[BreachExchange] Can hospitals survive the ransomware threat?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 5 14:28:52 EDT 2016


http://www.itproportal.com/2016/08/05/can-hospitals-survive-the-ransomware-threat/

Computer networks at hospitals are vulnerable gateways to valuable and
hyper-sensitive patient data. Hackers recognising this weakness are
stepping up their game and refining their attack strategy to target
hospitals and healthcare organisations. A recent rash of four separate
attacks in Southern Carolina, California, Kentucky, and Canada marked a
tipping point and catalysed the FBI into conducting a full probe into this
escalating trend.

With more than four million instances of ransomware in the second quarter
of 2015 alone and exponential growth predicted for this year, hospital IT
departments can hardly keep their heads above water. The stakes are high
and to survive the ransomware threat, hospitals need to double down on
prevention, preparation and other ways to protect themselves.

Insufficient approach to security

Ransomware exploits the perfect storm of conditions in hospitals for
financial gain. In 2015, a federal mandate in the U.S. passed, requiring
electronic medical records (EMR) or electronic health records (EHR) to be
implemented into personal health information (PHI) systems, eating into
constrained IT budgets and available resources and spreading IT staff thin.
With a forced focus on implementing access to electronic records and online
systems, security concerns have remained secondary. Many hospitals still
rely on dated systems and lack a sufficient approach to ensure cutting-edge
cybersecurity.

Additional financial woes stem from higher industry competition, lower
reimbursement rates and increases in overhead costs, leaving little room
(or funding) left for a robust security program. Indeed, an increasing
number of U.S. hospitals are facing closure — but security has become an
expense worth pursuing.

Life or death in the digital world

On the black market, a health record can be worth as much as 20 times more
than a stolen credit card. Hospitals and the healthcare industry have
become prime targets for ransomware hacks because everything from patients'
confidential records to hospital revenue streams depends on unimpeded access
by multiple parties, from doctors to nurses, billing departments to
pharmacists. If they hope to survive a hacker attack, hospitals must have a
plan. Similar to their work with patients, hospitals need to view their IT
infrastructure from a life or death point of view. Here are a few ways
hospitals can secure survival, mitigate damage and ensure business
continuity in a world where ransomware attacks are on the rise.

Prevention – the basics

The basic steps for preventing all attacks are the same. Educate users
about the current threat environment, provide examples of suspicious email
links and attachments, and then test your user pool regularly for
diligence. A hospital IT department can send out fake emails to capture
user vulnerabilities and increase education tactics from there.

Another elemental step in preventing attacks is to keep all software up to
date — that includes front-end and back-end software and virus definitions.
Security fixes are released to address known threats, and "known" means
known to both the software manufacturer and the hackers looking to
undermine it.

Preparation – dedicated security

Hospitals have security guards because relying on regular staff to guard
the facility while tending their regular responsibilities would be
ludicrous. IT is the same way. While all personnel, from the help desk
staff to the CTO can be part of the solution, it is essential to have a
separate and dedicated team whose sole responsibility is security. In the
Office of Personnel Management (OPM) hack announced last year, the lack of
a dedicated security team was identified as one of the key factors behind
the breach. A dedicated security team can help the rest of the IT team to
prioritise updates and patches because they know, in a timely manner, which
security flaws are actually being exploited. More than anything, they will
have plans in place for both preventing attacks and triaging the situation
in case of an intrusion.

Beyond backups – operational resiliency

Today’s IT leaders are constantly asked to find new ways to deliver higher
levels of service at lower costs and with fewer resources. Many current
hospital systems rely on antiquated backup mechanisms and redundant
infrastructure. This not only increases complexity and cost, but
drastically limits IT’s ability to quickly respond to incidents, outages
and security breaches.

To ensure recoverability from a security breach like a ransomware attack,
it’s always advisable to make certain systems are backed up. But even this
advice needs an update. Many organisations are moving to external Disaster
Recovery as a Service (DRaaS) platforms to leverage the capabilities of
cloud computing for both power and simplicity.
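Backing systems up is only half of the advice; the other half is verifying, before a restore, that the backup set has not itself been encrypted, deleted or padded with ransom notes. The following is an added example, not code from the article or from any DRaaS product. It records a hash manifest at backup time (which should be stored somewhere the backup host cannot write to) and later checks a backup set against it, flagging changed files whose byte entropy looks like ciphertext. The directory layout, file contents and the use of random bytes to stand in for ransomware output are all constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for
    plain text or CSV. Used as a cheap 'does this look encrypted?' signal."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash and size of every file at backup time. Keep the
    manifest off the backup host (e.g. on immutable/WORM storage) so that
    an attacker who reaches the backups cannot rewrite it to match."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup set to its manifest before trusting it for restore.
    Returns lists: ok, modified, missing, added, suspect_encrypted."""
    report = {"ok": [], "modified": [], "missing": [], "added": [], "suspect_encrypted": []}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, meta in manifest.items():
        p = present.get(rel)
        if p is None:
            report["missing"].append(rel)
            continue
        if sha256_file(p) == meta["sha256"]:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        with p.open("rb") as f:
            sample = f.read(1 << 20)  # first 1 MiB is enough to judge entropy
        if shannon_entropy(sample) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
    for rel in present:
        if rel not in manifest:
            report["added"].append(rel)  # e.g. a dropped ransom note
    return report


def demo() -> dict:
    """Constructed scenario (hypothetical data): back up three files, then
    simulate a ransomware run that 'encrypts' one record, deletes another
    and drops a note, and verify the set against the original manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "patient_0001.txt").write_text(
            "Name: Jane Doe\nDOB: 1970-01-01\nAllergies: none\n" * 40)
        (root / "records" / "patient_0002.txt").write_text(
            "Name: John Roe\nDOB: 1965-05-05\nAllergies: penicillin\n" * 40)
        (root / "billing.csv").write_text("id,amount\n1,120.00\n2,45.50\n")
        manifest = build_manifest(root)

        # Simulated ransomware: random bytes stand in for ciphertext.
        (root / "records" / "patient_0001.txt").write_bytes(os.urandom(4096))
        (root / "records" / "patient_0002.txt").unlink()
        (root / "README_DECRYPT.txt").write_text("your files are encrypted\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

A restore job should refuse to proceed when `missing`, `modified` or `suspect_encrypted` is non-empty and instead fall back to an older snapshot; the entropy check is a heuristic (legitimately compressed or already-encrypted files will also score high), so it is there to prioritise investigation, not to replace the hash comparison.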

DRaaS is an active part of IT and security infrastructure. With services
from simple backup to full server failover, organisations can and do find
point solutions for their unique needs. One of the best parts for the
healthcare industry is that DRaaS is capable of supporting HIPAA compliance
with standard security features for access control and data encryption.

More recently, the category of DRaaS has expanded to include platforms that
put many functions of IT resiliency in one place. These so-called
hyper-converged solutions help institutions recover data quickly if it is
lost, and stay operational in the process. Cloud-converged solutions take
this one step further by eliminating the need for additional data-center or
on-premise secondary infrastructure, putting all aspects of IT resiliency —
data protection, disaster recovery, business continuity, testing and
development, data warehousing, analytics, archiving and compliance — in the
cloud and available on demand, all from a single deduplicated copy. By
supporting these non-production workloads and ensuring full IT
productivity, cloud-converged platforms are an innovative way to reduce
complexity and ease the strain on hospitals' strapped IT budgets.

Back to business

The threats that ransomware poses revolve around catastrophic loss —
either financial or rooted in information loss — but by focusing on
prevention, preparation and recovery, hospitals can avoid the loss of
productivity and damage to reputation that disrupts their important work.
Strategic IT initiatives combining innovative technology, educated users
and the power of cloud services to form comprehensive data protection
move beyond DRaaS to provide a counter to the growing threat of
ransomware. This unique combination empowers organisations to get back to
business faster and more efficiently if and when disaster strikes.