Ransomware has impacted several different healthcare organizations over the past few weeks, including Allied Physicians of Michiana and LabCorp. The latest victim is Blue Springs Family Care. I recently reached out to David Finn, EVP of Strategic Innovations of CynergisTek, to get his perspective on the recent ransomware attacks that have been plaguing the healthcare industry.
Question: During Blue Springs Family Care’s (Blue Springs) investigation of the ransomware attack, they found that their computers were already “loaded with malware.” Do you think that the malware they recently discovered has actually been there for a while and that Blue Springs just wasn’t aware of the issue?
Answer: The details coming out of the Blue Springs malware attack is raising many questions. If they found that attackers or in their words, “unauthorized persons” had “loaded a variety of malware programs,” there is a good chance there were prior attacks. In the last few years ransomware has been used for purposes other than ransom. Particularly when attackers want to cover their tracks and this may be the case here. There may have been exfiltration of data for a while and the “unauthorized persons” didn’t want that to be discovered, so they placed ransomware. It sounds like the “unauthorized persons” had uncontrolled access to all of Blue Spring’s data so ransomware may have been the last step to get out rather than the way in, which is usually how it is used – – as a decoy to cover a different kind of attack. The best attackers are truly expert at covering their tracks and removing traces of their presence. But this is just my opinion and we won’t know until Blue Springs releases more information on the incident.
Question: How common is it for organizations to find added potential attacks and malware on their system during an investigation? Do you think it opens the door to finding previously undetected breaches? If so, why?
Answer: It is not uncommon for a thorough forensic investigation to find other issues which could range from unpatched systems to malware to open ports. It seems like malware may not have been set up correctly which could have caused this issue. Often, these are things that someone at that location thought were done, patches completed, processes disabled, and ports closed. Sometimes the task was done correctly but an admin may have gone back into the system to perform some test and turned the controls off and they simply forget to turn them back on. I’ve even seen infected machines pulled from the network for clean-up and moved to a storage area, and then someone in need of a replacement or new device re-deploys the infected machine unknowingly. I’ve seen situations where firewalls are turned off for maintenance or reconfiguration and then they were not re-implemented or turned on again. Now it makes sense to take all the information discovered from the investigation, properly train employees, and update their processes and technology.
Question: Blue Springs says that in the aftermath of the ransomware attack, “we also deployed new technology to prevent future intrusions, including a new firewall. Most recently, we are transitioning to a new electronic health record provider that will provide encryption of all protected health information.” Does this mean they may not have been encrypting patient data and might not have a “good firewall” or worse, had no firewall, to begin with? Are these common mistakes that other covered entities and business associates are making?
Answer: I think you can interpret Blue Springs’s statement about encrypting all ePHI to mean that they were doing minimal encryption, or they have been doing none. Encryption is a critical tool that can be tricky, especially if data is leaving your network. You wouldn’t normally expect the firewall to be part of the encryption process, that is typically being done in the tool to send the data and that can be hardware or software. Sometimes, you can actually encrypt too much. I once saw a hospital completely shut down their entire electronic medical record system (EMR) when they turned on full encryption on the backend database. The issue comes down to really understanding your data and the risk it creates. Some of these systems run many backend processes and these are pretty much invisible processes until something goes wrong with them. If you turn on encryption without making sure all the system processes and sub-processor or other systems can get the data, you can make things worse. When data leaves your EMR and is transferred into emails or spreadsheets, it needs to be encrypted.
Encryption is one of the easiest ways to protect your data. It can be a “get out of jail free card” from breach notification and when you consider how dramatically the cost and headaches of encryption have been reduced, it starts to become a ‘no-brainer’. It has taken the healthcare industry for a long time to get to the level of encryption we have today. The industry, as well as our patients, greatly benefit from more encryption. Like any tool, however, it has to be based on risk and deployed in ways that respect clinical and business operations. You need to be able to afford it and then you need to be able to effectively manage it once it has been implemented.
Question: Based on the information the forensics team and Blue Springs has so far, what do you believe are the most important privacy and or security lessons others can learn from?
Answer: Unfortunately, a lot of healthcare organizations believe they won’t experience any cyber-attacks. They believe they are not big enough, not located in big cities, or they don’t have VIP patients. However, if they are connected to the internet, which most of them are, their chances of an attack are high. The other side of that is that many organizations buy tools, implement technology, and automate security functions and then develop a false sense that an attack can’t happen to them. Buying and installing new tools is a start but mastering them, integrating them into your business, and being able to update, monitor, and train people on how to use them is the harder part. It is also an ongoing commitment.
For example, no one would buy a robotic surgical device and expect it do surgeries by itself. There is still a trained surgeon behind it, in fact, you have to add people to support it. If that robot has a software patch released that makes it better or protects it from known issues, you wouldn’t not apply it. Information security comes down to two things: assessing the risk and managing and controlling the risk through people, process, and technology.
Question: What steps can other CEs and BAs take to try and avoid being in a situation like Blue Springs?
Answer: We have to change gears and focus more on building our team and processes.
- First, we need to implement cyber hygiene, which is basic (e.g. patching, maintenance, and training).
- Next, we must start to automate security, and have tools like anti-malware, encryption, firewalls, network monitors, email gateways, and data loss prevention are completely essential. Not having the proper tools in place hinders your ability to find and manage the issue when it arises.
- Thirdly, we need to start integrating data from all these security tools. Just like we moved to a central EMR to get a better perspective of not just “a patient” but of all patients, we need to have population health for our data and networks. When a cyber incident occurs, we need to make sure all departments are communicating and quickly fixing the issue.
Additionally, the NIST Cybersecurity Framework explains the simple steps: 1) Identify; 2) Protect; 3) Detect; 4) Respond; 5) Recover. Not following these steps could cause the bad guys to win. All these steps need to work hand and hand with one another. And if you don’t have a good response and recovery program, all that other work may be for nothing.
Don’t Be The Next Ransomware Victim
Experiencing a ransomware attack like Blue Spring Family Care or any other kind of cyber incident can sometimes be hard to bounce back from and can tarnish a company’s reputation. Visit CynergisTek’s incident response services page to learn more about how to recognize, prepare, and respond to a cyber incident.