Justin A.

The Ransomware Pandemic in Healthcare

Updated: Jul 27

I have spent a significant amount of time putting together a whitepaper on Ransomware. While there is a healthcare focus, the information will prove useful for organizations in all industries. The paper provides the following:

  • Context - a history of how ransomware has evolved

  • Predictions for the future

  • Practical and actionable guidance on building out your cybersecurity program

  • The most useful and actionable references that I have identified


Please contact me if you have any suggestions or feedback, or if you would simply like to discuss the content. I will continue to improve upon this whitepaper. Justin@ArmstrongRisk.com



(There is an executive summary further below)



Executive Summary

Executive involvement is essential if you and your organization are going to successfully combat hackers.


“Don’t leave the details to others. Active, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important. Your involvement will produce better results as well as make sure the whole organization understands just how important the issue is.” - Former CEO of Visa Charles Scharf (Foreword to “Navigating the Digital Age”)

The Threats

Hackers continue to evolve and grow in strength. They have re-invested in themselves, and more hackers continue to join their ranks.


To get paid, cyber criminals continue to adapt their approach to ransomware.

  • Initially it was “pay the ransom and your files will be restored”

  • They started to encrypt backups so that you would have no option but to pay

  • They began stealing data in order to sell it on the dark web

  • And they are now resorting to additional forms of extortion:

    • Threatening to reveal sensitive information about patients

    • Threatening to go public or give information to regulators

    • Threatening to send the SWAT team to a patient’s home


My prediction is that next they will change data — modify or delete allergies, medications, lab results, patient notes, and other critical data — and then request payment to provide you with the details.


Ransomware’s impact is significant, and can be an existential threat for many small organizations:

  • Significant cost of incident response and investigation

  • Restoration of systems

  • Lost Revenue

  • Patient Safety

  • Potential civil lawsuits

  • Reputational damage


Ransomware is a test of the entire organization, not just the IT and security teams. Your clinical staff need to be prepared to deliver care during a ransomware event. Your executives and top management need to know how to lead in a crisis — how will you control the narrative? How will you reassure your patients? How will you pay your bills, including payroll?


Cybersecurity Strategy

Cybersecurity is not an IT problem, and it requires more than technology to combat modern threats. Cybersecurity requires People, Process, and Technology.


In the past most of the focus was on prevention — keeping the attackers out. The hackers have become so effective that we now consider successful attacks to be inevitable.


With this new mindset that the attackers will succeed, we focus on:

  1. Quick Detection and Response

  2. Automation where feasible

  3. Resilience – Robust business continuity, disaster recovery, downtime procedures, and incident response programs


How do Hackers Continue to Infiltrate?

KnowBe4’s whitepaper "The Root Causes of Ransomware" pulls together research from 6 different reports and finds that the most common attack methods for ransomware are:

  1. Social Engineering (e.g., phishing)

  2. Unpatched vulnerable software

  3. RDP – remote access


I have personally observed that this is true. Often attackers will use a combination of all three — social engineering (usually phishing) to gain access to an end-user device. From there they might exploit a known vulnerability to gain access to a server on the network. They frequently use support tools (such as RDP – Windows Remote Desktop) to gain access to servers on the network.


This highlights that technology alone will not stop these attacks. Hackers are mainly infiltrating through people (tricking them with social engineering) and process (systems that have not been patched due to poor process).
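The "quick detection" the strategy section calls for can be applied directly to the chain described above: an end-user device that starts opening RDP sessions to servers. The following is an added example (not from the whitepaper) that scans constructed Windows logon events (Event ID 4624, logon type 10 = RemoteInteractive) and flags workstation-to-server RDP sessions, then highlights accounts fanning out to several servers. The hostname prefixes (WS-, SRV-), the jump-host allow list and the sample events are assumptions for illustration.

```python
"""Flag interactive RDP logons (Windows Event 4624, LogonType 10) that land on
servers from end-user workstations, i.e. the workstation -> server hop above."""
from collections import defaultdict

# Constructed sample events (not real logs); field names mirror Event 4624.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "nurse01",
     "WorkstationName": "WS-CLINIC-07", "Computer": "SRV-EHR-01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "nurse01",
     "WorkstationName": "WS-CLINIC-07", "Computer": "WS-CLINIC-07"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "itadmin",
     "WorkstationName": "JUMP-01", "Computer": "SRV-EHR-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "nurse01",
     "WorkstationName": "WS-CLINIC-07", "Computer": "SRV-FILE-02"},
]

# Assumed naming convention: workstations start with "WS-", servers with "SRV-".
# Assumed approved RDP sources (jump hosts) that may reach servers.
APPROVED_RDP_SOURCES = {"JUMP-01"}


def is_workstation(host):
    return host.upper().startswith("WS-")


def is_server(host):
    return host.upper().startswith("SRV-")


def find_workstation_to_server_rdp(events, approved=APPROVED_RDP_SOURCES):
    """Return (user, source, destination) for RDP logons from workstations to servers."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 10:
            continue  # only successful RemoteInteractive (RDP) logons
        src, dst = e.get("WorkstationName", ""), e.get("Computer", "")
        if src in approved or not (is_workstation(src) and is_server(dst)):
            continue  # jump hosts and workstation-to-workstation are out of scope
        alerts.append((e["TargetUserName"], src, dst))
    return alerts


def accounts_touching_multiple_servers(alerts):
    """Accounts whose RDP sessions reach more than one server: a stronger
    lateral-movement signal than a single help-desk session."""
    servers = defaultdict(set)
    for user, _src, dst in alerts:
        servers[user].add(dst)
    return {u for u, s in servers.items() if len(s) > 1}


if __name__ == "__main__":
    hits = find_workstation_to_server_rdp(SAMPLE_EVENTS)
    for user, src, dst in hits:
        print(f"RDP {user}: {src} -> {dst}")
    print("fan-out accounts:", accounts_touching_multiple_servers(hits))
```

In production the same logic would run over events collected centrally (e.g. a SIEM), and the allow list would come from your asset inventory rather than a constant.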


People are Our Greatest Ally

While some cybersecurity experts may refer to people as “the weakest link,” they should be your greatest ally.


Lior Div — who founded the company Cybereason — was a member of Israel’s elite Unit 8200, which infiltrated computer systems all over the world. He noted that on the only occasions they were detected and unable to complete the mission, it was always a person (not a machine) that noticed something wrong. The person would continue to pull on the thread until they discovered that there was an intruder.


Peter Drucker said that “Culture eats strategy for breakfast,” and this applies to cybersecurity as well. It is vital to build a strong cybersecurity culture.


Everyone in your organization needs to be educated on the basics of cybersecurity.


The culture needs to be developed so that everyone feels comfortable reporting their own mistakes, or suspicious activity they notice. They need to know how to report it, and they need to be reassured that they will not be belittled or punished when they make a mistake.


Additionally, there needs to be leadership at all levels.

  1. Appoint a specific person who is responsible for Cybersecurity – they must be a trusted individual with exemplary ethics, and competent from a cybersecurity, IT, and business perspective.

  2. Create Cybersecurity Champions across the organization.

  3. Executive Involvement: Executives must do more than pay lip service to Security. They must endeavor to understand it, and be seen supporting the cybersecurity program by their words and actions.


Cybersecurity and Privacy as Business Enablers

Far too often security and compliance efforts are viewed as a cost. Consider the various ways in which Security enables your organization to fulfill its mission:

  1. Keeps you out of the news — protecting your reputation.

  2. Smooths out the sales process —"Is this product secure? Does your organization have security embedded in all its processes? Do you have a SOC 2 or ISO 27001 certification?"

  3. Within Contracts — Whether it is a contract with a customer or a vendor, cybersecurity clauses are written into contracts so that all parties clearly understand the responsibilities and expectations of each party.

  4. Reassure Your Customers after the sale — When a system similar to yours is hacked, the security team can provide details to your customers on how your product is secure, or provide updates and techniques for securing it.

  5. Encourages Investment — Now more than ever, investors are looking for information about your cybersecurity risk management and governance! (Check out recent SEC requirements here)


Prepare Now for an Incident

Organizations that prepare in advance for incidents will be able to reduce the impact and duration of the event significantly. Additionally, building out a resilient business benefits you when you face other emergencies, such as global pandemics, hurricanes, power outages, and more.


Get Involved!

Join one or more of the following organizations so that you can receive and share threat intelligence, strategies, and tactics with others.

  • InfraGard - A public-private partnership between the FBI and Critical Infrastructure.

  • H-ISAC - Health Information Sharing and Analysis Center – the H-ISAC provides excellent threat intelligence, including a messaging platform where cybersecurity analysts discuss current threats back and forth all day.

  • CHWG (Cyber Health Working Group) - Healthcare IT professionals share information through a secure portal and have regular webinars.

  • ASPR TRACIE - Healthcare Emergency Preparedness Information Gateway

  • HIMSS - Healthcare Information and Management Systems Society - HIMSS has provided many great Privacy and Security resources.


Hire An Expert

In my personal life, I realized that I could never make investment decisions as well as someone whose whole life is dedicated to understanding the markets. While I have a good knowledge of the fundamentals, there is no way I could ever match what a true expert can do.


The same is true of Cybersecurity. When someone has devoted many years to cybersecurity and has seen the good, the bad, and the ugly, they are able to provide solid advice and direction. Far too often I have seen non-security people fail to understand how best to prioritize efforts. An expert can also speak to your executives (or prepare you to do so) in the language of business risk and make a compelling case for improvements that can be measured and managed.


For example, I presented to the executives a compelling and easily understood “step by step” narrative of how a hacker would realistically attack our organization and even pivot to attack our customers. This was so compelling that it led to the approval of multiple security projects which significantly reduced our risk without breaking the bank.


Free Resources

Take advantage of the many free resources which are available from organizations such as CISA, the American Hospital Association, the HHS Health Sector Cybersecurity Coordination Center (HC3), and leading security vendors.


Below are my picks for top references:

Executive Focused


Technical Guides


Incident Response Resources


Crisis Management


Industry Reports

These reports can be useful when you need to make the case to executives for implementing specific security programs and controls.


Put Justin Armstrong to Work for You!

Justin has worked closely with Executives at Hospitals large and small, and engaged with technical teams on a wide range of IT, Cybersecurity, and regulatory compliance topics. He has worked with a dozen companies in other verticals as well – pharmaceuticals, technology companies, EdTech, and cybersecurity startups. Justin can help your organization meet your cybersecurity and compliance obligations in a cost-effective manner.



Our core values are:

  1. Honesty and Integrity

  2. Confidentiality

  3. Value above and beyond expectations

  4. We want to make you look good!







Consider just a few of the ways we can help:

  • Incident Preparedness — Prepare your entire organization, including Clinicians, for EHR downtime

  • Meet contractual, privacy, and regulatory obligations (e.g., HIPAA, GDPR)

  • Cybersecurity Strategy, Risk Management, and Governance

  • Build a strong Cybersecurity Culture

  • Cloud Security — architecture, threat modeling, building processes

  • Build your Secure Software Development Life Cycle (SSDLC)


And Security can be a business enabler!

  • Lead your organization to a SOC 2 or ISO 27001 certification

  • Assist your sales and marketing team with Security and Compliance messaging – educate the team, create white papers and presentations

  • Help publicly traded companies meet the latest SEC regulations on cybersecurity

    • Build an incident response program

    • Craft 8-K statements and help determine materiality

    • Build a cybersecurity governance program

    • Assist with writing 10-K statements


Contact me for a free consultation via email - Justin@ArmstrongRisk.com - or Calendly.





1 Comment


Kudos Justin, Great stuff here and raw material for a book!


I sent you some comments in an email.
