Kidnapped Hospital Data Was Probably Preventable
By the time you read the ransom note it is too late for your patients/clients, your organization’s reputation, and maybe your career. But it doesn’t have to be.
You can deal with Security and Compliance at the executive level now, and invest adequate attention and resources, or you can deal with it later trying to explain to an angry public why you had a data breach or an IT security crisis.
Security and compliance are executive level challenges, not something to be delegated to mid-level managers and IT staff. Don’t believe me? Ask yourself, if you suffer an IT security failure or data breach, who in your organization will be dealing with your board of directors, your clients/patients, investors, lawyers, and the media. It’s better to prevent a crisis than try to explain it to your stakeholders. Public opinion is everything. You need to get involved.
“…no organization is immune to outbreaks of malware that’s designed to forcibly encrypt all data stored on PCs and servers. Hollywood Presbyterian Medical Center, based in Los Angeles, declared an “internal emergency” after staff noticed an apparent ransomware outbreak begin on Feb. 5, reports NBC. The attackers have demanded 9,000 bitcoins, currently worth about $3.6 million, reports Fox News.
The hospital couldn’t immediately be reached for comment. But as of Feb. 12, multiple patients had been transferred to other hospitals as a result of the attack, electronic patient records remained inaccessible, and all hospital departments – lacking email access – were attempting to communicate via “jammed fax lines,” NBC reports.
In an open letter, Allen Stefanek, Hollywood Presbyterian Medical Center President & CEO (I told you so) said they paid $ 17,000 to gain access to their data. On February 15, ten days after they were infected. After transferring patients. After national embarrassment, even though their letter says, “this incident did not affect the delivery and quality of the excellent patient care you expect and receive from Hollywood Presbyterian Medical Center (“HPMC”). Patient care has not been compromised in any way.”
Really? What do the patients who were transferred have to say?
How did not having access to medical records, or medical devices controlled by computers, affect patients? How many will sue for malpractice? How many will die?
Everyone wants to know what the cause is, but that will have to wait for later. In the meantime, how would you feel if you had a loved one as a patient there, or if you were a patient? Will anyone trust the hospital in the future? I can only imagine the lawyers who are circling.
Whose heads do you think will roll, after the investigation that will probably show that this attack could have been prevented or resolved with little impact? Every executive in every type of business needs to selfishly think, “How would an attack like this affect my career, my family, and my future?”
This type of crisis can be avoided. Recently a doctor in a small medical practice clicked on a link in a phishing e-mail and a few minutes later the practice received a ransom note that all of their data had been encrypted. Instead of paying the ransom (which doesn’t always get your data back,) they called their IT provider who was able to recover their data from the previous hour’s backup and get them working again. They had to re-enter a few medical notes but otherwise they were unaffected.
There are lessons to be learned from every breach. The Sony and Target hacker attacks were both based on phishing e-mails. In the Target breach the hackers accessed the network by compromising an air conditioning vendor, not the company itself. Neither CEO survived the fallout of these attacks.
Here are some things you can do right now to prevent a similar situation in your organization.
- GET A SECOND OPINION
Engage an outside organization to evaluate your security and compliance with regulations, and make sure the report goes directly to your CEO, Managing Partner, or the board of directors. Our assessments always find holes – sometimes very large ones- in IT security because most IT departments (and outsourced IT service providers) are made up of desktop computer and network specialists, not IT security specialists. There is a big difference.
The FBI alerted health care organizations in 2014 that the greatest risk to the security of their data was the belief their IT departments had that their efforts were working, when the evidence showed otherwise.
When someone in your organization says they “have Security and Compliance handled” you should be worried… very worried. The stakes are so high that it’s time for a second opinion. You need an ‘under the skin’ evaluation of your security and advice from an experienced expert who can explain the findings in business terms you understand, not IT lingo. You need an external auditor’s opinion about your HIPAA or other compliance efforts.
- KNOW WHERE YOUR DATA IS
This sounds simple, but many organizations we work with start out not even being able to identify all the locations of their data. Data is a valuable asset, like gold, but is often treated casually and no one cares until it is lost, stolen, or held for ransom. Why do you leave it on unsecured local PC’s and laptops? Why isn’t it backed up in case of accidental loss or hard drive failure? Why do you allow it to be shared through unsecure consumer-grade cloud services? Knowing the locations of your data is even more critical if your data is protected by laws like HIPAA.
- KNOW YOUR BACKUPS REALLY WILL WORK WHEN YOU NEED THEM
Backups aren’t any good if they don’t protect your data AND if they cannot be restored both within your required timeframe and with minimum data loss. Backups need to be test-restored regularly to ensure that your functions can be restored, not just some data or a server.
We still see organizations that back up to tape, local hard drives or consumer-grade cloud services. These are cheap solutions that can take days to restore and sometimes fail completely.
What is your real cost of being down? Hollywood Presbyterian Medical Center has already lost revenue and will have to spend a lot to secure its network and recover its reputation. A law firm managing partner once estimated their cost of downtime at $ 64,000 per day, and was shocked when their IT director confirmed our estimate that their backup strategy would keep them down for three to four days. A medical practice whose backups we discovered were not going offsite told us they would have to go out of business if their building burned down and they lost all their patients’ records.
Once you figure out your real cost of downtime you will realize it is worth the investment for secure backups that run throughout the day and allow you to recover servers quickly (usually less than an hour) to a local recovery appliance, or to the cloud if your building burns down. What may seem like high monthly fees will pay off when you can quickly recover and avoid the high costs and embarrassing publicity of a disaster.
- FUND THE SECURITY YOU REALLY NEED
Security is more than anti-virus software and firewalls (which we often find are not properly configured, anyway.) Funding an effective security program is critical to your mission.
Security starts with how your network shares are configured, and who has access to critical, sensitive, or regulated data. It’s amazing when we see critical and sensitive data on network shares set to be accessed by ‘Everyone.” We also find that terminated employees still have access to the company networks, and their passwords are set to never expire. Duh.
In late 2015 the FBI notified two hospitals that their data was for sale on the Internet. Subsequent forensic analyses revealed that one of them had been breached in 2012 and the other in 2013, meaning the hackers had been stealing data for over two years. You need systems that log your network activity AND detect unauthorized access. More than anything, you need to employ or contract with IT security specialists (not your average IT guys) who can properly configure secure tools and address any incidents.
- DATA SECURITY IS MORE THAN TECHNOLOGY. TRAIN YOUR STAFF!
The weakest links in any secure environment are people, who are the last line of defense against an attack. Even with the best IT security systems in place users need to be trained and reminded against falling for the lure of phishing emails that bait them into clicking on dangerous links. They need to be wary of official-sounding phone calls asking for their logins and passwords. They need to know it is OK – actually required- to stop strangers in restricted areas to ask who they are.
Training is critical for all staff, not just new employees. It shouldn’t be a meaningless 5-minute 2‑slide presentation just to get a requirement out of the way. Authorize the time to make sure your staff receives effective cybersecurity and compliance training. Include those in the executive suite where the bosses sometimes think they are too important or too busy. Management should set an example.
Research into data breaches shows that most of the financial impact is in reputation damage and lost business. Regulatory fines can exceed a million dollars. Executives can lose their jobs.
Remember, SECURITY AND COMPLIANCE ARE STRATEGIC NOT TACTICAL.