29 June, 2017
During dinner on February 5, 2016, Steve Giles took the call from his CEO that key executives dread: access to the computer system was stopped at Hollywood Presbyterian Medical Center in Los Angeles.
By 3:00 a.m., the hospital declared an “internal disaster,” and Giles, the hospital’s chief information officer, faced a pending ransom. The Microsoft technology had been locked with ransomware virus CryptoWall RSA-2048. By the morning of February 6, the demand—pay the ransom or face a lockdown of computers and data loss—showed up as an icon throughout the medical center, which made it impossible to keep the attack quiet.
Fortunately, the hospital laboratory, radiology department and medical cabinets remained operational, and patient care was never compromised, Giles says. The organization paid hackers 40 Bitcoins, or just under $17,000, to unlock the hospital’s network and decrypt hundreds of crippled IT devices.
“Being open about what happened as soon as you can is one of the most positive things that can be done,” he says. “The message that I want to deliver and also the message that this organization wants to get out is you can survive this. You just have to be prepared.”
Another critical part of a response plan, he notes, is having staff in place to deal with immediate operational needs. For Giles, that meant meeting with teams from the California Department of Public Health, California Board of Pharmacy, Los Angeles Police Department, FBI, CIA, an attorney and insurance provider, and its cyber security vendor McAfee Corp.
Giles says regulators, while cooperative, had no technology experience, so working with them after the attack “diverted a lot of resources and was very time-consuming,” and he had to help the teams understand the magnitude of the incident.
Similar scenarios played out worldwide in May 2017 when companies from Telefonica in Spain to FedEx were hit by the WannaCry ransomware. The worm and several variants crippled unprotected Microsoft operating systems—particularly Britain’s National Health Service.
Robert Shaker has seen both sides, today as global product manager for incident response services at Symantec Corp. and in a prior career as CISO in the financial industry. The worm capability of WannaCry makes it especially dangerous to networks by targeting documents, desktops and removable drives. When the network administrator responds by blocking traffic, fearing data being stolen, it triggers the worm function to begin a lateral spread.
“We really feel badly for those who were affected by this,” Shaker told an online webinar audience on May 15, urging any ransomware victims NOT to pay and to ignore ransom requests. WannaCry attackers, for example, did not respond to requests for decrypting locked data and abandoned Bitcoin wallets where ransom was paid.
“It is a zero-sum enterprise; you will get nothing back for it and you want to stay away from that as it happens. As the copycats are coming out, paying the ransom will only fuel more copycats,” he noted, adding that payers are identified in the Dark Web as profitable future targets.
“By funding those operations, you’re actually funding a future attack against yourself.”
SO MUCH MORE THAN TECHNICAL
Managing the external information about the incident was another nontechnical and frustrating part of Giles’ experience. Flawed news reports on the incident had to be corrected, including one claim that the hospital had paid $3.6 million. It hadn’t. “They also declared it a breach when, in fact, no data was breached,” Giles says of media reports.
He advises a balanced view of keeping stakeholders informed, monitoring news reports and remaining aware of the risks connected to reputation loss.
Because of its highly interconnected systems with doctors, payers, insurers and other parties, healthcare industry medical records are among the most frequently targeted for ransomware attacks. And, instead of stealing identities for resale, hackers now recognize the money to be made by holding business systems hostage.
A US government interagency report from law enforcement agencies provided technical guidance to CIOs and CISOs on preventing and responding to ransomware attacks.
Each day in 2016, there were an estimated 4,000 ransomware incidents, up from the 1,000 attacks per day reported in 2015.
Industry experts see no letup in the trend. The Experian 2017 Data Breach Industry Forecast predicts the healthcare sector will continue to be the focal point for hackers with “new, sophisticated attacks emerging.”
Healthcare executives are in the crosshairs, and prevention is not the only solution. Hospitals and providers also need to invest to harden systems, secure data and maintain operations—in addition to community missions of providing treatments. That balance is straining budgets, especially in smaller, community hospitals.
MEDICAL RECORDS WILL REMAIN A PRIME TARGET
Hospital staffs require patient data, medical orders and other details without fail during a health emergency.
That creates an ideal target for hackers who prey on the need for time-sensitive, critical data and a target willing to pay for data recovery.
Electronic health records (EHRs) can be susceptible if healthcare organizations fail to manage exposure risk, and lost data can often be used to re-identify or complete profile and personal financial data gleaned from other public sources.
Preparations include multiple working backup files in case one set is disabled by an outage or ransomware attack. Another is a rapid-response plan for removing infected devices from the company network or public Internet. Because failover systems take time, an interim solution for critical data to maintain operations is just as essential.
Giles says the cyber-attack had some positive outcomes: Staff recognized the reality of threats, and he received calls of help from other CIOs. He encouraged more interdepartmental face-to-face communication and bolstered the real-time readiness plan.
Before the attack, the hospital had a part-time system network administrator on the security team. Today there are two full-time security people, and Giles might hire an additional overnight staffer.
In addition to collaboration with Santa Clara, Calif.–based McAfee following the cyber-attack, Giles says he is more confident that not every threat will rise to an executive-level matter.
“We’ve quadrupled our budget with these guys, and it’s paid off,” Giles says, describing an April 2017 incident. “We discovered a rogue router that someone had applied to our system and ended up on our network. We took the router out and eliminated that as an access point for an outsider.”
Mapping networks and spotting weak connections is only a portion of the work being done. Having a fallback plan to use pen and paper during power outage or network emergencies requires a keen understanding of a hospital’s complex interactions and communications.
Scott Borg, chief economist at the US Cyber Consequences Unit, an independent, nonprofit research institute, told Healthcare IT News that health industry executives consider the economics of cyber security, and they tailor security to fit their organizations while maintaining operations, down to the smallest functional detail.
“They must also clearly understand what their organizations actually do.”
Coordinate IT, Finance and Strategy. STAT.
WHAT CFOS SHOULD KNOW ABOUT HEALTHCARE STARTUPS
The always-accelerating world of information technology is shaking up traditional healthcare industry players, finding ways to quicken the pace with new tech. And CFOs hold the key, balancing the traditional finance role with a forward-leaning mindset to integrate new ideas and technologies, a realm that until now was kept as far from the finance department as possible.
Hospitals, insurers and frontline medical offices are using data in unique new ways, spurred by electronic health record (EHR) standards, real-time medical research and millions of consumers using mobile devices for programs ranging from drug adherence to health monitoring and communication.
“Five years ago, if a digital startup from a young company out of Silicon Valley would have pitched Blue Cross Blue Shield, or a major hospital, more often they would have been laughed right out the door,” says Chris Edell, CEO of Elevar. “These organizations just didn’t deal with small, untested vendors because of risk.”
Elevar, a four-year-old Silicon Valley–based accelerator, is pioneering in the healthcare space by investing in early stage digital solution companies. Consumer mobile apps and devices have spawned an entire category called mHealth or digital health including Chicago incubator MATTER and San Francisco nonprofit seed investor Rock Health.
“You are witnessing technology solutions emerging that very deeply impact the way people perceive and are influenced by care providers,” says Tim Kan, a BRG managing director in San Diego. He adds that accelerators and incubators are creating a “bridge between two groups that didn’t exist before.”
Care is becoming more multidisciplinary as a research technologist joins doctors on rounds, checking on treatment options and articles in real time. Kan sees a number of reasons why CFOs from healthcare enterprises, especially care providers, should capitalize on—and in—emerging technologies. CFOs understand their organizations’ capacities to invest and adjust accordingly.
Often, CFOs see the bigger view of complex industry networks such as their company’s wireless providers, organizational budgets and strategic initiatives. Integrating new products and services will be a difference maker, says Aetna Inc. CISO Jim Routh, who focuses on Silicon Valley and Tel Aviv for investing.
“Most innovation comes from early stage development companies,” Routh told HealthCare IT News. “What I’m suggesting is buy earlier in the lifecycle. Before the company has investors, before it gets market share, you can get really compelling technologies.”
For further information, please contact:
Stuart Witchell, Managing Director, Berkeley Research Group
switchell@thinkbrg.com