September 9, 2021: Our news cycle has been dominated for years by the concept that systems can be overtaken in minutes. We are experiencing a frenetic pace within the industry to protect against malicious attacks – including destruction-ware, phishing, ransomware, and virus-based activities. We must have a vision, not only from the vulnerable sets of systems, but from looking through the lens of an attacker. Using the defensive stance will improve the present-state posture and allow for the evolution of consistent and distributed awareness and control models. Why is healthcare being targeted in these vicious attacks, and how is this going to be resolved? Is there a clear path forward?
Join our webinar “Coming Through a Ransomware Event – Best Practices and Lessons Learned” on Thursday, October 7th at 11:00 AM eastern time. We are going to take a unique look at the Sky Lakes Medical Center ransomware event with guests:
S6: Evolution of Ransomware Protections with Sirius and CrowdStrike
Transcript – September 9, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is the evolution of ransomware protections. Our sponsor for today’s segment is CrowdStrike.
[00:00:24] We want to invite you to a special event that we have coming up Thursday, October 7th at 11:00 AM [00:00:30] Eastern time. We are going to take a unique look at a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Gaede, joining us. That is a health system that was ransomed.
[00:00:43] And we have Lee Milligan, the CIO for Asante. Asante is the EHR host for Sky Lakes. They’re the community connections for Sky Lakes and they’re going to recount the events and the effects that it had on the interconnected health systems. Some of the things that they did that [00:01:00] they believed worked pretty well and some of the things that they think could have prepared them better for the event.
[00:01:06] We’re also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event, straight through to the end. And I believe with his insights and the CIO’s experience, this discussion is going to provide valuable insights into the best practices that are being adopted across the industry and maybe that you could adopt. So we would love to have you join us. [00:01:30] And if you want, you can provide us questions ahead of time. It’s in the sign-up form, and we will make sure we address as many of those as we possibly can. So there’s a webinar Thursday, October 7th at 11:00 AM Eastern time. You can sign up on our website, thisweekhealth.com/register.
[00:01:47] Our topic for today is the evolution of ransomware protections. Our sponsor for today’s segment is CrowdStrike and let’s get to it. Matt, this is probably the most timely topic [00:02:00] going. Why is healthcare being targeted in these vicious attacks and how is it going to be resolved?
[00:02:05] Matt Sickles: So it’s the easy attack vector right now. There is chaos with the COVID pandemic. We already have resources who have been giving everything that they have to a hospital system. It’s tiring and everyone is exhausted. I think that that is one of the compelling reasons that healthcare is being targeted, not so much for the perceived maturity level of [00:02:30] any hospital system but because it can inflict some of the most pain.
[00:02:34] As we take a look at this, we’re starting to see the dialogue change from cyber attacks into cyber terrorism. And this is really what we have seen with the pipeline that was attacked, that impacted fuel on the east coast, all the way to the meat processor that was global impacting. And now we have these organizations that are really organized crime corporations going around.
[00:02:58] They’re looking [00:03:00] for where they can inflict the most revenue. And the most impact for people in a very straightforward manner. So healthcare during a pandemic has been a logical target.
[00:03:11] Bill Russell: I think I know the breadth of the problem because I’m in healthcare, I’m talking to a lot of people, but every day I hear different stories.
[00:03:17] And yesterday I heard a two-dentist practice that was ransomed. Two-dentist practice. That was ransomed because it’s just email goes in, somebody clicks on it, they take control of it. Two-dentist [00:03:30] practice. They asked for some Bitcoin and it really is a criminal practice. My guess is I don’t really, even with all the people in healthcare I’m talking to, I don’t really grasp the scope. How pervasive is ransomware at this point?
[00:03:45] Matt Sickles: So these figures are probably about two weeks old. I went into the Office of Civil Rights. I went into the exceptions report to find out how many healthcare systems are under investigation for a breach or other [00:04:00] disclosure event. They are now investigating over 800 events from 2019 and 2020. 2021, there’s an additional 250. So we’re dealing with nearing a thousand events that are being investigated. Through the portal you can actually see if it is a hacking or an IT incident. When we get this type of compelling information, we know that there is a real risk here, but think about this ransomware problem on a larger basis. [00:04:30] While healthcare does the tracking and publishes that information,
[00:04:34] there’s a lot of corporations that don’t. They’re dealing with the same problems they have already solved for X, but they’re just not sharing how they did it. Everyone is so introverted now on their security capability, they don’t want to share that in healthcare right now. The compelling change is now that these ransomware events are getting so fast and furious because they know that the hospital system is the last chance for patients with COVID-19.
[00:04:59] That to me [00:05:00] is one of the compelling events on top of another dynamic that’s quite interesting. During the pandemic, we did see the cost of standard cryptocurrency and when that actually was elevated, let’s just use Bitcoin as the example. In late 2019, we were seeing trading of 15 to 20,000 US dollars for one Bitcoin.
[00:05:21] Well, now we’re ranging anywhere from 40 to 60,000. So when you all of a sudden have a revenue source, that’s four times greater just by giving a [00:05:30] ransom of 70 Bitcoin. Now you’re talking millions and millions of dollars impacting an organization that may only have cyber insurance that covers up to a ceiling of a million.
[00:05:40] And the demand is for four and a half to 5 million. So we’re seeing these attacks, healthcare systems are getting impacted, but the bigger question is this, a ransomware attack can turn into a destruction event very quickly as the code and the lateral movement. And all of the intelligence are being deployed.
[00:05:59] [00:06:00] Once they have decided to drop the payload and impact your organization, there’s a lot that can go wrong. So even if you do get back there, you might not have complete data. So now we start to question, should we even buy our data back? Is our data going to be guaranteed that it wasn’t already exfiltrated, shared and used for other nefarious purpose?
[00:06:21] And most importantly, are we going to be able to get Pandora back into the box ever? In healthcare over time possibly, but the ransomware [00:06:30] problem has affected healthcare in an inordinate manner. I’ve seen a lot of the attacks now become so sophisticated. That is now where sophistication is focusing healthcare, healthcare systems and the vulnerable systems that are online.
[00:06:48] Bill Russell: So Matt, you’ve been at the table with these response units and those kinds of things. Talk about what that’s like. Talk about the phone call that comes, sitting with the team, sitting with the [00:07:00] leadership. What do the conversations look like and how are the conversations changing?
[00:07:03] Matt Sickles: New Year’s Eve, I got my first phone call for 2021 for the ransomware for NetaCISM that was going on. That was actually an event that woke me up. I had never seen an attack that fast. And I was just awestruck by what happened. Fast forward about 60 days and we had one of the largest healthcare breaches that we got involved in.
[00:07:29] We [00:07:30] actually had a call from their director of security at around 6:30 in the morning. They wanted to know if we had been hearing about any type of attack; they were losing connectivity with their systems. 7:30, we had their leadership team assembled with their CIO and their CISO on the phone.
[00:07:48] And we were starting to walk through what they should do to stop what was happening. By 8:00 AM they had over 3000 machines that had been previously online when we started the [00:08:00] conversation at 6:30 in the morning that were now offline and locked with crypto ware. So they were all of a sudden sitting with 3000 boat anchors in their organization.
[00:08:09] They had no ability to restart computers, restart network equipment. Their phone systems were down. Their automatic voice response systems were down. The PACS system, the scheduling system, all down by the time that the clinics opened that morning.
[00:08:24] Bill Russell: Wow. Part of me that wants to ask is this a fad? Is ransomware a fad? Or are we going to have [00:08:30] the same thing, same focus three years from now?
[00:08:33] Matt Sickles: Yeah. It will be a wolf in sheep’s clothing with a different name. We’re going to have something new. If I had to read the tea leaves of what I’m seeing for the sophistication, the trending that’s going on in ransomware.
[00:08:45] As I mentioned earlier about destruction ware, that can be an inadvertent exception you can start to destroy. But I think that targeted medical information is going to be a real possibility. Think about all the people who were in the public eye, who that, if they had [00:09:00] manipulated data information around their healthcare it could lead to a different outcome.
[00:09:06] There could be health qualifications for someone running for a presidential office that are manipulated. We could have someone who is running for state and local government, those targeted attacks. I think that may be one of those future states in our threat vector that we have to look for.
[00:09:22] So let’s go ahead and look at some of those capability and possibilities right now. What do we have that could be effective in [00:09:30] mitigating or controlling those types of things? But one of the key pieces of ransomware is you always have to think about your data validation. When do you know the data you have been trusting is your source of authority and your source of record for your operations in the continuity of care has been violated? That data provenance is going to be one of the capabilities we really need to come up to speed on to protect against ransomware and the outcomes for that in the next 12 to 24 months.
[00:09:56] Bill Russell: Okay. I’m thoroughly scared. You’ve got my attention. I [00:10:00] think it’s gotten the attention of everyone, right?
[00:10:01] So you have the president’s initiative, President of the United States, President Biden’s initiative. You have focus at that level. You have focus across several industries. At JP Morgan this past year, better than half of the CEOs in healthcare got up and said, cybersecurity is a priority, but what does that mean?
[00:10:23] Well, when they say cybersecurity is a priority and me as a journalist, what’s the follow-on [00:10:30] question to say, is it a priority? Are we making it a priority? What do they need to do to make it a priority moving forward?
[00:10:37] Matt Sickles: Yeah, say it out loud. Say it often. Repeat it and make it part of the beginning of every discussion related to information. So if it’s information technology, information security, it just has to be omnipresent in the conversation. We saw a lot of activity. Take a look at what strides we have taken over the last 24 months. [00:11:00] We went from the identification of a retrovirus out in the wild to a vaccine that is in the arms of a large portion of the United States and the world.
[00:11:10] As we’re starting to see how we can affect security, why not go ahead and do some of those analytics, go ahead and build up some of those net new things. Operation cyber speed should be a priority for the government right now, the states, the organizations, private industry, because [00:11:30] if we don’t collaborate and start to share what’s really going on in an open format,
[00:11:35] we’re going to be at a disadvantage. We’re not going to have the intelligence and information for when the next compelling event occurs. We know now that a lot of the endpoint detection response systems are early warning indicators. A lot of our partners, as they run their security operation centers for the intelligence of that data, they now are making some of the first phone calls.
[00:11:57] I think that one of the most important [00:12:00] things we’re going to have to do to circumvent the pace of ransomware is to protect the keys to the castle. We have to make sure that all of our information is isolated. Then we have to make sure that we’re looking at how we can not only technically control this, but administratively control this information, because that is going to be one of the most important pieces.
[00:12:24] We know that we have gotten a great response from doing education [00:12:30] around phishing attacks and other mail malware vectors. But what we don’t have right now is that holistic understanding, that broad understanding of how the day-to-day operations of a healthcare system can impact patient data. And it can also affect the revenue stream of a hospital system.
[00:12:48] Bill Russell: Yeah. You know what Matt, a lot of times I hear leaders talk about how much money we’re spending on cyber security as the metric. I hear, oh JP Morgan spends X [00:13:00] amount of money on cyber security. That means it means something, I don’t know what it means, but that’s the metric I hear the most.
[00:13:06] What I want to ask you though, is what is the metric? If I were to hold health system leaders’ feet to the fire, it’s not necessarily how much money they spend, it’s really outcomes. So what kind of metrics would I look at to say, all right, we’re being effective?
[00:13:22] Matt Sickles: Yeah, you brought up an interesting point. So think about this. Security and the securing of patient information may [00:13:30] not be a return on investment. It may be a return on expense. So we have to come up with some calculus that we understand what it’s going to cost. You can get that out of your electronic health system. We have some clients who have gone through breaches that have seen costs between $8,000 and $10,000 a minute as they’re taking downtime in a ransomware event. That’s the revenue impact. That’s the ability to provide care. So what we have got to do is we have to come up with a lot of these [00:14:00] controls for visibility, knowing early that something is going on. Having an incident response plan, that response plan being modern and now being able to ensure that it is going to be reliable.
[00:14:13] One of the most horrible things that we’re seeing in almost every ransomware attack is the elevated permissions to the Active Directory are integrated with backup systems. Once the backup systems have access, they’re going into deleting the schedules. They’re going into deleting the data on the [00:14:30] back end and they’re rendering any recovery from your backups unavailable.
[00:14:35] You cannot restore. So you have to start from scratch. We’ve seen this multiple times now. In fact, we’re a hundred percent on that attack approach is one of the first systems that gain control of is a single sign-on accessible backup system with the keys to the castle and the history of the company.
[00:14:53] And they’re able to destroy that and now start to go through all of these side [00:15:00] systems and the attached systems and the attached companies, third-party agreements, and then infiltrating them as well. So that’s where we have got to focus. Our energy is a lot of protection. We have to also focus on awareness and then most importantly education.
[00:15:17] Bill Russell: Final question: the title of this is evolution of ransomware protections. Are we seeing tools? Are we seeing new protections come about as a result of what we’re learning?
[00:15:28] Matt Sickles: We are. And I think some of the most [00:15:30] compelling changes in the technology is a lot of that threat modeling. We’re seeing the threat intelligence and the application of threat modeling and intelligence to the tool sets that is advanced intelligence machine learning that’s coming in and being a real tipping point.
[00:15:49] That is where we see a lot of the change coming. As I look for I’ve been in this 30 years, I have to start to think about what is going to be [00:16:00] my exit strategy from the industry. Do I want to teach, do I want to lead or do I want to turn wrenches? Security, lets you do all of that, right?
[00:16:09] So we have to be effective in our controls. We have to also be having those open conversations of what is our limit, what do we really want to do? And you said let’s not look at the dollar amount, but it is complete and utter buy-in from leadership, from the medical side, the administrative side and the operation side, in a [00:16:30] concerted effort. That’s the only way that we’re going to have any resolution or advanced protection is that single culture change that gets us down that path.
[00:16:40] Bill Russell: Matt, that’s fantastic. Special thanks to CrowdStrike for their partnership in making this content possible. Matt, as always thank you for your time. And I learned just a ton from these conversations.
[00:16:49] Matt Sickles: Awesome. Thank you Bill. Really appreciate it.
[00:16:51] Bill Russell: What a fantastic conversation. We want to thank our sponsors, Sirius healthcare and CrowdStrike, who are investing in our mission to develop the next generation [00:17:00] of health leaders. Thanks for listening. That’s all for now.