No one wants to think about ransomware events and the absolute havoc they can wreak on an organization. But for healthcare leaders, ignorance is not an option. In fact, one expert advises doing the opposite.
“We want to talk about it as much as possible before we have an event,” said Brian Zegers, Information Security Officer at Lee Health. “We don’t want to try to figure it out in the midst of a storm.”
And the storms have come. Last year, two major ransomware incidents occurred within months of each other, resulting in widespread disruption and financial devastation. “The more we can figure out now, the better,” noted Lee.
While there’s no way to predict when and how a cyber event will happen, there are critical steps that can be taken to ensure teams and organizations are prepared to handle the fallout. During a recent Unhack the Podcast, Lee and Aaron Heath, CISO and Cybersecurity Counsel at the Medical University of South Carolina, shared some of the strategies they’ve employed, from infrastructure realignment to “internal poaching,” and discussed their biggest concerns.
One concern at MUSC was the number of freestanding EDs that don’t have sufficient network connectivity, which has led to some “pretty acute problems” for those areas. To remedy that, Heath’s team is looking at different options, including using satellites to maintain connectivity.
As it stands now, an outage can cause serious issues, “because there generally isn’t much infrastructure out there that can run out to them,” he said. “We’ve had cases where we have backup cell coverage to be able to maintain connectivity – they're still running on the same lines.”
It has become clear, he added, how interdependent connectivity is, particularly in rural areas, and how strongly facilities rely on technology. And so, “we’re looking at what type of benefits satellite services can provide for us,” while exploring other ways to increase resilience.
Of course, it isn’t just technical challenges that can get in the way; sometimes, the problems stem from the organizational structure. That was the case at MUSC, where leadership recently pulled infrastructure, network, and endpoint engineering teams into the security office in an effort to align strategically. “We ended up bumping into each other every time there was an issue on the network,” he said, explaining the decision to “get everyone on the same team” and establish “strict alignment.”
The more closely teams are able to work together, the more easily they can identify opportunities – and uncover mistakes. “I can’t tell you how often we’re finding things that a CISO should be concerned about,” Heath said. “It’s all interconnected. That’s where everything is going.”
Because of that connectivity, it’s more vital than ever that organizations have a firm plan in place to manage a cybersecurity event. At Lee Health, Zegers’ team has implemented a ‘recovery from ransomware’ initiative. Through tabletop exercises and sub-work streams, they’re “looking at all the different aspects of what we would be dealing with in a ransomware scenario,” whether it’s storage capacity or timing to get back online. “Infrastructure might say, ‘we have snapshots’ or ‘we have backups,’ but let’s dig into that,” he said. “Do we have that across the board? What does that mean? And so, it’s letting us have a lot of great in-depth conversations, and get teams outside of cyber to think about what would be involved in this process and try to brainstorm as much as possible pre-event.”
To date, his team has developed several sub-work streams focused on everything from updating the response playbook to offline locations for documents, to ensure staff have the resources they need. These conversations, he added, are extremely important, and should include teams outside of IT and cybersecurity. “This helps us in preparation of [ransomware] events, but also with our overall disaster recovery planning, because a lot of this stretches into other areas,” Zegers noted. “I’m always hoping it’s not a cyber event that causes us to exercise these things, but it’s hard to get those conversations going and keep people involved. And so, this has really helped us in preparation.”
Another critical step in laying a solid foundation? Building a strong cybersecurity team – something that has proven challenging across the industry. At Lee Health, where Florida residency is required for all staff, Zegers has found that the best candidates may already be in house.
And so, one of the “different avenues” his team has pursued is to identify candidates from other departments and try to recruit them. “In cybersecurity, you need a specific skillset and mentality and an appetite to learn,” he said. “They don’t need prescriptive steps as to what to do next.” Instead, the right candidates are able to pinpoint and figure out problems – and perhaps even more importantly, realize when a problem needs a whole new approach.
“It’s knowing when to call it and say, ‘let me not spend more cycles on something and go down a rabbit hole,’” Zegers noted, adding that it’s no easy task. “You also need a good understanding of the infrastructure to be able to do that. Internal poaching has helped us identify really good candidates and bring them in.”
If that’s not an option, he also encouraged peers to cultivate relationships with local universities and other healthcare organizations, and leverage them to connect with candidates. “You have to keep those stokes in the fire” and continue to feed the pipeline, Zegers noted.
Heath concurred, adding that he’s excited for the future and has become “passionate about identifying people who have the right mindset,” and following the steps needed to develop a strong cybersecurity posture.
Because when you are able to change a process or see an improvement, “it is the greatest hands in the air feeling to be able to see that quantitative impact.”