HIMSS16: Protecting your data from ruthless ransomware

High-profile security breaches of medical data have physicians and concerned patients asking a lot of questions. How are attackers able to steal so much information? What can stop them?

Stephen Cobb, CISSP, senior security researcher for ESET, discussed the security of medical data at the HIMSS Annual Conference today in Las Vegas. He is a longtime security expert and has written numerous books on the subject.

Cobb’s presentations cover a wide range of topics, but there is one aspect of cybersecurity on everyone’s mind right now: ransomware attacks.

Providers such as Titus Regional Medical Center in Mount Pleasant, Texas, and the Hollywood Presbyterian Medical Center in Hollywood, Calif., have been hit hard by ransomware in recent weeks, being forced to either pay the attacker’s ransom or risk losing valuable patient data forever.

Ransomware is a serious threat, but Cobb detailed the various ways providers can stay secure.

“Your first line of protection against ransomware is good employee security training,” Cobb told Clinical Innovation + Technology. “Your second line of defense is anti-malware, and the third line of defense is your backup and recovery.”

It’s properly backing up your data, Cobb said, that may be the most important defense against these threats.

“The issue with backup and recovery is that you should really have it in place anyway,” Cobb said. “What if the hard drive fails? What if there’s a lightning strike? The first book I wrote, 25 years ago, had a long chapter in there about backup, because there are so many things for which backup is the last line of defense. It’s your baseline of defense in a way.”

Without the right backup, Cobb said, hospitals are leaving themselves exposed to attackers. And if ransomware hits a provider that is exposed, there’s no way around it: they’ll have to pay up.

“If you don’t have backup, then if the ransomware is properly written, you’re not going to get the data back unless you pay,” Cobb said. “Knowing the criticality of radiology results and the need to have access to those in a timely fashion, I think that’s an issue.”

Cobb added that finding the attackers responsible for these security breaches is a complex, difficult task. And part of the problem is a lack of resources.

“We—talking as a country—have miserably failed law enforcement in this regard,” Cobb said. “We have not equipped law enforcement with the resources that we would have if, say, your physical prototype of your next x-ray machine has been stolen and is being held for ransom. You’ve got law enforcement trained and resourced to respond to physical ransom situations. There are two main challenges when it comes to cyber ransom: It is actually more difficult to identify actors in cyberspace, and then you have the lack of resources on the part of law enforcement.”

With cybersecurity grabbing more and more headlines, Cobb said he’s watching closely to see if anything changes in 2016. Perhaps this will be the year that cybercrime gets the attention and resources it deserves.

Cobb also detailed some of the reasons attackers have been successful at obtaining medical data. User errors play a big role, he said, ranging from lost laptops to entire departments sharing a single username and password.

Cobb also noted that government has pushed hard in recent years for the healthcare industry to use EHRs, and that may have inadvertently led to some of the problems organizations face today.

“The federal government, over the last five years, has paid out a lot of money to encourage the adoption of the electronic health records,” Cobb said. “I don’t think that was done in a way that adequately prepared organizations for the challenges of cybercrime. I don’t think there’s any excuse to say, ‘We didn’t really know criminals were that interested in that data.’ The dark markets that fuel a lot of the cybercrime at the moment were in existence five years ago, ten years ago. I have a lot of sympathy for people in healthcare IT who, on one hand, are being pushed down the road of adoption and are, at the same time, struggling to get resources.”

He added that if the healthcare industry had been allowed to progress at its own pace, it would have still likely led to the widespread use of digital health records.

“If you look at how IT was being adopted in healthcare prior to the incentivizing, organizations were moving to electronic records, but they were doing it more organically, more slowly,” Cobb said.