Medical Economics: What are the most common cybersecurity mistakes medical practices make?
Dave Grootwassink: The biggest one is not getting formal training for their people, because that’s where most of this stuff starts. Assuming a practice has the basic stuff in place, like a good firewall, infections and breaches are going to come from somebody doing something like clicking on an email, going to a bad website or something like that. And, you know, bad websites aren’t necessarily, you know, porn.com, because infections can get into websites, and it’s not terribly unusual. If you train your people correctly, and they recognize things that don’t look quite right, then you can kind of keep that chink in the armor closed.
Typically, what a breach will do is somebody will get a little tiny infection, somebody opens an email attachment. And some of these email attachments are really insidious PDFs that look like an invoice or something. If they’ve spoofed the email address that it’s coming from, it may look like it’s coming from one of your regular vendors. There are bugs and holes in things like PDFs that you can use to exploit and put a little bitty piece of malware on your computer. And that little bitty piece of malware then goes out and talks to a command and control server out somewhere and then starts downloading the real bad stuff. So, I’d say that the first mistake they make is they don’t do training. And the other thing that they don’t do is a real risk evaluation. A good risk assessment will point out, where do we need to take a look? And where do we need to correct things? Because there’s a lot of stuff that people don’t realize is going on between devices. Every medical device out there has an operating system under it, and most people don’t really think about the fact that it’s not just the PC on the administrator’s desk, but there are MRI machines, there is everything else. All those devices have operating systems in there that may or may not have been patched for years. There are still medical devices out there where the underlying operating system is Windows XP and it hasn’t had a security patch in 10 years. If they train the people and do a good risk assessment, followed up by a mitigation plan, that will take care of 90% of the issues.
Medical Economics: Why would a smaller practice be targeted by hackers?
Grootwassink: Smaller practices have a bank balance greater than zero, so there’s always a reason for somebody to try to implant ransomware. Sometimes, it’s just purely random, and people go out and scan the internet. There is a website that literally scans the entire surface of the internet, and compiles devices out there that are vulnerable. If you have a vulnerable device, it’s going to get scanned, and that’s a potential place for people to come in. In cases where people will run a website on their system, just to talk to patients, for advertisers, or what have you, and haven’t locked that down really tight, people will come in and find passwords on that.
I’m sure you’ve gotten spam emails for phishing email attacks. But one of the newer scams, and I’ve heard about it but I haven’t actually encountered it in the wild yet, is that hackers have teamed up with sets of con artists. What they’re doing now is they will team up with hackers. The hackers will go in and get medical records and pull those out. And then based on the medical records, they will come up with, “Well, you know, patient X has this going on. So, what would a legitimate charge to Medicare look like?” And they’ll start sending invoices to Medicare based on information from a patient’s record. And that’s going to be true of any medical practice, regardless of how big it is. And it’s not just the medical practices; they’re hitting assisted living homes and things like that, too, which typically have even lower security profiles than even a small practice would.
Medical Economics: When a practice is hit with ransomware, how difficult is it to get everything back up and running? And how long does that process take?
Grootwassink: The best way to get back on your feet is proper preparation. If you’ve got everything backed up, and you use a backup system that allows multiple versions—there are some backup systems commercially available that will keep a record and keep backups of all the changes for a period of time or for an amount of space, depending on the particular arrangement that you have with the backup provider. You want a good backup in place, and one that has multiple versions, because I’ve run into places where they have a backup system, and they’ve successfully backed up the encrypted file, and the original file is gone. If you have a backup that keeps multiple versions, then when a file is encrypted by ransomware and that file is backed up, you still have the previous ones available. And some of the other things I’ve seen with ransomware is when people have attached backup systems; they can be as simple as those little drives you plug into your USB ports. The ransomware will go in and happily encrypt your backups, too. You have to be very careful about how you do backups. I always recommend offsite cloud-based backup systems, and there are a handful out there that are actually HIPAA compliant. So, if you have good backup in place, you can bring yourself back usually to a good spot, and it’ll take a little bit of time. The bigger the practice, the bigger and the more systems involved, certainly will take more time. But if backups are in place, it can be done. Now with that said, I’ve seen where not only are they encrypting your files, they’re actually exfiltrating all your files, too, and if you don’t pay the ransom, not only do you not get your files back, but they go out and they post them on various sites on the internet in public, which opens up another whole big can of problems for practices. To really combat things like that, you need to have monitoring of what’s going on in your network.
When I go in and I set a practice up, one of the things that I install in the practice is something called a honeypot. What it does, in the way that I use them, is that I set this device up to look like a crippled PC or a crippled server that doesn’t have good security on it. That way, if anything ever hits it, or tries to get into it, I know that they are in there and that the entire network is compromised. We can shut things down and take care of it before everything goes to hell.
Getting back to your actual question, how long does it take? If you have good backups, a couple of days. But I can’t stress enough how important it is to have good multi-version backup systems that are not attached to the network.
Medical Economics: Are breaches mostly caused by human error, like you mentioned, such as clicking on links in an email or whatever, or can hackers get into the network using other methods, as well?
Grootwassink: I’ve heard different statistics, ranging anywhere from 50% to 90% of breaches, where it’s somebody opening something or somebody going somewhere they shouldn’t. It’s not 100%. But I would say it’s the vast majority, which is why we need to make sure that all the personnel in a practice, anybody who ever touches a keyboard, gets good training in cyber awareness.
Medical Economics: How are the cyber threats evolving? And do practices need to change their defense tactics to keep up?
Grootwassink: From a technical point of view, they change all the time; it’s a whack-a-mole. Let’s say you’ve got antivirus software on your PC. It’s going to pick stuff up, but maybe now something will change and it won’t pick up the next variant. There is a website out there, and what they do is they have a copy of all the commercial antivirus systems out there that are in the world, and you can feed either files or hashes of files to these things. And they will tell you which antivirus systems found something and which didn’t. And it’s always about 75%. If I have a known piece of malware, and I throw it at it, 75% of them will detect it and 25% will not, and it’s not the same ones all the time. From the point of view of a practice, it really doesn’t change all that much.
The good news is, the fundamentals always have to be there: threat assessment, remediation, and putting policies in place to deal with the threats, and training. If you keep up with the training, and keep up with your patching, and you do a new threat assessment periodically—it should be done at least once a year or whenever something new comes into the practice. That basic blocking and tackling is what the practices need to do. If you’re in my position, or if you’re in the position of being in the trenches fighting against some hacker in Eastern Europe, that’s different. But as far as the practices go, doing the basic blocking and tackling of monitoring, training, threat assessments and remediations, that doesn’t change. That’s the key, and that’s what they all need to do.