Ransomware is a trending topic for healthcare in 2020. So, this week we are discussing ransomware with CynergisTek’s CEO, Caleb Barlow. Should you pay a ransom, or not? Does cyber insurance help cover anything? Is it legal to pay a ransom? Caleb answers these questions and more in this week’s episode of The Risk Perspective. Listen now to hear a CEO’s expert opinion and recommendations on how to prep and respond to ransomware during the time it’s at an all-time high.
Hello and welcome back to The Risk Perspective!
You’re listening to Season 2, Episode 3, an episode on ransomware preparedness.
I’m your host, Lauren Frickle, and I’m here today with Caleb Barlow, CTEK’s CEO and President.
Hey Lauren, how are you doing today?
I’m doing well, happy to have you here.
To begin, tell us a little bit about your background and tell us a bit about why you took the role as CEO here at CynergisTek.
Well, I came into the role back in August of last year, and prior to that, I’d been running the threat intelligence organization at IBM Security.
What really got me intrigued about CynergisTek was just how tight we are with our clients. I mean, particularly when you’re responding to a breach or, in this case, what we’re talking about today is a ransomware incident. It’s not as simple anymore as going, “OK, what happened, who is likely the bad guy, what did they do?”
These situations now, Lauren, are business-level incidents, you know, it’s a business crisis, not just an IT crisis. And I really felt, you know, one of the things CynergisTek brought to the table was that deep understanding of the clients, so you can really help somebody out on their worst day.
Awesome! Well, let’s dive right into ransomware shall we?
How pervasive is the ransomware problem in healthcare?
You know, healthcare has two challenges when it comes to breaches and ransomware. And in fact, new data that actually came out just in the last couple of weeks here, coming out of (interesting half-mile team at IBM), where they go and do a study on the cost of data breaches, continually finds that data breaches in the healthcare space are more expensive than really any other industry. And in fact, a breach now in healthcare averages over $7 million. Now, that’s 10% higher than last year, and almost double the cost of a breach in any other industry.
And that’s due to a couple of things.
One, the data’s worth more, because a healthcare record has lots of personally identifiable information and health information; it’s worth a lot more on the dark web. But also the impact of causing a disruption in healthcare, particularly when we’re talking about a ransomware incident, is significant. It has a kinetic impact on people.
And in many cases, healthcare institutions that were impacted by ransomware, particularly in 2019, if they didn’t pay the ransom, more often than not, they were diverting patients and closing down their ER, because they couldn’t access medical records. And that becomes not only costly, because if you can’t access medical records, you can’t bill very easily, but it also directly has an impact on your patients.
So let’s set a scene here. Say I’m a CEO at a hospital that has just been hit with a ransomware attack.
Do I pay the ransom or not? And will insurance cover anything?
Well, you know, that’s a complicated question. And the first thing to realize is these ransoms can vary greatly.
If we look back in 2018, the average cost of ransom was about $28,000.
Fast-forward to 2019, it’s about $300,000.
The largest demand in 2019 was over $18 million, and, you know, already in 2020, we’ve seen numbers much higher than that.
So, first of all, cyber insurance is an important piece of this, and in some cases, it will pay, but it’s not a complete get-out-of-jail-free card.
The other thing to keep in mind is just because you pay, it’s not necessarily going to give you your data back.
They’re going to give you a decryption key, which might take weeks or months of going around, system to system, to unlock each system and get the data back.
It also doesn’t alleviate them from potentially stealing the data as well, and we’ve seen lots of examples of that.
So, the short answer to your question is, there is no good answer.
But it is a conversation that you want to think about with your board and your C-suite, and have a couple of plans in place: both a plan for what we are going to do, ideally, to maintain business continuity if we lose access to our IT systems and, in particular, our electronic healthcare records system,
But also, if we do need to pay this, how are we going to do it?
Because the one thing I can assure you, for sure is time matters.
Companies that pay fast and early pay a whole lot less than those that take days or weeks to figure out if they’re going to pay or not. Because this is a volume business for the bad guys.
If they send off a ransom request, somebody pays quickly, they just move on to the next victim.
If you spend a couple of days or weeks, they then try to figure out: who are you? What are you potentially worth? Did I ask for enough money?
The ransom demand may go up, or they may extort you in other ways. And even in just the last year, we’ve seen extortion, even of the healthcare institutions that decided not to pay.
The bad guys would then steal the data and either publish it or extort them in some other way.
So, could I get in trouble for paying a ransom, or are there any risks to paying?
Well, there are a variety of risks. And I mean, the first thing to keep in mind is you’re effectively paying terrorists, and, by paying a ransom, you’re facilitating the ability of someone to commit this crime on someone else.
The question of legal liability is a tough one, and, you know, of course, my default answer would be to consult your own attorney, but I think the way you’ve got to look at this is you have to keep in mind: in some cases, these are criminal entities and you’re paying an extortion demand like any other. In some cases, however, these are nation-state actors, and, you know, in some cases, this is how nation-states get access to money and currency if they’re under sanctions.
Probably a fairly recent case that’s particularly interesting that happened just in the last couple of weeks, is Garmin was allegedly impacted by ransomware.
In this case, the ransomware variant was run by a group that is actually kind of on a sanctions list from the U.S. State Department, a Russian group, you’ve got to love the names of these, known as Evil Corp, using a ransomware variant known as WastedLocker.
But here’s the question. In this case, now, it’s still early, Lauren, so we don’t really know all the details for sure, but it’s going to be very interesting to see how this unfolds because it does look like someone paid the ransom.
I’m not sure if that’s Garmin directly or not.
But it will be interesting to see what the government response is in this case because Evil Corp is on a sanction list.
So, generally speaking, law enforcement is going to recommend that you do not pay ransoms, but it is also very rare to see a company kind of held to task for paying a ransom.
And look, in some cases, you don’t have a whole lot of choice.
If your entire company is locked up, you know your choice might be pay the ransom or go out of business. And we’ve seen this happen in healthcare.
We’ve seen multiple healthcare practices actually have to close because they couldn’t afford to pay the ransom and it was too risky to see patients without access to their prior histories, allergy information, medications, etc.
So they closed.
OK, so as CEO of this hospital again, and whether I pay the ransom or don’t, do I need to disclose if I’ve been subject to a ransomware incident and is a ransomware incident considered a data breach?
OK, this is a really gray area when the attorneys come into the room, and, you know, I see a lot of parsing of this.
And you’ll see interesting legal language when people pay a ransom that’ll say things like we have no evidence that the data was exfiltrated.
You may also see things like an acknowledgment that the ransom was paid and that the attacker agreed not to release the data.
There was a case just in the last week where an organization that raised money for a lot of schools was impacted, and in that particular case the company that was impacted indicated that they had basically paid an extortion request and the bad guy was agreeing not to go and release that data.
Well, you have no idea what the bad guys are actually going to do. It’s not like they’ve signed a legal contract that is in some way binding. It’s not like you have any recourse.
So let me pivot this out of kind of the legal discussion where, again, you may see lawyers parsing this with interesting phrasing.
From my perspective, as a security professional, it’s pretty simple.
If you lost control of your systems, to the point at which someone was able to access your files in order to encrypt them all, then they could have just as easily exfiltrated the data. And they could have just as easily gotten access to it.
So, from my perspective, and I’m admittedly a bit draconian in this, a ransomware incident is absolutely a data breach. And it absolutely needs to be disclosed if you’ve met the disclosure threshold, as if any of that data that was locked up was also disclosed. To put it simply, you’ve lost control of it.
How do I prepare and prevent a ransomware incident?
Well, you know, preparation and preventing a ransomware incident is actually a lot easier than people realize.
So, the first thing is, you need to have good backups, and those backups need to be sequential and they need to be offline. Meaning that a lot of companies over the years moved to online backups, where you’ve got your primary system and your secondary cloud is making an instantaneous copy of it as you go. Well, the problem with that is it’s going to make an instantaneous copy of the now-encrypted file when ransomware hits.
You need to be keeping those files; at least one of them needs to kind of be on ice, where it’s stored offsite. You know, a lot of people are, in some cases, even going back to tape, or you have some sort of incremental copy that can’t be easily changed, right?
So, you know, a lot of times we will see bad guys realize that the backups rotate out every 30 days. They’ll infect the system, but they won’t detonate until the 31st day, to make sure that they got not only the primary systems but also the backups.
So, your backup strategy is key, but, most importantly, what you’re trying to prevent here is two things. One is what’s called lateral movement, meaning the bad guys get onto a beachhead system, and then they can move throughout your organization.
The second thing you’re trying to prevent is privilege escalation, meaning that they get access to maybe one low-level resource account, but they use a series of tools to elevate their credentials up to those of an admin and get control of the whole domain.
The primary ways you need to protect yourself are two things. One, endpoint protection.
So I’m not talking about antivirus, I’m talking about tools like CrowdStrike, Carbon Black, Cylance; these are kind of next-generation tools that run on the endpoint that will detect malware or a ransomware attack in progress and protect that endpoint.
That’s going to protect you both from that privilege escalation as well as the lateral movement. But they’ve got to be deployed pervasively, meaning literally every system.
The second thing you need to do is segment your network.
If you are impacted by a ransomware incident, you want to make sure that both the administrative privileges, as well as the network itself, are segmented.
So, yes, maybe they took down your surgical suite, but they didn’t touch your emergency room. They didn’t touch your back-end administration. You know, you want to limit that blast radius as much as possible. So think of it this way: you don’t want to have super users with admin accounts that have access to everything.
You’ll want to make sure that those things are limited, and that they’re only used for administering that limited domain. Does that make sense, Lauren?
It sure does!
Thanks for that information. It was very helpful.
Now stepping out of my CEO role at a hospital and stepping back into my role as Lauren Frickle, podcast host…
I want to end this episode by asking: How does CTEK help with ransomware?
Well, the biggest thing we can do from a ransomware perspective is help you to have a plan in place. The time to make a plan is not on that idle Tuesday when you get woken up at 6 AM and someone’s calling to tell you that every system is down; that’s not the time to put a plan in place.
You need to have a comprehensive plan in place early, and that plan needs to look at two things. One, from an assessment perspective, are there steps you should take to limit your susceptibility to ransomware?
Some of the things we talked about a few minutes ago, like limiting privilege escalation and lateral movement, and segmenting your network. And we can help companies identify where they may have particular weaknesses within their organization or their architecture.
But the second thing we do, in fact, what I think is the most valuable, is we can help you build a comprehensive plan, a run book.
So that when, and God forbid, if that happens, you’ve literally got a paper binder on the shelf that you pull down, and it has everything you need to do immediately: who you need to contact, what systems you need to isolate and shut down, what your plan is to maintain business continuity while you’re working through the crisis.
Who to call, how to negotiate?
I mean, the thing to remember about a ransomware response, it’s a lot like having a major medical event, right?
If you have a heart attack, you probably want a specialist working on you, ideally, maybe a cardiothoracic surgeon.
Well, just like with a ransomware incident, you want to call in a team of people, not just your security team, but communications, legal, people that do this every day. This is a specialty, and there are certain things that companies can do to help you get out of a mess, but you want to make sure you’ve got those relationships in place, with everything from law enforcement, to crisis communications, to incident response. You want to make sure that those decisions are already laid out.
Because back to your earlier scenario, Lauren, what happens when the CEO is on a plane for the next 12 hours?
You don’t want to wait till they land to make decisions. You’ll want to know ahead of time what those decisions are that you’re going to make, and be able to process through them with speed.
And on that note, that’s the end of this episode.
Thank you Caleb for your time and expertise. And thanks to our listeners for listening, we’ll catch you next week.