In this episode, we are joined by Jenna Waters, cybersecurity consultant for True Digital Security, to discuss how malware and ransomware attacks could affect your HIPAA compliance standing.
Highlights of this episode include:
- Ways in which healthcare facilities are more vulnerable to malware attacks in 2021.
- Why ransomware is a dominant attack method on healthcare organizations.
- Why small to mid-size healthcare organizations need to worry about OCR audits.
- What additional steps can hospitals take to sufficiently protect themselves from a successful cyberattack?
- And more…
Mike Passanante: Hi, this is Mike Passanante and welcome back to the award-winning Hospital Finance Podcast®. Even as COVID-19 remains the focus of our health care providers, cybersecurity threats loom. Today’s guest, Jenna Waters, works as a cybersecurity consultant at True Digital Security, where she specializes in assisting clients with cybersecurity program development, cloud security, and threat intelligence. She collaborates with clients to create and execute strategies to assess, test, and improve cybersecurity strategies, controls and compliance. She is also a dedicated consumer and data privacy advocate. Jenna, welcome to the show.
Jenna Waters: Hi, Mike. Thanks for having me.
Mike: So, Jenna, we have a lot to cover here today, so why don’t we jump right in. When you think about 2021 in a healthcare provider’s facility, what are the risks of getting hit with malware?
Jenna: Think of all the possible avenues. A modern health care facility, whether that's a clinic or a hospital, can have any number of attack vectors, and honestly, COVID-19 has only expanded the attack surface for these organizations. I mean, they range from laptops used at the front desk to iPads used by doctors and nurses to access important patient records. A hospital or a health care provider has countless IoT network-connected devices, so you're just looking at a very large attack surface. And it's only growing, especially now that we've added in telehealth or remote care devices for at-home patient care, as well as the rise of remote work for non-essential employees, so people like accounting, records, and even us IT folks. Home networks and devices aren't exactly known for their robust security, so they're often left unprotected and quite vulnerable to attack when they're not connected to, say, the hospital asset, which would often go through a VPN, which would add to their protection. But as soon as they're offline, they become open to attack. So we're really seeing a huge increase through these facilities.
Mike: Yeah, it's probably not surprising that there are more vulnerabilities out there. Now, Jenna, when most people think of malware, sometimes it gets sort of joined with the idea of a ransomware scenario. So you come to work. You can't access your systems. Patient care can't happen until you pay some sort of a ransom. How has that changed in 2021?
Jenna: So, well, ransomware is still a very dominant attack being perpetrated against organizations within the health care industry. We are starting to see a rise in what's called cyber extortion. So it's kind of like in the old mafia days. Cyber extortionists basically access your data. They either exfiltrate a copy or retain persistent access and basically tell the organization that you have to pay them X amount of money, which is usually a lot, for the safety of your business and to protect that sensitive or critical data. These cyber extortionists typically can harm your reputation, your property, or leak or sell this information online. And we're talking very sensitive patient data, PII, and sometimes even patented information or trade secret type information. And these are highly targeted, layered attacks in which malware, or the ransomware cryptolocker malware that we're used to hearing about, is only one part of that process. But it's more about the retrieval of the data than it is the encryption or destruction of it. And the main concern with this sort of attack is that a backup can't be your get-out-of-jail-free card anymore, and cyber insurance can only help mitigate immediate financial loss if there is any. Because once the criminals have that sensitive data or access to that critical system – and remember, it's persistent access, so they're going to be in multiple avenues – then you may not find all of them. There's really not much you can do about it. And even if you do pay them – I mean, these people aren't angels, so they could release or sell this information anyway. So because of this, a prevention and mitigation strategy is really imperative for organizations to put their focus on.
Mike: So Jenna, it's 2021, why aren't most people catching these attacks by now in this day and age? I mean, we have antivirus, we've got all this technology. How are they still getting through?
Jenna: Well, so traditionally, antivirus kind of works through signatures. Essentially a signature is like a fingerprint associated with a malicious attack, and it really requires recognizable attack types and malware strains, and signature-based malware detection software often looks for these signatures in order to quarantine, block, and protect your assets from a known attack. But attackers are smart. Security is constantly a game of Whack-a-Mole, and they've advanced in their malfeasance. Their attacks are now designed to circumvent traditional antivirus detection, specifically these signature-based technologies and even some sandboxing capabilities. So these targeted attacks keep coming in, and they're going to find a way in, especially if they're dedicated and motivated to get through. So what we typically recommend is that entities be able to assess the potential intent of an attacker by identifying sensitive and critical data, and ensure that we're implementing a more robust heuristic technology on top of your traditional antivirus that can provide a lens into behavior-based clues, anomalies and threat themes as a layered security approach, instead of just relying on antivirus, as we have been.
Mike: Jenna, a lot of experts looked at reports of lower cyber incidents in 2020 as essentially people neglecting to report those incidents due to pandemic chaos because all the other numbers showed a likelihood of increased attacks. What’s your take on those trends?
Jenna: So you're right. I mean, plenty of the turbulent events exposed some pretty volatile vulnerabilities, particularly within the health care industry. And I mean, we saw in October 2020 from the FBI and other federal agencies that there was a lot of credible information of an increased danger of cybercrime attacks, particularly targeting the health care industry, such as the ransomware and the extortionware. And even in September 2020, we saw a ransomware attack that crippled like 250 US facilities of Universal Health Services. Well, this forced doctors and nurses to rely on paper and pencil for record keeping and patient tracking, and it slowed lab work, all in the middle of a pandemic. So, yes, we are seeing less reporting of these events. Absolutely. But that's because we're in the middle of a pandemic, and that's likely to continue to be the trend so long as we continue to strain our health care system, unfortunately. Because if I was an attacker, this is the precise time I would be striking. You always attack when your adversary or target either least expects it or is at their weakest. And COVID-19 has forced hospitals and health care providers into that corner. So we're going to continue to probably see a very low trend of actual reporting. But over time, the trend of attacks that we're going to see is going to probably go up.
Mike: That's not very encouraging, is it?
Jenna: Not really.
Mike: So Jenna, I want to talk to you about facilities that are not necessarily the hospital. So typically non-enterprise healthcare organizations don't maybe worry as much about OCR audits, where they could be fined for violations like exposing patient data. But we know many doctors' practices do the bare minimum for IT and cybersecurity. They don't worry about those audits as much. Do mid-sized or smaller health care organizations have anything to worry about?
Jenna: Well, yes. That's the short answer, yes. Given enough time, what we're likely to see in the way OCR audit fines have been set up for a number of years now is that the previous year's fines go towards hiring new auditors, which builds out their oversight capabilities for the following years. So we're seeing an increase of auditors and a broadening scope of audits and enforcement to reach smaller organizations. And what we're also seeing in the current federal leadership change is that the current Biden administration is actually starting to signal a focus on efforts to protect citizens' data privacy, which will include patient rights and strides towards patient data protections that align with HIPAA and HITECH. And we're going to see that shift very quickly over the next few years. We're likely to see OCR audits start going into these smaller organizations, and we're going to start to see them being more regularly audited and held accountable. So it's really good to keep that at the forefront of your mind if you're a smaller– a doctor's office or a smaller clearinghouse, that perhaps you should look at HIPAA and HITECH a little bit more closely and see what you can do to strengthen your security posture now rather than waiting for OCR to come knock at your door.
Mike: That sounds smart. Jenna, how can people protect themselves against malware, and is compliance with HIPAA's security and privacy criteria sufficient to protect hospitals or other entities from a successful cyberattack?
Jenna: So the basics– but my basics tend to be very different from other people's basics. So the first thing that organizations, no matter what size, can do is identify your sensitive and critical information. So your PII data, your electronic health data, your employee– this will also include your employee information, and then ensure that you have adequate controls in place, specifically around access control and monitoring. And the reality is that a lot of times, outsourcing this type of work, particularly for smaller organizations, may seem like a big hit at first. But it's a little– but it's better to outsource it to experts who know what they're doing, who can monitor your back end 24-7, 365 using an expert security operations center, rather than relying on that one great IT guy who's really smart and intelligent but who is really busy and stretched way too thin. So that's an avenue that people can definitely look at: outsourcing that type of activity, because, again, a hospital or a healthcare provider, their focus is on patients, not on their Active Directory. And they need analysts watching systems who are ready and trained to jump in and stop an attack at a moment's notice. We've already listed the vast number of attack vectors that could be used.
So even if you do everything you can, the chances are you'll miss something somewhere. And it used to be that only enterprise-grade organizations could afford those outsourced, third-party solutions. But a lot of times, many of these organizations have become much more accessible and cost-effective, even for the smaller healthcare provider. And you really have to look at it as a cost and benefit scenario.
Now, to your compliance question: does compliance with HIPAA protect you from a successful cybersecurity attack? Ultimately, no. So, compliance with any federal regulation or industry regulation should not lull anyone into a false sense of safety or security from hackers. It's a great starting place. It's absolutely essential; you need these compliances just for the sake of your business continuity. But these threats can be both internal or external. And I work with white hat hackers every day. I can tell you from experience that the level of creativity these guys can demonstrate when faced with a challenge is unparalleled. So, we have a saying at our office that compliance doesn't equate to security. And I believe that. I think that you can't look at compliance and say I'm secure. But the way that security– doing your due diligence, implementing an adequate security strategy that layers technical controls, tools, and expertise, even if you have to kind of outsource some of that, and regularly testing and assessing your security posture is really the only way to truly mitigate the risk of cyberattacks. And in that case, security, if you do it– if you do your due diligence, and you implement a really well thought out security strategy, and you take advice from experts who know how to do this, then that can eventually equal compliance. So that's really my answer to that one.
Mike: That’s great advice, Jenna. If someone wanted to get in touch with you and learn more about what you do at True Digital, where can they go?
Jenna: They can go to www.truedigitalsecurity.com. Or if they want to reach out to me directly, I am on LinkedIn under Jenna Waters.
Mike: Jenna, thank you so much for joining us today on the Hospital Finance Podcast.