Attacks on the healthcare industry are on the rise as noted in a recent article published in CYBERSECOP. Healthcare providers of all sizes are subject to attack and in this case, CHRISTUS Health learned of “unauthorized access” likely similar to 254 ransomware incidents targeting patient care facilities between June 2020 and April 2022 worldwide. Patients are at risk, both their health and their PII where threat actors can alter and/or add to patient billings with no notice of impropriety. The true impact will be hard to discern until more time and data are collected but we know one thing for sure, the healthcare industry needs to take cybersecurity as seriously as they do patient care and follow their own advice; Plan, Prevent, Protect and Respond.
Plan – Get a Risk Assessment to identify and understand your cybersecurity vulnerabilities is one of the most critical steps as the awareness will lead to a prioritized remediation plan. Even a chink in the armor will have your patients, employees, and community concerned as a cyber-attack will likely affect critical operations because the prize is financial data, patient, and employee Personally Identifiable Information (PII).
Prevent - After an assessment is completed, you need a trusted and reliable security cyber organization to assist in leveraging the right framework and controls to be measured by such as HITURST, HITECH, HIPAA and PCI. These guidelines assist in defining the appropriate critical security controls for effective cyber defense. These efforts can be awareness training, policy creation & enforcement, and security controls as well as incident response readiness and governance. It’s a journey, not a sprint.
Protect – Within most remediation plans include investments in endpoint protection dark web monitoring and focusing on digital trust goals to ensure the technology investments already made as well as those in the future work in harmony. Like a Rubik’s cube, the goal is to have every facet of your organization in order, not just celebrating a single win. It is important to have a managed security partner to protect your patients, employees, devices, and data with monitored protection systems along with managed & encrypted backups with a Security Operations Center staffed with certified security professionals watching and engaging on your behalf 24x7x365.
Respond – Did you know that a threat actor will live in your ecosystem for an average of 121 days mining sensitive data, passwords, organization charts, and behaviors before acting? Nearly 95% of ransomware attacks are preventable so what starts as a threat becomes a technology issue, then a business risk issue, and eventually decision-making and communications issue at the board level. Do you pay the ransomware or not? Are we able to recover our data? Has the threat actor accessed our PII? And equally important is how do you keep from reaching this point again. Having an incident response assessment and plan might be the one thing you do if you don’t buy into everything else. You should receive an IT assessment of “how capable are we to thwart an attack?” and “how able are we to recover if breached?” Buying cyber insurance is not the silver bullet it used to be so having an incident partner who is proactively focused on your company’s sensitive data and reputation is paramount.
Not unlike a hospital, there are two main ways to address cyber security by coming through the Emergency Room or the front door proactively for testing; I recommend the latter. A proactive health check is the best step to understanding your ability to fight off an attack like a stress test. The results may drive adjustments in behavior and readiness, such as point endpoint detection, policy creation & enforcement, and security training. If you enter the ER, then don’t panic because you read this blog and signed up a reputable security partner to react & respond, including quarantining affected systems to prevent the ransom spread, resetting all passwords, checking your backups, activating your existing crisis/DR plans and negotiate with the threat actor if that is the best business decision communicating carefully along the way with detailed documentation. The moral of this story is that hope is not a strategy, so know your security scorecard and realize cyber readiness is a journey, not a sprint.
