Ransomed Health System - Lessons Learned - Day 3
Episode 117 • 17th June 2021 • This Week Health: News • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

Today in Health IT, the story is learnings from living through a ransomware attack. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Health Lyrics is my company. I provide executive coaching, advisory services and board participation for health leaders around technology and IT.

If you wanna learn more, check out healthlyrics.com. Alright, here's today's story. This is a continuation, as you know. I found a 50 minute video on YouTube that is a recording from the CIO at Sky Lakes Medical Center in South Central Oregon, and they were talking about their six month journey after a Ryuk ransomware attack back in the fall.

This is the conclusion to that story, and they share what they learned. We're gonna go through that and then I'm gonna share what I learned, or what we learn from this. If you missed it, go back and listen to Tuesday and Wednesday's shows. Tuesday we described the experience, what it's like the day after the ransomware attack, and the experience going into day 30 of a major system outage.

Wednesday we talked about the steps they took, and are taking, to bring everything back online. And today, the so what for this story: what did they learn and what do we take away from the story? So here we go. Here are their findings, and their findings are big takeaways. This is the title from the slide. Paper, right?

So you have to have the tools of the old ways in order to make it work. Paper, toner, paper processes, those kinds of things. Another thing to remember is that you probably have some providers within your system that have only worked in the EMR. They have not worked with paper processes before, and you may need to educate them on those paper processes.

A lot of times what we do is we do all of our downtime procedures when it's least obtrusive to us, so we'll do it on the night shift. So our night shift is phenomenal at working without the EMR, but our day shift, not so much. So just keep that in mind. Another thing they share is a massive backlog of paper post outage.

So they have, uh, stuff to be scanned, coding, billing, clinics, MD signatures, you name it. They have to do all that stuff. They share this: how to prevent this in the future. Good backups, obviously, number one. Number two, security operations center, seven by 24, 365. Education is your first line of defense. Uh, I'm not sure I agree with that, but education is an important line of defense.

Uh, playbook for extended outages, absolutely. Plan for rapid deployment of new systems. Absolutely need to do that as well. Get down to as few images as you possibly can. Make sure you can roll them out very quickly. Make sure you have images of the servers and the, uh, lower level operating systems for your primary systems.

And you know, documentation. Just document, document, document. Know what you have, be able to access that. Don't put it on your shared drive and then lose access to your shared drive and not be able to get to it, right? So they have strategic recommendations and priority. This looks like it is a slide that was given to them from their consulting organizations, and they used two during this.

And so they have priority and they have recommendation. High priority items are: implement multi-factor authentication. That makes sense. Number two, continuous monitoring. Makes sense. Medium, centralized log repository. Also medium, incident response team on retainer. Okay, low, incident response plans and playbook.

And also a security awareness program. I'd probably add a couple things to that, but those are their findings. All right, so we had three slides: big takeaways, how do we prevent this in the future, summary of strategic recommendations. And I'm, I'm not gonna speak to that specifically. I'm gonna just say, after just hearing the story, what they went through, what the use cases were and how they responded to this.

Here are some of the things that I take away from this. One is, they did not implement their software. The software they purchased from Cisco, I forget the name of it right now, but that was their endpoint security solution. So they had started it. They hadn't finished it, and even on the machines that it was deployed on, it wasn't fully configured.

You know what? Don't buy software if you're not gonna implement it and implement it correctly. It's a waste of money, especially on the security side. You have to follow through on this stuff and follow through as quickly as you possibly can. So don't start software projects you can't finish. The, the second thing I would say here is it didn't feel to me like they had a strong business continuity, disaster recovery plan, if they had one.

Like we had, we had one that was a couple-day plan and those kinds of things, but we were in Southern California, so we had earthquake preparedness and we expected to have major systems down for, uh, weeks, if not months at a time. And so we had BCDR plans around a multi-week outage, and I think we need to go back and look at our plans, make sure that they're succinct, easy to read, and you don't want a big binder.

You want something that people can grab, see it very quickly, visually see what systems are critical, which systems aren't. Our guest on Monday's show is Carl West, former CSO for Intermountain, and currently with Sirius Healthcare, and he shares that they had a criticality matrix. So they took all of their applications, they identified the criticality of each one, which one needed to come up for patient care immediately, and then so forth and so on down the line until you got to the systems, quite frankly, that you could probably do away with, but they just happened to still be on your network.

So a good BCDR plan did not seem to be in place, and I got that from the fact that they were making lists of which machines to bring up first, or which systems to bring up first. That should all be done before there's any kind of problem. And the primary reason you want to have that done today is because if not, you get into a back and forth.

That is what happens when you're down. You don't want to be trying to figure out which one should we bring back up. You want that to be in place, because it's somewhat a political conversation, 'cause somebody will say, well, you need this, you need this, you need this. And if you're in the middle of an emergency, you're gonna have trouble really triaging all those requests.

You just want to know, this is most important. We decided this. This went through governance, and that's the way it goes. You know, patch management. I didn't hear much about patch management and those kinds of things. I also didn't hear that the right tools were in place prior to this, so I would really go back and look at the right tools.

The email that came across on this should not have gotten through. It was a pretty unsophisticated email. The links were obviously to Google Drive. They're probably a Microsoft shop. There's a lot of things that were really suspect about this. The email just shouldn't have gotten through. A Proofpoint solution or something like that

would've caught this and kept it from getting to the user. Not that they're foolproof. You still need to do education. Education is very important, but the right tools being in place are gonna reduce the number of times that the user's given the opportunity to click on the wrong thing. The other thing is it sounds like they did not have proper network segmentation.

It sounds like they got to a single computer and they were able to get to everything. They were able to get to the crown jewels of the health system through that one computer. That would lead me to believe that segmentation was not in place. That should not be allowed to happen. You shouldn't have a zone that is that big or goes that far across the health system.

Now I understand how this happens. You have a small IT team. You want to make things not complex. You wanna simplify everything as much as possible, but that is not the case in the network. We used to think that way in the network back in the early days. At about 2010, 2011, we thought, you know, let's flatten the network and make it easier.

That went by the wayside as cybersecurity professionals came in and educated us on the fact that you need this network segmentation in place so that you can limit the flow of traffic and how traffic moves across your network. And yes, it does increase the complexity. And yes, from time to time that will cause someone not to be able to get to something you think they should be able to get to.

So it does require some thought. It does require some work, but network segmentation is your friend, especially during a ransomware attack. One last thing, and this is probably more of a pet peeve than anything, but we need to stop using this phrase: "It's not if, but when." I'm not sure where it came from, but it's, it's just bad.

It communicates the wrong thing to your staff and your organization. You will be attacked. I will agree with that a hundred percent. We were attacked relentlessly when I was a CIO for a health system. I mean, we used to look at the logs and see, you know, how many attacks were coming in a day. We had, uh, I don't know how many ransomware-type attacks and, and those kinds of things.

Infiltration attempts and whatnot. So you will be attacked. You know, from that perspective, it's not if, but when, but that's happening every minute on your network if you're a healthcare system, right? So, uh, the next thing is you will be infiltrated. And so if you're saying it's not if, but when you'll be infiltrated, you've already been infiltrated. Expect them to get in.

There are too many ways for them to get in. Expect them to get on your network. They could do it physically, they could do it in your lobby. They could do it through some kind of email phishing attempt, which is their number one way of getting in these days. But you will be infiltrated. Design around that.

They should not be able to get away with your crown jewels. That really is the role of IT. Your job is to ensure that you have the right tools, process, education, architecture, partners, services, and policies to ensure that even if they get in, they can't do much harm. They definitely shouldn't be able to lock down all your systems from a single person in your organization clicking on a link.

You know, that's the level of service we have to deliver as IT, and if you're saying it's not if, but when that we succumb to a ransomware attack, you are communicating absolutely the wrong thing to your organization. Yes, they will get in, but you need to have the mechanism in place to detect that very quickly, to respond very quickly and to recover very quickly.

It needs to become a minor incident when they do get in and they do initiate a ransomware attack. If you can't deliver that level of service, you need to be honest with your management and your board. I'm willing to say that you and I can't do miracles. If you don't have the budget, people and, and commitment from the organization, you're not gonna be successful.

There is no magic bullet. I can't make it happen. No consultant's gonna come in there and make it happen for you. You, you need those things. You need budget, you need people, you need commitment from the organization, period. All right. And Sky Lakes likely didn't invest in IT, at least at the right levels.

They likely looked to IT for budget cuts. They place demands on them for new capabilities, services and applications, but don't wanna spend any money on patching, upgrading hardware or security. Who does? It doesn't drop to the bottom line. It doesn't look real fancy. It doesn't create a press release of any kind, but that's the price of admission.

If you're a CEO and can't convince your board to invest in cybersecurity, you may as well go back to paper right now and stay on paper, because you're just a sitting duck in this world that we live in. Alright, that's all for today. Don't forget to check back on Monday for our Newsday episode. I take this same video and I go through it with Carl West, the former CSO for Intermountain, and current advisor with Sirius Healthcare, who has extensive experience

with ransomware attacks and cybersecurity in general. So we, we go through this and we pick it apart. So if you really wanna go into this even more, Monday is a great show. I learned a ton from him. If you like this kind of three-day look at this kind of content, let me know: bill@thisweekinhealthit.com.

All right. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher. You get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: VMware, Hillrom, Starbridge Advisors, McAfee and Aruba Networks.

Thanks for listening. That's all for now.