CUSTOM MEDIA

Sponsored by

Ransomware and Emerging Cyber Threats: Why It’s More Than Just An IT Problem in Healthcare

Table of Contents

Ransomware Attacks Will Become Common in 2016; Threats are Under Combatted and Highly Profitable

Are CIOs and CISOs Behind the Curve on Data Security? Results of a New Survey Say Yes

Overcoming the Data Security Threat Tsunami

About Symantec & ITS

Additional Resources

Ransomware Attacks Will Become Common in 2016; Threats are Under Combatted and Highly Profitable

By Heather Landi

While the ransomware breach at Hollywood Presbyterian Medical Center in Los Angeles may seem like an unfortunate, yet isolated, incident, a new report from the Institute for Critical Infrastructure Technology (ICIT) warns that ransomware threats will likely escalate this year.

According to the ICIT report, 2016 will be the year ransomware will “wreak havoc on America’s critical infrastructure community.” “To pay or not to pay” will be the question fueling heated debate in boardrooms across the country, according to the report authors: James Scott, ICIT senior fellow, and Drew Spaniel, ICIT visiting scholar from Carnegie Mellon University.

ICIT is a non-profit think tank that advises decision makers on technology and cybersecurity trends in infrastructure sectors including government, defense and healthcare. The report gives an analysis of the ransomware threat as well as the attackers and targets, and provides mitigation strategies.

“Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic,” the authors stated.

The report authors also tapped into cybersecurity research contributed by security firms such as Kaspersky, Covenant Security Solutions, Securonix, Forcepoint, GRA Quantum and Trend Micro for insights into ransomware attacks. These security firms predict a dominant resurgence of ransomware attacks this year, according to the report, and healthcare organizations have already been targeted, as in the incident at Hollywood Presbyterian Medical Center.

“The healthcare sector was not a traditional target for ransomware attacks. One theory is that attackers did not target systems that jeopardized lives,” Scott and Spaniel wrote. However, they noted, that mentality has recently changed, at least for the group operating the Locky ransomware, as evidenced by the incident at Hollywood Presbyterian Medical Center.

The report authors point out that cyber threat actors are using ransomware attacks because these attacks are “under combatted and highly profitable.” And, unlike hackers who attempt to exfiltrate or manipulate data, ransomware criminals only attempt to prevent access to data; during an active ransomware attack, business operations grind to a halt until the system is restored or replaced.

And, with the prevalence of mobile devices and the growth of the Internet of Things (IoT), the “potential threat landscape available to ransomware threat actors is too tantalizing a target to ignore.” Consequently, “Information security specialists and the technical controls that they implement must become adaptable, responsive, and resilient to combat emerging threats,” Scott and Spaniel wrote.

How profitable is ransomware? According to research provided by security firms, creating a phishing page and setting up a mass spam email costs about $150. “A trendy crypto ransomware sells for about $2000 on dark net forums. Locker ransomware probably costs less. This means that an attacker only needs to ransom eight everyday users (at the average $300) to generate a profit,” the authors wrote.

“Symantec estimated that in 2009, 2.9 percent of the victims paid the ransom. In 2014, CTU researchers estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints, Cryptowall reportedly netted over $18 million from victims between 2014-2015.”

The report specifically details the types of ransomware, such as locker ransomware and crypto ransomware, with the Locky ransomware being an active example and the type that infected medical systems belonging to Hollywood Presbyterian Medical Center. In that incident, while healthcare data remained unaffected, computers essential to laboratory work, CT scans, emergency room systems and pharmacy operations were infected.

“After ten days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center. Both are restoring their systems from backup systems,” Scott and Spaniel wrote.

Scott and Spaniel also highlight that ransomware follows the same distribution and infection vectors, or delivery channels, as traditional malware: traffic distribution services, malvertisement, phishing emails, downloaders, social engineering and ransomware as a service (RaaS).

The authors also detail mitigation strategies, noting that “preventing infection is preferred over remediation efforts.”

“The first step to mitigating a ransomware threat is to implement a comprehensive cybersecurity strategy,” the authors stated. “Software and hardware solutions are necessary, but they are not the only necessity. First and foremost, information security training and awareness must improve. Afterward, organizations can rely on the layered defenses that they have invested in to secure their network.”

The report recommends that organizations have a dedicated information security team to ensure all systems are updated and patched and that critical systems are backed up. Organizations also should have layered defenses to protect networks. And, personnel training and awareness are critical, as information security experts often cite that “humans are the weakest link.”

“Employees should be trained to recognize a malicious link or attachment. There is no justifiable reason that most organizations cannot reduce their personnel’s malicious link click rate below 15 percent,” the authors stated. “Teach employees to not click on any links in any emails. It takes barely any more time to type a link into Google than it does to click the link. Personnel should only open attachments from personnel that they trust and only if they are expecting the file.”

Healthcare leaders also should focus on administrative policies and procedures to strengthen cyber defense and consider cyber insurance policies that cover ransomware attacks.

When a compromise does occur, the ICIT report recommends that organizations disengage from communicating with the attacker until the situation is thoroughly assessed and a course of action decided.

“The proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements,” Scott and Spaniel wrote.

The report authors concluded that the enlistment of an information security team is the first step in a companywide security strategy. And, the information security team should, at minimum, “conduct an immediate companywide vulnerability analysis, develop a crisis management strategy that takes into consideration all known threats and also conduct continuous device and application patching, auditing of third party vendors and agreements as well as organizational penetration testing and security centric technological upgrades.”

“Together, these actions can profoundly minimize a company’s attack surface,” the authors stated.

Are CIOs and CISOs Behind the Curve on Data Security? Results of a New Survey Say Yes

By Mark Hagland

David Finn, the health IT officer at Symantec, discusses the results of a new survey of CIOs on data security, and its implications for the next few years

With all the recent headlines and developments around data security breaches, hacking incidents, and even ransomware attempts hitting U.S. patient care organizations, one might think that CIOs, their fellow c-suite executives, and hospital and medical group boards of directors might be farther along on their data cybersecurity journey. In fact, a new survey-based study has found that there is real reason for concern. Leaders from HIMSS Analytics, a division of the Chicago-based Healthcare Information & Management Systems Society, and from the Mountain View, Calif.-based Symantec, released the results of a new study, entitled “Healthcare IT Security and Risk Management Study.” David Finn, the health IT officer at Symantec, released and described some of the results on Wednesday, March 2, 2016 on the exhibit floor of the Sands Expo in Las Vegas, during HIMSS16.

The survey was conducted online in December 2015, and received 115 online respondents. Interviewers then conducted 10 phone interviews with CIOs and other healthcare IT leaders, in order to obtain more richness of detail than the online survey results provided.

With regard to the respondents, 38.3 percent represent hospitals and health systems with 501 or more beds; 26.2 percent represent hospitals and health systems with 251-500 beds; 36.5 percent represent hospitals and health systems with 101-250 beds; and none represent hospitals and health systems with fewer than 100 beds.

Among the important findings:

When asked what percentage of their total IT budget (operating and capital) is devoted to IT security, 51.6 percent said 0-3 percent; 28.6 percent said 4-6 percent; 9.9 percent said 7-10 percent; and 9.9 percent said more than 10 percent.

Asked how many employees from both inside and outside IT are allocated to IT security in their organization, respondents answered as follows (percentage of respondents in each staffing band):

  Staff allocated to IT security    Inside IT    Outside IT
  Fewer than 1                      12.0%        55.9%
  1-5                               60.2%        32.5%
  6-10                              10.2%         2.9%
  11-20                              8.3%        20.0%
  21-30                              3.7%         1.0%
  More than 30                       5.6%         5.9%

The adjusted total average number of IT employees devoted to IT security was 9.9 FTEs.

With regard to how often IT security was discussed at their organizations’ board meetings, 53.9 percent said it was discussed “upon request of the board or executive management”; 20.9 percent said, “at most board meetings”; 10.4 percent said, “at every board meeting”; 7.8 percent said, “never”; and 7.0 percent said, “other.”

Unfortunately, only 46.09 percent of respondents are currently addressing data security threats potentially coming through their organizations’ medical devices, though 33.04 percent are “beginning” to do so, and another 16.52 percent “plan to do so.” The percentages of respondents whose organizations are already addressing IT security on mobile devices and on cloud-based applications are higher, at 69.57 percent and 61.74 percent, respectively.

Finn, a former hospital CIO, spoke with HCI Editor-in-Chief Mark Hagland regarding the study. Below are excerpts from that interview.

There are a lot of significant results to talk about from this survey and study. Were you surprised by any of the results involved?

You know, that’s a great question. We get that asked a lot. And honestly, since I’ve been doing this for so long, the only surprising thing is, here we are 13 years down the road from the privacy act, and 11 years down the road from the security act, and the only thing surprising to me is that we still haven’t done very much, substantively speaking.

We haven’t addressed some of the real issues like medical devices; and we still haven’t addressed issues like cloud and mobile devices. And we still approach it from this kind of “check-the-box” perspective, as though it’s a compliance issue, and compliance doesn’t protect you, you’ve still got to be secure.

The now-infamous ransomware situation unfolded at Hollywood-Presbyterian Medical Center after the survey had been completed. What do you think of that situation in the context of the survey/study?

I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers. And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are not purely Symantec customers, they also have other products. And they all made it through those ransomware attempts; one struggled, but they all made it through. And there was some bashing about Hollywood Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.

What do CIOs need to do to get their fellow c-suite leaders engaged around data security right now?

The issue is, the IT people do see this as an IT issue, and there is an IT issue, of course, and if IT folks don’t effectively run anti-virus and anti-malware programs and address patch issues, and maintain good firewalls, and all that—well, all that is necessary, of course. But the problem is that IT people so often don’t explain the problem well in terms of the business issues involved.

I’ll tell you a story from when I was a CIO. We went through a network upgrade at one point, and we needed to upgrade a number of Pyxis (medication dispensing) cabinets in order to keep our network updated. So I had my CTO address the issue with our information management governance committee. But he came back to me and told me we hadn’t gotten the money we needed, which was $325,000. That may sound like a lot, but my annual budget was $20 million, so it wasn’t a huge amount. My CTO had focused on the need to upgrade systems, etc.; in other words, he had spoken in [technocratic] terms.

So I took him with me and we went and spent some time with a nurse manager. And what we ended up with was good data on the real costs involved in loss of productivity from non-replacement of those cabinets. We found out what the time lag would be if a cabinet couldn’t be unlocked in a timely way. Ultimately, the costs around loss of productivity meant that the hospital would have to hire more nursing staff, and the numbers added up. So I went back and said, this is the additional cost to the nursing budget. So needless to say, we left the meeting without even having to ask for the money. So this is what CIOs need to do: they need to be able to translate the costs [of non-investment in IT into specific costs] for the clinicians and executives.

Another survey result was that only 19.9 percent of respondents reported that more than 6 percent of their organization’s total IT budget was being spent on data security. Do you think that that proportion will change anytime soon?

We are starting to see an uptick in 2016 spending, and most other surveys are seeing that. But if you look at that, over half of respondents were spending 3 percent or less. And what we find is that federal government officials say that 16 percent of their IT spend goes to IT security. And in the financial services sector, we see 12-16 percent on average. So at 3 percent, we’re never going to be secure. And we have much more valuable data than some other industries. And so who are the bad guys going to go to? I think we see the answer to that.

Another significant survey result was that on average, most organizations have fewer than five employees dedicated to data security.

Yes, there are two pieces to that. The first reaction I get from people [when they hear how few staff are dedicated to data security nationwide] is that they conclude that we’re talking about small hospital organizations. But 60 percent of our respondents were from organizations with over 250 beds, and 38 percent were over 500 beds. So these are not critical-access hospitals.

Will that change soon?

Well, we’re actually starting to see security people embedded in [a variety of] business units. That’s why we asked about security people inside and outside of IT. I’m aware of a couple of hospitals requiring that the business units in revenue cycle and other areas hire someone to do IT security within the unit rather than IT. I was a little surprised that the numbers were so small outside IT, but I think it’s the beginning of a trend.

So yes, I was surprised that it was still five or fewer for the most part. And we don’t have a clear idea whether they’re referring to parts of an FTE; and in fact, that may actually be true. You know, often, they have a network guy who does half-time firewall and half-time network support.

One survey result was that CIOs seemed to be more focused on broad strategy than on end-user education. Would you agree that that is a problem?

It’s a big problem, and even though a high-ranking security strategy sounds good, what’s clear from an additional survey result is that the regular education of end-users is still a relatively low priority. And it’s quite disturbing that cybersecurity for end-users was the lowest-rated of several priorities. The level of training was a little higher, but it’s annual end-user training. And we know that the once-a-year, 40-minute, training doesn’t do very much. But the reality is that every end-user needs to be a security person. And we found that in the nuance in the in-depth interviews that most of the training is once-a-year stuff. A lot are doing phishing testing of staff, and that’s a good thing, but they need to do more, and do it more regularly.

What did you think about the results around how often data security is discussed at board meetings?

That result looks good, until you realize it’s on request, and that only 10 percent are doing it at every board meeting. And if we’re saying that cybersecurity strategy is key for the organization and that cybersecurity is a function of the business, which it should be these days, I believe that every board should get a financial/spending report and also a quality/adverse event report, at every board meeting. They’re not getting cybersecurity reports at every board meeting, because it’s not actually as important as their CIO or CISO tells us it is. And for the CEO or board to be ignoring it means that there’s a huge disconnect there.

Given all of these results, what should CIOs be doing right now?

The first thing is that whether the CIO or CISO or ideally, both of them together, are involved, they need to go to the board and put in a plan for IT security governance, and the governance committee has to include stakeholder leaders from across the entire organization. And it has to include additional tools, spending, and head count. The other thing is that that governance group has to include medical device security now. We found that over half of organizations were either just beginning to address, or were planning to address, medical devices. We saw medical devices being used as points of entry for bad stuff. The bad guys have figured out how to use medical devices to get access to data through the network using that device.

How would you characterize your level of optimism or pessimism around all this, on a scale from 0 to 10?

That is a tough question. I frankly am not optimistic, in the sense that I believe things are still going to get worse before we change our focus and context. All is not lost; I’m not ready to jump off the top of a tall building. We haven’t hit bottom yet. We should have, after Anthem and after HP, those were clarion calls, the message was pretty clear; but I don’t think we’ve figured it out yet.

Is there anything else you’d like to add?

CIOs and CISOs didn’t even understand the threat environment, how dangerous it is, until recently. But I think they realize that everything is out the window, and we need to refocus away from protecting devices, but instead protect the data. People are stealing credentials to get in. What’s more, we still don’t fully understand the data flows, how data flows into the organization, through it, and out of it. And the IT folks are finally beginning to understand that compliance means that you’re compliant, but it doesn’t mean you’re secure. And we’ve got to get some of these compliance and risk managers involved, and looking at the actual risk. We need to change our perspective into one that’s not IT-based, but based on the business, and on the engagement of top stakeholders in the organization.

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

TRACK, PURSUE, AND NEUTRALIZE THREATS.

The longer threats remain undetected, the more damaging they become. Take control of your information and fight threats on your terms. It’s time to start advancing security. Take the next step at symantec.com/healthcare

Overcoming the Data Security Threat Tsunami

By Mark Hagland

CynergisTek’s Mac McMillan offers his perspectives on the biggest data security concerns

Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, is a very well-known figure in healthcare IT, and a widely respected healthcare IT security expert. Recently, he spoke with HCI Editor-in-Chief Mark Hagland regarding some of the most important—and pressing—developments in data security right now in U.S. healthcare. Below are excerpts from that interview.

It was great to speak with you when we were both in Las Vegas participating in HIMSS16. Did you find anything surprising at the 2016 HIMSS Conference? Did anything you see or hear at the conference change your mind about anything? We spoke at HIMSS after the now-infamous Hollywood Presbyterian Medical Center ransomware incident.

I don’t think there was anything that changed my mind. But one thing that struck me was that there certainly was a higher sense of urgency around these advanced threats in healthcare. And a lot of people had either been hit by an advanced threat—either ransomware or a virus—or they knew someone who had been. And everybody wanted to know what to do to avoid it, because it was becoming a big issue. And that hasn’t stopped. It was non-stop from just before HIMSS, through HIMSS, and after HIMSS.

Every week now—I don’t visit a hospital now that doesn’t say to me, we’ve had two or three ransomware attacks or incidents. And in most cases, they also know of the experiences of folks in their local area. And the number of incidents that actually get reported versus the number of incidents that are occurring, is tiny—it’s like an iceberg phenomenon.

The good news is that most of these ransomware incidents are not turning out to be debilitating for hospitals, but they’re certainly causing a loss of time and a lot of costs, and anxiety, and are causing a tremendous amount of anxiety in our IT people. No one wants to be the hospital that goes down and is incapable of delivering services.

The appropriate resources have to be devoted to this. I was talking to a COO yesterday, and that COO’s hospital had just had two incidents. And there were several things we had recommended to them over a year ago, and they hadn’t done them. And his CIO readily admitted that they needed to do something about it. And do we really have to hurt, do we really have to have the pain, before we do something?

What is at the core of the poor handling of these incidents by some leaders of some patient care organizations? Is it a lack of vision, strategy, tactics, resources?

At the end of the day, a hospital is a business. And there are things that they’re trying to do with their resources that enhance the business and grow the revenue. And certainly, security does not do those things. It enables those things, but it’s a cost center.

And people are being reactive, essentially, rather than proactive, about this threat?

Yes, and to me, that’s a very short-sighted way to manage. I get it that there needs to be a balance and that you only have X dollars to spend, but I don’t think you should allow this to be put off and become a problem. Now it’s affecting our ability to move forward. So at some point, you need a better barometer.

Is a successful ransomware attack inevitable, or can it be prevented?

The research we’ve seen indicates that if you’re doing the right things, the majority of ransomware attacks can be avoided. But even the brand-new attacks can be avoided or controlled more effectively if you’re doing the right things. If you’re doing all the right things, and it’s a variant of one of these known types of attacks, you can avoid it. If it’s a brand-new attack and we don’t have the signature for it, we can still be more effective at identifying those things, because we now have advanced malware capabilities that look for anonymous as well as known signatures. Most organizations not getting into trouble are doing those things. So maybe the virus or malware gets past their initial defenses, and for a few minutes it’s in the environment and is encrypting file-shares or systems, or locking up systems, or whatever, but with good defenses, it will eventually be detected and stopped. For organizations doing the right things, a small percentage of attacks get through, but they’re able to stop those and be successful. So yes, the majority of attacks can be avoided, and the others we can identify them more quickly and respond accordingly.
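The behaviour McMillan describes in that answer, malware that has already slipped past the perimeter and is rewriting a file share being caught within minutes, is a concrete, automatable check rather than a matter of signatures. What follows is an added example written for this page; it is not from the interview, from CynergisTek, or from any vendor product. It runs a simple burst detector over file-server audit events: an account that writes or renames many files inside a short window, most of them with a changed extension, is flagged. The audit line format, the account and host names, the thresholds and the sample events are all constructed for the example (the .locky extension is borrowed from the Locky family named earlier on this page).

```python
"""Flag ransomware-style write bursts in file-server audit events (added example).

Assumed, constructed log format, one event per line:
    <ISO-8601 timestamp> <user> <host> <op> <path>
where op is WRITE or RENAME and a RENAME path is written "<old>-><new>".
The thresholds are assumptions chosen for the example, not measured values.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60     # sliding window per account (assumed)
MIN_EVENTS = 20         # writes/renames inside the window before alerting (assumed)
MIN_EXT_CHANGES = 15    # of which at least this many changed the extension (assumed)


def parse_event(line):
    """Split one constructed audit line into (timestamp, user, host, op, path)."""
    ts, user, host, op, path = line.split(None, 4)
    return datetime.fromisoformat(ts), user, host, op, path


def extension_changed(op, path):
    """True for a RENAME whose new name carries a different extension than the old one."""
    if op != "RENAME" or "->" not in path:
        return False
    old, new = path.split("->", 1)
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect_bursts(lines, window=WINDOW_SECONDS, min_events=MIN_EVENTS, min_ext=MIN_EXT_CHANGES):
    """Return {user: details} for accounts whose recent activity looks like mass encryption.

    Keeps a per-account deque of (timestamp, extension_changed) covering the last
    `window` seconds and alerts the first time both thresholds are crossed.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, host, op, path = parse_event(line)
        if op not in ("WRITE", "RENAME"):
            continue                     # reads and deletes are not counted here
        q = recent[user]
        q.append((ts, extension_changed(op, path)))
        while q and (ts - q[0][0]) > timedelta(seconds=window):
            q.popleft()                  # drop events that fell out of the window
        ext_changes = sum(1 for _, changed in q if changed)
        if user not in alerts and len(q) >= min_events and ext_changes >= min_ext:
            alerts[user] = {
                "host": host,
                "first_event": q[0][0],
                "events_in_window": len(q),
                "extension_changes": ext_changes,
                "last_path": path,
            }
    return alerts


def constructed_log():
    """Constructed sample: benign clinical edits plus one account mass-renaming a finance share."""
    base = datetime(2016, 3, 1, 9, 0, 0)
    lines = []
    for i in range(10):                  # nurse1: one note a minute, extension unchanged
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} nurse1 ws-042 WRITE \\\\share\\clinical\\note{i}.docx")
    for i in range(25):                  # jdoe: 25 renames to .locky within 25 seconds
        t = base + timedelta(seconds=1 + i)
        old = f"\\\\share\\finance\\q{i}.xlsx"
        lines.append(f"{t.isoformat()} jdoe ws-117 RENAME {old}->{old}.locky")
    return lines


if __name__ == "__main__":
    for user, info in detect_bursts(constructed_log()).items():
        print(f"ALERT {user}@{info['host']}: {info['events_in_window']} writes, "
              f"{info['extension_changes']} extension changes since {info['first_event']}")
```

Run as a script, the sample alerts on jdoe at the twentieth rename, a few seconds into the burst, and never on nurse1. The point of counting extension changes rather than raw writes is to keep a legitimate bulk copy or a nightly export below the threshold; in production the same logic would be fed by the file server's own audit stream and would trigger disabling the account or the share, not just a printout.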

What are the fundamentals for health system leaders to prepare for future, unknown, as-of-yet-unexperienced situations? Because it seems that it is very important to consider all the new, as-of-yet-unexperienced threats that could emerge.

You’re absolutely correct. Once we figure out how to deal with this [ransomware] effectively, the threat will move somewhere else. That’s the never-ending nature of criminal activity, right? You build a better bank, and the criminals figure out some other way to rob you. So healthcare leaders need to understand that this is something that is not going away. It should be elevated to a serious business process that gets leadership attention. If you’re going to use electronic systems to support your business, and are going to rely on data, then you need to understand that this is an ongoing situation that is not going away, and that will evolve over time.

A GAO [Government Accountability Office] report just came out today, an evaluation of the problems encountered around the healthcare.gov website, state by state, with regard to potential problems with criminality. The thing is that this is sophisticated activity that you need to respond to in a sophisticated way. You would never hire a general practitioner to do a heart transplant. And yet that’s how people view data security. And they need to recognize that they’ll never be in a place where they’ll be perpetually secure. So they have to do continuous testing and continuous monitoring of their environment.

18Ransomware and Emerging Cyber Threats: Why It’s More Than Just An IT Problem in Healthcare

18

CUSTOM MEDIA

And this hospital I recently met with, they’re still trying to do this themselves. One guy—a good kid—has been trying to manually monitor a dozen different information systems. And there’s no way he could do all this. And what happened at this hospital is that one of their security systems was disabled. And they never knew that, because he’s sitting there manually trying to look through all these events; and unless that event is configured to be reported, he won’t see it. And that’s what happened. For months, that went undetected.

The solution would have been to have a monitoring service monitoring your systems 24/7—a security operations center, or “SOC.” Because they’re monitoring your service, to make sure that those systems are still communicating with each other. Because if a particular sensor stopped reporting, they would send an alert saying, this sensor is no longer working. As it was, this particular sensor had stopped working in February 2016. And they didn’t know that. And that’s what happens when we’re trying to monitor our own systems.
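The failure described above is a silent log source: a sensor that stops sending events, which nobody notices because no event ever says “I stopped.” The check a SOC runs for this is a liveness test over the sources themselves rather than over their events. The following is an added example, not code from the interview or from any vendor named in this document; the sensor names, the sample log lines and the expected reporting cadences are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample event stream: "<ISO timestamp> <source> <message>".
# Sensor names are hypothetical. "ids-sensor-02" goes quiet after
# 2016-02-03 with no error event, which is the failure mode described
# in the interview.
SAMPLE_EVENTS = """\
2016-02-01T08:00:00 fw-edge-01 ACCEPT tcp 10.0.1.5 -> 10.0.2.9:443
2016-02-01T08:05:00 ids-sensor-02 ALERT policy outbound smb
2016-02-02T09:12:00 fw-edge-01 DENY tcp 10.0.1.7 -> 10.0.2.9:445
2016-02-03T10:00:00 ids-sensor-02 ALERT heartbeat ok
2016-02-04T07:30:00 av-console-01 SCAN completed 1200 hosts
2016-02-05T11:45:00 fw-edge-01 ACCEPT tcp 10.0.1.5 -> 10.0.2.9:443
2016-02-06T12:00:00 av-console-01 SCAN completed 1198 hosts
2016-02-07T09:00:00 fw-edge-01 DENY udp 10.0.1.9 -> 10.0.2.9:53
"""

# Hypothetical reporting cadence per source: how often each sensor is
# expected to emit at least one event. A source that is listed here but
# never appears in the stream is also a finding.
EXPECTED_INTERVAL = {
    "fw-edge-01": timedelta(days=1),
    "ids-sensor-02": timedelta(days=1),
    "av-console-01": timedelta(days=2),
    "edr-agent-gw": timedelta(days=1),
}


def last_seen(log_text):
    """Return {source: latest event timestamp} for every source in the stream."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, _message = line.split(" ", 2)
        t = datetime.fromisoformat(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def find_silent_sources(log_text, expected, now, grace=2.0):
    """Return {source: silence duration} for sources that missed their cadence.

    A source is silent when the time since its last event exceeds
    `grace` times its expected interval; a source with no events at all
    maps to None (it never reported, so there is no last-seen time).
    """
    seen = last_seen(log_text)
    silent = {}
    for source, interval in expected.items():
        last = seen.get(source)
        if last is None:
            silent[source] = None
            continue
        gap = now - last
        if gap > interval * grace:
            silent[source] = gap
    return silent


def alerts(log_text, expected, now):
    """Render the SOC-style 'this sensor is no longer working' alerts."""
    lines = []
    for source, gap in sorted(find_silent_sources(log_text, expected, now).items()):
        if gap is None:
            lines.append(f"ALERT {source}: no events ever received")
        else:
            lines.append(f"ALERT {source}: no events for {gap} (last seen "
                         f"{(now - gap).isoformat()})")
    return lines


if __name__ == "__main__":
    # Constructed evaluation time; in a real SOC this runs on a schedule.
    for line in alerts(SAMPLE_EVENTS, EXPECTED_INTERVAL, datetime(2016, 2, 7, 12)):
        print(line)
```

The point of the `grace` multiplier is to tolerate a quiet sensor (a firewall with no denies over a slow night) without missing one that has actually died; the cadence table is per source because an antivirus console reporting every two days is healthy while an IDS sensor silent for two days is not.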

So you need to employ outside services, essentially?

You need a 24/7 SOC, as I said, really. Think of it this way: an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big; you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.

It’s a failure of management to fail to engage outside services, then, in your view?

Yes, it absolutely is. In the federal government, when I needed to test my systems, someone else had to do it; I couldn’t do it. That was the rule in the Defense Department. In the banking space, they can’t do their own assessments; by mandate, they have to have an independent party do assessments. Same thing in the credit card industry. In every other industry, they’re required to hire someone else. Healthcare is unique in that people are trying to do this themselves.

What will be happening in the data security arena in healthcare in the future?

I think that the threat is going to continue to increase in the future in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.

How are hospitals doing in terms of hiring CISOs [chief information security officers]?

I definitely think that hospitals are getting it, and that they’re trying to hire good people. It’s going to take a while for a couple of reasons: number one, there aren’t enough people to go around with the right skills. It’s hard to find the people. Second, there’s still a little bit of a challenge in understanding what they’re going to have to pay those resources. I was talking earlier this week to a large health system looking to hire a CISO, and they were talking to a recruiting firm, and they were absolutely shocked at the salary requirements involved. They thought they were going to hire a $150,000-200,000 resource, but according to the recruiters, from what I heard, for the average business of that size and complexity, they typically are placing CISOs at $400,000-600,000. So the gap there was huge.


I think it’s worth it to pay someone $500,000 a year to prevent even one $1 million ransomware attack from succeeding, right?

Well, that’s what the recruiter said. And if people are coming out of other industries, that’s what they’re going to expect to be paid. And look at the breaches with Anthem, Premera, and Community Health. We’re talking about tens of millions of dollars—and you’re quibbling about $500,000? Now, $500,000 at a smaller hospital, that’s not gonna fly. But I can tell you, security people are not cheap. And the reason the cost of security is going up is that it’s tough to find qualified people, and when you do, you have to pay them well.

On a scale of 1-10 on the scale of optimism/pessimism [with 10 most optimistic], where are you right now?

I’m probably somewhere between a 5 and a 7. I believe in this industry. And I believe that it will do the right thing. The question is, how fast will it do it? And my concern is that we’re not moving fast enough to avoid some of the pain that we don’t have to experience.

Is there anything else you’d like to add?

I think it really does come down to the fact that we just have to make security a priority. And for what it’s worth, I don’t believe you can say it’s a priority in your organization until you resource it properly. Having platitudes and making speeches doesn’t mean something is a priority. When an organization puts resources to something, that’s when it’s a priority. So show me the resources, and I’ll believe you.