If anyone understands the security challenges faced by healthcare IT professionals, it’s Christopher Logan. After spending a decade leading information security efforts at Lifespan Corporation and Care New England, Chris now serves as Senior Healthcare Strategist for IT infrastructure provider VMware, specializing in security and compliance.
Although the cyber threats facing healthcare organizations are many, one that has loomed large recently is ransomware. With major incidents at the likes of MedStar Health and Hollywood Presbyterian Medical Center making headlines, I spoke to Chris to find out what’s going on and how VMware is helping organizations protect themselves.
Free: Why are we hearing so much about ransomware in the news lately? It seems like it came out of nowhere.
Logan: It’s not really new. The first known instance of ransomware was back in 1989, something called the “AIDS malware.” It’s been around for a very long time. We started to see a lot of locking-based malware in the early 2000s, and now today there are so many different variants of both encrypting and locking malware that they’re changing almost instantaneously, overnight.
Free: What makes healthcare organizations so vulnerable to these attacks?
Logan: There are many, many malware issues in healthcare. To understand why, think about the applications that healthcare uses to provide patient care. They’re very much legacy-based applications. They’re old and outdated, but they’re doing their jobs, so it is tough to justify their replacement. That creates risk, because over the past 10 years in healthcare, even simple things like applying security patches have been an issue. It creates a very fertile ground for ransomware to propagate itself.
Also, with the American Recovery and Reinvestment Act and the HITECH Act coming to pass in 2009, it really incentivized healthcare organizations to move to electronic medical records. Everybody moved at a very fast and furious pace, without really pausing to think about security. That created a lot of vulnerabilities and spawned a lot of risk to organizations.
Free: What’s different about ransomware compared to other types of malware?
Logan: Spyware and the other general forms of malware are looking to gather credentials, compromise systems and exfiltrate data. Ransomware is just trying to make the data unavailable. It’s a denial-of-service attack on IT systems and data. Think about it as a form of cyber blackmail: I’m going to compromise your system, encrypt all the data on that system, and then tell you that you have to pay me some toll to get that data back.
Free: So if data isn’t stolen per se, what’s the risk?
Logan: In healthcare, if I have a system with critical data on it that’s unavailable, that creates a huge issue for patient safety and delivery of care. Consider MedStar. Earlier this year, they shut down their electronic health record system. Think about the impact to patients. How can I treat this patient if I have zero information on them as they’re rolling into my emergency room? I can’t do it. I have to do one of two things: I either have to try to find paper records or I have to send those patients someplace else.
Free: Do these organizations pay the ransoms, then?
Logan: For the most part, payments for ransomware attacks have been confined to individuals in their homes. Not really something that makes the news. But now we are starting to see larger organizations – like, for example, Hollywood Presbyterian – actually pay to get their clinical data back. The FBI will be the first to tell you never to pay that ransom. But quite honestly, the decision has to be made by the organization that’s being impacted, at the end of the day.
Free: So how do healthcare organizations protect themselves?
Logan: First, the most important thing any organization can do is educate its users. The biggest risk is really the people behind the keyboards, because it only takes one person to click on one bad link to unleash havoc on a healthcare organization’s network. After that, there’s no real technology silver bullet to solving the problem. You need to have the basics in place first and foremost. Proper patching and updating of systems, layered defenses for devices and networks such as anti-malware, content and email filtering, proper authentication and access controls. All of the things that go into what’s often referred to as “defense in depth.”
Free: None of this sounds like new technology – so why do the bad guys keep getting in?
Logan: That’s true, we’ve always had all of these security tools available to us, and this is where we believe virtualization can play a huge role in changing the way healthcare organizations approach security. More and more, we see the need for security to be looked at from an architectural standpoint, not just as a bunch of products deployed throughout an organization. Virtualization is an abstraction layer between the IT infrastructure and applications; as such, it can act as a translation layer; an opportunity to view, manage and control the infrastructure through the lens of applications. We can capitalize on this property to rethink security. This can be done for users through technologies such as Virtual Desktop Infrastructure and Enterprise Mobility Management, or over the network and in the data center with network virtualization. These technologies help create an architecture that segments and isolates attackers from resources, and limits where they can go and what they can access even if they break in.
Free: And if the worst happens anyway? What then?
Logan: I think technology plays a very big role when it comes time for incident response, but incident response is really based upon people and process. Accidents happen. Mistakes happen. It’s really how we react to those incidents that’s going to define us as an organization. The key is getting an entire organization onboard with, “Bad things are going to happen. This is how we react to them. This is how we prevent them in the future.”