Building up a defense

A cyberattack will probably hit you at some point. Here’s what you need to do to be prepared.

Cyberattacks against practices and healthcare facilities continue to increase, so for most doctors, it’s not a matter of if their practice will come under attack, but when. We spoke with Ferdinand Hamada, managing director, MorganFranklin Consulting, Healthcare Cybersecurity Practice, about the growing cyber threat in health care and what steps practices can take to protect themselves.

[Editor's note: The transcript has been edited for clarity and brevity.]

Medical Economics: Why are cyberattacks in health care increasing in number?

Ferdinand Hamada: There's a lot at stake within cybersecurity, within what the targets are for these cybercriminals and threat actors. These threats are real and have gotten even more sophisticated throughout the years. For companies, hospital systems and the like, this has become a top risk. From an enterprise risk management standpoint, it's a boardroom discussion. It's now probably one of the top two or three risks with the executive leadership team. It goes without saying, but the repercussions of a cybersecurity incident is really paramount for any organization, any health system, because of the financial and brand reputation implications that it has.

Now fast forward and we’re dealing with COVID and the issues that we've gone through with this global pandemic, that has created a marked increase in likelihood around the threat level of a cyber event. There's the cyber criminals that are targeting disruption of supply chain, stealing intellectual property, nation-state attacks seeking to influence socio-economic factors—these cyber criminals and malicious insiders are seeking profit and personal gain.

So, really, the bottom line on why the attacks are increasing is because one, there's the notoriety of claiming that you're responsible for the Colonial Pipeline, or the Kaseya attack that took down hundreds of businesses, or the exfiltration, of government sensitive data, or private pharmaceutical formulations of the vaccine as an example. A lot of it is hackers having the benefit of the technological advancements, having increased systems, due to global connectivity, cloud applications used to store personal and sensitive information, all of this type of information leads to financial and monetary gain. The cybercriminals have been taking medical records, which are the most complete sources of information—payment, credit card information, general personal information. And this has been a major target because this is expensive personal data that they put up for sale. It's really around that financial gain. The last thing here is really around ransomware, and the uptick in ransomware throughout the years. Ransomware is run as a business these days, and most high profile ransomware operations are run as affiliate programs and the number of bad actors and affiliates who participate in these programs is increasing. They're seeing the demands because of the increased ransoms, and that's revenue for them. That's growing and encouraging other cybercriminals to enter into that market. So all of this, and the fact that cyber criminals can stay anonymous through the payments of ransomware through Bitcoin, all of this is really why we're seeing an increase in cyberattacks.

ME: How vulnerable are most medical practices to hackers?

Hamada: The unfortunate reality is that no one is really safe these days. You have to have a mindset of not if, but when, you're going to get breached. As I mentioned with COVID and health organizations, the focus should be on patient care, not cybersecurity. And these cyber criminals and hackers are looking to disrupt health care services. Hospital capacity has been a critical concern, and in some areas that could have resulted in loss of life. The cybercriminals have taken advantage of the increased importance of health care by making it a primary target for ransomware attacks, as an example, and the fact of the matter is there's a lack or under investment in the health care sector. Unfortunately, what you would think is fundamental security can cause challenges, and that's usually the root cause of a lot of these cyber incidents these days. They're not being managed appropriately. In addition to that, these organizations have been forced to become increasingly increasingly reliant on technology—digital service offerings, telehealth platforms—which is just another threat vector, which leads to additional risk of exposure and daily leakage of electronic health records. So, bottom line it, medical practices and hospital systems are extremely vulnerable because of these examples.

ME: What is an incident response plan for a cyberattack? And what does it look like?

Hamada: First and foremost, an incident response plan should be a fundamental process that is a core component to any sound security program. Really, what an incident response plan should be is an approach by any organization to really make sure that they're prepared. You don't want to be answering questions that have to be answered in a very stressful situation dealing with an incident or breach or ransomware or what have you, all these questions should be answered as part of your incident response plan. You need to be prepared. It should help you detect the incidents. They say that an incident or breach may not be noticed that for up to six months, so an incident response plan should provide the necessary controls and components to determine if you have an incident in place. The other aspect of an incident response plan is containment and ensuring that you do eradicate and remediate any issues that can happen. But it also acts as a communication plan, as well. Bottom line, you should think of an incident response plan as both an offensive and defensive control for your company. You need to start thinking this not as a cyber resilient, but more business resilience. Everyone has probably heard concepts around disaster recovery and business continuity plans, well, this is just as important. Having the right plan will help you quickly respond and reduce the downtime that you have to your environment, help with brand reputation, and ensure that you don't critically or adversely affect your brand. It can address financial loss quickly, as well, and at the end of the day, restore operations faster, limit downtime, and really maintain that public trust, if you have the right incident response plan in place.

ME: How often should an incident response plan be reviewed, and who should be in charge of it?

Hamada: At least yearly, at the minimum. We review our incident response plan twice a year, and we actually went through tabletop exercises to simulate an incident. I think that's important as well. It's better to fail at a simulation than in real life. It has to be a cross functional incident response plan and tabletop exercises, because the fact of the matter is, there could be other groups involved. It's not just an IT-driven exercise, it's not just an IT-driven plan. And what I mean by that, there's legal implications. There's obviously HR, communications, media—external media implications—depending on the incident, communicating up to your board, communicating up to your executive leadership team, all that comes into play around incident response plans, and timely tests of those plans. As it relates to who owns the plan, that varies depending on the organization. I go back to my point that it needs to be a cross functional plan, and ensures that everyone is involved in that, because of the fact that, if an incident happens, it will be critical for their involvement as part of it. I do recommend, though, that someone that has both the technical aspect that could speak to really understanding what the incident is, dealing with your incident response teams, forensic investigation, external third parties that you would need to bring to bear as part of remediation and resolution of that incident, plus having the kind of business savvy to talk to your customers, your board, etc. I think all those are critical to any incident response plan.

ME: How long can it take an organization to recover from a cyberattack?

Hamada: Unfortunately,the short answer is it could take years. And that is not just the the actual resolution of the incident, but going through and ensuring that this incident doesn't happen again and putting up programs and putting a plan together to address this on a more proactive manner. Implementation of technical solutions can take years, and digging out of the brand and reputational type of issues, that could take a while.

ME: Do you expect the number of cyberattacks against healthcare organizations to continue to increase?

Hamada: I do, unfortunately. Research data showed that health care would suffer two or three times more cyber attacks in 2020, and it happened, and ransomware attacks would quadruple by the end of 2021. And really, we're on track for that. Because of the fact that I mentioned that health care is now a primary target, and it is just so important, I do expect the number of cyberattacks to be increased. Unfortunately, we won't see that come down anytime soon.