Responding to Ransomware Series Part IV: What We’re Doing Isn’t Working | True Digital Security

Responding to Ransomware Series Part IV : What We’re Doing Isn’t Working: Exploring New Strategies for Ransomware Prevention & Response

Ransomware attacks appear to have skyrocketed amid the pandemic, likely due to increased remote work and a larger attack surface, combined with new corporate-style models for ransomware cybercartels. While this trend has affected a number of verticals, healthcare seems to have been hit particularly hard, with hospital resources accessible online. I have read several estimates that put the 2020 cost to healthcare at 20+ billion dollars, and IBM placed the industry average cost per incident at 9.23MM. It’s not realistic to go backwards from here, as persisting outbreaks in the pandemic reiterate the need to keep much of the workforce remote. The danger is that the financial impact of these attacks further increases the cost of healthcare, threatening the financial viability of providers.

What Industry Leaders Are Saying

In a recent interview with Becker’s Health IT, Joel Klein, Senior Vice President and CIO of University of Maryland Medical System (Baltimore), said:

In my opinion, by far, the biggest and fastest-changing concern we face in healthcare is the threat of ransomware attacks. Cybercriminals and nation-states are distracting the industry and trying to pull us away from our core mission of caring for patients. Whether it’s more vigorous, recovery-driven enforcement, providing forums for the free exchange of incident details so we can learn from them, managing the consequences of cryptocurrencies on an international scale, strengthening the cyber insurance market or establishing cyber practices that define a liability safe harbor, healthcare needs more help to avoid further driving up the cost of care.


Rick Keller, Senior Vice President and CIO of Ardent Health Services (Nashville, Tenn.):

In the current environment in healthcare IT, one of our main concerns is not new but ever more threatening: the increase of ransomware attacks and the attack on [internet-of-things] medical devices which all want/need access to our networks. We are taking a layered defense approach...


These statements both highlight the continued need to do more in terms of PREVENTION and RESPONSE. To PREVENT, I would agree with Keller on using a layered defense approach. Recent ransomware attacks point to data theft and extortion threats around publication of that data. With Patient Health Information (PHI) still at the top of the list of the most valuable sensitive data for bad actors, that has translated to attacks where not only are systems encrypted, but unless additional payments are made, attackers will make PHI public. In many cases they do this anyway, even after extortion monies have been paid. The financial fallout in these cases is much steeper, because the organization is then also looking at compliance fines, legal battles, and brand loss.


PREVENTION: Supporting Better Data Protection

One emerging solution that TRUE is working with is QNet Security. QNet is a company that provides silicon-based point-to-point encryption (P2PE), which greatly reduces the burden of managing a large number of devices. Device security is a significant component of the struggle for healthcare, where you have, in addition to all of the back-office employees now working remotely, a never-ending supply of IoT devices. This includes more than just the laptops, desktops, iPads, and mobile phones used by doctors and caregivers; it extends to all of the IoT-connected heart devices, monitors, breathing machines, imaging machines, security or patient monitoring cameras, and even printers. Add up the number of beds in any health system, then consider that there are going to be, at minimum, 1-2 IoT devices per patient in any given hospital. Now add back in the number of employees working from home. The attack surface can be vastly reduced by securing data as it flows through, or sits at rest in, these endpoints.


RESPONSE: Working Better as a Collective Will Help Individual Responses

Klein’s comment on the need for increased enforcement, post-incident information sharing, standardization, and organized responses highlights the need to respond better to the threat. I have said regularly that much of the loss from a ransomware attack is directly related to the response. Colonial Pipeline is a good example of that: it was their response that actually shut down the pipeline, not the ransomware attack itself. Most healthcare organizations have implemented at least some responsive measures, such as Security Information and Event Management (SIEM), and those can certainly be added to or improved with add-ons like Security Orchestration, Automation, and Response (SOAR) that drive down time to remediate (TTR). Ultimately, TTR is where it gets terribly expensive, because for every minute of downtime, organizations are losing productivity and revenue. Beyond improving or adding to the solutions you have in place, though, healthcare needs a bigger, more transformative way to engage.


Improved Information Sharing Models Could Reduce Time to Remediate

So, how can we better respond? Through access to incident information from Information Sharing and Analysis Organizations (ISAOs), managed more efficiently by a team of experts like TRUE. An information sharing model that makes threat intelligence more widely available places experts as guides. With experts like TRUE engaged in the process, not only would this become a PREVENTATIVE measure, but it would greatly reduce time to remediate (TTR) in the event of an incident.


TRUE is proud to lead the way with ransomware response. Jerald Dawkins is working with other industry leaders to grow and build U.S. security communities that facilitate better information sharing and stronger collaboration.


Our 100% U.S.-based, 24/7/365 Security Operations Center (SOC) provides world class Incident Response, endpoint and network security monitoring services, and more.
