Breaking news – ransomware is significantly disrupting healthcare organizations.
This headline should appear flippant to senior leaders, especially when we are receiving weekly reports of yet another healthcare organization falling victim. Unfortunately, we still witness too many of our peers standing like a deer in the headlights waiting their turn to be the next target.
When we look at the numbers, we can make a compelling argument for action. In one survey conducted by Kaspersky and reported in Becker’s Hospital Review, one in four healthcare organizations reported being attacked by some form of ransomware in the past year, and one third of those were attacked multiple times. With over 5,500 hospitals in the U.S., we can estimate that over 1,000 hospitals have fallen victim to at least one ransomware attack and 350 have experienced multiple attacks.
Given these statistics, the headline above should not be a new revelation, but a challenge to our assumptions that we are doing enough to prevent and recover from these attacks. A review of the trends of reported attacks suggests that certain groups are not doing enough. We have not heard reports of large organizations succumbing to ransomware since the Colorado Department of Transportation and the City of Atlanta attacks. Attackers are finding their chances for a payoff increase when they focus attacks toward smaller and less prepared targets. The reasons are probably varied, but a common theme is that smaller organizations do not have the same resources as large organizations and therefore are less likely to have robust off-line backups protected from the network.
Supply Chain as the New Attack Vector
With smaller targets, a tolerable payout needs to also be smaller, so attackers are shifting tactics to simultaneous attacks with the goal of compromising many small victims. Attackers are more successful with smaller organizations that are less likely to have robust security management programs. Targeting these organizations is easier by compromising a large organization in the supply chain.
Supply chain attacks are not new, having achieved large success with Not-Petya in 2016. In this attack, a common vendor was used to infect many targets with minimal additional efforts. We have seen a resurgence including a recent coordinated attack against 22 Texas municipalities. The New York Times reported that “the pathway appeared to be through a once-trusted communications channel […]managed by a private systems-management firm.” This first compromise allowed the attackers to easily get into each of the local government systems and install their ransomware. Another report suggested that the organizations’ managed service provider was the conduit for the attack, perhaps because they already had administrative credentials to many of the core systems and servers. Finally, the Dental Data Backup Service has also been attacked with ransomware offering more proof the attackers are going after the higher volume supply chain vendors.
New Risks Requires New Approach
The new wave of attacks routed through the supply chain is going to require a new approach. First, all healthcare organizations need to take a harder look at their supply chain management process. This includes starting with setting more strict vetting standards, including the use of mandatory security and privacy assurances. Managing the privacy rights is equally as important as security to avoid another Cambridge Analytica revelation. Minimum security and privacy standards should be written into every RFP, based on the risk to the organization. This implies the healthcare organization has defined risk tiers based on the type of access granted.
Second, covered entities need to require those vendors representing the higher risks in their supply chain to conduct frequent external audits and report the results back to the covered entities. The use of third-party audits brings impartiality into the assessment process which ultimately reduces risk, but that risk is reduced further when the provider reviews those reports to identify vulnerabilities that can impact their systems. In these instances, the providers need to either expect the vendor to make changes or the provider needs to develop alternative solutions.
Third, healthcare organizations need to conduct frequent incident response exercises and include the supply chain partners. These exercises will identify gaps in the process which can be addressed, ultimately reducing either the probability of an adverse event or the impact of the likely attack.
Finally, develop and practice downtime procedures for if (or when) an attack occurs. These procedures should not only cover clinical operations, but also include back-end workflows like scheduling, financial management, timekeeping and payroll, and even supply chain management. As organizations integrate with suppliers, define ways to manage inventories and reorder new supples.
The cybersecurity landscape is littered with healthcare organizations who have been severely impacted through attacks. This is not a predetermined event, but the result of inadequate planning. The ultimate outcome is dependent on the hard decisions being made today.