I have spent a significant amount of time putting together a whitepaper on Ransomware. While there is a healthcare focus, the information will prove useful for organizations in all industries. The paper provides the following:
Context - a history of how ransomware has evolved
Predictions for the future
Practical and actionable guidance on building out your cybersecurity program
The most useful and actionable references that I have identified
Please contact me if you have any suggestions or feedback, or if you would simply like to discuss the content. I will continue to improve upon this whitepaper. Justin@ArmstrongRisk.com
(There is an executive summary further below)
Executive Summary
Executive involvement is essential if you and your organization are going to successfully combat hackers.
“Don’t leave the details to others. Active, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important. Your involvement will produce better results as well as make sure the whole organization understands just how important the issue is.” - Former CEO of Visa Charles Scharf (Foreword to “Navigating the Digital Age”)
The Threats
Hackers continue to evolve and grow in strength. They have re-invested in themselves, and more hackers continue to join their ranks.
To get paid, cyber criminals continue to adapt their approach to ransomware.
Initially it was “pay the ransom and your files will be restored.”
They started to encrypt backups so that you would have no option but to pay
They began stealing data in order to sell it on the dark web
And they are now resorting to additional forms of extortion:
Threatening to reveal sensitive information about patients
Threatening to go public or give information to regulators
Threatening to send the SWAT team to a patient’s home
My prediction is that next they will change data — modify or delete allergies, medications, lab results, patient notes, and other critical data — and then request payment to provide you with the details.
Ransomware’s impact is significant, and can be an existential threat for many small organizations:
Significant cost of incident response and investigation
Restoration of systems
Lost Revenue
Patient Safety
Potential civil lawsuits
Reputational damage
Ransomware is a test of the entire organization, not just the IT and Security teams.
Your clinical staff need to be prepared to deliver care during a ransomware event.
Your executives and top management need to know how to lead in a crisis — how will you control the narrative? How will you reassure your patients? How will you pay your bills, including payroll?
Cybersecurity Strategy
Cybersecurity is not an IT problem, and it requires more than technology to combat modern threats. Cybersecurity requires People, Process, and Technology.
In the past most of the focus was on prevention — keeping the attackers out. The hackers have become so effective that we now consider successful attacks to be inevitable.
With this new mindset that the attackers will succeed, we focus on:
Quick Detection and Response
Automation where feasible
Resilience – Robust business continuity, disaster recovery, downtime procedures, and incident response programs
How do Hackers Continue to Infiltrate?
KnowBe4’s whitepaper "The Root Causes of Ransomware" pulls together research from six different reports and finds that the most popular attack methods for ransomware are:
Social Engineering (e.g., phishing)
Unpatched vulnerable software
RDP – remote access
I have personally observed that this is true. Often attackers will use a combination of all three — social engineering (phishing usually) to gain access to an end user device. From there they might exploit a known vulnerability to gain access to a server on the network. They frequently use support tools (such as RDP – Windows Remote Desktop) to gain access to servers on the network.
This highlights that technology alone will not stop these attacks. Hackers are mainly infiltrating through people (tricking them with social engineering) and process (systems that have not been patched due to poor process).
People are Our Greatest Ally
While some cybersecurity experts may refer to people as “the weakest link,” they should be your greatest ally.
Lior Div — who founded the company Cybereason — was a member of Israel’s elite Unit 8200, which infiltrated computer systems all over the world. He noted that the only times they were detected and unable to complete the mission, it was always a person (not a machine) that noticed something wrong. The person would continue to pull on the thread until they discovered that there was an intruder.
Peter Drucker said that “Culture eats strategy for breakfast,” and this applies to cybersecurity as well. It is vital to build a strong cybersecurity culture.
Everyone in your organization needs to be educated on the basics of cybersecurity.
The culture needs to be developed so that everyone feels comfortable reporting their own mistakes, or suspicious activity they note. They need to know how to report it, and they need to be reassured that they will not be belittled or punished when they make a mistake.
Additionally, there needs to be leadership at all levels.
Appoint a specific person who is responsible for Cybersecurity – they must be a trusted individual with exemplary ethics, and competent from a cybersecurity, IT, and business perspective.
Create Cybersecurity Champions across the organization.
Executive Involvement: Executives must do more than pay lip service to Security. They must endeavor to understand it, and be seen supporting the cybersecurity program by their words and actions.
Cybersecurity and Privacy as Business Enablers
Far too often security and compliance efforts are viewed as a cost. Consider the various ways in which Security enables your organization to fulfill its mission:
Keeps you out of the news — protecting your reputation.
Smooths out the sales process —"Is this product secure? Does your organization have security embedded in all its processes? Do you have a SOC 2 or ISO 27001 certification?"
Within Contracts — Whether it is a contract with a customer or a vendor, cybersecurity clauses are written into contracts so that all parties clearly understand the responsibilities and expectations of each party.
Reassure Your Customers after the sale — When a system similar to yours is hacked, the security team can provide details to your customers on how your product is secure, or provide updates and techniques for securing it.
Encourages Investment — Now more than ever, investors are looking for information about your cybersecurity risk management and governance! (See the SEC’s recent cybersecurity requirements.)
Prepare Now for an Incident
Organizations who prepare in advance for incidents will be able to reduce the impact and duration of the event significantly. Additionally, building out a resilient business benefits you when you face other emergencies, such as global pandemics, hurricanes, power outages, and more.
Get Involved!
Join one or more of the following organizations so that you can receive and share threat intelligence, strategies, and tactics with others.
InfraGard - A public-private partnership between the FBI and Critical Infrastructure.
H-ISAC - Health Information Sharing and Analysis Center – the H-ISAC provides excellent threat intelligence, including a messaging platform where cybersecurity analysts discuss current threats back and forth all day.
CHWG (Cyber Health Working Group) - Healthcare IT professionals share information through a secure portal and have regular webinars.
ASPR TRACIE - Healthcare Emergency Preparedness Information Gateway
HIMSS - Healthcare Information and Management Systems Society - HIMSS has provided many great Privacy and Security resources.
Hire An Expert
In my personal life, I realized that I could never make investment decisions as well as someone whose whole life is dedicated to understanding the markets. While I have a good knowledge of the fundamentals, there is no way I could ever match what a true expert can do.
The same is true of Cybersecurity. When someone has devoted many years to cybersecurity and has seen the good, the bad, and the ugly, then they are able to provide solid advice and direction. Far too often I have seen non-security people fail to understand how best to prioritize efforts. An expert can also speak to your executives (or prepare you to do so) in the language of business risk and make a compelling case for improvements that can be measured and managed.
For example, I presented to the executives a compelling and easily understood “step by step” narrative of how a hacker would realistically attack our organization and even pivot to attack our customers. This was so compelling that it led to the approval of multiple security projects which significantly reduced our risk without breaking the bank.
Free Resources
Take advantage of the many free resources which are available from organizations such as CISA, the American Hospital Association, the HHS Health Sector Cybersecurity Coordination Center (HC3), and leading security vendors. Below are my picks for top references:
Executive Focused
“Navigating the Digital Age,” 3rd edition (must provide personal information)
“Navigating the Digital Age,” 1st edition (no information required)
Technical Guides
Australian Signals Directorate - Cybersecurity Resources
Essential Eight – Eight best practices that prove to be most effective.
Information Security Manual – Lots of useful detail for the team!
DNS: https://www.quad9.net/ - Use Quad9 for your DNS.
Windows Local Administrator Password Solution (LAPS) - https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Incident Response Resources
DHS Cyber Tabletop Exercise (TTX) for the Healthcare Industry — A complete set of materials for running a TTX, including planning documents, presentation, online references, and more.
Crisis Management
ASPR (Administration for Strategic Preparedness & Response) TRACIE (Technical Resources, Assistance Center, and Information Exchange) provides many excellent resources on a wide variety of emergency preparedness topics, and you can subscribe to their listserv.
Carnegie Mellon “Guide to Effective Incident Management Communications” is a good place to start.
“Crisis Communications” by Steve Fink provides real life examples of good and bad crisis management. It is an education on how to control the narrative and lead in a crisis.
IBM’s Cyber Range in Boston provides a very realistic way of experiencing a cyber-attack and seeing how you and your team respond.
Industry Reports
These reports can be useful when you need to make the case to executives for implementing specific security programs and controls.
The Verizon Data Breach Investigations Report (DBIR) — this report has been accepted as the best source of data - https://www.verizon.com/business/resources/reports/dbir/
Crowdstrike Global Threat Report — https://www.crowdstrike.com/resources/reports/?lang=1
Cybereason “Ransomware: The True Cost to Business” Annual Report — https://www.cybereason.com/ransomware-the-true-cost-to-business-2024
IBM Cost of a Data Breach Report — https://www.ibm.com/reports/data-breach
Put Justin Armstrong to Work for You!
Justin has worked closely with Executives at Hospitals large and small, and engaged with technical teams on a wide range of IT, Cybersecurity, and regulatory compliance topics. He has worked with a dozen companies in other verticals as well – pharmaceuticals, technology companies, EdTech, and cybersecurity startups.
Justin can help your organization meet your cybersecurity and compliance obligations in a cost-effective manner.
Our core values are:
Honesty and Integrity
Confidentiality
Value above and beyond expectations
We want to make you look good!
Consider just a few of the ways we can help:
Incident Preparedness — Prepare your entire organization, including Clinicians, for EHR downtime
Meet contractual, privacy, and regulatory obligations (e.g., HIPAA, GDPR)
Cybersecurity Strategy, Risk Management, and Governance
Build a strong Cybersecurity Culture
Cloud Security — architecture, threat modeling, building processes
Build your Secure Software Development Life Cycle (SSDLC)
And Security can be a business enabler!
Lead your organization to a SOC 2 or ISO 27001 certification
Assist your sales and marketing team with Security and Compliance messaging – educate the team, create white papers and presentations
Help publicly traded companies meet the latest SEC regulations on cybersecurity
Build an incident response program
Craft 8K Statements and help determine materiality
Build a cybersecurity governance program
Assist with writing 10K statements
Kudos Justin, great stuff here and raw material for a book!
I sent you some comments in an email.