Frequent employee training helps stave off ransomware

Modern Healthcare - NEWS - By Rachel Z. Arndt

Children’s Health receives nearly 28 million emails a month. While about 90% of malicious messages are caught by a sophisticated firewall, some still manage to sneak through. The Dallas-based health system isn’t alone. Getting hit by ransomware seems almost inevitable lately, with thousands of new attacks daily and little hope for relief anytime soon. These attacks are easy and cheap for hackers to deploy, and they can wreak havoc on computer systems, sometimes taking them down completely and holding patient records hostage. What seems to be a purely technological problem actually isn’t, and it’s all too easy to lose sight of one very, very important—and analog—factor: people.

People are often the weakest link in protecting against an attack, but they are also one of the most important pieces of the solution. Hospital leaders who realize this have turned to employee training programs to reinforce their cybersecurity efforts, complementing technologies such as antivirus software with responsible behavior and vigilance.

“You want people to be in touch with the reality of the situation,” said Pamela Arora, chief information officer at Children’s Health.

Training takes a concerted effort that cuts across the entire hospital. From the board to the C-suite to frontline staff, everyone needs to know how vulnerable their organizations are to attacks and the dangers of unleashing a virus or malware. Training must teach employees how important it is to be unceasingly careful. And then, after all that, it takes perseverance and the understanding that guarding against all kinds of malware, including ransomware, is more than a one-time class—it’s an entire mindset necessary not only for protecting the organization’s reputation, but for protecting patients.

“Cybersecurity is not just an IT issue,” said John Riggi, an FBI veteran who heads BDO’s cybersecurity and financial crimes unit. “It’s a patient safety issue, first and foremost.”

The onslaught

More than 4,000 ransomware attacks happen across all industries daily, according to the U.S. government, and Verizon found that 72% of malware attacks on healthcare organizations were through ransomware. Still, most healthcare organizations are spending 4% or less of their information technology budgets on cybersecurity, according to a report issued earlier this year by KLAS Research and the College of Healthcare Information Management Executives.

That may leave holes in their defenses. In the first four months of 2017, there were an average of 27 healthcare data breaches per month that affected 500 or more patients in the U.S., according to HHS, which does not specify which of those breaches were due to ransomware. That number could be low, since some hospitals don’t report breaches caused by ransomware at all.

What’s clear is that ransomware is on the rise. “It’s really easy to deploy, it’s really effective, and you don’t have to have any level of technical expertise or sophistication to do it,” said Bob Wice, a cyber underwriter at specialist insurance provider Beazley.

And people get duped: About 30% of the time, people open phishing emails, according to Verizon.

Ransomware attacks typically follow a similar trajectory. After malware gets into a network, often through phishing emails or a computer vulnerability—as was the case when the Wanna Decryptor ransomware spread around the world in May—it encrypts patient data and hackers demand payment (often in bitcoin) in exchange for decryption. In the May attacks, the ransom was just $300, though in other breaches the prices were much higher. Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in ransom in February 2016.

If patient data are actually stolen, there’s an even higher cost. “Losing access to the data is increasingly a side event to the real event, which is the stealing of the data,” said David Reis, chief information officer for Burlington, Mass.-based Lahey Health. “There’s value in healthcare information now,” he said. “Stolen data has been monetized.”

Patient records are now sometimes bought and sold on the dark web, Wice said. “It’s just a wealth of information.” Some estimates suggest that patient records are 10 times more valuable on the black market than financial records.

It’s not just about financial losses. Patient safety may be put at risk, too, as providers lose access to medical records. “If you can’t access the medical records, you’re going to have a difficult time providing care,” Wice said.

Hospitals’ reputations also take a hit, as patients and providers lose trust. “It’s going to cost money, and it’s going to hurt the business and its reputation in the community and undermine the confidence of the people they care most about, which is patients and doctors,” said Mac McMillan, CEO and co-founder of CynergisTek, a privacy and cybersecurity consulting firm.

Healthcare is an industry built on trust, said Karl West, Intermountain Healthcare’s chief information security officer. “When there’s a breach, we destroy that trust relationship that is part of healthcare delivery.”

The defense

Despite hackers’ persistence in taking healthcare providers down, the situation isn’t completely hopeless. “We have layers upon layers of security because one individual layer may fail,” said John Houston, vice president of information security for the Pittsburgh-based UPMC health system. One of those layers is employee training, which, when overlaid atop a strong technological defense—antivirus and threat-detection software, email gateways, firewalls, restrictions on browsing, two-factor authentication—can help keep providers’ data secure.

Right off the bat, it’s important for everyone to stop rushing so much. “We’re in a bit of a hurry in this environment,” West said. Skepticism when viewing emails and browsing the web can easily fall by the wayside, opening up entire systems to malicious software. Plus, people are using mobile devices, which make suspicious emails harder to spot. So it’s necessary for them to take the time to figure out whether those emails are safe.

That can be challenging when hackers are so good at what they do. “When something looks authentic and is socially engineered to have information that appears to be pertinent and relevant, then people are going to click on it and fall for it,” West said.

Similar to Children’s Health, Intermountain’s first line of defense is to filter all email through a third-party inspection and then through a sandbox, which blocks emails based on rules. Eighty percent of what comes in from outside the system is blocked. The system also labels all messages from outside the organization with a warning. “Our people are taking it seriously,” West said.

Knowing that suspicious emails will get through, however, makes training that much more important. Intermountain, Children’s Health and others suss out employees who could put their networks at risk by sending fake phishing messages, testing employees’ email intelligence. If an employee clicks on a test email, he or she will be redirected to a page explaining what should have been done instead. Meanwhile, the system tracks who succeeds and who fails. At Intermountain, security leaders talk about categories of employees who tend to be more and less successful, encouraging those in the latter group to be more vigilant. At Children’s Health, employees who identify and report the most phishing emails get awards.

That encouragement—rather than punishment—is important, McMillan said. “It’s crazy to put a penalty on it,” he said. “Are you really going to start firing nurses because they’re clicking on phishing? A better way to address this is where everyone participates and looks at it as a competition.” Participation might even extend to employees’ families: “Everybody needs to have better internet awareness,” McMillan said. “If you’re not helping your children become smarter internet users, you’re really setting them up for trouble.”

Arora at Children’s Health agreed, explaining that employee comprehension of the risk is necessary to achieve security across various environments. Measures like two-factor authentication might seem like a nuisance to an employee working from home, for instance—unless the employee understands exactly why that step is necessary.

For this strategy to work, all employees must be invested, Riggi said. “The CEO and the board have to believe in it. Regulatory pressure alone does not create a culture of cybersecurity awareness.”

No matter how far the training goes, as with practicing anything, repetition is important, McMillan said. “Organizations that phish-exercise their staff at least four to eight times a year have dramatically better awareness than organizations that don’t do it or do it just once or twice a year.”

Smaller changes also help, said Sameer Dixit, senior director at Spirent Communications. “Pick up every keyboard and look at every monitor to see if there’s a sticky note with a password attached,” he said. “Change the default passwords.”

The dilemma

“No matter how well you train people, somebody can still make a mistake,” McMillan said.

Plus, sometimes employees consider it burdensome to do everything right. “People are just not following policies,” said David Chou, chief information and digital officer at Children’s Mercy Kansas City (Mo.). One mitigation strategy is to create better technological infrastructures that preclude the need for unsafe workarounds. Hospital systems can use enterprise file-sharing systems that are compliant with the Health Insurance Portability and Accountability Act, for instance, and they can provide employees with access to virtual desktops.

Even with those kinds of safeguards in place, McMillan said, there will be problems. Ransomware will inevitably succeed, at least sometimes, as years of mounting attacks have made clear.

Next comes the question of what to do when ransomware has successfully infiltrated a network. Again, training is key. “Some organizations have their emergency preparedness only once a year, and if you’re never practicing these drills, you’re never going to be good at it,” Chou said. “Think about how many times we talk about hand-washing in healthcare. I think security is now at that point, where we have to practice it and make it part of the routine.”

Emergency preparedness means having a script for employees to follow should there be a breach. “In the companies that are doing this best, there are written playbooks and scripted processes,” West said.

A crucial first step is notification: “It’s important that employees tie unexpected behavior of their computers to something they’ve recently done, like open an email,” Lahey’s Reis said. “The IT department has to have a very tuned radar as to whether it sounds like a ransomware event is underway.”

If employees don’t tell anyone that they think malware has gotten in, the malware could get deeper and deeper into a network. “Do not make this punitive,” Intermountain’s West said. “Otherwise people will be fearful and they won’t call us.”

Then there’s the question of whether to pay ransom. “You’re playing into the hands of criminals,” Beazley’s Wice said. While paying can help promote future attacks, since it proves to hackers that their techniques worked, it can sometimes be necessary. But giving in to payment demands might not solve the problem, since hackers may either not follow through or make mistakes in decryption.

“It may not be the best thing to do, but I’m damned if I do and damned if I don’t, and I might as well get my business back up,” McMillan said.

Often, ransom is demanded in bitcoin. “Believe it or not, we’ve actually had hospitals tell us that they have opened bitcoin accounts just for contingency,” McMillan said. Some organizations are considering banding together and creating a collective supply of bitcoin they could use should any one of them be hacked, said Michael Morgan, co-leader of law firm McDermott Will & Emery’s global privacy and cybersecurity practice.

But paying the ransom at all should be the last resort, since technology and training should have prevented the attack in the first place.

Still, as West noted, people do make mistakes. “We can be beat, we know we can,” he said. “But we’re trying every day to do better.”
