Frequent employee training helps stave off ransomware
Children’s Health receives nearly 28 million emails a month. While about 90% of malicious messages are caught by a sophisticated firewall, some still manage to sneak through. The Dallas-based health system isn’t alone. Getting hit by ransomware seems almost inevitable lately, with thousands of new attacks daily and little hope for relief anytime soon. These attacks are easy and cheap for hackers to deploy, and they can wreak havoc on computer systems, sometimes taking them down completely and holding patient records hostage. What seems to be a purely technological problem actually isn’t, and it’s all too easy to lose sight of one very, very important—and analog—factor: people.
People are often the weakest link in protecting against an attack, but they are also one of the most important pieces of the solution. Hospital leaders who realize this have turned to employee training programs to reinforce their cybersecurity efforts, complementing technologies such as antivirus software with responsible behavior and vigilance.
“You want people to be in touch with the reality of the situation,” said Pamela Arora, chief information officer at Children’s Health.
Training takes a concerted effort that cuts across the entire hospital. From the board to the C-suite to frontline staff, everyone needs to know how vulnerable their organizations are to attacks and the dangers of unleashing a virus or malware. Training must teach employees how important it is to be unceasingly careful. And then, after all that, it takes perseverance and the understanding that guarding against all kinds of malware, including ransomware, is more than a one-time class—it’s an entire mindset necessary not only for protecting the organization’s reputation, but for protecting patients.
“Cybersecurity is not just an IT issue,” said John Riggi, an FBI veteran who heads BDO’s cybersecurity and financial crimes unit. “It’s a patient safety issue, first and foremost.”
The onslaught
More than 4,000 ransomware attacks happen across all industries daily, according to the U.S. government, and Verizon found that 72% of malware incidents at healthcare organizations involved ransomware. Still, most healthcare organizations are spending 4% or less of their information technology budgets on cybersecurity, according to a report issued earlier this year by KLAS Research and the College of Healthcare Information Management Executives.
That may leave holes in their defenses. In the first four months of 2017, there were an average of 27 healthcare data breaches per month that affected 500 or more patients in the U.S., according to HHS, which does not specify which of those breaches were due to ransomware. That number could be low, since some hospitals don’t report breaches caused by ransomware at all.
What’s clear is that ransomware is on the rise. “It’s really easy to deploy, it’s really effective, and you don’t have to have any level of technical expertise or sophistication to do it,” said Bob Wice, a cyber underwriter at specialist insurance provider Beazley.
And people get duped: About 30% of the time, people open phishing emails, according to Verizon.
Ransomware attacks typically follow a similar trajectory. After malware gets into a network, often through phishing emails or by exploiting an unpatched software vulnerability—as was the case when the Wanna Decryptor (WannaCry) ransomware spread around the world in May—it encrypts patient data, and the attackers demand payment (often in bitcoin) in exchange for decryption. In the May attacks, the ransom was just $300, though in other breaches the prices were much higher. Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in ransom in February 2016.
If patient data are actually stolen, there’s an even higher cost. “Losing access to the data is increasingly a side event to the real event, which is the stealing of the data,” said David Reis, chief information officer for Burlington, Mass.-based Lahey Health. “There’s value in healthcare information now,” he said. “Stolen data has been monetized.”
Patient records are now sometimes bought and sold on the dark web, Wice said. “It’s just a wealth of information.” Some estimates suggest that patient records are 10 times more valuable on the black market than financial records.
It’s not just about financial losses. Patient safety may be put at risk, too, as providers lose access to medical records. “If you can’t access the medical records, you’re going to have a difficult time providing care,” Wice said.
Hospitals’ reputations also take a hit, as patients and providers lose trust. “It’s going to cost money, and it’s going to hurt the business and its reputation in the community and undermine the confidence of the people they care most about, which is patients and doctors,” said Mac McMillan, CEO and co-founder of CynergisTek, a privacy and cybersecurity consulting firm.
Healthcare is an industry built on trust, said Karl West, Intermountain Healthcare’s chief information security officer. “When there’s a breach, we destroy that trust relationship that is part of healthcare delivery.”
The defense
Despite hackers’ persistence in taking healthcare providers down, the situation isn’t completely hopeless. “We have layers upon layers of security because one individual layer may fail,” said John Houston, vice president of information security for the Pittsburgh-based UPMC health system. One of those layers is employee training, which, when overlaid atop a strong technological defense—antivirus and threat-detection software, email gateways, firewalls, restrictions on browsing, two-factor authentication—can help keep providers’ data secure.
Right off the bat, it’s important for everyone to stop rushing so much. “We’re in a bit of a hurry in this environment,” West said. Skepticism when viewing emails and browsing the web can easily fall by the wayside, opening up entire systems to malicious software. Plus, people are using mobile devices, which make suspicious emails harder to spot. So it’s necessary for them to take the time to figure out whether those emails are safe.
That can be challenging when hackers are so good at what they do. “When something looks authentic and is socially engineered to have information that appears to be pertinent and relevant, then people are going to click on it and fall for it,” West said.
Similar to Children’s Health, Intermountain’s first line of defense is to filter all email through a third-party inspection and then through a sandbox, which blocks emails based on rules. Eighty percent of what comes in from outside the system is blocked. The system also labels all messages from outside the organization with a warning. “Our people are taking it seriously,” West said.
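The external-sender warning described above is simple to implement at the mail gateway, but the details matter: the check must look at the address, not the display name, and must match internal domains exactly so lookalike domains are still tagged. The following is an added example, not Intermountain's or Children's Health's own gateway code; the domains in `INTERNAL_DOMAINS`, the tag text, the `X-External-Sender` header name and the sample messages are all constructed for the example.

```python
"""Tag inbound mail that came from outside the organization.

Added example; this is not Intermountain's or Children's Health's own
gateway code. INTERNAL_DOMAINS is a hypothetical pair of domains, and
the tag text and header name are choices made for this example.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-health.org", "mail.example-health.org"}  # assumption
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organization. "
          "Do not click links or open attachments unless you recognize "
          "the sender and expected the content.\n\n")


def sender_domain(msg):
    """Domain of the address in From:, ignoring the display name.

    'Pamela Arora <someone@gmail.com>' is external however familiar the
    name looks: only the part after '@' counts, and it must match an
    internal domain exactly, so 'example-health.org.evil.com' and
    'examp1e-health.org' are external too.
    """
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify(msg, arrived_from_internet):
    """'internal', 'external', or 'spoofed' (an internal domain on a
    message that entered from the internet, which legitimate internal
    mail never does; SPF/DKIM/DMARC are the real check, this is a backstop)."""
    domain = sender_domain(msg)
    if domain in INTERNAL_DOMAINS:
        return "spoofed" if arrived_from_internet else "internal"
    return "external"


def tag_external(raw, arrived_from_internet=True):
    """Parse a raw RFC 5322 message and, unless it is internal, add a
    subject tag, a header that downstream rules can match, and (for
    plain-text bodies) a banner. Running it twice does not double-tag."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = classify(msg, arrived_from_internet)
    if verdict == "internal":
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    del msg["X-External-Sender"]   # no error if absent
    msg["X-External-Sender"] = "spoofed-internal-domain" if verdict == "spoofed" else "yes"
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        body = msg.get_content()
        if not body.startswith(BANNER):
            msg.set_content(BANNER + body)
    return msg


def sample_messages():
    """Constructed test messages, not real mail."""
    return {
        "lookalike": ("From: Pamela Arora <p.arora@example-health.org.evil.com>\n"
                      "To: staff@example-health.org\nSubject: Urgent: payroll update\n\n"
                      "Please log in at the link below.\n"),
        "internal": ("From: IT Help Desk <helpdesk@example-health.org>\n"
                     "To: staff@example-health.org\nSubject: Maintenance window\n\n"
                     "The portal is down Saturday.\n"),
        "spoofed": ("From: ceo@example-health.org\nTo: staff@example-health.org\n"
                    "Subject: Wire transfer\n\nSend the payment today.\n"),
        "pretagged": ("From: Dr. Smith <drsmith@example.com>\nTo: anurse@example-health.org\n"
                      "Subject: [EXTERNAL] Already tagged\n\nHi.\n"),
    }


if __name__ == "__main__":
    for name, raw in sample_messages().items():
        out = tag_external(raw, arrived_from_internet=(name != "internal"))
        print(f"{name:10s} {out['X-External-Sender']!s:24s} {out['Subject']}")
```

Two points are worth keeping even if the rest is swapped for a commercial gateway rule: the tag must be keyed on the address rather than the display name, and the gateway must know which direction a message came from, since the tag alone does nothing against a forged internal From: address unless DMARC or a direction check catches it.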
Knowing that suspicious emails will get through, however, makes training that much more important. Intermountain, Children’s Health and others suss out employees who could put their networks at risk by sending fake phishing messages, testing employees’ email intelligence. If an employee clicks on a test email, he or she will be redirected to a page explaining what should have been done instead. Meanwhile, the system tracks who succeeds and who fails. At Intermountain, security leaders talk about categories of employees who tend to be more and less successful, encouraging those in the latter group to be more vigilant. At Children’s Health, employees who identify and report the most phishing emails get awards.
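The tracking behind such a simulation has one security property of its own: each recipient's link must be unique and unforgeable, otherwise a click cannot be attributed and a colleague could "fail" someone else by guessing their link. The following is an added example of that mechanism, with the per-department click and report tallies the article's security leaders compare; it is not the simulation product Intermountain or Children's Health use, and the roster, departments, landing-page URL and secret are constructed.

```python
"""Phishing-simulation tracking with per-recipient signed links.

Added example; not the product Intermountain or Children's Health use.
The staff roster, departments, URL and secret are constructed.
"""
import hashlib
import hmac
from collections import defaultdict

SIM_SECRET = b"constructed-secret-rotate-every-campaign"  # assumption

STAFF = {  # constructed roster: employee id -> department
    "e001": "nursing", "e002": "nursing", "e003": "nursing",
    "e004": "billing", "e005": "billing",
    "e006": "it",
}


def link_token(campaign, emp):
    """Token for one recipient's unique link: the id plus an HMAC over
    (campaign, id). Nobody can forge a colleague's token or replay one
    from an earlier campaign, so a click is attributable to exactly the
    person who received that email."""
    mac = hmac.new(SIM_SECRET, f"{campaign}:{emp}".encode(), hashlib.sha256)
    return f"{emp}.{mac.hexdigest()[:32]}"


def resolve_token(campaign, token):
    """Employee id the token belongs to, or None if it is forged or stale."""
    emp, _, mac = token.partition(".")
    if emp not in STAFF or not mac:
        return None
    return emp if hmac.compare_digest(link_token(campaign, emp), token) else None


class Campaign:
    """One simulated phish: who received it, who clicked, who reported."""

    def __init__(self, name):
        self.name = name
        self.sent = set(STAFF)
        self.clicked = set()
        self.reported = set()

    def link_for(self, emp):
        # Landing-page host is an assumption for the example.
        return f"https://training.example-health.org/t/{link_token(self.name, emp)}"

    def record_click(self, token):
        """Called by the landing page. A valid click is recorded and the
        user is sent to the 'what you should have done' page; a forged
        or stale token is ignored. Returns whether it was attributed."""
        emp = resolve_token(self.name, token)
        if emp:
            self.clicked.add(emp)
        return emp is not None

    def record_report(self, emp):
        """Called by the 'report phishing' button in the mail client.
        Reporting is the behaviour being rewarded, so it is tallied too."""
        if emp in self.sent:
            self.reported.add(emp)

    def by_department(self):
        """Sent/clicked/reported counts and rates per department."""
        rows = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
        for emp, dept in STAFF.items():
            rows[dept]["sent"] += 1
            rows[dept]["clicked"] += emp in self.clicked
            rows[dept]["reported"] += emp in self.reported
        return {d: dict(r, click_rate=r["clicked"] / r["sent"],
                        report_rate=r["reported"] / r["sent"])
                for d, r in rows.items()}


def demo():
    """Constructed campaign: two clicks, two reports, two bad tokens."""
    c = Campaign("q3-invoice")
    c.record_click(link_token("q3-invoice", "e001"))
    c.record_click(link_token("q3-invoice", "e004"))
    c.record_report("e002")
    c.record_report("e006")
    forged = c.record_click("e003.deadbeef")                    # guessed token
    stale = c.record_click(link_token("q2-hr-survey", "e003"))  # old campaign
    return c.by_department(), forged, stale


if __name__ == "__main__":
    stats, forged, stale = demo()
    for dept, row in sorted(stats.items()):
        print(dept, row)
    print("forged attributed:", forged, "stale attributed:", stale)
```

The per-department table is the one to report upward; the per-person list behind it is what the article's sources say should drive coaching and awards, not penalties.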
That encouragement—rather than punishment—is important, McMillan said. “It’s crazy to put a penalty on it,” he said. “Are you really going to start firing nurses because they’re clicking on phishing? A better way to address this is where everyone participates and looks at it as a competition.” Participation might even extend to employees’ families: “Everybody needs to have better internet awareness,” McMillan said. “If you’re not helping your children become smarter internet users, you’re really setting them up for trouble.”
Arora at Children’s Health agreed, explaining that employee comprehension of the risk is necessary to achieve security across various environments. Measures like two-factor authentication might seem like a nuisance to an employee working from home, for instance—unless the employee understands exactly why that step is necessary.
For this strategy to work, all employees must be invested, Riggi said. “The CEO and the board have to believe in it. Regulatory pressure alone does not create a culture of cybersecurity awareness.”
No matter how far the training goes, as with practicing anything, repetition is important, McMillan said. “Organizations that phish-exercise their staff at least four to eight times a year have dramatically better awareness than organizations that don’t do it or do it just once or twice a year.”
Smaller changes also help, said Sameer Dixit, senior director at Spirent Communications. “Pick up every keyboard and look at every monitor to see if there’s a sticky note with a password attached,” he said. “Change the default passwords.”
The dilemma
“No matter how well you train people, somebody can still make a mistake,” McMillan said.
Plus, sometimes employees consider it burdensome to do everything right. “People are just not following policies,” said David Chou, chief information and digital officer at Children’s Mercy Kansas City (Mo.). One mitigation strategy is to create better technological infrastructures that preclude the need for unsafe workarounds. Hospital systems can use enterprise file-sharing systems that are compliant with the Health Insurance Portability and Accountability Act, for instance, and they can provide employees with access to virtual desktops.
Even with those kinds of safeguards in place, McMillan said, there will be problems. Ransomware will inevitably succeed, at least sometimes, as years of mounting attacks have made clear.
Next comes the question of what to do when ransomware has successfully infiltrated a network. Again, training is key. “Some organizations have their emergency preparedness only once a year, and if you’re never practicing these drills, you’re never going to be good at it,” Chou said. “Think about how many times we talk about hand-washing in healthcare. I think security is now at that point, where we have to practice it and make it part of the routine.”
Emergency preparedness means having a script for employees to follow should there be a breach. “In the companies that are doing this best, there are written playbooks and scripted processes,” West said.
A crucial first step is notification: “It’s important that employees tie unexpected behavior of their computers to something they’ve recently done, like open an email,” Lahey’s Reis said. “The IT department has to have a very tuned radar as to whether it sounds like a ransomware event is underway.”
If employees don’t tell anyone that they think malware has gotten in, the malware could get deeper and deeper into a network. “Do not make this punitive,” Intermountain’s West said. “Otherwise people will be fearful and they won’t call us.”
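The "tuned radar" Reis describes can be partly automated: an encryptor renaming hundreds of files to a single new extension across many folders looks nothing like a person tidying a share, and the alert is far more actionable if it already names the external email that user received minutes earlier. The following is an added example of that detection and correlation; it is not Lahey Health's or any vendor's logic. The audit-log format, the thresholds, the mail-gateway records and every sample line are constructed for the example and would have to be mapped onto what your file server and gateway actually emit.

```python
"""Flag a ransomware-style encryption burst in file-server audit logs and
tie it back to recent external mail for the same user.

Added example; not Lahey Health's or any vendor's detection logic. The log
format, thresholds and sample data are constructed, and lines are assumed
to arrive in time order.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: <iso time> user=<u> host=<h> op=<OP> path="<p>" [newpath="<p>"]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) '
    r'path="(?P<path>[^"]*)"(?: newpath="(?P<newpath>[^"]*)")?$')

WINDOW = timedelta(seconds=60)           # assumption
RENAME_THRESHOLD = 20                    # extension-changing renames per actor per window (assumption)
MIN_DIRS = 3                             # spread over at least this many folders (assumption)
MAIL_LOOKBACK = timedelta(minutes=30)    # assumption


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension_changed(ev):
    """True for a rename that gives the file a new, non-empty extension,
    the signature of an encryptor appending its own suffix."""
    if ev["op"] != "RENAME" or not ev["newpath"]:
        return False
    old = os.path.splitext(ev["path"])[1].lower()
    new = os.path.splitext(ev["newpath"])[1].lower()
    return new != "" and new != old


def last_external_mail(user, before, mail_log):
    """Subject of the most recent external message delivered to `user`
    within MAIL_LOOKBACK of `before`; mail_log rows are
    (ts, user, is_external, subject)."""
    hits = [m for m in mail_log
            if m[1] == user and m[2] and before - MAIL_LOOKBACK <= m[0] <= before]
    return max(hits, key=lambda m: m[0])[3] if hits else None


def detect(lines, mail_log=()):
    """One alert per (user, host) whose recent renames look like encryption:
    many files, one new extension, spread across directories. A person
    tidying a folder produces a few renames with assorted extensions."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or not extension_changed(ev):
            continue
        actor = (ev["user"], ev["host"])
        q = recent[actor]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:   # ev itself keeps q non-empty
            q.popleft()
        if actor in alerted or len(q) < RENAME_THRESHOLD:
            continue
        new_exts = {os.path.splitext(e["newpath"])[1].lower() for e in q}
        dirs = {os.path.dirname(e["path"]) for e in q}
        if len(new_exts) == 1 and len(dirs) >= MIN_DIRS:
            alerted.add(actor)
            alerts.append({
                "user": ev["user"], "host": ev["host"],
                "first_seen": q[0]["ts"], "renames": len(q),
                "extension": new_exts.pop(),
                "recent_external_mail": last_external_mail(ev["user"], q[0]["ts"], mail_log),
            })
    return alerts


def sample_logs():
    """Constructed audit lines and mail-gateway rows, not real data."""
    base = datetime(2017, 6, 1, 9, 0, 0)
    audit = []
    # A nurse tidying a folder: three renames, assorted extensions.
    for i, (old, new) in enumerate([("draft.docx", "final.docx"),
                                    ("scan1.pdf", "scan1.jpg"),
                                    ("notes.txt", "notes.md")]):
        t = base + timedelta(seconds=40 * i)
        audit.append(f'{t.isoformat()} user=anurse host=WS-101 op=RENAME '
                     f'path="/share/nursing/{old}" newpath="/share/nursing/{new}"')
    # A workstation encrypting the share: thirty files, four folders, 30 s.
    for i in range(30):
        t = base + timedelta(minutes=5, seconds=i)
        d = ("radiology", "billing", "hr", "labs")[i % 4]
        audit.append(f'{t.isoformat()} user=bclerk host=WS-217 op=RENAME '
                     f'path="/share/{d}/file{i}.pdf" newpath="/share/{d}/file{i}.pdf.locked"')
    mail = [(base + timedelta(minutes=2), "bclerk", True, "Overdue invoice - open attached"),
            (base + timedelta(minutes=3), "anurse", False, "Shift schedule")]
    return audit, mail


if __name__ == "__main__":
    audit, mail = sample_logs()
    for alert in detect(audit, mail):
        print(alert)
```

The thresholds are deliberately conservative and should be tuned against a week of real audit data before the alert pages anyone; the correlation with the mail log is what turns "WS-217 is renaming files" into "bclerk opened an external invoice attachment three minutes ago," which is the call IT needs employees to make themselves when the automation misses.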
Then there’s the question of whether to pay the ransom. “You’re playing into the hands of criminals,” Beazley’s Wice said. Paying rewards the attackers and proves to them that the technique works, which encourages future attacks, yet it can sometimes be necessary. Even then, paying might not solve the problem: the attackers may not follow through, or their decryption may be botched.
“It may not be the best thing to do, but I’m damned if I do and damned if I don’t, and I might as well get my business back up,” McMillan said.
Often, ransom is demanded in bitcoin. “Believe it or not, we’ve actually had hospitals tell us that they have opened bitcoin accounts just for contingency,” McMillan said. Some organizations are considering banding together and creating a collective supply of bitcoin they could use should any one of them be hacked, said Michael Morgan, co-leader of law firm McDermott Will & Emery’s global privacy and cybersecurity practice.
But paying the ransom at all should be the last resort, since technology and training should have prevented the attack in the first place.
Still, as West noted, people do make mistakes. “We can be beat, we know we can,” he said. “But we’re trying every day to do better.”