Health CISO Shares Security Strategies for Ransomware, Enterprise Risks
IU Health CISO Mitch Parker recently shed light on the barrage of attacks facing healthcare and the need for developing security strategies to defeat enterprise risks, like ransomware.
The threat landscape in the past year has demonstrated just how low cybercriminals will stoop to make a quick payout. The healthcare sector, already burdened with the COVID-19 pandemic response, faced heightened cybersecurity threats and data exfiltration attempts that threatened to disrupt the overall infrastructure.
Mitch Parker, Chief Information Security Officer for Indiana University (IU) Health, detailed just how serious things have become for healthcare on the cyber front, in a recent Xtelligent Healthcare Media webcast -- and just how pressing it is for providers to take action now to prevent falling victim.
“Last year in healthcare cybersecurity, we've seen an influx in the number of targeted attacks,” Parker said. “And we've seen a complete rapid expansion of the healthcare infrastructure to meet the response to this national crisis of COVID-19.”
“Providers now, because of the complete change in infrastructure, are facing a greater number of vulnerabilities, and we have to ensure the care strategy that we now have can meet our needs,” he added.
Ransomware is one of the largest risks facing the healthcare sector today. The threat has evolved from relying entirely on phishing emails or malicious PDF attachments to infect victims, said Parker. Now attackers actively hunt for exposed, vulnerable remote-access services to exploit, such as Remote Desktop Protocol (RDP), virtual private networks (VPNs), or even SSH.
Using stolen credentials or password spraying, attackers gain a foothold on the network. Parker stressed that attackers are increasingly delaying the ransomware deployment, first taking control of as many connected, vulnerable devices and as much internal storage as they can, so that the eventual detonation causes maximum damage.
Parker attributes this shift to providers successfully restoring data from backups rather than paying the attackers' demands.
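The password spraying Parker describes is designed to stay under per-account lockout thresholds, so the detection signal is account breadth per source address rather than attempt depth per account. The following is an added example, not code from the webcast or from IU Health; it runs a sliding-window spray rule and a contrasting brute-force rule over a constructed authentication log in an assumed `timestamp ip user result` format, and reports whether the spraying source later authenticated successfully (the compromised-account case that matters most).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (illustrative only, not from any real system).
# Each line: <ISO timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_AUTH_LOG = """\
2021-03-02T08:00:01 203.0.113.5 jsmith FAIL
2021-03-02T08:00:02 203.0.113.5 mjones FAIL
2021-03-02T08:00:03 203.0.113.5 rpatel FAIL
2021-03-02T08:00:04 203.0.113.5 lchen FAIL
2021-03-02T08:00:05 203.0.113.5 dgarcia FAIL
2021-03-02T08:00:06 203.0.113.5 akim FAIL
2021-03-02T08:00:07 203.0.113.5 bwhite FAIL
2021-03-02T08:00:09 203.0.113.5 akim SUCCESS
2021-03-02T08:01:00 198.51.100.7 jsmith FAIL
2021-03-02T08:01:05 198.51.100.7 jsmith FAIL
2021-03-02T08:01:10 198.51.100.7 jsmith FAIL
2021-03-02T08:01:15 198.51.100.7 jsmith FAIL
2021-03-02T08:01:20 198.51.100.7 jsmith FAIL
2021-03-02T08:01:25 198.51.100.7 jsmith FAIL
2021-03-02T09:30:00 192.0.2.44 lchen FAIL
2021-03-02T09:30:20 192.0.2.44 lchen SUCCESS
"""


def parse_auth_log(text):
    """Parse the assumed whitespace-separated format into sorted (ts, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least min_users distinct accounts within a sliding window.

    A spray tries one or two passwords across many accounts, so each account sees only a
    failure or two and never locks out; the source IP, however, touches many accounts.
    Returns {ip: {"distinct_users", "first", "last", "successes"}} where "successes" lists
    accounts that authenticated from the same IP after the spray began.
    """
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, ip, user, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))

    alerts = {}
    for ip, attempts in fails.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users),
                        "first": attempts[start][0], "last": attempts[end][0]}
        if best:
            best["successes"] = sorted({u for t, u in successes[ip] if t >= best["first"]})
            alerts[ip] = best
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Contrast rule: a single (ip, user) pair with many failures in the window.

    Spray traffic usually does not trip this rule, which is why both are needed.
    Returns {(ip, user): max failures seen in any window}.
    """
    per_pair = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_pair[(ip, user)].append(ts)
    hits = {}
    for key, stamps in per_pair.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_attempts:
                hits[key] = max(hits.get(key, 0), count)
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, a in detect_password_spray(evs).items():
        print(f"SPRAY from {ip}: {a['distinct_users']} accounts, "
              f"later success for {a['successes'] or 'none'}")
    for (ip, user), n in detect_brute_force(evs).items():
        print(f"BRUTE FORCE from {ip} against {user}: {n} failures")
```

On the constructed log, 203.0.113.5 is reported as a spray across seven accounts with a subsequent success for `akim`, the account that needs an immediate credential reset and session review; 198.51.100.7 is reported only by the brute-force rule, and the single failure from 192.0.2.44 followed by a success is ordinary user behaviour and triggers neither. Thresholds and window sizes are assumptions to tune against your own baseline.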
“When you think about it, ransomware is a business. And the costs have significantly increased because of the increased time and resources that you need to do a successful attack,” he explained. “Five years ago, you could send out a phishing email, good chance you'd lock up the entire network. Now, it's a lot more difficult.”
“You really have to make sure you have a good understanding of your internal processes to be able to develop controls that prevent these issues,” he continued. “These good control processes are to make sure you minimize the damage caused by an insider threat by preventing the insider threat from happening in the first place.”
Parker has also seen an influx of phishing attacks, which remain the most effective way for attackers to harvest credentials.
To combat these threats, providers must consider a “separation of duties.” Doing so reduces the number of users holding elevated privileges on assets and systems, privileges that many of them do not need to perform their jobs.
Without proper access management, providers create a range of risks and security issues. Parker explained that, particularly with ransomware, a compromised privileged account makes it far easier to take over the whole network.
EHRs illustrate the point: in some instances, these intrusions and insider incidents have gone undetected for years. Without controls on, or visibility into, that access, a malicious actor can make off with hundreds of thousands of dollars, if not more.
Legacy systems and failure to patch known vulnerabilities also create a serious security issue, Parker said. Reports have shown that many provider organizations keep these platforms because replacing them seems too costly, yet enterprises likely end up spending more to accommodate the outdated systems.
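A separation-of-duties review of the kind described above is mechanical once an entitlement snapshot and a privileged-action audit trail exist. The block below is an added example, not IU Health's process or code from the webcast; it uses a constructed entitlement table, a constructed audit log and an assumed list of conflicting role pairs to list privileged entitlements nobody has exercised in the lookback period (candidates for removal) and accounts that hold two roles that should never sit with one person.

```python
from datetime import date, timedelta

# Constructed entitlement snapshot: user -> set of privileged roles (illustrative, not real).
ENTITLEMENTS = {
    "jsmith":  {"ehr_admin", "domain_admin"},
    "mjones":  {"ehr_admin"},
    "rpatel":  {"ap_create_vendor", "ap_approve_payment"},
    "lchen":   {"ap_create_vendor"},
    "dgarcia": {"domain_admin"},
}

# Constructed privileged-action audit log: (date, user, role exercised).
AUDIT_LOG = [
    (date(2021, 1, 5), "jsmith", "ehr_admin"),
    (date(2021, 1, 20), "mjones", "ehr_admin"),
    (date(2021, 2, 2), "rpatel", "ap_create_vendor"),
    (date(2021, 2, 3), "rpatel", "ap_approve_payment"),
    (date(2020, 9, 1), "dgarcia", "domain_admin"),   # last use falls outside the window
]

# Assumed role pairs that one person must not hold together (separation of duties):
# whoever can create a payee must not also be able to approve payments to it.
CONFLICTING_PAIRS = [frozenset({"ap_create_vendor", "ap_approve_payment"})]


def dormant_privileges(entitlements, audit_log, as_of, lookback_days=90):
    """Return sorted (user, role) pairs granted but not exercised within lookback_days of as_of.

    These are least-privilege removal candidates: a standing admin right that has not been
    used in a quarter is pure attack surface if the account is phished or sprayed.
    """
    cutoff = as_of - timedelta(days=lookback_days)
    used = {(user, role) for day, user, role in audit_log if day >= cutoff}
    return sorted(
        (user, role)
        for user, roles in entitlements.items()
        for role in roles
        if (user, role) not in used
    )


def sod_violations(entitlements, conflicting_pairs):
    """Return sorted (user, (role_a, role_b)) for every user holding both roles of a conflicting pair."""
    return sorted(
        (user, tuple(sorted(pair)))
        for user, roles in entitlements.items()
        for pair in conflicting_pairs
        if pair <= roles
    )


def access_review(entitlements, audit_log, conflicting_pairs, as_of, lookback_days=90):
    """Bundle both findings into one report dictionary for the access-review meeting."""
    return {
        "dormant": dormant_privileges(entitlements, audit_log, as_of, lookback_days),
        "sod_violations": sod_violations(entitlements, conflicting_pairs),
    }


if __name__ == "__main__":
    report = access_review(ENTITLEMENTS, AUDIT_LOG, CONFLICTING_PAIRS, as_of=date(2021, 3, 1))
    for user, role in report["dormant"]:
        print(f"REMOVE CANDIDATE: {user} holds {role} unused in last 90 days")
    for user, pair in report["sod_violations"]:
        print(f"SOD VIOLATION: {user} holds both {pair[0]} and {pair[1]}")
```

On the constructed data the review flags `domain_admin` for both `dgarcia` and `jsmith` and `ap_create_vendor` for `lchen` as dormant, and `rpatel` as holding a conflicting vendor-creation and payment-approval pair, the combination that enables the kind of long-running financial fraud the paragraph above describes. The 90-day lookback and the conflicting pairs are assumptions to set per organization.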
Why? “Because you're lowering the security of your entire network to accommodate it and use it.”
“Too often the major cause for a lot of these legacy systems sticking around are managers that want their budgets to look good,” explained Parker. “They want to say, ‘Look, I have a good budget. I'm saving money.’ You're not saving money. You're putting the entire network at risk.”
“That's the main cause of these systems sticking around. And I've been through enough of these cases where people have literally come to me and said, ‘I'm not upgrading because it's going to cost money out of my budget. And I don't want to spend it,’” he added. “And that's been a major sticking point for some of these applications.”
Insufficient planning and a lack of due diligence are also a serious weakness in the healthcare space. Parker explained that when initiatives are planned, security is often moved to the back burner to cut costs.
Reports have shown that recovery costs nearly double for organizations that lacked the needed security controls, or that simply paid the ransom instead of investing in security. The data consistently shows that proactively securing the network costs less than reacting to a security issue as it surfaces or after a breach.
To move the needle, healthcare entities need a strong foundation of policies and procedures on which to build these services, he explained. These are critical to achieving a strong security posture across the enterprise.
Organizational support is crucial to success, and the policies should draw on federal, state, and local laws and guidelines. They also need to reflect the entity’s mission, values, and current priorities, and the work should begin with a solid risk assessment. Parker recommended the ONC System Readiness Tool for carrying out that assessment.
Following a thorough assessment, entities can perform a gap analysis to identify areas needing improvement and develop a plan to address them.
“Don't burn yourself out over this. This is going to take over a year. I don't care how big of an organization you have. It will take you over a year,” he explained. “You need to have this good plan to address discovered issues and a really good communication plan.”
“When you develop your policies and procedures, make sure you understand the customer's use cases and their work flows as part of development,” he added. “Because if you don't do that you're going to find yourself at the receiving end of a lot of angry customers who are going to ask why the heck you put that policy in place that has nothing to do with their business. And I mean that.”
At the end of the day, entities must also understand the limitations of what they’re up against: effective policies and procedures can only succeed when the systems can support them. All security plans must be aligned with the overall mission of the provider, with stakeholder buy-in, or they won’t be effective.
For more insights into building an effective healthcare cybersecurity program, entities should review previous Department of Health and Human Services insights that are tailored to the size of the organization.