Ransomware: Healthcare Security

“All truths are easy to understand once they are discovered; the point is to discover them” – Galileo Galilei

Seems simple, right? Unfortunately, that’s not necessarily the case. At least in healthcare… For the past few months, we have seen an acceleration of ransomware attacks on healthcare facilities. From California to Maryland, these attacks have caused chaos in the infected facilities and hindered their ability to properly care for their highest value asset: the patient. These attacks will not go away; instead, these attacks will increase in number, escalate in severity, and continue to hinder patient care. In fact, the latest attack occurred right in our own backyard at MedStar[1], which has locations in Virginia, Maryland, and D.C. This attack actually caused MedStar to turn patients away! If that is not an indictment on the state of healthcare security and the impact it has on patient health, then I am not sure what is.

However, as Galileo says, we must discover the truths. In this case, these truths are critical to implementing sound security programs that protect patient health. Healthcare organizations continue to appropriate bandwidth and resources in order to accomplish two things: remain compliant and protect patient records. Unfortunately, these actions do not harmonize with the mission of the hospital, which is to care for people. People are the asset. Patient health is what we have to secure!

But there is good news. Those truths I mentioned…….we’ve discovered them. And they’re easy as to understand.

Truth: Patient health is the highest value asset. By realizing that patient health, and not patient records, is the asset to secure, healthcare organizations can assume the right posture, supported by the right perspective, to effectively defend against targeted attacks. Patient records are a sub-set of patient health, and defending them is leaving the primary asset exposed. As the attack surfaces in healthcare continue to grow, this exposure will become easier and cheaper to exploit by smarter and more capable adversaries. These types of attacks directly affect patient health! As mentioned above, those needing medical care were actually turned away by the infected facility. And even worse, those currently admitted for care were at risk; their care being dependent on a system from the 1960’s1.

Truth: Healthcare assets will continue to be victimized in targeted attacks by sophisticated adversaries. At ISE, we’ve been talking about targeted attacks on healthcare ecosystems for nearly 3 years, and they are of grave concern to us. By understanding the real asset to be defended, born out of an updated threat model specific to healthcare and laser focused on each specific facility, the implementation of an effective security program can take place. Sophisticated adversaries want to target healthcare assets, as they are highly valuable and extremely exposed. Imagine the headlines when a ransomware attack targets a specific patient! What is the value of the guy in room 239? How much is baby Jane worth in the NICU? Attackers will continue to take advantage of these circumstances, leveraging their increasing skill-set to capitalize on that big payday. The attacks will not stop with a ransom unfortunately; they will eventually escalate until an adverse event on patient health is realized. Attackers will evolve, and security programs must evolve as well and quit relying on regulatory bodies to lead the way in protecting patient health.

Truth: There is a solution. We’ve spent the last 24 months studying healthcare ecosystems to determine how best to defend them, and released the results of our research here: Securing Hospitals Report What we found from investigating 12 healthcare facilities, 2 healthcare data facilities, 2 healthcare technology platforms, and 2 active medical devices was that remote adversaries (I’m looking at you Mr. Ransomware guy) could execute attacks that target and compromise patient health. In addition to an incredible amount of knowledge gained in this study, we also developed a blueprint (just click the link above…it’s all there) that we have provided to the healthcare community free of charge. This step-by-step action plan, rooted in empirical data, is a proven path to securing patient health and defending against targeted attacks by sophisticated adversaries.

Our research has led to the discovery of critical truths needed to drive the direction of security programs in healthcare facilities. We’ve discovered them for you, and they’re really easy to understand. You just have to want to do it.

References

  1. Medstar Paralyzed as Hackers

Additional Information

Readers interested in further details about this topic can reach us at: contact@www.ise.io