If ransomware attacks are still not quite an inevitability, they’re more common than ever across healthcare, and the threat is still an unwelcome fact of life for hospitals and health systems trying to keep their data – and their patients – safe.
At the HIMSS Healthcare Cybersecurity Forum on Monday, two security leaders – Stephen Dunkle, chief information security officer at Geisinger, and Steve Cagle, CEO of Clearwater – offered some useful perspectives on ransomware risk-mitigation.
“Cybersecurity traditionally has been around building a strategy with a well-defined perimeter, and building that wall, and keeping people out,” said Cagle. “And that’s changed. The mindset has changed.
“We have a whole new set of vulnerabilities,” he explained. “The risk landscape is different, and how we go about assessing that risk and then putting different types of controls in place to bring that risk to an acceptable level, that really needs to become a core competency of the organization as these types of trends continue to evolve over time.”
One of the biggest changes – ideally, at least, at forward-thinking organizations – is a new understanding of how and why to do the fundamental first step for cybersecurity, the risk assessment.
“Oftentimes, a risk analysis was viewed by many organizations as a compliance exercise, or something that we need to do for HIPAA, or for meaningful use, or promoting interoperability,” said Cagle, whose consultancy helps health systems with cyber risk management and regulatory compliance.
“We disagree that’s the main reason to do the risk analysis. It’s an important reason, but really the reason to do the risk analysis is to understand where you have potential exposure to the organization.”
An essential first step is a desire to understand where vulnerabilities exist, “identifying information systems that have sensitive data or that are critical to the business – including those systems with electronic protected health information – making sure that the level of the rigor of the risk analysis is extremely comprehensive,” Cagle explained.
That said, “every organization has its own unique technology, its own process – and its own risk tolerance.”
Once vulnerabilities and risks are cataloged, it’s time to assess controls that are in place, “and we need to decide or make a determination as to how effective those controls are. What’s the likelihood of a threat exploiting a vulnerability? And then what’s the impact to our organization if that were to occur?”
Many organizations – although fewer than there used to be – still neglect to sit down and answer those questions, to “really sit down at a leadership governance level and define what impact means to their organization,” he said.
“What’s a high? What’s the low? What’s the one? What’s the five? What does that mean in terms of number of records or financial terms or clinical outcome? Risk is a function of likelihood of impact. It has to do with what the harm is that could be caused to the organization, and the probability of that harm.”
Dunkle has seen the role of the CISO changing over his years in the trenches.
“I can remember the early years of the profession, it was about the security professional doing what they felt, based on their expertise, was needed,” he said.
“Thankfully, we’ve migrated to more of a risk-based approach. It’s not about ultimate security. It’s about doing what’s right for the organization, and it should be business-driven.”
He added: “The security professional’s job is to listen to that, and basically take those marching orders, and say, ‘I understand the risk tolerance of this organization, and my job is to maintain that level of risk tolerance – the protection mechanisms – from a security standpoint.’ That’s a very different model than in the early years.”
Dunkle pointed out that ransomware has raised the stakes considerably: An attack is not just a threat to protected health information or a potential HIPAA violation. The network downtime or device disruption caused by a system seizure could pose significant patient safety risks.
“I’ve been in quite a few discussions about risk, and it always seems to center initially around information,” he said. “But what we’re trying to sell within my department and others at Geisinger is that information is one piece of it. But you also need to think about the integrity of the systems and the availability of the systems.
“Somebody, God forbid, bringing down a medical device isn’t really an information disclosure concern. But if you can’t treat patients, that opens a whole new realm for a healthcare system from a risk perspective.”
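The two threads above, Cagle’s risk-analysis steps (scope the systems holding ePHI or critical to the business, judge control effectiveness, score likelihood and impact on a leadership-defined scale, compare with risk tolerance) and Dunkle’s point that a medical-device outage is an availability risk even with no disclosure, can be put into one small risk-register calculation. The following is an added example written for this article; it is not Geisinger’s or Clearwater’s methodology, and the 1-to-5 scale definitions, the sample systems, the control-effectiveness figures and the tolerance threshold of 10 are all constructed placeholders that an organization would replace with its own definitions.

```python
"""Worked risk-register scoring: residual likelihood x impact, checked against a
stated risk tolerance. Added example with constructed data; not any organization's
actual scale or inventory."""
import math
from dataclasses import dataclass

# Constructed 1-5 impact scale. Leadership defines what each level means in
# records, dollars and clinical outcome; these strings are placeholders.
IMPACT_SCALE = {
    1: "negligible: no PHI exposed, no clinical disruption",
    2: "minor: small record count or brief workflow slowdown",
    3: "moderate: reportable breach, hours of downtime",
    4: "major: days of downtime, diverted patients",
    5: "severe: patient harm possible, extended outage",
}

@dataclass
class System:
    name: str
    has_ephi: bool
    business_critical: bool
    # Impact (1-5) if confidentiality, integrity or availability is lost.
    impact_c: int
    impact_i: int
    impact_a: int
    # Inherent likelihood (1-5) of a threat exploiting a known vulnerability.
    likelihood: int
    # Fraction of that likelihood the existing controls are judged to remove (0-1).
    control_effectiveness: float

def residual_likelihood(s: System) -> int:
    """Controls reduce likelihood; round up and never go below 1, because a
    control can fail and a threat can still get through."""
    if not 0.0 <= s.control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be in [0, 1]")
    reduced = s.likelihood * (1.0 - s.control_effectiveness)
    return max(1, math.ceil(reduced))

def impact(s: System) -> int:
    """Worst case across C/I/A, so a device outage counts even with no disclosure."""
    return max(s.impact_c, s.impact_i, s.impact_a)

def risk_score(s: System) -> int:
    """Risk as a function of likelihood and impact on the 1-25 product scale."""
    return residual_likelihood(s) * impact(s)

def risk_register(systems, tolerance):
    """Rows of (name, score, exceeds_tolerance), highest risk first."""
    rows = [(s.name, risk_score(s), risk_score(s) > tolerance) for s in systems]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def scope_for_rigorous_analysis(systems):
    """Systems holding ePHI or critical to operations get the comprehensive review."""
    return [s.name for s in systems if s.has_ephi or s.business_critical]

# Constructed inventory (hypothetical systems and scores).
SAMPLE_SYSTEMS = [
    System("EHR database", True, True, 5, 5, 4, likelihood=4, control_effectiveness=0.4),
    System("Infusion pump fleet", False, True, 1, 5, 5, likelihood=3, control_effectiveness=0.2),
    System("Cafeteria menu site", False, False, 1, 1, 1, likelihood=4, control_effectiveness=0.0),
]
RISK_TOLERANCE = 10  # constructed: scores above this need a leadership decision

if __name__ == "__main__":
    print("In scope for comprehensive analysis:", scope_for_rigorous_analysis(SAMPLE_SYSTEMS))
    for name, score, over in risk_register(SAMPLE_SYSTEMS, RISK_TOLERANCE):
        print(f"{name:22s} risk={score:2d}  {'EXCEEDS' if over else 'within'} tolerance")
```

With these constructed numbers the infusion-pump fleet, which stores no PHI, scores the same 15 as the EHR database, because its impact is driven by the availability and integrity columns rather than confidentiality; the menu site, with a high likelihood but negligible impact, stays well inside tolerance. The rounding-up in `residual_likelihood` is a deliberate design choice so that strong controls reduce a score but never make a system disappear from the register.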
Cagle noted that “we recently saw the first case of [alleged] medical malpractice related to ransomware attack” in the U.S. “It’s a tragic story, and it’ll be interesting to see how this case plays out,” he said. “And I don’t think it’ll be the last case like this.”
He noted that “cyber insurance rates are going up, and then the ability to actually get coverage is being limited if certain controls aren’t in place. The level of risk that’s out there is expanding.”
Given the high stakes, it’s no wonder, then, that some healthcare organizations opt to pay cyberattackers millions in cryptocurrency to get their systems back online – even though the official recommendation from the FBI, the Department of Homeland Security and other federal agencies is to avoid paying ransoms.
Given that potential necessity, should planning on how to pay a ransom be part of a cyber prevention plan?
“I think it’s part of the whole package,” said Dunkle. “I truly believe sooner or later all of us are going to have to make some decisions here – hopefully not to the depth some organizations do. But I think all of us are going to be impacted by this. So you might as well plan for it.”
“You certainly don’t want it to be the first time that you’re going through that exercise, when there is an attack,” Cagle agreed. “So part of the prevention strategy [should be], ‘How do we get out of it as quickly as possible with minimal impact to the organization?’
“It’s a very chaotic time,” he said. “Certainly, people are under high levels of stress. And I think going through that exercise beforehand makes sure people understand that there are certain questions that we’re going to need to answer:
“Who do we call? Who do we notify? How do we speak to third parties to the public and test the disaster-recovery and business continuity plans? That can make a huge difference, in shortening the length or minimizing some of the impact that occurs.”