A survey of 1,530 nonexecutive directors and C-level executives in the US, UK, Germany, Japan, and Nordic countries, conducted by Nasdaq and Tanium, found that 40% of executives said they do not feel responsible for the repercussions of criminal hackings.
"I think the most shocking statistic was really the fact that the individuals at the top of an organization, executives like CEOs and CIOs, and even board members, didn't feel personally responsible for cybersecurity or protecting the customer data," said Dave Damato, chief security officer at Tanium, speaking on CNBC's Squawk Box that same day.
Have executives run out of excuses to postpone increasing security awareness, employee training, and overall IT security budgets? Based on events of the past two months, in the healthcare industry anyway, I could make a pretty good case:
- At the end of March, MedStar Health, which operates 10 regional hospitals in the Baltimore/Washington region, was forced to resort to paper medical records and transactions. MedStar executives initially denied it was another ransomware attack, although media accounts quoted employees who had seen ransomware demands pop up on their computer screens. MedStar paid no ransom and brought all systems back online last week. Executives also disputed an Associated Press story quoting unnamed employees who said the organization ignored information systems security warnings dating as far back as 2007.
- In mid-March, another ransomware attack hit Methodist Hospital in Henderson, KY. The attackers copied records and deleted the originals. In this case, the hospital was able to activate a backup system and continue to run its systems smoothly, albeit with temporary limited Web access to some services. Methodist paid no ransom.
- Shortly thereafter, criminal hackers demanded ransom from two more Southern California hospitals run by Prime Healthcare Services – Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville. As of this writing, there is no evidence that Prime paid any ransom.
- In mid-February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to hackers who had infiltrated its network, encrypted medical records, and demanded a $3.4 million ransom. The hospital CEO said that paying the $17,000 ransom to unlock its own data, after three weeks of operating without critical computer programs, was in the organization's best interest.
All of this has galvanized security vendors and members of the media, myself included, into a storm of calls to action in the information security realm not seen since the Anthem breach early last year.
Various advances in the kinds of malware that can deliver ransomware to healthcare desktops and laptops, often through spam, phishing attempts, or other credible-looking emails, are blamed for the recent rash of attacks.
The idea of ransomware is not new. Reports dating back to 2005 and before mention it by name. And then consider this: Some cloud-based systems will now lock ordinary users out of their services while they perform security scans and remove files they determine are malware.
This happened to me just last week, when ESET, a security vendor that has worked with Facebook since 2014, locked me out of Facebook (on every device I use to access the service) while it performed an hour-long scan-and-remove operation on one of my PCs.
The files it removed were unfamiliar to me, and probably were just adware, but nothing punctuates the precarious condition we find ourselves in better than the fact that a careful PC user such as myself must now consider such lock-outs a possible everyday occurrence.
What's to be Done
"Ransomware as it's out there today is taking advantage of a lot of things that we've seen from the security realm that we would like people to fix in the past… like patches not being applied, and outdated software," says Tony Tulio, senior manager of information security and privacy at General Dynamics Health Solutions.
In addition to keeping up with patching operating systems and applications, organizations need to adopt a security framework, such as ISO 27000, the NIST risk management framework, or the framework for healthcare promoted by HITRUST, Tulio says.
Any responsible healthcare organization backs up its data, but the ransomware surge suggests backups should occur more frequently, so the "last known good" backup can be relatively recent, and thus require a minimal amount of rework if it must be slipped into production use.
Another good suggestion Tulio offers is to try to interrupt the communication which must occur between ransomware and its command-and-control servers somewhere out on the Internet. "There are a lot of different points in there where you can break that chain and stop ransomware from actually affecting your computers," he says.
With each new wave of malware, I am more convinced than ever that the writing is on the wall for desktop computing as we know it. Keeping individual PC patches up-to-date just does not make economic sense at a time when we should be moving more of the IT budget away from running such patching and toward better overall security controls. Zero-client approaches make more sense than ever, although in healthcare, they are still uncommon.
Still, it is worth remembering that healthcare (and other industries) continue to face a variety of security challenges; ransomware is not the only threat out there. In February, someone found paper records for 113,000 patients in a recycling bin. Garden-variety breaches continue, although ransomware's ability to interrupt normal hospital operations clearly is a bigger threat to patients' lives.
Ironically, the gap between the big breaches early last year and the current rash of ransomware has caused cyber insurance rates to drop, according to insurance broker Marsh & McLennan.
Perhaps this is why so many high-ranking executives think cybersecurity is not their problem. But it's everybody's problem, it's getting worse, and the ransomware attacks on healthcare of the past two months are likely to make those cyber insurance rates spike upward again.
I keep coming back to that executive survey where I began this column. I hope any executive indifference to this threat will begin to disappear.
Healthcare is being squeezed from all directions, but having patient files held for ransom—with the terrible possibility that when they are unlocked, they will be marred by subtle, but troubling alterations—is unacceptable for all of us.
Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.