Healthcare has always been a prime target for ransomware actors given its penchant for paying hackers’ demands to maintain care operations. Put simply, when patient care is on the line, organizations cannot afford to wait for rescue: any disruption to IT systems makes resuming business difficult.
However, recent research from CyberSaint finds that many healthcare organizations don’t rely on backups for ransomware-related incidents, as they’re unable to “wait for them to be instituted.” The stat could explain why over one-third of entities report they’re willing to pay ransoms, even without a guarantee of data recovery.
“But if an entity is not backing up data, they’re going to have to pay the ransom. And even then, there’s only a two out of three chance of getting the data back,” Padraic O'Reilly, CyberSaint co-founder and chief product officer, and Department of Defense adviser, told SC Media.
For O'Reilly, the lack of propensity to back up data and the likelihood of paying a ransom are clearly correlated in healthcare.
Reported ransomware outages in the healthcare sector have fortunately decreased over the last few months. The high-profile incidents of the last year have pushed ransomware groups into something of a stealth mode on some of these attacks.
While many may be reading this “lull” in ransomware attacks as a sign that healthcare is no longer a perpetual target, provider organizations should not be lulled into a false sense of security. O'Reilly warns that provider organizations should use this quieter period to reassess their risk management posture and pivot to a more proactive stance.
“Ransomware is going to come back around again. It’s some of the most advanced criminal teams on the planet refining these things all of the time,” O'Reilly said. “They’ve backed off a bit because there were so many high-profile incidents, like the health service in Ireland.”
As such, it’s the ideal time for embedding a broader risk management approach into the healthcare setting. A number of agencies have already provided the sector with a range of free resources to bolster this effective approach to ransomware, including Mitre and the Department of Health and Human Services.
It’s time to get out of the “whack-a-mole” mentality and into a more proactive, preventative posture, explained O’Reilly. “It can be expensive, but it needn't be prohibitively expensive if you do the analysis properly.”
Consider the Colonial Pipeline incident and how the attackers got in. Reports show it was likely caused by compromised credentials or the absence of multi-factor authentication on remote desktop protocol (RDP). “That’s not an expensive fix.”
“So a lot of this is identifying the cost effective way to be proactive, but you have to do the analysis, and you have to take it seriously in order to do that,” he added.
A call for improved communication and risk management
For healthcare, the people who make the decisions on resources can wind up getting stuck on the likelihood of an incident. “It’s not a good place to be with risk management because that sort of throws it back into the ‘angels dancing on the head of a pin’ and who knows anything,” O'Reilly said.
“That's not what boards and senior executives want to hear: they want some tangible ideas around risk and financial exposures in order to make decisions about what can be done,” he explained.
Without being alarmist, it’s safe to say that many of the recommended measures for the healthcare sector frequently fail to take into account that mid- to smaller-sized entities are facing budgetary constraints and knowledge gaps that further put them behind the curve, particularly in comparison with larger entities.
As O’Reilly explained, these smaller entities tend to be a bit more ad hoc with their security programs. Under the current state of threats, these organizations still need to take security more seriously.
For many healthcare organizations, the communication between the chief information officer (CIO) or the chief information security officer (CISO) and the board is simply not as mature as it needs to be. That gap in communication is a serious one, and security leaders must work to mature the business logic with senior leadership.
Mid-tier healthcare organizations are still trying to grasp these communication needs and the vocabulary needed to describe possible impacts. The disconnect stems from a lack of deeper understanding of the 3% to 6% currently spent on cybersecurity, where that money goes, and whether it is effectively allocated.
Security leaders can better communicate those issues, as they relate to security best practices, by gaining insight into the cost breakdown. Past communication efforts around cost would typically center on return on investment, which is not an easy ask for security programs.
But the increasing number of organizations being transparent about the cost of ransomware and related outages has created a new way to communicate risk to the board in terms of concrete business and operational impact.
Cybersecurity investment and the cost of events
Some of the costliest events over the last two years are attributed to Ireland’s Health Service Executive ($600 million), Universal Health Services ($67 million in lost revenue), and Scripps Health (over $113 million), just to name a few. Those figures provide a key talking point for gaining needed investment in healthcare cybersecurity.
The increased data confirming cybersecurity is a patient safety risk has fueled more productive conversations with the board, as well. Security leaders can advocate for increased support by highlighting the potential for delayed procedures amid cyberattacks, which have a “real human impact.”
“You can measure security in dollars and cents, but there's arguably another dimension in healthcare, which is suffering. And that's what happens in class-action lawsuits,” said O’Reilly. “If you value privacy, step up and do something more systematic about it. And here's the thing that I don't get: It's a business opportunity.”
But healthcare’s complexity, in terms of communication silos and network complexity, makes it difficult for some organizations to pivot and reshape their security programs and investments. O’Reilly added that “as someone who's built a company, [hearing] that can be immensely frustrating because the answer is plain as day.”
The answer lies in risk management: evaluating loss models, the likelihood of attack, the possibility of extended downtime, and the like. For some sectors, a month offline could kill a business.
Security leaders need to be able to better describe what needs to be done, in terms of segmenting networks, implementing MFA on RDP, and similar efforts, by framing it in a way that outlines the potential financial impacts and how likely those impacts are. These conversations must be adjusted to fit specific situations, framing cybersecurity as a core business function.