Ransomware is the Clear and Present Danger Now
Probabilities, preparedness, and potential impact mean that Ransomware reigns supreme amongst healthcare provider threats. If you can’t treat patients because you don’t have access to medical equipment, records, billing processes, scheduling, or vital third-party services, the impact is immediate, pervasive, urgent, and even life threatening, far worse than HIPAA fines and other typical data breach consequences.
The growing incident volume suggests that ransomware attackers see a very favorable risk-reward landscape. Smaller ransomware attacks will collectively dwarf the impact of WannaCry and NotPetya. Times change, and Ransomware can diminish if and when the attackers’ risk-reward flips from lucrative to unprofitable. Maybe a breakthrough in law enforcement’s ability to trace crypto-currencies would do this. Far more likely, healthcare providers will have to become too difficult to extort profitably.
Exploitation of medical device and infrastructure vulnerabilities for profit or for terror may eventually surpass Ransomware in total industry and human cost.
The Longer Term and Newer Threat Targets Medical Devices
Medical devices are already hackable, but adversaries have no real economic model yet to focus upon. That can change quickly. For example, they can simply extend the Ransomware model by denying medical device use until a ransom is paid. The complexity of the medical device supply chain, however, poses even more exotic ransom possibilities. There is also a terrorist threat at some point in both critical infrastructure and medical device scenarios. These risks are hard to quantify. While the potential impact is severe, there are no statistically significant probability figures to compel significant readiness improvements.
Healthcare Providers are just Not Prepared for Ransomware
They lack deep IT infrastructure and cyber expertise. They must overcome obstacles to cyber hygiene and other preventative practices that Fortune 500 organizations do not face. Across all industries, 75% of IT practitioners admit they cannot keep up with software patches.
As bleak as this sounds, the urgency of Ransomware will drive healthcare providers to do things that will also do much to mitigate risks from the other cyber threats. There are practical, affordable, and effective solutions available. The challenge of finding and choosing those solutions may be more difficult than actually implementing them.
No winning strategy immediately makes an organization Ransomware-ready. There are three tactics and stratagems that can help healthcare organizations deal with the Ransomware threat in both the short and long term.
Three Helpful Tactics for the Ransomware Threat
1. Implement back-up and restoration systems and/or conduct realistic exercises to be sure they work in Ransomware scenarios.
2. Test and verify: assumptions about readiness make an ass of anybody.
3. Form at least one peer group within 30 days (signed letters of intent) to collectively learn how to better fight Ransomware and to field-test cyber products and services, and their marketing claims, before deploying them.
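Tactics 1 and 2 above call for proving, not assuming, that a restore works. The following restore-drill verifier is an added example, not part of the original article: it records a SHA-256 manifest of the production tree at backup time and checks the restored tree against it, so a drill fails loudly if any file is missing, altered, or carried over unexpectedly. All file names and helper names are constructed for the example.

```python
"""Restore-drill verifier (added example): prove a backup restores intact.

A manifest of SHA-256 digests is taken from the production tree at backup
time; after a drill restore, the restored tree is compared against it.
All paths, file names and helper names here are this example's own.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Report files missing from the restore, files whose content differs,
    and files present that were never in the backup (e.g. a ransom note or
    an encrypted copy that rode along from the infected host)."""
    found = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in found),
        "altered": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "unexpected": sorted(k for k in found if k not in manifest),
    }


def drill_passed(report: dict[str, list[str]]) -> bool:
    """A drill passes only when every backed-up file came back unchanged."""
    return not report["missing"] and not report["altered"]


def run_demo() -> dict[str, list[str]]:
    """Constructed drill: snapshot a tiny 'production' tree, then verify a
    deliberately imperfect restore of it (one stale file, one stray file)."""
    work = Path(tempfile.mkdtemp())
    prod = work / "prod"; prod.mkdir()
    (prod / "patients.db").write_bytes(b"record-1\nrecord-2\n")
    (prod / "schedule.csv").write_bytes(b"2024-01-01,clinic-a\n")
    manifest = build_manifest(prod)
    restored = work / "restored"; restored.mkdir()
    (restored / "patients.db").write_bytes(b"record-1\nrecord-2\n")   # intact
    (restored / "schedule.csv").write_bytes(b"2023-12-01,clinic-a\n")  # stale copy
    (restored / "README_RESTORE.txt").write_bytes(b"not in backup")    # stray file
    return verify_restore(manifest, restored)
```

Run the manifest step against the real backup source before each backup, and the verify step against a scratch restore on a schedule; a drill that never fails is a drill that is not testing anything.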
Three Helpful Stratagems for the Ransomware Threat
1. Seek upstream preventative cyber controls that reduce dependence on downstream reactive ones that seem to add a new functional platoon every year to an already large cyber brigade.
2. Avoid choices that rely on chronic cyber hygiene problems disappearing, that worsen cyber skills gaps, or that hide costly professional services without accountability.
3. Use peer groups to prioritize types of cyber investments and to pierce through industry hype and deceit to get to the ground truth about the effectiveness and TOTAL costs of potential cyber products and services.
More on Cyber Readiness from Tactics Above
Conduct realistic, simulated attacks on your organization. This means avoiding typical employee security readiness training and enterprise penetration testing. Instead, you need programs that seek and fix the human weaknesses that enable and worsen most cyber incidents.
Employee cyber readiness training must focus on the individual and do so continuously. One cannot fix what is not measured. The employee is the Ransomware threat’s preferred target. This employee focus not only reduces your organization’s exposure but it also identifies your most risky employees so that your IT-Ops and Sec-Ops can apply mitigating policies.
The other side of human weaknesses pertains to how well your IT-Ops and Sec-Ops personnel respond to realistic, simulated scenarios. Traditional pen-tests focus too much on technical posture. While good testers find horrifying holes, they generally don’t improve your personnel’s cyber readiness. Seek testers that do. And, don’t let price distract you from getting value.
Most organizations struggle to identify competent, valuable pen testers. Likewise, evaluating cyber products and services challenges them. Peer groups can help.
Discuss Endpoint Compromise Prevention with your Peer Groups
Ransomware rarely begins anywhere other than the enterprise endpoint. In fact, most cyber costs for tools, personnel, and services stem from chronically compromised endpoints. Start your discussion with a group brainstorm in which you list all of the cyber tools, functions, personnel requirements, and cyber services that exist directly or indirectly because of endpoint compromises. Next, discuss how cyber resource allocation would change if endpoint threats were eliminated.
Focus on Prevention in Two Areas to Lower Costs in All Areas
Endpoint protection and employee cyber readiness are upstream of most cyber costs. Fixes in these two areas upstream flow everywhere downstream. These areas are also where the most improvement can be realized. Those that believe upstream issues are not fixable are doomed to spend heavily on many things downstream with only one guaranteed result: your cybersecurity program will look more and more like the Federal government.