Ransomware has been plaguing healthcare provider organizations for some time now. The onset of COVID-19, in fact, brought even more attacks.
Steve Smerz is chief information security officer at Halo Health, vendor of a clinical collaboration platform that includes secure messaging, video, voice, alarms and alerts designed to enable clinicians to connect easily.
He says he’s seeing a drive for hospital and health system boards to increase resources to cybersecurity teams as ransomware continues to nail healthcare organizations in the second half of 2021.
According to Smerz, hospitals are the perfect targets for ransomware threat actors. They have large amounts of data that can be encrypted and impact the hospitals’ ability to operate, dollars in the bank to pay the ransom, and a board that is not as tech-savvy as those in other industries.
Smerz sat down with Healthcare IT News to talk about how hospital boards are taking a new look at cybersecurity, how hospitals are adapting to ransomware strikes and priorities CISOs face when confronted with ransomware.
Q. Where are you seeing hospital boards increasing the priority on cybersecurity, funneling dollars to the security cause?
A. Most IT leaders will contend that security has been a focus for a long time. It’s been a core priority. And yet, the level of threat has evolved, as have the methods used by attackers – and their sophistication. It’s up to IT leaders and the health systems they support to keep pace, which of course is a challenge even under the best of circumstances. Security is a risk no one is willing to take.
These decisions and associated investments at seven-figures-plus become board-level matters. This is why we’ve seen cybersecurity technology expand at a rapid pace – there is so much need and opportunities for solutions.
Plus, modern health systems rely on interoperable technology now more than ever. So with a system of record like an EHR – a system of data capture that serves as a hub – the reliant systems can be impacted. All of which creates challenges for health systems.
Q. Why are ransomware threat groups continuing to go after hospitals?
A. Becoming a ransomware target involves three main factors – typically money, a critical use-case and an access point. And health systems have all three. First, money: Hackers target organizations such as health systems that have, or are perceived to have, enough funds to pay a ransom.
Next, a critical use-case: Protecting patient health and well-being is a built-in critical use-case, which creates pressure to react quickly to the attack. Frankly, they are looking for an urgent/emergent setting that relies on information to make decisions. Accessing information when a patient is coding or having an anaphylactic reaction, or in the OR, are all time-sensitive matters – and if clinicians are not able to access the original system of record, it is highly problematic.
And an access point: The attacker needs an opening to enter the organization’s network. Many healthcare organizations use on-premise networks, which can become vulnerable to attacks as they age. And health systems are remarkable examples of people working together, quickly, under busy and occasionally difficult scenarios.
That adds up to a chance for a staff member to click on an email that looks real or to fall for sophisticated phishing efforts. The result is that every hospital or health system is potentially at risk for a ransomware attack. No one should assume “it won’t happen to us.”
Q. How are hospitals adapting to being hit by these attacks to continue care despite EHRs on lockdown?
A. First, hospitals and health systems should implement a layered, “security in depth” approach.
Today’s ransomware attacks also illustrate the need for redundancy that allows organizations to continue operating while recovering from the threat.
Communication is fundamental, and when the internal network is compromised, alternatives are required. This is where a separate layer of communication is advantageous. Cloud-based clinical collaboration platforms offer a secondary communication channel outside the core EHR infrastructure, which enables teams to continue delivering patient care.
To click a level deeper, hospitals and health systems often use on-premise servers or private cloud infrastructure to support the EHR. However, clinical collaboration platforms operate on a separate infrastructure from the EHR, often with their own security paradigm based on an external secure cloud platform, which uses geographically dispersed data centers to keep data secure, and high availability for maximum uptime.
In a BYOD policy organization, care team members use their own private devices, which provides an additional point of differentiation from the hospital’s main network. These devices can continue communication by operating on cellular networks when WiFi networks are unavailable.
In any case, whether the organization relies on shared devices, BYOD or other mobile device strategies, a clinical collaboration platform enables team members to continue communication in real time to deliver and act on mission-critical information, such as stroke and sepsis alerts.
Q. What should be the top priorities for healthcare provider organization CISOs in the face of ransomware?
A. While there are many priorities, the ongoing area of exposure that changes shift by shift, new hire by new hire, is people.
One of the biggest vulnerabilities at systems and hospitals lies within the staff – as most successful ransomware attacks start with people. So education and training, exposure to the methods of social engineering and phishing, is core to any ongoing program of protection. We have to help our people keep up while the methods of attack evolve.