Avoiding Your Own “Internal State of Emergency”


Just this week, two more hospitals in the US publicly announced that they were hit by ransomware. Alvarado Hospital Medical Center and King’s Daughters’ Health joined the ranks of Methodist Hospital in Henderson, Kentucky, Chino Valley Medical Center and Desert Valley Hospital of California, all of which were attacked and had their data held for ransom. Although these organizations are said not to have paid, an earlier attack on Hollywood Presbyterian Medical Center in Los Angeles ended with that organization paying a ransom of about $17,000.

While ransomware has been around for a decade, healthcare organizations have become a prime target: clinical operations cannot tolerate downtime, so a hospital whose records are locked is under far more pressure to pay than most other victims.

We maintain that the bigger threat to data security is the belief that “it won’t happen to us.” It’s not a scare tactic, but a present reality that a security incident is more a matter of “when” and not “if.” Additionally, hospitals have been notoriously slow to train staff to identify potential threats and what to do if something is suspicious.

Consider: 81% of healthcare executives say their organizations have been compromised during the past two years. The near-universal assumption that cyber-attacks only target “someone else” is precisely what creates the environment that allows cyber-crime to thrive.

How can your organization not just minimize the likelihood of a ransomware infection, but also respond effectively and quickly when one occurs?

1. Stay fit and fast
A well-exercised incident response plan is critical, but speed-to-response is equally important. Your incident response plan should be created or amended as part of a vulnerability assessment and risk analysis, including a business continuity and impact plan. What is key, though, is that the plan be alive and active. Every three to six months, your incident response team should review the plan, test it, and update it as needed. We believe that the best ways to stress-test an incident response plan are to run “real world” drills and to conduct tabletop simulation exercises.

2. Prepare for the next attack
While a breach or incident, like a ransomware attack, is disruptive, an organization should ensure that the vulnerability that led to the exposure is remedied before its data is restored. Once attackers have found a way in, they will try to get the most out of it, which means you are still at risk after an incident, and a restored system that still has the same weakness (or the same compromised credentials) will simply be hit again. As part of any incident plan, there should be a second-tier process to identify the current gap and assess for other vulnerabilities. In fact, restoring too quickly after a ransomware attack can give criminals access to still more data to compromise as they lock up your back-up data as well. This is why a hybrid approach to back-up is prudent: keep an off-site, off-line copy of the latest data, not just online back-ups that are reachable with the same credentials the attacker already holds, and verify that a back-up generation is still intact before you restore from it, rather than discovering during the restore that it was encrypted along with everything else.

3. Realize that there may be some data loss
After any breach, it takes time to launch the incident plan and act on it, and some data will be lost in that window. It is important to include steps to continue operations despite that loss, which, at a minimum, could be a half- to a full day of data: everything created since the last back-up that is known to be clean. With that in mind, your incident plan should include continuous redundancy and frequent back-ups to minimize disruption, and your back-up schedule should be chosen deliberately against the amount of data loss each unit can actually tolerate.
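The two points above, remediate and verify before you restore, and measure your data loss as the age of the newest back-up you can trust, can be turned into a concrete check. The script below is an added illustration for this post, not BluePrint’s tooling or anything from the hospitals named above. It assumes that each back-up generation is a directory with a `manifest.json` written at back-up time, that the manifest is authenticated with an HMAC key held only on the (off-line) back-up host, so that an attacker who encrypts the files cannot rewrite the manifest to match, and that the file names, key and timestamps in `demo()` are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def _file_digests(backup_dir):
    """SHA-256 of every file under backup_dir, the manifest itself excluded."""
    digests = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            if name == MANIFEST:
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                digests[os.path.relpath(path, backup_dir)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def write_manifest(backup_dir, key, created):
    """Record the generation's file hashes plus its creation time (Unix seconds),
    authenticated with an HMAC key that never leaves the back-up host."""
    body = json.dumps({"created": created, "files": _file_digests(backup_dir)}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump({"body": body, "hmac": tag}, f)


def verify_backup(backup_dir, key):
    """Return (created, problems). Empty problems means the generation still
    matches what was recorded when it was written."""
    try:
        with open(os.path.join(backup_dir, MANIFEST)) as f:
            wrapper = json.load(f)
    except (OSError, ValueError):
        return None, ["manifest missing or unreadable"]
    body = wrapper.get("body", "")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper.get("hmac", "")):
        # Forged or regenerated manifest: trust nothing else in this generation.
        return None, ["manifest HMAC mismatch"]
    recorded = json.loads(body)
    current = _file_digests(backup_dir)
    problems = []
    for rel, digest in recorded["files"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")      # e.g. renamed to *.locked
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")     # e.g. encrypted in place
    for rel in current:
        if rel not in recorded["files"]:
            problems.append(f"unexpected: {rel}")   # e.g. ransom note, encrypted copy
    return recorded["created"], problems


def newest_clean_generation(generation_dirs, key, now):
    """Verify every generation and return (dir, hours_of_data_lost) for the newest
    one that passes, or (None, None). Uses the authenticated creation time, not
    file mtimes, which ransomware rewrites."""
    clean = [(created, d) for d in generation_dirs
             for created, problems in [verify_backup(d, key)] if not problems]
    if not clean:
        return None, None
    created, gen = max(clean)
    return gen, (now - created) / 3600.0


def demo():
    """Constructed scenario: two nightly generations (30 h and 6 h old); ransomware
    reaches the newest, still-online one. Returns what the checks report."""
    key = b"offline-host-only-key"  # assumption: lives only on the back-up host
    root = tempfile.mkdtemp()
    try:
        now = 1_700_000_000.0
        gens = []
        for name, age_h in (("gen-0", 30.0), ("gen-1", 6.0)):
            d = os.path.join(root, name)
            os.makedirs(d)
            with open(os.path.join(d, "patients.db"), "wb") as f:
                f.write(b"sample patient records " + name.encode())
            write_manifest(d, key, now - age_h * 3600)
            gens.append(d)
        # Attack on gen-1: overwrite with ciphertext-like bytes, rename, drop a note.
        victim = os.path.join(gens[1], "patients.db")
        with open(victim, "wb") as f:
            f.write(os.urandom(64))
        os.rename(victim, victim + ".locked")
        with open(os.path.join(gens[1], "README_RESTORE.txt"), "w") as f:
            f.write("pay up")
        _, newest_problems = verify_backup(gens[1], key)
        picked, hours_lost = newest_clean_generation(gens, key, now)
        # Attacker also tries to regenerate the manifest without the real key.
        write_manifest(gens[1], b"wrong-key", now)
        _, forged = verify_backup(gens[1], key)
        return {"picked": os.path.basename(picked) if picked else None,
                "hours_lost": hours_lost,
                "newest_problems": sorted(newest_problems),
                "forged_manifest": forged}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the newest generation fails verification (a missing `patients.db`, an unexpected `.locked` copy and a ransom note), the checker falls back to the 30-hour-old generation, and the reported loss is 30 hours rather than the 6 hours the schedule promised. The HMAC is what makes the fallback trustworthy: without it, an attacker who can encrypt the back-up files can also rewrite a plain hash list to match them. The same key-on-the-offline-host assumption is why the off-line copy has to be genuinely isolated from the credentials used on the production network.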

4. Circle the wagons
Before and after a data compromise, like a ransomware attack, your security team should review your maintenance procedures for the blind spots that tend to give attackers quiet, persistent access. Weak employee security awareness and missing software patches are the easiest vulnerabilities to exploit in most organizations, so employee training and close scrutiny of BYOD policy are critical. Organization-wide vulnerability assessments are your best bet to identify cracks and holes in your security program and capabilities. And, because an effective security program is not just a concern for the IT department, all organizational units should contribute to and adopt the updated procedures.

At BluePrint Healthcare IT, we offer full-scale security, privacy and compliance services for healthcare organizations and other covered entities. As a HITRUST assessor and advisor, we can help you plan, prepare and respond effectively.

To learn more about our Vulnerability Assessment and Risk Analysis, our tabletop simulation service or our virtual CISO program, contact Vikas Khosla, President and CEO, at vikas.khosla@blueprinthit.com.

More about the author...

Doug Vitale, a Senior Information Security Analyst for BluePrint Healthcare IT, specializes in gauging organizations’ end-to-end security postures, performing in-depth vulnerability assessments, and producing accurate reports for efficient deficiency remediation and security program improvement. These activities are performed with detailed knowledge of leading cyber-security frameworks such as the NIST Special Publications, the NIST Cybersecurity Framework, the ISO/IEC 27000 series, the CIS Critical Security Controls, PCI DSS and HIPAA/HITRUST.