In the past weeks, U.S. and international health agencies have issued urgent and dire warnings of ransomware and other cybersecurity threats for the healthcare industry.
Last month at the Congress on Healthcare Leadership, Rachel Wilson, who heads cybersecurity technology for Morgan Stanley’s wealth management business and formerly led global cyberterrorism defense efforts for the National Security Agency, delivered a Hot Topic session on building the infrastructure to mitigate these risks.
Wilson shared actionable advice for healthcare executives working hand in hand with their HIT leaders to ensure patients’ personally identifiable information is secure and engender confidence in their customers that their healthcare provider is doing everything possible to protect them.
The “three Rs” that are keeping Wilson up at night: Russia, ransomware and resiliency.
Russia
In the past, North Korea and Iran have topped the list of nation states looking to fund their governments or disrupt our nation’s government and industry through cyberattacks. These countries still pose a sizeable threat—a recent U.N. report shows that North Korea has successfully hacked banks in 27 countries to the tune of $3 billion over the last three years. Now, Russia is resurfacing as a major player, especially since its February invasion of Ukraine.
Russia has a history of using cyberattacks as part of their arsenal. In 2015, they created a massive power outage in Crimea when they moved to annex the region. Clearly, an attack on a central utility like this would significantly impact healthcare and critical services. There are also the proven misinformation campaigns on social media around U.S. elections as well as the recent actions against Ukraine.
Though big tech is fighting back like never before, with Facebook, Google and Twitter all taking steps. There was a seven-fold increase in March 2022 of phishing campaigns from Russia. Wilson describes it as the “democratization of cybertechnology allowing for more direct campaigns against individuals with the goal of getting into as many computers as possible.”
Ransomware
Ransomware attacks, Wilson says, are opportunistic crimes. “They are not targeting you because you are you, they are targeting you because you are vulnerable.”
Most ransomware cases begin with phishing with the aim of installing malware. In addition, malicious actors utilize botnets— “borrowed” processing capabilities from, say, hacked smart appliance networks—to throw tens of thousands of stolen usernames and passwords against your patient portal to see what sticks.
The single biggest step you can take is to install all patches as soon as possible. Even as these updates are released, hackers are looking at the mitigations they provide and reverse engineering them to attack those who have not yet patched. It’s critical to have everyone patch before they figure it out.
“Network segregation” is also vital as we move even further toward smart technology and buildings. Keeping smart mechanical and electrical systems that access the internet walled off from patient data and hospital operations will help protect your patients and employees. Including IT teams at the planning table early, and thoroughly vetting vendors (especially start-ups), will help ensure you’re prepared.
Resiliency
Wilson describes the current environment as “when, not if”—it’s only a matter of time before someone attempts a cyberattack against your organization. To prepare for this, create frequent, comprehensive backups. Wilson says the “3-2-1 rule” is an oldie but a goodie: three backups, in two geographical locations, with one entirely offline. Just as important as having the backup is practicing the process of restoring “from bare metal.” It’s vital to have full team exercises to find out if, and how long, it will take to get back to whole. The practice will also help you identify and revise gaps in your plans.
It’s also vital to provide regular, up-to-date employee training on avoiding risk. “Your employees are both your biggest risk and your first line of defense,” says Wilson. Teach employees to ensure that every email comes from who it says it’s from and contains what it should contain. Encourage the use of strong authentication measures, particularly password managers that create unique, complex passwords and store them in an encrypted state.
Healthcare is very familiar with the idea of a “just culture” from efforts around zero harm. We’ve encouraged employees to speak up if they see anything that might compromise patient safety, even if it’s their own mistake. Cybersecurity is something that protects patient safety, and leaders should encourage reporting of suspicious emails and potential data breaches, and reward transparency to help protect the healthcare system.
Don’t forget to include your patients in this education! Just as your bank will tell you, “We will not ask for this code over the phone,” when verifying your password change, your patients need to see and hear these security messages from your healthcare organization.
Wilson noted that for smaller, rural and safety net hospitals with limited budget, prioritizing patches and password hygiene technology are priorities, followed closely by employee training. You can even limit access to web-based email, web browsing and even printing to further tighten the guard. In addition, don’t be afraid of leveraging cloud technology. Even an “out of the box” setup is likely going to be less expensive and more secure than what you can design.
Remember, it’s not what you have that matters to the hacker, but rather what you would pay to restore what is most important to you. This may be your patient data or access to your smart buildings or even turning on the power to your ORs, so you’ll need to be prepared. With relatively simple processes like backups, patches, network segregation and password hygiene, you can help prevent access by malicious actors and make sure every system, network and application is as time-tested, battle hardened and hackerproof as possible.