’ll check my daily backup to see whether it has actual data or encrypted data. You can keep going backwards, to the weekly one or the next most recent weekly one. You should always do testing to make sure you can restore—either on a quarterly or monthly basis. But you should also always be doing enough backups. If you’re looking to restore something, it all depends on when you first catch something. If we can narrow down that the ransomware was initiated on Monday, we want to look at the weekly backups from the weekend, and so on.
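The rotation and the "walk backwards to a clean copy" search described in the two answers above, as an added example that is not part of the interview and not the interviewee's firm's tooling. The retention windows (five nightlies, Sundays for a month, first-of-month for a quarter), the entropy threshold used to spot backups of already-encrypted data, and all dates and sample records are assumptions constructed for the example.

```python
import math
from collections import Counter
from datetime import date, timedelta

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ransomware output sits near 8.0, plain clinical records far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Cheap sanity check so that a backup of already-encrypted files is not trusted."""
    return shannon_entropy(data) >= threshold

def retained(backups, today, nightly=5, weekly_days=30, monthly_days=90):
    """Rotation from the interview: last `nightly` nightlies, Sunday copies kept
    for a month, first-of-month copies kept for a quarter (windows are assumptions)."""
    keep = set()
    for d in backups:
        age = (today - d).days
        if 0 <= age < nightly:
            keep.add(d)
        elif d.weekday() == 6 and 0 <= age < weekly_days:   # Sunday = the weekend copy
            keep.add(d)
        elif d.day == 1 and 0 <= age < monthly_days:
            keep.add(d)
    return keep

def last_clean_restore_point(backups, onset, today):
    """Walk the retained copies backwards from the day the ransomware is believed to
    have started and return the newest one whose sample still reads as plaintext."""
    for d in sorted(retained(backups, today), reverse=True):
        if d < onset and not looks_encrypted(backups[d]):
            return d
    return None

# Constructed sample data: a plaintext record excerpt and a stand-in for encrypted
# output (every byte value equally often, so its entropy is exactly 8.0 bits/byte).
PLAIN = b"patient_id=1042;visit=2016-03-25;dx=J06.9\n" * 100
CIPHER = bytes(range(256)) * 16
TODAY = date(2016, 4, 1)      # assumed day the incident is being worked
ONSET = date(2016, 3, 28)     # assumed: a Monday, as in the interview's scenario
BACKUPS = {TODAY - timedelta(days=i): (CIPHER if TODAY - timedelta(days=i) >= ONSET else PLAIN)
           for i in range(120)}

def demo():
    """Expected: the Sunday copy of 2016-03-27, the weekend before the Monday onset."""
    return last_clean_restore_point(BACKUPS, ONSET, TODAY)
```

The five nightlies taken on or after the Monday onset all fail the plaintext check, so the search lands on the weekend's weekly copy, which is exactly the copy the answer above says to look at.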
Given all these challenges, are we understaffed and underfunded industry-wide, in terms of the staffing of strong IT security teams in hospitals?
Yes, I agree, hospitals’ IT security teams are very understaffed. And most often, they’re not given the level of visibility or the amount of power or access they need: that’s what’s hurting the CISO role now. Many are hiring or naming CISOs to check a box, but not really in support of security.
To summarize, what are the biggest few areas where hospitals are falling down, in your view?
The biggest threat, as it relates to any type of ransomware, remains the sheer number of devices that are allowed in a healthcare organization, and how they connect.
What can medical groups do? Even the largest physician groups are very disadvantaged in terms of resources, compared to hospitals and integrated health systems, so medical group leaders will really need to think carefully about their options.
What I believe is that the leaders of medical groups should seek out the leaders of fellow medical groups. They could start to work together, even if they’re not in the same clinical areas; they can create economies of scale and use some of the same technology partners. And a lot of businesses in other industries outsource a lot of these. The technology piece is outsourced, which allows those organizations to come to organizations like ours, to do things that need to be done.
Would you agree that most hospitals and health systems need to hire external security operations centers (SOCs)?
Yes, all of these organizations need to be doing third-party independent assessments.
What do you think is going to happen around ransomware and malware in the next couple of years?
It’s going to continue to increase. It’s something that’s very profitable for criminals, and people are unfortunately paying it, not only in healthcare, but also, unfortunately, across a lot of different industries.
Is there anything you’d like to add, in the context of everything we’ve been discussing?
This is an area in which the threats are just going to continue to increase. And for us, if it brings security a little bit into the limelight and helps people focus on the issues, that’s a good thing, but of course, the threats overall are a very bad thing.