As cyber attacks become more sophisticated, frequent, and malicious, health systems need the right tools to detect potential threats. Jim Brady, Vice President of Information Security & Operations and CISO at Fairview Health Services, and Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint, outlined security strategy and how to navigate threats, ransomware, and supply chain attacks.
Using a sporting analogy, Witt compared the current state of cybersecurity in healthcare to a football game.
"Cyber criminals are essentially running the ball right now, and they're going to keep running the ball until healthcare institutions can stop the run. And right now, healthcare institutions are not stopping the run," he said.
While most attacks come in the form of ransomware, it is essential to watch out for email and other fraud-based attacks. According to Witt, health systems lost more money to fraud than to ransomware attacks.
Credentials are the Nirvana state for cybercriminals, Witt said, which is connected to the rise in fraud-based attacks. Once criminals have access to credentials, it is easy to access networks and begin their real work.
Attackers are increasingly launching attacks from well-known, trusted services such as Office 365 and SharePoint. Because people trust these sites, they trust the links they click on, Brady explained. He recommended email isolation technology to combat the never-ending battle against clicking phishing links.
Isolation technology lets users open links and attachments from incoming external email inside a container, so a malicious link cannot spread through the organization.
According to Witt, the good news is that healthcare does not have to wait for new technology to be developed or roadmaps to be accelerated. The bad news is that this technology has been tried, tested, and deployed elsewhere for years; it simply has not reached healthcare yet.
With this in mind, many solutions are already available, such as isolation technology, cloud security capabilities, and DMARC. Technology is a primary way for health systems to move forward in security.
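DMARC is the one item in that list that an organization can check for itself in a few lines. The following script is an added example, not code from the article or from Proofpoint or Fairview: it parses a DMARC TXT record and reports whether the policy actually enforces anything. The two record strings are constructed for illustration, and the domain in them is a placeholder. A `p=none` record only asks receivers for reports; spoofed mail that fails DMARC is still delivered, which is exactly the fraud exposure Witt describes.

```python
# Added example: assess a DMARC record for enforcement strength.
# Tag names (v, p, sp, pct, rua) come from RFC 7489; the records below are constructed.

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-health.invalid"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc-reports@example-health.invalid"
)


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy, whether it is fully enforcing, and a list of weaknesses."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag; receivers will ignore the record")

    # p is required; treat a missing tag as the weakest policy.
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor-only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk rather than being rejected")

    # pct defaults to 100; anything lower applies the policy to only part of the mail stream.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not a number; treating as 0")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")

    # sp defaults to p; an explicit sp=none leaves subdomains open to spoofing.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected even though the main domain is")

    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so failures go unseen")

    return {
        "policy": policy,
        "enforcing": policy == "reject" and pct == 100,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        result = assess_dmarc(rec)
        print(f"{label}: enforcing={result['enforcing']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

In practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the function above deliberately takes the string so it can be run against exported records offline.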
"You just can't train your way out of this. You can't put enough processes in place to get yourself out of this. The technologies are available. Healthcare has got to make much more focus on putting those technologies in place," Witt said.
Technology alone, however, is not the solution. Progress must also change how health systems think and operate.
The healthcare industry has only begun dealing with data breaches and fines over the last 10 to 15 years. Now, as health systems are shutting down for weeks due to attacks, organizations need to acknowledge the problem. Systems must take ownership of the problem from the top down, Brady explained.
Like a neighborhood watch committee, building awareness around reporting suspicious activity can reduce the number of successful attacks. Progress will continue as awareness spreads, according to Brady.
When it comes to presenting cybersecurity to a health system's board, a 50-page report on firewalls and packet encryption will not win them over, Brady explained. It is important to quantify the risk by focusing on the finances.
According to Brady, the first step of preparation is a risk assessment. He also recommended looking at high-priority gaps and the likelihood they will occur, which may require engaging the system's insurance company or broker. Altogether, this information creates an overall picture of the impact and financial volatility from an actuarial perspective.
The next step is connecting this data to the lines of business, Brady elaborated. Based on how the health system makes money, this step creates a plan for funding the security measures that reduce the probability of loss, even where not every security gap can be closed.
This process applies to large and small health systems alike, as the number of security holes exceeds what most systems will have the money to fix.
"I think it's just giving the board and the leadership the tools and details so that they can make the right decision on how much should we invest in cybersecurity to address a potential loss," Brady said.
According to Witt, if health systems are fighting a ransomware battle, they are fighting the wrong battle. The likelihood that bad actors are already within the network is high. They are likely already inside, learning the environment and setting up a control center.
Data shows that bad actors can be in an environment for up to six months before detection. Witt compared this to someone living in a spare bedroom for months, learning how a family runs its household; cybercriminals are squatting in the walls of the network, observing and stalking their victims.
"You need to work very strongly to keep people out of your environment to keep people away from getting credentials," he said.
User credentials are powerful because they unlock parts of the network and its data, and cybercriminals do not use them lightly. Their goal is to exploit the network where it is most beneficial, to maximize their ROI.
Witt suggested locking down internet-facing systems and making the protection of credentials the primary focus of security efforts.
Multi-factor authentication (MFA) is a must-have for most organizations. However, it is not enough to keep internal applications safe, because many are legacy systems that cannot support MFA, Brady explained.
MFA focuses primarily on cloud-based applications, leaving a significant gap through which cyber attacks can enter.
"I think we spend a lot of time trying to prevent people from coming in, but not enough time detecting, are they in?" Brady said.
Being able to respond to attacks requires more detection effort. Threat intelligence and technologies that detect anomalies are important parts of a system's cybersecurity arsenal.
"We can't just think that we can just block everybody from coming in because they're going to sneak in. And then once they get in, if they're allowed to have stayed for a couple of months, they have the ability, I guarantee you at most organizations, to go undetected, with a regular account," Brady said.
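Brady's point is that an intruder holding a regular account will not trip a perimeter control, so detection has to start from what "normal" looks like for each account. The script below is an added example, not code from the article or from Fairview or Proofpoint, of that idea: it builds a per-account baseline of the hours and source networks seen in past successful logins, flags later logins that fall outside that baseline, and then reports how many days each flagged account has been active since its first anomaly, which is a rough dwell-time estimate. The log lines and account names are constructed for illustration; the line format (timestamp, user, source IP, result) is an assumption, not any vendor's real format.

```python
# Added example: baseline-and-deviation detection over constructed auth log lines.
# Line format assumed here: "<ISO timestamp> <user> <source IP> <success|failure>".
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed "historical" logins used to learn what normal looks like per account.
BASELINE_LOGS = [
    "2024-02-05T08:02:11 jsmith 10.20.5.31 success",
    "2024-02-05T13:10:44 jsmith 10.20.5.31 success",
    "2024-02-06T09:15:02 jsmith 10.20.5.40 success",
    "2024-02-07T17:30:19 jsmith 10.20.5.31 success",
    "2024-02-05T07:01:05 nurse1 10.20.7.12 success",
    "2024-02-05T15:20:33 nurse1 10.20.7.12 success",
    "2024-02-06T22:05:48 nurse1 10.20.7.9 success",
    "2024-02-06T23:59:59 nurse1 10.20.7.9 failure",
]

# Constructed "new" logins to evaluate against the baseline.
NEW_LOGS = [
    "2024-03-10T03:14:00 jsmith 203.0.113.45 success",   # off-hours, external network
    "2024-03-10T09:05:00 jsmith 10.20.5.33 success",      # normal
    "2024-03-12T22:40:00 nurse1 10.20.7.8 success",       # late, but usual for this account
    "2024-03-14T02:00:00 svc-backup 10.20.9.2 success",   # account never seen before
    "2024-03-20T03:30:00 jsmith 203.0.113.45 failure",    # failures are not baselined here
]


def parse_line(line: str):
    """Split one log line into (datetime, user, ip_address, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), result


def source_network(ip) -> str:
    """Collapse a source address to its /24 so small DHCP changes do not look anomalous."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(lines):
    """Per account: the set of login hours and the set of /24 source networks seen on success."""
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for ts, user, ip, result in map(parse_line, lines):
        if result != "success":
            continue
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["nets"].add(source_network(ip))
    return baseline


def detect_anomalies(baseline, lines):
    """Flag successful logins from an unknown account, a new network, or an unusual hour."""
    alerts = []
    for ts, user, ip, result in map(parse_line, lines):
        if result != "success":
            continue
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for account")
        else:
            net = source_network(ip)
            if net not in profile["nets"]:
                reasons.append(f"new source network {net}")
            if ts.hour not in profile["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}:00")
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "reasons": reasons})
    return alerts


def dwell_days(alerts, now: datetime) -> dict:
    """Days since each flagged account's first anomaly: a crude dwell-time estimate."""
    first_seen = {}
    for alert in alerts:
        first_seen.setdefault(alert["user"], alert["time"])
    return {user: (now - datetime.fromisoformat(t)).days for user, t in first_seen.items()}


if __name__ == "__main__":
    found = detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)
    for alert in found:
        print(alert["time"], alert["user"], "; ".join(alert["reasons"]))
    print(dwell_days(found, datetime(2024, 3, 20)))
```

The baseline here is deliberately simple (hours and /24 networks); a production system would also baseline device, geography and the applications each account touches, but the structure is the same: learn normal per identity, alert on the first deviation, and track how long a flagged account has been active so the six-month dwell time Witt cites becomes days.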
Staffing is expensive if systems want to keep higher-end employees on staff to manage services. Brady estimated that over 50% of a potential one-million-dollar budget would go to staffing costs. One way to reduce costs is outsourcing or strategic sourcing; lower rates are available from security operations centers, for example.
If it were achievable, Witt also estimated a 50% allocation to staffing. However, he emphasized the need to view technology as more of a solution, as it is not as widely deployed as he would hope.
For example, isolation technology is a strong tool, yet only 15-20% of healthcare institutions deploy it. MFA is not used enough, nor are tools like micro-segmentation, Witt elaborated.
"I'm not trying to say it's all about technology, but there are some easy wins out there," Witt said.
If systems have not made initial investments, there are easy wins that pay exponentially higher initial dividends. If an organization is already down the path, Witt recommended focusing on process investments, so that it can see where the system fits against benchmarking frameworks and guidelines.
Witt compared preparing architectures to the way athletes begin spring training; they are in shape and ready prior to the season starting.
"We need to rethink our expectations, our attitudes towards the whole way we look at our IT architectures with the idea of getting much closer to that hundred percent sort of patching," he said.
Healthcare is on a long runway with an unprecedented level of cyber attacks. Attacks will not dissipate until the industry finds a way to keep bad actors away, Witt explained.
He encouraged systems not to let up and focus on understanding the most valuable assets in the environment, threat vectors, and how to protect critical people in institutions.
During the pandemic, health systems learned how to laser focus on specific tasks and do them well. According to Brady, the same thing is necessary for cybersecurity, as it is an organizational risk. The best way for this to succeed is by getting the top-level buy-in.
Brady also emphasized the need to plan what to do in the case of a ransomware event. A runbook is essential to outline what everyone within the organization does after an attack. Emergency preparedness and communication can reduce the mayhem during an attack.