As part of the HIMSS Healthcare Cybersecurity Forum virtual event December 6-7, Aimee Cardwell, the chief information security officer for the UnitedHealth Group at Optum Technology, will dig into the subject of ransomware in an educational session entitled “Ransomware: Today’s Threat Landscape.” Optum Technology is UnitedHealth Group’s IT and services subsidiary.
Ransomware continues to expose the vulnerabilities in the global network from the government to infrastructure to hospitals. In this session, Cardwell will discuss the current threat landscape and the ransomware to watch out for.
In a sneak-peek of the session, Healthcare IT News interviewed Cardwell to get her to explain the cybersecurity landscape and some of the best defenses against ransomware.
Q. What is the current threat landscape for healthcare organizations?
A. We see three major categories of threat. First, ransomware. According to the Wall Street Journal, ransomware has become the most lucrative form of malware globally, generating $350 million in 2020, while causing over $20 billion in damages and downtime over the same period.
The healthcare industry makes up 11.6% of all ransomware attacks. As an example, Ireland’s Health Service Executive is responsible for healthcare and social services across Ireland. They were attacked with ransomware that caused a shutdown of all IT systems. Eight weeks after the attack, services were still only 90% recovered.
Second, zero-day vulnerabilities. These refer to a vulnerability in a system or device that has been discovered but is not yet patched. You may recall hearing about PrintNightmare, which took advantage of a zero-day vulnerability in Microsoft’s print spooler, allowing a user on the network to gain elevated access on any system with print capability.
And third, supply chain attacks. These involve tampering with the digital infrastructure of a company’s software to install undetectable malware to bring harm to organizations further down the supply chain network. You may remember reading about Kaseya, a software provider that provides remote management monitoring, which was the victim of an attack by the REvil ransomware group over the Independence Day weekend this year.
The attacker used a previously unknown zero-day attack against the Kaseya platform. By targeting Kaseya’s software, the hackers opened the door to infect more computers in companies that use Kaseya’s products. Kaseya was interesting because it was a supply chain attack that used a zero-day vulnerability to install ransomware, so it used all three major categories in one threat.
Q. What particular ransomware should healthcare CISOs and CIOs be watching for, and why?
A. We don’t look for one specific type of ransomware. Instead, we are vigilant in the prevention of all kinds of attacks and intrusion. Ransomware is a continually evolving risk, and while attacks by organizations like REvil may get more attention than others, they all present an existential risk to the delivery of care.
The impact of a particular variant of ransomware is more dependent upon your controls than the actual ransomware. Your impact can be reduced if you have network segmentation, if you implement zero trust techniques and if you use multifactor authentication. In addition to those strategies, a robust monitoring program can help you catch intrusions early and reduce impact.
The goal is prevention, but prevention has its limits. The next step is impact reduction. To reduce impact, look at all critical systems and applications, both internal and external, and determine how long it would take to recover the application if any were impacted by ransomware.
How much would it cost to shorten that time? Would it be worth it? Rapid recovery, and having your data encrypted at rest and in transit, are the best ways to reduce impact and thwart ransomware attacks.
Q. What are some of the best defenses against today’s ransomware?
A. To ensure we are protected, we rely on some fundamental techniques to reduce our vulnerability to ransomware:
- Email filtering. More than 90% of the email that comes to our servers is discarded because it is spam, junk or contains malicious content.
- Stronger passwords. Windows Hello allows a computer to recognize an employee using face or fingerprint, improving user experience while reducing the likelihood of brute-force password attacks.
- Multi-factor authentication. Stolen or reused passwords, as in the Colonial Pipeline attack, take advantage of poorly configured remote access solutions that do not use multifactor authentication.
- Software and operating system patching. An automated, AI-driven approach for vulnerability management enables the application of patches and fixes more rapidly.
- User education. The end user is often the weakest link when it comes to cybersecurity, and that is what attackers are counting on. End user security and awareness training is an inexpensive and effective way to reduce incidents.
Aimee Cardwell will explain more in the session “Ransomware: Today’s Threat Landscape.” It’s scheduled to air from 12:25-12:45 p.m. ET on Monday, December 6.