When asked to describe what it’s like to deal with the constantly looming threat of ransomware, Chad Wilson, the Director of Information Security at Children’s National Medical Center in Washington D.C., didn’t beat around the bush.
“I’ll sum it up in one word: It’s scary,” Wilson said at a Federal Trade Commission workshop Wednesday.
“It’s a technical problem, they’re attacking us technically,” Wilson said, “the number of attacks and the sophistication of attacks has really grown exponentially over the past couple of years. There is no one particular vector that they’re using, they’re using multiple techniques to trick doctors and administrators.”
Wilson was one of four experts to speak Wednesday afternoon on a panel, “Best Defense Tactics Against Ransomware,” part of a workshop put on by the FTC at the Constitution Center in Washington. The event, moderated by Ben Rossen of the FTC’s Privacy & Identity Protection division, was the first in the agency’s annual fall technology series.
While education (training employees not to click on suspicious links) can help, many panelists agreed that better basic cyber hygiene can do a lot to eliminate the problem up front.
— FTC (@FTC) September 7, 2016
Keith McCammon, the Chief Security Officer at Red Canary, a cybersecurity firm that detects threats based on user behavior analytics, said that from an organizational perspective, taking stock of your exposure can be invaluable.
“I think one of the most common problems we see when we walk into organizations, particularly large ones, they think they have 2,000 computers, when they really have three,” McCammon said. “Understand what’s there and the scope of your responsibility… understand what controls you can and can’t put in place and be really vigilant about itemizing those things, research risks and mitigate what you can.”
In the aftermath of a ransomware attack, having a backup strategy is helpful, but not everything has to be backed up, Wilson said. Instead of going overboard when it comes to backing up their data, businesses should pinpoint what’s valuable to them and isolate that data to take away any financial incentive for hackers.
“Backup is absolutely critical but I don’t think you can see it as a complete panacea,” said another panelist, Bill Wright, Director of Government Affairs at Symantec. He stressed that ransomware trends are changing: some strains are already going after backups, and others will try to disrupt a user’s ability to recover data via backups in the future.
Wilson says the Children’s Hospital operates with an “if you can’t see it, you can’t protect it” mentality; if companies aren’t sure where data is and which systems are used to access it, then they’re likely putting their users’ trust in limbo.
“If you’re not doing that as a business, then you’re really not taking the necessary steps to retain that trust and confidence of the people you have the data for,” he said.
At one point during the panel, McCammon told a story about one of the firm’s clients, a hospital that he didn’t name, that got hit but had invested to ensure such an attack didn’t knock them offline.
“It only had to get into one system before it started running rampant on all the other systems and the next thing you know you’ve got portions of a hospital infected,” McCammon said. “They prepared well though, from a corporate standpoint, they had good hygiene, they’d taken a lot of time and pain and made big investments on prevention.”
McCammon said that while the incident was a problem for the IT team – “people worked late, it probably wasn’t enjoyable” – it didn’t disrupt health care delivery.
“What are the things I can do? They may not be cheap but they’re probably really simple to just reduce impact and risk overall,” McCammon said.
In the healthcare industry, however, those steps are not always easy. When it comes to medical device security, Wilson said hospitals are frequently limited by their own vendors and partners, adding that the Children’s Hospital was particularly hamstrung a few years ago. Medical device manufacturers often fail to provide up-front controls in devices to protect them; there’s often a charge to have a technician come out and re-image devices like MRI controllers to ensure they’re FDA compliant after the fact.
“We often have to go the extra mile to get information from a provider, we have to ask specific questions: What modalities do [the devices] need to talk to? When I put a firewall here, does that stop the device from functioning?” Wilson said. “If the devices don’t need to talk to each other for business, then why do we allow it?”
Wilson says the hospital tries to follow the four Red Cross lifesaving steps: stop the bleeding, start the breathing, protect the wound and treat for shock.
“When you stop the bleeding make sure you know what assets are there, where you are hemorrhaging, and what data is leaving the organization you’re not aware of,” Wilson said. “Take a look and see what’s happening in your environment, then move forward from there.”