“I hope all medical institutions large and small are running drills around how to operate in an offline capacity…”
Justin Fier, director for cyber intelligence and analytics at Darktrace, is recognised as one of the industry’s leading cyber intelligence experts, working with the AI cyber security firm’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning. He spoke to us about why, in the midst of a global pandemic, we are witnessing a spike in attacks on the healthcare sector; the unique dangers such attacks pose; and why IT and security leaders must take inspiration from the ambition and imagination shown by their medical peers when it comes to developing best-practice strategies to protect their facilities.
Ransomware is rife. To what extent is healthcare a prime target and why?
Cyber criminals know that organisations in the healthcare industry are more likely than others to pay a ransom. While the primary purpose of ransomware is to make money, the risk of collateral damage is high, since cyber-attacks stop systems from working. With the risk of networks staying down for hours or even days, hospitals simply cannot afford the time it would take to recover if they did not pay a ransom.
And that’s because such down time presents dangers far beyond the financial?
It can literally be life or death, as we saw this year in Germany, where a woman tragically became the first person to die as a result of a ransomware attack on a hospital. If an attack is successful, the collateral damage can be significant. For example, if hospital data is encrypted from a ransomware attack and the EMR (electronic medical record) system goes dark, doctors, nurses and technicians do not have the vital information they need to treat patients. We saw this earlier this year at a hospital in Colorado. Medical professionals must then resort to charting by hand, meaning they literally have to use a pen and paper and don’t have access to medical records.
It’s not just the bottom line and revenue loss that hospitals need to worry about – prioritising patient health is the first and foremost concern and even the smallest amount of downtime for medical equipment or networks can endanger patients. With patient care at risk, it is not surprising that nearly a quarter of ransomware attacks against hospitals result in some form of payment to keep operations running.
How significant is the threat of cyber attacks looking for more than fast financial returns?
It could be geopolitically driven – not as farfetched as you might think. Also, everything about healthcare data is attractive to bad actors. The obvious attraction is the sheer embarrassment some of the data could pose to an individual. Patient data is an easy tool to blackmail a person with. It could also be used for a nation state intel gathering operation; highly targeted intel gathering to identify specific people or, on a macro level, the data could even be used to tell how well a population is doing regarding different health concerns.
How seriously do you take the growing number of ransomware crews saying they’ll no longer target healthcare?
I think it is safe to say that we should never trust cyber criminals at their word. It’s true that in the beginning of the pandemic, many well-known crews agreed to spare the healthcare sector. Unfortunately, this has not come close to the reality – instead, we have seen a spike in attacks. Among many warnings and advisories issued globally was the joint CISA, FBI and Department of Health and Human Services advisory just recently published for the public. The advisory says they have “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers”.
Attackers are inherently opportunistic and prey on uncertainty and change. Simply put, they will hit when you’re down. They’re targeting hospitals at a time when they are stretched most thinly, distracted by a deadly pandemic, and desperately using every effort they can to contain the virus.
What steps can the sector take to protect itself at a time when it is stretched so thin?
There is no way to ever entirely remove the chance of threats getting onto any given network, which is why increasing network visibility so that you can spot threats once they are inside is so essential.
Using best in class defences such as AI to catch threats on the inside, before they endanger data or operations, is critical since that is how you can increase cyber resilience. Threats that are not caught by traditional rule-based security controls, such as novel malware, can be detected using AI. Also, threats today like ransomware can move at computer-speed, and therefore outpace a human’s ability to respond. AI, in contrast, is able to identify abnormal behaviour associated with a ransomware attack and can interrupt the malicious activity precisely, without disrupting normal business practices.
So use of AI can remove a lot of the risk inherent with manual intervention?
At Darktrace, we have been protecting hospitals from ransomware, and other criminal campaigns, for the past six years, applying AI to monitor not just IT networks themselves, but also the medical devices hooked up to those networks. Although there is no way to guarantee that an employee won’t click a phishing link, or that a novel attack won’t sneak onto your network, there is a way to guarantee nearly complete visibility of every single device on your network, spot threats, and respond to potential attacks without compromising your entire network or disrupting day-to-day business operations.
What steps must CISOs in the healthcare space be taking?
Cyber resilience has never been more important. There is mounting pressure for organisations to make themselves more resilient by adopting new forms of technology that can provide the proper visibility they lack. The brightest and best technology and innovations are used to treat patients in the medical field – from advances in cancer treatments to robotic surgeries – yet outdated legacy tools are still relied upon in cybersecurity. IT leaders in the healthcare sector need to look at the advances made in medicine and aspire to similar progress in how they approach cybersecurity. The time is now to implement AI. If they don’t find new ways to protect their digital systems, hospitals cannot promise patients best in class treatment since ransomware has now proven it can have real-world consequences.
And for those facilities that do experience attack, any best practice tips for how they should respond?
Prevention and mitigation are key. It’s critical that hospitals ensure they have full visibility of all IoT devices connecting to their network and focus on securing their email ecosystems to prevent successful phishing attempts. Artificial intelligence-based solutions are ideal because they can monitor the entire network and email ecosystem and proactively shut down threats before they are able to unleash ransomware or other malware throughout the organization.
I hope all medical institutions large and small are running drills around how to operate in an offline capacity and IT teams are figuring out new creative ways to not only prevent future attacks, but to bring the network back online as quickly as possible. Hospitals need to focus on recovery planning, including having a plan for transparent and honest communication with patients and maintaining proper back-ups should an incident occur.