necessarily want to harm your victims; you want money from them. We saw a marked change in adversarial intent here, meaning, starting with UHS, they were targeting an entire system, in the case of UHS, one with hundreds of hospitals and clinics. They know if they take the hospital down, they’ll have to divert patients, and 80 to 90 percent of the time, the hospital organization will pay. [Recently], in Düsseldorf [at the Düsseldorf University Clinic in Germany], we actually saw the first patient die because of a diversion. But now, if you take down a system, you’re really seeing a shift. Now, these criminals are trying to bring down patient care organizations during a pandemic. Why this is happening is open to speculation; but this isn’t entrepreneurial anymore, this is something different. We have never had an attack like this that has had a sustained impact on people, what we call a kinetic impact. So we’ve drawn chalk lines around different types of activity. For more than a dozen hospital systems [at the time], their command and control servers, web addresses, instrumentation they’re using to control the botnet—that information is now largely known, and cybersecurity companies and network carriers are sinkholing this, meaning, shutting down channels. As we talk with network carriers and intelligence agencies, they’re seeing continued attempts to break into at least two dozen more hospitals. But one network carrier only sees what’s going on in their network. So this is an ongoing attack. Right now, a lot of that infrastructure is being sinkholed, which will work for a while, until the bad guys likely change their infrastructure. The pause we’re all kind of breathing here is like the eye of a storm. If they change their infrastructure, many more patient care organizations will be in danger.

From our own studies, we know that 66 percent of America’s hospitals do not meet minimal cybersecurity standards, according to the NIST framework. In fairness, healthcare has always struggled to fund this. They’ve been making investments, but not fast enough to keep up with the adversary. And right now, airlines and hotels aren’t going to be attacked, because they’re so underpopulated. Healthcare is what’s still open, but also has a weakened security posture. And hospitals have had to be responding to the coronavirus. And typically, half of the hospital’s employees are working remotely. All the right things were done at the time, but now, just as we had that shortage of masks, ventilators and PPE, in the same way, we now need to shore up America’s hospitals’ cybersecurity structures, for them to remain open.
Do you have any idea of what’s behind this change in adversarial intent?

That’s a great question; we don’t know all the answers yet, but there’s a theory about the attempted takedown of TrickBot by Microsoft and a series of private-sector partners, and allegedly U.S. Cyber Command, which it’s reported, tried to take down this botnet about three years ago. Microsoft went to court and made a very interesting case to get access to these servers. They won in court and processed their takedown and disrupted the botnet but didn’t kill it. So you have a wounded animal that might be fighting back; so there’s the theory that this is retaliatory. Also, generally, takedowns occur quietly; you don’t want the bad guy to know what you’re doing, so you can do it again. But this got sucked up into the PR machine.
Who’s behind TrickBot?

It’s a hacker group called Wizard Spider, a Russian-speaking actor. They’re very efficient. They can go from initial compromise to locking up a victim in a matter of hours. They’re very good at what they do, but their motivations have historically been entrepreneurial in nature. So they could be retaliating. The U.S. Treasury Department has reminded people that paying ransomware could result in civil or criminal penalties. There’s no evidence this is election-related, but it is curious that it occurred a week before an election. So no one really knows what’s going on. But it’s a different world now if you’re a healthcare CISO. You’re going to have to get the necessary protections in place now.
What should CISOs and their teams be doing right now?

Think of it this way: in a lot of ways, this is like a pandemic. Just as we have social distancing from people, we need social distancing in a network, and that’s done through network segmentation.
Network segmentation has historically been a low priority for hospital system IT people, right?

It’s almost been non-existent. Think about it: a surgeon is in surgery in the morning, in research in the afternoon, and then in his office practice. But think about the social distancing metaphor there. In fact, I’m going to analogize extensively to the COVID-19 pandemic situation here. The second element is contact tracing; the analogy on your network is endpoint detection response, or telemetry. That’s so much more important now, because half of your workers are at home, where they’re outside your network and the normal levels of protection.

And the third element is equivalent to PPE and that’s identity management, and multi-factorial authentication inside the hospital, zero trust. Once the bad guys get inside, they’re inside, and you can crack a 12-digit password in seconds. If you’re coming from the inside, there’s very little to stop an intrusion. So privileged access management is key. That’s PAM, the equivalent to PPE.
Shouldn’t organizations also be engaging in behavioral monitoring?

That’s important, yes, but advanced. Endpoint detection response, privileged access management, multi-factor identification, and network segmentation, are all essential now; then we need to get to behavioral monitoring. You don’t see ransomware attacks on banks. Why? Because they have all these tools in place—even your small, local bank has them—they have to. Three or four years ago, they found that out. Healthcare has more valuable data; the bank only knows how much money you have. There’s a huge amount of information in medical records. Bad guys attack hospitals because that’s where the data is. What this ultimately means is that we have to invest in security relative to the threat and risk to the data we hold. Hospitals have a wealth of data; and unfortunately, with lots of data and analytics comes lots of risk, and you have to protect that. Unfortunately, rather than a slow realization that we have to catch up in this cat-and-mouse game, what’s needed is a revolutionary response: we need these defenses, and we need them now. And now’s not the time to be spending more money on security, given the challenges of the coronavirus, but that’s exactly what will have to happen. If you get locked up by ransomware, you won’t be able to do elective surgeries, you’ll lose trust with patients, and you might not even be able to pay ransomware. In the past, people went out and bought cyber insurance; hospitals have revealed that they have cyber insurance. The problem is that the hospital gets locked up and they pay the ransom, and that only fuels further ransomware attacks. It doesn’t change until you change the economic landscape.
Is there anything that you’d like to add?

I think that at the end of the day, as difficult as this is at this time, we have to realize that ransomware is largely preventable. But it is going to take a response from America’s cybersecurity companies to help healthcare get through this. Just as we’ve responded to the pandemic, we have to get shored up from a cybersecurity perspective, and we have to do it now. We’re capable of doing it, but it’s going to take immediate action to get there.
JANUARY/FEBRUARY 2021 | hcinnovationgroup.co