Recently, HCI Editor-in-Chief Mark Hagland spoke with Ron Schlecht, founder and CEO of BTB Security, a consulting firm with offices in Chicago and Austin, Texas. The Philadelphia-based Schlecht founded the company in 2006. The consulting firm, with 22 consultants, focuses primarily on providing information security assessment services, breach response, and managed security monitoring. BTB works in multiple industries, with about 15 percent of its work in the financial services sector, about 10 percent in healthcare, 5 percent in resorts and entertainment, and the rest of its work scattered across a range of other industries. Below are excerpts from Hagland’s interview with Schlecht, who was able to share his perspectives based on his and his company’s work in multiple industries.
How would you describe the cybersecurity landscape right now in healthcare?
I would say that it is challenging at best, only because so many new technologies have been introduced into the industry, both in management and clinical care.
In particular, how would you characterize the ransomware phenomenon right now—as a crisis?
Yes, one could use that term to describe it, since it’s somewhat new. I’ve gotten used to dealing with malware or any number of types of viruses. But when it comes to ransomware, nobody knows what to do right now; for one thing, there’s so much misinformation about whether to pay the ransom or not. And that’s probably the most distressing thing right now, with disagreement on whether to pay ransom or not. In general, we tell people not to pay ransom. Obviously, every case will be different, but the general response is not to pay it. There are a lot of uncertainties involved in that kind of situation.
One could compare paying ransom in a ransomware situation to paying a kidnapper to give your loved one back, correct?
Exactly. They might give you the decryption key. But who’s to say that they won’t choose to maintain persistent access, and won’t come back and re-encrypt those files? There’s no guarantee that you’ll get your files back and in the right condition.
Would you agree that healthcare is behind other industries in terms of cybersecurity preparation and defense?
Yes, I would say that it’s behind other industries, but with the addendum that the end-users are some of the main points of vulnerability in healthcare, and that sets healthcare apart from many other industries.
In our two-part series on the ransomware crisis, people said a few basic things. They repeatedly stressed end-user training, plus more rigorous, role-based access, and backing up your EHRs every day. And behavioral monitoring. What are your thoughts in that regard?
Yes, those are what I’ll call some of the canned responses to ransomware threats. In addition to those responses, there are technical means, including behavioral monitoring, to guard against ransomware attacks. There’s threat intelligence that is available. There are a lot of free and commercial options for applying threat intelligence to address risk, in terms of obtaining indicators of compromise. A virus will look and act a certain way, and therefore can often be identified because of certain characteristics. So a lot of times, signature-based intelligence can essentially be applied to monitoring services or solutions. So for people who are doing monitoring already, signature- and behavioral-based intelligence can be integrated into your programs.
What percentage of hospital organizations are leveraging signature- and behavioral-based intelligence tools and strategies now, do you think? A small percentage?
Yes, it’s a very small percentage. And in that context, it’s a maturity issue. Most hospital organizations, in terms of spending the money, are still just checking boxes. They’re not in the business of providing the best security out there, but of providing clinical care in most cases, or research.
How strong has the healthcare industry’s response to this crisis been, relative to the threat involved, on a scale of 1 to 10?
It’s been a 3 to 4, I would say. They know about the threat, but they’re underspending right now relative to it. There are mitigating controls in place that people think are enough. But you don’t really realize the cost of this until a breach or shutdown occurs. It’s almost like buying insurance, really.
So, given the threat and the need for electronic health record and other clinical information systems to remain up and available at all times, it seems that CIOs need to convince their fellow C-suite executives, and boards, to agree to spend the money to fund decent security to make sure that systems remain functioning 24/7, correct?
Yes. There are three points to the triangle of security: confidentiality, integrity, and availability. And it seems that it’s that last point of the triangle, availability, that everybody worries most about. But the reality is that when you have a breach like that [such as in the MedStar Health ransomware situation]—that kills the availability. So in terms of the risk/reward decisions on what should be in place or what things to spend on, that’s a place where good risk managers can quantify the actual potential for loss if their organizations were to be hit by something like this [a ransomware attack]. So it’s a matter of maturity, in terms of understanding something like this. And once you’ve documented that, that’s a sign that the organization is ready to listen and to protect both confidentiality and availability.
Would you agree that organizations should be backing up their EHRs daily?
I think that backups should already be part of what people should be doing routinely anyway. As for daily backups, the potential downside is that it’s not just about backing up data, but backing up good data. We’ve had clients who were doing very aggressive backups, but in doing so, they were backing up encrypted data as well.
That leads to the question of how often should backups be tested, correct?
You need to plan for regular backups, and then you need to develop an understanding of what the intervals of those should be, to make sure you have enough points in time, spaced out enough, so you haven’t completely overwritten data. That will vary. Unfortunately, it’s rather a technical topic. People do daily backups, weekly backups, end-of-month backups, quarterly backups, and then rotate them. Some organizations back up everything nightly but also keep five copies of that, so you have an entire week’s worth. And then you may have a weekly backup that won’t be overwritten for a month, or a monthly backup that won’t be overwritten for a quarter.
So if I have a ransomware attack, I’ll look at my backup. I’ll check my daily backup to see whether it has actual data or encrypted data. You can keep going backwards, to the weekly one or the next most recent weekly one. You should always do testing to make sure you can restore, either on a quarterly or a monthly basis. But you should also always be doing enough backups. If you’re looking to restore something, it all depends on when you first catch something. If we can narrow down that the ransomware was initiated on Monday, we want to look at the weekly backups from the weekend, and so on.
Given all these challenges, are we understaffed and underfunded industry-wide, in terms of the staffing of strong IT security teams in hospitals?
Yes, I agree, hospitals’ IT security teams are very understaffed. And most often, they’re not given the level of visibility or the amount of power or access they need: that’s what’s hurting the CISO role now. Many are hiring or naming CISOs to check a box, but not really in support of security.
To summarize, what are the biggest few areas where hospitals are falling down, in your view?
The biggest threat, as it relates to any type of ransomware, remains the sheer number of devices that are allowed in a healthcare organization, and how they connect.
What can medical groups do? Even the largest physician groups are very disadvantaged in terms of resources, compared to hospitals and integrated health systems, so medical group leaders will really need to think carefully about their options.
What I believe is that the leaders of medical groups should seek out the leaders of fellow medical groups. They could start to work together, even if they’re not in the same clinical areas; they can create economies of scale and use some of the same technology partners. And a lot of businesses in other industries outsource a lot of these functions. The technology piece is outsourced, which allows those organizations to come to organizations like ours to do the things that need to be done.
Would you agree that most hospitals and health systems need to hire external security operations centers (SOCs)?
Yes, all of these organizations need to be doing third-party independent assessments.
What do you think is going to happen around ransomware and malware in the next couple of years?
It’s going to continue to increase. It’s something that’s very profitable for criminals, and people are unfortunately paying it, not only in healthcare, but also, unfortunately, across a lot of different industries.
Is there anything you’d like to add, in the context of everything we’ve been discussing?
This is an area in which the threats are just going to continue to increase. And for us, if it brings security a little bit into the limelight and helps people focus on the issues, that’s a good thing, but of course, the threats overall are a very bad thing.