Evolution of Ransomware Protections with Sirius and CrowdStrike
9th September 2021 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is the Evolution of Ransomware Protections. Our sponsor for today's segment is CrowdStrike, but we're also happy to be joined by our guest today, Matt Sickles.

th at:

We have the CIO for Sky Lakes Medical Center, John Getty, joining us. That is a health system that was ransomed. And we have Lee Milligan, the CIO for Asante. And Asante is the EHR host for Sky Lakes. They're the Community Connect partner for Sky Lakes, and they're gonna recount the events and the effects that it had on the interconnected health systems, some of the things that they did that, uh, they believed worked pretty well and some of the things that they think could have prepared them better for the event.

Uh, we're also happy to be joined by Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event straight through to the end, and I believe with his insights and the CIOs' experience, this discussion is gonna provide valuable insights into the best practices that are being adopted across the industry and maybe that you can adopt.

th at:

Our topic for today is the Evolution of Ransomware Protections. Our sponsor for today's segment is CrowdStrike, and let's get to it. Matt, this is probably the most timely topic going. Why is healthcare being targeted in these vicious attacks, and how is it going to be resolved?

So it's the easy attack vector right now. There is chaos with the Covid pandemic. We already have resources who have been giving everything that they have to a hospital system. It's tiring and everyone is exhausted. I think that that is one of the compelling reasons that healthcare is being targeted. Not so much for the perceived maturity level of any hospital system, but because it can inflict some of the most pain.

As we take a look at this, we're starting to see the dialogue change from cyber attacks into cyber terrorism, and this is really what we have seen with a pipeline that was attacked, that impacted fuel on the East Coast, all the way to the meat processor that was global impacting. And now we have these organizations that are really organized crime corporations going around.

They're looking for where they can inflict the most revenue, the most impact for people in a very straightforward manner. So healthcare during a pandemic has been a logical target.

I think I know the breadth of the problem 'cause I'm in healthcare, I'm talking to a lot of people, but every day I hear different stories.

And yesterday I heard a two-dentist practice that was ransomed. Two-dentist practice that was ransomed, because it's just email goes in, somebody clicks on it, they take control of it. Two-dentist practice, they ask Bitcoin. And it, it really is a, a criminal practice. Uh, my guess is I, I don't really, even with all the people in healthcare I'm talking to, I don't really grasp the scope.

events from:

2021. There is an additional 250, so we're dealing with nearing a thousand events that are being investigated. Through the portal, you can actually see if it is a hacking or an IT incident. When we get this type of compelling information, we know that there is a real risk here. But think about this ransomware problem on a larger basis.

While healthcare does the tracking and publishes that information, there's a lot of corporations that don't. They're dealing with the same problems. They have already solved for X, but they're just not sharing how they did it. Everyone is so introverted now on their security capability. They don't want to share that. In healthcare right now, the compelling change is now that these ransomware events are getting so fast and furious because they know that the hospital system is the last chance for patients with Covid-19.

in as the example. I. In late:

Well, now we're, you know, ranging anywhere from 40 to 60,000. So when you all of a sudden have a revenue source that's four times greater, just by giving a ransom of 70 Bitcoin, now you're talking millions and millions of dollars impacting an organization that may only have cyber insurance that covers up to a ceiling of a million, and the demand is for four and a half to 5 million.

So we're seeing these attacks. Healthcare systems are getting impacted, but the bigger question is this: a ransomware attack can turn into a destruction event very quickly. As the code and the lateral movement and all of the intelligence are being deployed, once they have decided to drop the payload and impact your organization, there's a lot that can go wrong.

So even if you do get back the key, you might not have complete data. So now we start to question, should we even buy our data back? Is our data going to be guaranteed that it wasn't already exfiltrated, shared and used for other nefarious purpose? And most importantly, are we going to be able to get Pandora back into the box ever in healthcare over time?

Possibly. But the ransomware problem has affected healthcare in an inordinate manner. I've seen a lot of the attacks now become so sophisticated that is now where sophistication is focusing healthcare, healthcare systems, and the vulnerable systems that are online.

So Matt, you've been at the table with these response units and those kinds of things.

I got my first phone call for:

I had never seen an attack that fast and I was just awestruck by what happened. Fast forward about 60 days, and we had one of the largest healthcare breaches that we got involved in. We actually had a call from their director of security at around 6:30 in the morning. They wanted to know if we had been hearing about any type of attack.

AM they had over:

all of a sudden sitting with:

Wow. Part of me that wants to ask, is this a fad? Is ransomware a fad, or are we gonna have the same thing, same focus three years from now?

Yeah. It, it will be a wolf in sheep's clothing with a different name. We're going to have something new. If I had to read the tea leaves of what I'm seeing for the sophistication, the trending that's going on in ransomware, as I mentioned earlier about destructionware, that can be an inadvertent exception.

You can start to destroy. But I think that targeted medical information is going to be a real possibility. Think about all the people who are in the public eye, who that if they had manipulated data information around their healthcare, it could lead to a different outcome. There could be health qualifications for someone running for presidential office that are manipulated.

We could have someone who is running for state and local government, those targeted attacks. I think that may be one of those future states in our threat vector that we have to look for. So let's go ahead and look at some of those capability and possibilities right now.

What do we have that could be effective in mitigating or controlling those types of events? But one of the key pieces of ransomware is you always have to think about your data validation. When do you know the data you have been trusting as your source of authority and your source of record for your operations and the continuity of care has been violated?

That data provenance is going to be one of the capabilities we really need to come up to speed on to protect against ransomware and the outcomes for that in the next 12 to 24 months.

I'm thoroughly scared. You've got my attention, and I think it's gotten the attention of everyone, right? So you have the president's initiative, President of the United States, President Biden's initiative.

You have a focus at that level. You have focus across several industries. At JP Morgan this past year, uh, better than half of the CEOs in healthcare got up and said, cybersecurity is a priority, but what does that mean? When, when they say cybersecurity is, is a priority, and me as a, as a journalist, what's the follow on question to say?

Is it a priority? Are we making a priority? What do they need to do to make it a priority moving forward?

Yeah, say it out loud, say it often. Uh, repeat it and make it part of the beginning of every discussion related to information. So if it's information technology, information security, it just has to be omnipresent in the conversation. We saw a lot of activity.

Take a look at what strides we have taken over the last 24 months. We went from the identification of a retrovirus out in the wild to a vaccine that is in the arms of a large portion of the United States and the world. As we're starting to see how we can affect security, why not go ahead and do some of those analytics, go ahead and build up some of those net new things.

Operation Cyber Speed should be a priority for the government right now, the states, the organizations, private industry, because if we don't collaborate and start to share what's really going on in an open format, we're going to be at a disadvantage. We're not going to have the intelligence and information for when the next compelling event occurs.

We know now that a lot of the endpoint detection response systems are early warning indicators. A lot of our partners, as they run their security operation centers for the intelligence of that data, they now are making some of the first phone calls. So I think that one of the most important things we're going to have to do to circumvent the pace of ransomware is to protect the keys to the castle.

We have to make sure that all of our information is isolated. Then we have to make sure that we're looking at how we can not only technically control this, but administratively control this information because that is going to be one of the most important pieces.

We know that we have gotten a great response from doing education around phishing attacks and other mail, malware vectors. But what we don't have right now is that holistic understanding, that broad understanding of how the, the day-to-day operations of healthcare system can impact patient data and it can also affect the revenue stream for a hospital system.

You know what Matt? A lot of times I hear leaders talk about how much money we're spending on cybersecurity as the metric. I hear, oh, JP Morgan spends X amount of money on cybersecurity. That means it means something. I don't know what it means, but that's the metric I hear the most. Uh, what I want to ask you though is what is the metric?

If I were to hold health system leaders feet to the. It's not necessarily how much money they spend, it's, it's really outcomes. So what, what kind of metrics would I look at to say, alright, we're being effective here. Yeah, you brought up an interesting point. So think about this. Security and the securing of patient information may not be a return on investment.

It may be a return on expense. So we have to come up with some calculus that we understand what it's going to cost. You can get that out of your electronic health system. We have some clients who have gone through breaches that have seen cost between 8,000 and $10,000 a minute as they're taking downtime in a ransomware event.

That's the revenue impact. That's the ability to provide care. So what we have got to do is we have to come up with a lot of these controls for visibility. Knowing early that something is going on, having an incident response plan, that response plan being modern, and now being able to ensure that it is going to be reliable.

One of the most horrible things that we're seeing in almost every ransomware attack is the elevated permissions to the active directory are integrated with backup systems. Once the backup systems have access, they're going and deleting the schedules. They're going and deleting the data on the backend, and they're rendering any recovery from your backups unavailable.

You cannot restore, so you have to start from scratch. We've seen this multiple times now. In fact, we're a hundred percent on that attack approach is one of the first systems they gain control of is a single sign-on accessible backup system with the keys to the castle and the history of the company.

And they're able to destroy that and now start to go through all of these side systems and the attached systems and the attached companies, third party agreements, and then infiltrating them as well. So that's where we have got to focus our energy, is a lot of protection. We have to also focus on awareness.

And then most importantly, education. Final questions are the title of this is Evolution of Ransomware Protections. Are we seeing tools? Are we seeing new protections come about as a result of what we're learning? We are, and I think some of the most compelling changes in the technology is, uh, a lot of that threat modeling.

We're seeing the threat intelligence and the application of threat modeling and intelligence to the tool sets that is advanced intelligence machine learning that's coming in, uh, and being a real tipping point. That is where we see a lot of the change coming as I look for. I, I've been in this 30 years, I have to start to think about what is going to be my exit strategy from the industry?

Do I want to teach? Do I want to lead or do I want to turn wrenches? Security lets you do all of that, right? So we have to be effective in our controls. We have to also be having those open conversations of what is our limit? What do we really want to do? And you said, let's not look at the dollar amount.

But it is complete and utter buy-in from leadership, from the medical side, the administrative side, and the operation side. In a concerted effort. That's the only way that we're going to have any resolution or advanced protection is that single culture change that gets us down that path. Matt, that's fantastic.

Special thanks to CrowdStrike for their partnership and making this content possible. Matt, as always, thank you for your time. I learned just a ton from these conversations.

Awesome. Thank you, Bill. Really appreciate it.

What a fantastic conversation. We wanna thank our sponsors, Sirius Healthcare and CrowdStrike, who are investing in our mission to develop the next generation of health leaders.

Thanks for listening. That's all for now.
