Agencies Combat Ransomware in Digital Health

As the cybersecurity threat landscape expands in the digital era, protecting medical data is becoming an increasing priority across the federal government.

“Because digital transformation is more penetrated across the sector… there are more threats on that infrastructure,” said Centers for Medicare and Medicaid Services CISO Rob Wood during GovernmentCIO Media & Research’s CyberScape: Health Care virtual event. “The interesting thing about the health care sector is that there are different parts that are going digital … and all of them have different maturity curves and unique security challenges and threats.”

With the expansion of the “cyber physical landscape,” there is a greater attack surface for bad actors, noted Jim Jones, director of the Department of Homeland Security Center of Excellence for Criminal Investigations and Network Analysis at George Mason University.

“Criminal hackers are opportunists. They see this opportunity that has been created, so they pivot very quickly,” Jones said. “Criminals are not wed to a particular line of business they’re in, they’re wed to making money. When they see an opportunity, they take advantage of it.”

Jones contributed the rise of ransomware to requiring a minimal skill level and to being able to easily monetize. Because using ransomware creates a “one-to-one” transaction, there is greater value for the attacker.

Additionally, bad actors and adversaries are able to quickly learn environments, then pivot and tailor attacks, said Troy Ament, CISO for health care at Fortinet. Within the health care sector, adversaries have adapted to the electronic health records environment, and they are able to quickly identify vulnerabilities.

“They know that infecting the underlying infrastructure can cause a greater operational downtime, which lends itself to organizations following the money. That’s what the adversaries are about. They’re more likely to pay the ransomes when their operations have been impacted,” Ament said.

Jones noted that this model of “ransomware as a service” has two primary implications: attackers have the ability to specialize expertise and they’re incredibly resilient. With the potential of increased cyber strikes, it’s important that organizations “get the basics right,” Wood said.

This includes having a strong security foundation before integrating new technologies, like being able to recover in the event of backups, ensure that there’s monitoring and isolate attacks.

“Basics are good, but at the same time, you have to move toward design principles like zero trust, which is interesting for threats like ransomware,” Wood said. “With microsegmentation and time-based, limited access to things, you could potentially slow the propagation of malware strains if something gets into your environment.”

Wood recommended that organizations take a threat model-based approach to better understand its most critical systems or operations, whether it be functionality, data or users, then work concentrically around these priority areas to gain the greatest impact and value.

“It’s smaller, isolated work that you can get done quickly, show return on investment and also protect what really matters,” Wood said.

Vulnerability and patch management and multi-factor authentication should be cornerstones of security strategies, Ament said. In order to ensure these components are in place, organizations should measure preparedness through tabletop exercises, adversarial analyses and maturity models, Wood added.

“The point is getting away from squishy measurements and getting toward something that’s more objective and repeatable to figure out where you are now, where you want to go and what you need to get there,” Wood said.