
With Healthcare Under Constant Ransomware Attack, Experts Advise Just Say No

Paying ransoms simply funds further extortion

The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.

It’s time to stop paying ransoms to criminal organizations that lock up vital corporate data, two experts urged healthcare organizations attending a panel discussion at the RSAC 2021 Conference on Monday.

“As long as we keep paying them as a society, we’re the venture capitalists for the next incident,” said Caleb Barlow, CEO of CynergisTek, who added that the recent $5 million ransom paid by Colonial Pipeline will simply fund more hacker development teams to extort other companies.

Co-panelist Robin Ford, manager of information systems security at Palomar Health, agreed. “Ransoms are enticing the bad guys to keep on [hacking].” As well, paying a sanctioned entity causes big problems. “You can break federal laws.”


Barlow acknowledged that refusing ransoms is difficult. Healthcare organizations are now facing more incursions from ransomware hackers with more advanced tools. Most target electronic health records. In the past, black hats would sell the information on the dark web or place records in a nation-state repository for later use, said Barlow. That didn’t cause downtime.

Not anymore. Hospitals generate an ocean of record data. Ford recalls one provider had enough paper after a two-week IT down period to fill an entire conference room floor to ceiling. Often attacks take down an organization for four to six weeks.

The key is preparation, said Barlow. That includes formulating detailed play books to handle a potential ransomware breach. Many hospitals fall short. “Who’s in charge?” he asked. “It’s never really clear. Organizations that are resilient limit the impact of when you are breached so that not only can you get back up and running faster but you can make and process through those decisions.”

Ford reports she’s seeing more phishing attacks on the C-suite and financial departments. “You need to start thinking about not just your vendors but other companies you might communicate with. When people are finally attacked, they may already have had the bad stuff in their environment before they’re locked out. Maybe you’ve already got the infection.”

As well, pandemic-related telehealth has opened vast new avenues to hackers. Barlow explains these sessions are often not held on applications designed for telehealth but on less secure general-purpose platforms like Zoom. “People have been cobbling stuff together to get things done. Now go back and do a compromise assessment.” Ford strongly recommends running those telehealth screenings on enterprise software rather than free versions.


Attackers are getting more ambitious. Earlier ransomware incursions were usually an organized crime outfit pulling a one-off. “Now they’re targeting entire systems and cause mass disruptions,” said Barlow. “You can’t insure your way out of it.” New on the scene are so-called triple extortions where a hacker locks up data while threatening to both release it and tell patients about the breach. “This is a new level of scumbag,” he said.

Most companies now depend on cyber security insurance to cover such unfortunate events. But the cost is skyrocketing while underwriters are limiting the situations they will cover. It’s easy to get left holding the bag.

“Sixty-six percent of America’s hospitals cannot pass a NIST security assessment at level 3 or above,” said Barlow. “They are investing in security but not fast enough.”

About the Author

Charles Cooper

Editor in Chief, Big Valley Marketing

Charles Cooper has covered technology and business for more than 25 years as a journalist.
