Attacks on the healthcare industry are on the rise as noted in a recent article published in CYBERSECOP.  Healthcare providers of all sizes are subject to attack and in this case, CHRISTUS Health learned of “unauthorized access” likely similar to 254 ransomware incidents targeting patient care facilities between June 2020 and April 2022 worldwide.  Patients are at risk, both their health and their PII where threat actors can alter and/or add to patient billings with no notice of impropriety.  The true impact will be hard to discern until more time and data are collected but we know one thing for sure, the healthcare industry needs to take cybersecurity as seriously as they do patient care and follow their own advice; Plan, Prevent, Protect and Respond.

Plan – Get a Risk Assessment to identify and understand your cybersecurity vulnerabilities is one of the most critical steps as the awareness will lead to a prioritized remediation plan.  Even a chink in the armor will have your patients, employees, and community concerned as a cyber-attack will likely affect critical operations because the prize is financial data, patient, and employee Personally Identifiable Information (PII).

Prevent - After an assessment is completed, you need a trusted and reliable security cyber organization to assist in leveraging the right framework and controls to be measured by such as HITURST, HITECH, HIPAA and PCI.  These guidelines assist in defining the appropriate critical security controls for effective cyber defense.  These efforts can be awareness training, policy creation & enforcement, and security controls as well as incident response readiness and governance.  It’s a journey, not a sprint.

Protect – Within most remediation plans include investments in endpoint protection dark web monitoring and focusing on digital trust goals to ensure the technology investments already made as well as those in the future work in harmony.  Like a Rubik’s cube, the goal is to have every facet of your organization in order, not just celebrating a single win.  It is important to have a managed security partner to protect your patients, employees, devices, and data with monitored protection systems along with managed & encrypted backups with a Security Operations Center staffed with certified security professionals watching and engaging on your behalf 24x7x365.

Respond – Did you know that a threat actor will live in your ecosystem for an average of 121 days mining sensitive data, passwords, organization charts, and behaviors before acting?  Nearly 95% of ransomware attacks are preventable so what starts as a threat becomes a technology issue, then a business risk issue, and eventually decision-making and communications issue at the board level.  Do you pay the ransomware or not?  Are we able to recover our data?  Has the threat actor accessed our PII?  And equally important is how do you keep from reaching this point again.  Having an incident response assessment and plan might be the one thing you do if you don’t buy into everything else.  You should receive an IT assessment of “how capable are we to thwart an attack?” and “how able are we to recover if breached?”  Buying cyber insurance is not the silver bullet it used to be so having an incident partner who is proactively focused on your company’s sensitive data and reputation is paramount.

Not unlike a hospital, there are two main ways to address cyber security by coming through the Emergency Room or the front door proactively for testing; I recommend the latter.  A proactive health check is the best step to understanding your ability to fight off an attack like a stress test.  The results may drive adjustments in behavior and readiness, such as point endpoint detection, policy creation & enforcement, and security training.  If you enter the ER, then don’t panic because you read this blog and signed up a reputable security partner to react & respond, including quarantining affected systems to prevent the ransom spread, resetting all passwords, checking your backups, activating your existing crisis/DR plans and negotiate with the threat actor if that is the best business decision communicating carefully along the way with detailed documentation.  The moral of this story is that hope is not a strategy, so know your security scorecard and realize cyber readiness is a journey, not a sprint.

Author: Christopher Yula

Cybersecurity breaches have cost many organizations some of their largest clients. While most organizations quickly hire legal experts, public relations teams, and a cyber security firm like CyberSecOp, the reputation damages have already begun. For example, your client may not have access to your services for hours before you realize that your system was affected.

Prime attack time

Attackers are strategic with time selection to minimize their activities being seen by employees.  Most attackers operate on weekends or at night, knowing that most organizations’ employees do not access or monitor systems at this time.

When does reputation damage begin?

Reputation issues may begin long before the organization knows about an attacker. Some attackers disclose information on social media so that the organization will act quickly to their demands. Most cybercriminals spend an average of three months on clients’ systems before they act, but by this point, they may have already sold your data on the dark web or to your competitor.

Disclosing sensitive information violates privacy policies and requirements such as CCPA, GDPR, and some states’ and countries’ data protection regulations or requirements. The data disclosed may also include clients and your client’s customer information, putting your clients at risk. They, too, need to report the breach to their customers and provide the necessary protection to protect their customer’s credit and identity.

Reputation damage extends to your client.

 At this point, not only is your organization’s reputation is in jeopardy, but also the reputation of your client and your client’s customers. All of these expenditures may be a liability to your organization if the breach is on your side, especially if there is evidence that you didn’t take due care regarding your organization’s security posture.  

Conclusion

Defense-in-depth security program

Having a defense-in-depth security program such as those offered by CyberSecOp, cannot only save your business money but can also help you compete against other companies that have not implemented a security program.  Most organizations have implemented a vendor management program to mitigate their threat against a third-party risk. A security program that includes third-party risk management is critical to identifying and remediating internal and external threats.