CUSTOMMEDIA
Sponsored by
Ransomware and
Emerging Cyber Threats:
Why It’s More Than Just
An IT Problem in Healthcare
Table of Contents
Ransomware Attacks Will Become Common in 2016; Threats are Under Combatted and Highly Profitable
Are CIOs and CISOs Behind the Curve on Data Security? Results of a New Survey Say Yes
Overcoming the Data Security Threat Tsunami
About Symantec & ITS
Additional Resources
Ransomware Attacks Will Become Common
in 2016; Threats are Under Combatted and
Highly Profitable
Heather Landi
While the ransomware breach at Hollywood Presbyterian Medical Center in Los Angeles may seem like an
unfortunate, yet isolated, incident, a new report from the Institute for Critical Infrastructure Technology (ICIT)
warns that ransomware threats will likely escalate this year.
According to the ICIT report, 2016 will be the year ransomware will “wreak havoc on America’s critical
infrastructure community.” “To pay or not to pay,” will be the question fueling heated debate in boardrooms
across the country, according to the report authors: James Scott, ICIT senior fellow and Drew Spaniel, ICIT
visiting scholar from Carnegie Mellon University.
ICIT is a non-profit think tank that advises decision makers on technology and cybersecurity trends
in infrastructure sectors including government, defense and healthcare. The report gives an analysis of the
ransomware threat as well as the attacker and targets and provides mitigation strategies.
“Ransomware is less about technological sophistication and more about exploitation of the human element.
Simply, it is a digital spin on a centuries old criminal tactic,” the authors stated.
The report authors also tapped into cybersecurity research contributed by security firms, such as Kaspersky,
Covenant Security Solutions, Securonix, Forcepoint, GRA Quantum and Trend Micro, for insights into
ransomware attacks. These security firms predict a dominant resurgence of ransomware attacks this year,
according to the report, and already healthcare organizations have been targeted, such as the incident at
Hollywood Presbyterian Medical Center.
“The healthcare sector was not a traditional target for ransomware attacks. One theory is that attackers
did not target systems that jeopardized lives,” Scott and Spaniel wrote. However, they noted, recently, that
mentality has changed for at least the group operating the Locky ransomware as evidenced by the incident
at Hollywood Presbyterian Medical Center.
The report authors point out that cyber threat actors are using ransomware attacks because these attacks
are “under combatted and highly profitable.” And, unlike hackers who attempt to exfiltrate or manipulate
data, ransomware criminals only attempt to prevent access to data. During an active ransomware attack,
business operations grind to a halt until the system is restored or replaced.
And, with the prevalence of mobile devices and the growth of the Internet of Things (IoT), the “potential
threat landscape available to ransomware threat actors is too tantalizing a target to ignore.” Consequently,
“Information security specialists and the technical controls that they implement must become adaptable,
responsive, and resilient to combat emerging threats,” Scott and Spaniel wrote.
How profitable is ransomware? According to research provided by security firms, creating a phishing page
and setting up a mass spam email costs about $150. “A trendy crypto ransomware sells for about $2000 on
dark net forums. Locker ransomware probably costs less. This means that an attacker only needs to ransom
eight everyday users (at the average $300) to generate a profit,” the authors wrote.
“Symantec estimated that in 2009, 2.9 percent of the victims paid the ransom. In 2014, CTU researchers
estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average
of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints,
Cryptowall reportedly netted over $18 million from victims between 2014-2015.”
The report specifically details the types of ransomware, such as locker ransomware and crypto ransomware,
with the Locky ransomware being an active example and the type that infected medical systems belonging
to Hollywood Presbyterian Medical Center. In that incident, while healthcare data remained unaffected,
computers essential to laboratory work, CT scans, emergency room systems and pharmacy operations
were infected.
“After ten days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week,
five computers belonging to the Los Angeles County health department were infected with a ransomware
variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly,
two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian
Medical Center. Both are restoring their systems from backup systems,” Scott and Spaniel wrote.
Scott and Spaniel also highlight that ransomware follows the same distribution and infection vectors,
or delivery channels, as traditional malware such as traffic distribution services, malvertisement, phishing
emails, downloaders, social engineering and ransomware as a service (RaaS).
The authors also detail mitigation strategies noting that “preventing infection is preferred over remediation efforts.”
“The first step to mitigating a ransomware threat is to implement a comprehensive cybersecurity strategy,”
the authors stated. “Software and hardware solutions are necessary, but they are not the only necessity. First
and foremost, information security training and awareness must improve. Afterward, organizations can rely
on the layered defenses that they have invested in to secure their network.”
The report recommends that organizations have a dedicated information security team to ensure all systems
are updated and patched and that critical systems are backed up. Organizations also should have
layered defenses to protect networks. And, personnel training and awareness are critical as information
security experts often cite that “humans are the weakest link.”
“Employees should be trained to recognize a malicious link or attachment. There is no justifiable reason that
most organizations cannot reduce their personnel’s malicious link click rate below 15 percent,” the authors
stated. “Teach employees to not click on any links in any emails. It takes barely any more time to type a link
into Google as it does to click the link. Personnel should only open attachments from personnel that they
trust and only if they are expecting the file.”
Healthcare leaders also should focus on administrative policies and procedures to strengthen cyber defense
and consider cyber insurance policies that cover ransomware attacks.
When a compromise does occur, the ICIT report recommends that organizations disengage from communicating
with the attacker until the situation is thoroughly assessed and a course of action decided.
“The proper response will depend on the risk appetite of the organization, the potential impact of the hostage
data, the impact on business continuity, whether a redundant system is available, and the sectorial
regulatory requirements,” Scott and Spaniel wrote.
The report authors concluded that the enlistment of an information security team is the first step in a companywide
security strategy. And, the information security team should, at minimum, “conduct an immediate
companywide vulnerability analysis, develop a crisis management strategy that takes into consideration all
known threats and also conduct continuous device and application patching, auditing of third party vendors
and agreements as well as organizational penetration testing and security centric technological upgrades.”
“Together, these actions can profoundly minimize a company’s attack surface,” the authors stated.
Are CIOs and CISOs Behind the Curve on Data
Security? Results of a New Survey Say Yes
Mark Hagland
David Finn, the health IT officer at Symantec, discusses the results of a new
survey of CIOs on data security, and its implications for the next few years
With all the recent headlines and developments around data security breaches, hacking incidents, and even
ransomware attempts, hitting U.S. patient care organizations, one might think that CIOs, their fellow c-suite
executives, and hospital and medical group boards of directors might be farther along on their data cybersecurity
journey. In fact, a new survey-based study has found, there is real reason for concern. Leaders from
HIMSS Analytics, a division of the Chicago-based Healthcare Information & Management Systems Society,
and from the Mountain View, Calif.-based Symantec, released the results of a new study, entitled 
“Healthcare IT Security and Risk Management Study.” David Finn, the health IT officer at Symantec, released
and described some of the results on Wednesday, March 2, 2016 on the exhibit floor of the Sands Expo
in Las Vegas, during HIMSS16.
The survey was conducted online in December 2015, and received 115 online respondents. Then interviewers
pursued 10 phone interviews with CIOs and other healthcare IT leaders, in order to obtain more richness
of detail from the online survey results.
With regard to the respondents, 38.3 percent represent hospitals and health systems with 501 or more beds;
26.2 percent represent hospitals and health systems with 251-500 beds; 36.5 percent represent hospitals
and health systems with 101-250 beds; and none represent hospitals and health systems with fewer than 100 beds.
Among the numerous important findings:
When asked what percentage of their total IT budget (operating and capital) is devoted to IT security,
51.6 percent said 0-3 percent; 28.6 percent said 4-6 percent; 9.9 percent said 7-10 percent; and 9.9
percent said more than 10 percent.
Asked how many employees from both inside and outside IT are allocated to IT security in their
organization, the results were as follows: fewer than 1 inside IT, 12.0 percent, fewer than 1 outside
IT, 55.9 percent; 1-5 inside IT, 60.2 percent, 1-5 outside IT, 32.5 percent; 6-10 inside IT, 10.2 percent,
6-10 outside IT, 2.9 percent; 11-20 inside IT, 8.3 percent, 11-20 outside IT, 20.0 percent; 21-30 inside
IT, 3.7 percent, 21-30 outside IT, 1.0 percent; more than 30 inside IT, 5.6 percent, more than 30 outside
IT, 5.9 percent.
The adjusted total average number of IT employees devoted to IT security was 9.9 FTEs.
With regard to how often IT security was discussed at their organizations’ board meetings, 53.9
percent said it was discussed “upon request of the board or executive management”; 20.9 percent
said, “at most board meetings”; 10.4 percent said, “at every board meeting”; 7.8 percent said,
“never”; and 7.0 percent said, “other.”
Unfortunately, only 46.09 percent of respondents are currently addressing data security threats potentially
coming through their organizations’ medical devices, though 33.04 percent are “beginning”
to do so, and another 16.52 percent “plan to do so.” The percentages of respondents whose
organizations are already addressing IT security on mobile devices and on cloud-based applications
are higher, at 69.57 percent and 61.74 percent, respectively.
Finn, a former hospital CIO, spoke with HCI Editor-in-Chief Mark Hagland regarding the study. Below are
excerpts from that interview.
There are a lot of significant results to talk about from this survey and study. Were you surprised by
any of the results involved?
You know, that’s a great question. We get that asked a lot. And honestly, since I’ve been doing this for so
long, the only surprising thing is, here we are 13 years down the road from the privacy act, and 11 years
down the road from the security act, and the only thing surprising to me is that we still haven’t done very
much, substantively speaking.
We haven’t addressed some of the real issues like medical devices; and we still haven’t addressed issues
like cloud and mobile devices. And we still approach it from this kind of “check-the-box” perspective, as
though it’s a compliance issue, and compliance doesn’t protect you, you’ve still got to be secure.
The now-infamous ransomware situation unfolded at Hollywood-Presbyterian Medical Center after
the survey had been completed. What do you think of that situation in the context of the survey/study?
I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers.
And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are
not purely Symantec customers, they also have other products. And they all made it through those ransomware
attempts; one struggled, but they all made it through. And there was some bashing about Hollywood
Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian
paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of
patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really
needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.
What do CIOs need to do to get their fellow c-suite leaders engaged around data security right now?
The issue is, the IT people do see this as an IT issue, and there is an IT issue, of course, and if IT folks don’t
effectively run anti-virus and anti-malware programs and address patch issues, and maintain good firewalls,
and all that—well, all that is necessary, of course. But the problem is that IT people so often don’t explain the
problem well in terms of the business issues involved.
I’ll tell you a story from when I was a CIO. We went through a network upgrade at one point, and we needed
to upgrade a number of Pyxis (medication dispensing) cabinets in order to keep our network updated. So I
had my CTO address the issue with our information management governance committee. But he came back
to me and told me we hadn’t gotten the money we needed, which was $325,000. That may sound like a lot,
but my annual budget was $20 million, so it wasn’t a huge amount. My CTO had focused on the need to
upgrade systems, etc.; in other words, he had spoken in [technocratic] terms.
So I took him with me and we went and spent some time with a nurse manager. And what we ended up
with was good data on the real costs involved in loss of productivity from non-replacement of those cabinets.
We found out what the time lag would be if a cabinet couldn’t be unlocked in a timely way. Ultimately, the
costs around loss of productivity meant that the hospital would have to hire more nursing staff, and the
numbers added up. So I went back and said, this is the additional cost to the nursing budget. So needless
to say, we left the meeting without even having to ask for the money. So this is what CIOs need to do: they
need to be able to translate the costs [of non-investment in IT into specific costs] for the clinicians and executives.
Another survey result was that only 19.9 percent of respondents reported that more than 6 percent
of their organization’s total IT budget was being spent on data security. Do you think that that proportion
will change anytime soon?
We are starting to see an uptick in 2016 spending, and most other surveys are seeing that. But if you look at
that, over half of respondents were spending 3 percent or less. And what we find is that federal government
officials say that 16 percent of their IT spend goes to IT security. And in the financial services sector, we
see 12-16 percent on average. So at 3 percent, we’re never going to be secure. And we have much more
valuable data than some other industries. And so who are the bad guys going to go to? I think we see the
answer to that.
Another significant survey result was that on average, most organizations have fewer than five employees
dedicated to data security.
Yes, there are two pieces to that. The first reaction I get from people [when they hear how few staff are
dedicated to data security nationwide] is that they conclude that we’re talking about small hospital organizations.
But 60 percent of our respondents were from organizations with over 250 beds, and 38 percent were
over 500 beds. So these are not critical-access hospitals.
Will that change soon?
Well, we’re actually starting to see security people embedded in [a variety of] business units. That’s why we
asked about security people inside and outside of IT. I’m aware of a couple of hospitals requiring that the
business units in revenue cycle and other areas hire someone to do IT security within the unit rather than IT.
I was a little surprised that the numbers were so small outside IT, but I think it’s the beginning of a trend.
So yes, I was surprised that it was still five or fewer for the most part. And we don’t have a clear idea whether
they’re referring to parts of an FTE; and in fact, that may actually be true. You know, often, they have a
network guy who does half-time firewall and half-time network support.
One survey result was that CIOs seemed to be more focused on broad strategy than on end-user
education. Would you agree that that is a problem?
It’s a big problem, and even though a high-ranking security strategy sounds good, what’s clear from an additional
survey result is that the regular education of end-users is still a relatively low priority. And it’s quite disturbing
that cybersecurity for end-users was the lowest-rated of several priorities. The level of training was a
little higher, but it’s annual end-user training. And we know that the once-a-year, 40-minute, training doesn’t
do very much. But the reality is that every end-user needs to be a security person. And we found that in the
nuance in the in-depth interviews that most of the training is once-a-year stuff. A lot are doing phishing testing
of staff, and that’s a good thing, but they need to do more, and do it more regularly.
What did you think about the results around how often data security is discussed at board meetings?
That result looks good, until you realize it’s on request, and that only 10 percent are doing it at every board
meeting. And if we’re saying that cybersecurity strategy is key for the organization and that cybersecurity is
a function of the business, which it should be these days, I believe that every board should get a financial/
spending report and also a quality/adverse event report, at every board meeting. They’re not getting
cybersecurity reports at every board meeting, because it’s not actually as important as their CIO or CISO
tells us it is. And for the CEO or board to be ignoring it means that there’s a huge disconnect there.
Given all of these results, what should CIOs be doing right now?
The first thing is that whether the CIO or CISO or ideally, both of them together, are involved, they need to
go to the board and put in a plan for IT security governance, and the governance committee has to include
stakeholder leaders from across the entire organization. And it has to include additional tools, spending,
and head count. The other thing is that that governance group has to include medical device security now.
We found that over half of organizations were either just beginning to address, or were planning to address,
medical devices. We saw medical devices being used as points of entry for bad stuff. The bad guys have
figured out how to use medical devices to get access to data through the network using that device.
How would you characterize your level of optimism or pessimism around all this, on a scale from 0 to 10?
That is a tough question. I frankly am not optimistic, in the sense that I believe things are still going to get
worse before we change our focus and context. All is not lost; I’m not ready to jump off the top of a tall
building. We haven’t hit bottom yet. We should have, after Anthem and after HP, those were clarion calls, the
message was pretty clear; but I don’t think we’ve figured it out yet.
Is there anything else you’d like to add?
CIOs and CISOs didn’t even understand the threat environment, how dangerous it is, until recently. But I
think they realize that everything is out the window, and we need to refocus away from protecting devices,
but instead protect the data. People are stealing credentials to get in. What’s more, we still don’t fully
understand the data flows, how data flows into the organization, through it, and out of it. And the IT folks are
finally beginning to understand that compliance means that you’re compliant, but it doesn’t mean you’re
secure. And we’ve got to get some of these compliance and risk managers involved, and looking at the
actual risk. We need to change our perspective into one that’s not IT-based, but based on the business, and
on the engagement of top stakeholders in the organization.
Overcoming the Data Security Threat Tsunami
Mark Hagland
CynergisTek’s Mac McMillan offers his perspectives on data’s biggest concerns
Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, is a very well-known figure
in healthcare IT, and a widely respected healthcare IT security expert. Recently, he spoke with HCI 
Editor-in-Chief Mark Hagland regarding some of the most important—and pressing—developments in data
security right now in U.S. healthcare. Below are excerpts from that interview.
It was great to speak with you when we were both in Las Vegas participating in HIMSS16. Did you find
anything surprising at the 2016 HIMSS Conference? Did anything you see or hear at the conference
change your mind about anything? We spoke at HIMSS after the now-infamous Hollywood Presbyterian
Medical Center ransomware incident.
I don’t think there was anything that changed my mind. But one thing that struck me was that there certainly
was a higher sense of urgency around these advanced threats in healthcare. And a lot of people had either
been hit by an advanced threat—either ransomware or a virus—or they knew someone who had been. And
everybody wanted to know what to do to avoid it, because it was becoming a big issue. And that hasn’t
stopped. It was non-stop from just before HIMSS, through HIMSS, and after HIMSS.
Every week now—I don’t visit a hospital now that doesn’t say to me, we’ve had two or three ransomware
attacks or incidents. And in most cases, they also know of the experiences of folks in their local area. And
the number of incidents that actually get reported versus the number of incidents that are occurring, is tiny
—it’s like an iceberg phenomenon.
The good news is that most of these ransomware incidents are not turning out to be debilitating for hospitals,
but they’re certainly causing a loss of time and a lot of costs, and anxiety, and are causing a tremendous
amount of anxiety in our IT people. No one wants to be the hospital that goes down and is incapable
of delivering services.
The appropriate resources have to be devoted to this. I was talking to a COO yesterday, and that COO’s
hospital had just had two incidents. And there were several things we had recommended to them over a year
ago, and they hadn’t done them. And his CIO readily admitted that they needed to do something about it.
And do we really have to hurt, do we really have to have the pain, before we do something?
What is at the core of the poor handling of these incidents by some leaders of some patient care organizations?
Is it a lack of vision, strategy, tactics, resources?
At the end of the day, a hospital is a business. And there are things that they’re trying to do with their
resources that enhance the business and grow the revenue. And certainly, security does not do those things.
It enables those things, but it’s a cost center.
And people are being reactive, essentially, rather than proactive, about this threat?
Yes, and to me, that’s a very short-sighted way to manage. I get it that there needs to be a balance and that
you only have X dollars to spend, but I don’t think you should allow this to be put off and become a problem.
Now it’s affecting our ability to move forward. So at some point, you need a better barometer.
Is a successful ransomware attack inevitable, or can it be prevented?
The research we’ve seen indicates that if you’re doing the right things, the majority of ransomware attacks
can be avoided. But even the brand-new attacks can be avoided or controlled more effectively if you’re
doing the right things. If you’re doing all the right things, and it’s a variant of one of these known types
of attacks, you can avoid it. If it’s a brand-new attack and we don’t have the signature for it, we can still be
more effective at identifying those things, because we now have advanced malware capabilities that look for
anonymous as well as known signatures. Most organizations not getting into trouble are doing those things.
So maybe the virus or malware gets past their initial defenses, and for a few minutes it’s in the environment
and is encrypting file-shares or systems, or locking up systems, or whatever, but with good defenses, it will
eventually be detected and stopped. For organizations doing the right things, a small percentage of attacks
get through, but they’re able to stop those and be successful. So yes, the majority of attacks can be avoided,
and the others we can identify them more quickly and respond accordingly.
What are the fundamentals for health system leaders to prepare for future, unknown, as of yet
unexperienced, situations? Because it seems that it is very important to consider all the new,
as-of-yet-unexperienced, threats that could emerge.
You’re absolutely correct. Once we figure out how to deal with this [ransomware] effectively, the threat will
move somewhere else. That’s the never-ending nature of criminal activity, right? You build a better bank, and
the criminals figure out some other way to rob you. So healthcare leaders need to understand that this is
something that is not going away. It should be elevated to a serious business process that gets leadership
attention. If you’re going to use electronic systems to support your business, and are going to rely on data,
then you need to understand that this is an ongoing situation that is not going away, and that will evolve over time.
A GAO [General Accounting Office] report just came out today. An evaluation of the problems encountered
around the healthcare.gov website, state by state, with regard to potential problem with criminality. The thing
is that this is sophisticated activity that you need to respond to in a sophisticated way. You would never hire
a general practitioner to do a heart transplant. And yet that’s how people view data security. And they need
to recognize that they’ll never be in a place where they’ll be perpetually secure. So they have to do continuous
testing and continuous monitoring of their environment.
And this hospital I recently met with, they’re still trying to do this themselves. One guy—a good kid—has
been trying to manually monitor a dozen different information systems. And there’s no way he could do all
this. And what happened at this hospital is that one of their security systems was disabled. And they never
knew that, because he’s sitting there manually trying to look through all these events; and unless that event
is configured to be reported, he won’t see it. And that’s what happened. For months, that went undetected.
The solution would have been to have a monitoring service monitoring your systems 24/7—a security
operations center, or “SOC.” Because they’re monitoring your service, to make sure that those systems are
still communicating with each other. Because if a particular sensor stopped reporting, they would send an
alert saying, this sensor is no longer working. As it was, this particular sensor had stopped working in
February 2016. And they didn’t know that. And that’s what happens when we’re trying to monitor our own systems.
So you need to employ outside services, essentially?
You need a 24/7 SOC, as I said, really. Think of it this way: an average, medium-sized hospital probably is
producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good
enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on.
The problem is too big; you can’t do it yourself. This notion that we can test ourselves, that we can monitor
our environment, has got to go away. We need those independent, objective experts to do this for us and
identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year
across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s
working at a single hospital. And to take advantage of that experience—that’s what we need to do.
It’s a failure of management to fail to engage outside services, then, in your view?
Yes, it absolutely is. In the federal government, when I needed to test my systems, someone else had to do
it, I couldn’t do it; that was the rule in the Defense Department. In the banking space, they can’t do their own
assessments, by mandate, they have to have an independent party do assessments; same thing in the credit
card industry. In every other industry, they’re required to hire someone else. Healthcare is unique in that
people are trying to do this themselves.
What will be happening in the data security arena in healthcare in the future?
I think that the threat is going to continue to increase in the future in a big way. As we become more of a
knowledge-based society, more and more responsibility will fall onto technology and data. So this makes
sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware
attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking
vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.
How are hospitals doing in terms of hiring CISOs [chief information security officers]?
I definitely think that hospitals are getting it, and that they’re trying to hire good people. It’s going to take a
while for a couple of reasons: number one, there aren’t enough people to go around with the right skills.
It’s hard to find the people. Second, there’s still a little bit of a challenge in understanding what they’re going
to have to pay those resources. I was talking earlier this week to a large health system looking to hire a
CISO, and they were talking to a recruiting firm, and they were absolutely shocked at the salary requirements
involved. They thought they were going to hire a $150,000-200,000 resource, but according to the recruiters
from what I heard, for the average business of that size and complexity, they typically are placing CISOs at
$400,000-600,000. So the gap there was huge.
I think it’s worth it to pay someone $500,000 a year to prevent even one $1 million ransomware attack
from succeeding, right?
Well, that’s what the recruiter said. And if people are coming out of other industries, that’s what they’re going
to expect to be paid. And look at the breaches with Anthem, Premera, and Community Health. We’re talking
about tens of millions of dollars—and you’re quibbling about $500,000? Now, $500,000 at a smaller hospital,
that’s not gonna fly. But I can tell you, security people are not cheap. And the reason the cost of security is
going up is that it’s tough to find qualified people, and when you do, you have to pay them well.
On a scale of 1-10 on the scale of optimism/pessimism [with 10 most optimistic], where are you right
now?
I’m probably somewhere between a 5 and a 7. I believe in this industry. And I believe that it will do the right
thing. The question is, how fast will it do it? And my concern is that we’re not moving fast enough to avoid
some of the pain that we don’t have to experience.
Is there anything else you’d like to add?
I think it really does come down to the fact that we just have to make security a priority. And for what it’s
worth, I don’t believe you can say it’s a priority in your organization until you resource it properly. Having platitudes
and making speeches doesn’t mean something is a priority. When an organization puts resources to
something, that’s when it’s a priority. So show me the resources, and I’ll believe you.
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem in Healthcare

  • 1. CUSTOMMEDIA Sponsored by Ransomware and Emerging Cyber Threats: Why It’s More Than Just An IT Problem in Healthcare
  • 2. Table of Contents
    03 Ransomware Attacks Will Become Common in 2016; Threats are Under Combatted and Highly Profitable
    07 Are CIOs and CISOs Behind the Curve on Data Security? Results of a New Survey Say Yes
    15 Overcoming the Data Security Threat Tsunami
    21 About Symantec & ITS
    22 Additional Resources
  • 3. Ransomware Attacks Will Become Common in 2016; Threats are Under Combatted and Highly Profitable
    Heather Landi
    While the ransomware breach at Hollywood Presbyterian Medical Center in Los Angeles may seem like an unfortunate, yet isolated, incident, a new report from the Institute for Critical Infrastructure Technology (ICIT) warns that ransomware threats will likely escalate this year.
    According to the ICIT report, 2016 will be the year ransomware will “wreak havoc on America’s critical infrastructure community.” “To pay or not to pay,” will be the question fueling heated debate in boardrooms across the country, according to the report authors: James Scott, ICIT senior fellow and Drew Spaniel, ICIT visiting scholar from Carnegie Mellon University.
    ICIT is a non-profit think tank that advises decision makers on technology and cybersecurity trends in infrastructure sectors including government, defense and healthcare. The report gives an analysis of the ransomware threat as well as the attacker and targets and provides mitigation strategies.
    “Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic,” the authors stated.
    The report authors also tapped into cybersecurity research contributed by security firms, such as Kaspersky, Covenant Security Solutions, Securonix, Forcepoint, GRA Quantum and Trend Micro, for insights into ransomware attacks. These security firms predict a dominant resurgence of ransomware attacks this year, according to the report, and already healthcare organizations have been targeted, such as the incident at Hollywood Presbyterian Medical Center.
  • 4. “The healthcare sector was not a traditional target for ransomware attacks. One theory is that attackers did not target systems that jeopardized lives,” Scott and Spaniel wrote. However, they noted that this mentality has recently changed, at least for the group operating the Locky ransomware, as evidenced by the incident at Hollywood Presbyterian Medical Center.
    The report authors point out that cyber threat actors are using ransomware attacks because these attacks are “under combatted and highly profitable.” Unlike hackers who attempt to exfiltrate or manipulate data, ransomware criminals only attempt to prevent access to data, and during an active ransomware attack, business operations grind to a halt until the system is restored or replaced.
    With the prevalence of mobile devices and the growth of the Internet of Things (IoT), the “potential threat landscape available to ransomware threat actors is too tantalizing a target to ignore.” Consequently, “Information security specialists and the technical controls that they implement must become adaptable, responsive, and resilient to combat emerging threats,” Scott and Spaniel wrote.
    How profitable is ransomware? According to research provided by security firms, creating a phishing page and setting up a mass spam email costs about $150. “A trendy crypto ransomware sells for about $2000 on dark net forums. Locker ransomware probably costs less. This means that an attacker only needs to ransom eight everyday users (at the average $300) to generate a profit,” the authors wrote. “Symantec estimated that in 2009, 2.9 percent of the victims paid the ransom. In 2014, CTU researchers estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints, Cryptowall reportedly netted over $18 million from victims between 2014-2015.”
    The report specifically details the types of ransomware, such as locker ransomware and crypto ransomware, with the Locky ransomware being an active example and the type that infected medical systems belonging to Hollywood Presbyterian Medical Center. In that incident, while healthcare data remained unaffected,
  • 5. computers essential to laboratory work, CT scans, emergency room systems and pharmacy operations were infected.
    “After ten days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center. Both are restoring their systems from backup systems,” Scott and Spaniel wrote.
    Scott and Spaniel also highlight that ransomware follows the same distribution and infection vectors, or delivery channels, as traditional malware, such as traffic distribution services, malvertisement, phishing emails, downloaders, social engineering and ransomware as a service (RaaS).
    The authors also detail mitigation strategies, noting that “preventing infection is preferred over remediation efforts.”
    “The first step to mitigating a ransomware threat is to implement a comprehensive cybersecurity strategy,” the authors stated. “Software and hardware solutions are necessary, but they are not the only necessity. First and foremost, information security training and awareness must improve. Afterward, organizations can rely on the layered defenses that they have invested in to secure their network.”
    The report recommends that organizations have a dedicated information security team to ensure all systems are updated and patched and that critical systems are backed up. Organizations also should have layered defenses to protect networks.
    Personnel training and awareness are also critical, as information security experts often cite that “humans are the weakest link.”
    “Employees should be trained to recognize a malicious link or attachment. There is no justifiable reason that most organizations cannot reduce their personnel’s malicious link click rate below 15 percent,” the authors stated. “Teach employees to not click on any links in any emails. It takes barely any more time to type a link into Google as it does to click the link. Personnel should only open attachments from personnel that they trust and only if they are expecting the file.”
  • 6. Healthcare leaders also should focus on administrative policies and procedures to strengthen cyber defense and consider cyber insurance policies that cover ransomware attacks.
    When a compromise does occur, the ICIT report recommends that organizations disengage from communicating with the attacker until the situation is thoroughly assessed and a course of action decided.
    “The proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements,” Scott and Spaniel wrote.
    The report authors concluded that the enlistment of an information security team is the first step in a companywide security strategy. The information security team should, at minimum, “conduct an immediate companywide vulnerability analysis, develop a crisis management strategy that takes into consideration all known threats and also conduct continuous device and application patching, auditing of third party vendors and agreements as well as organizational penetration testing and security centric technological upgrades.”
    “Together, these actions can profoundly minimize a company’s attack surface,” the authors stated.
  • 7. Are CIOs and CISOs Behind the Curve on Data Security? Results of a New Survey Say Yes
    Mark Hagland
    David Finn, the health IT officer at Symantec, discusses the results of a new survey of CIOs on data security, and its implications for the next few years
    With all the recent headlines and developments around data security breaches, hacking incidents, and even ransomware attempts hitting U.S. patient care organizations, one might think that CIOs, their fellow c-suite executives, and hospital and medical group boards of directors might be farther along on their data cybersecurity journey. In fact, a new survey-based study has found, there is real reason for concern.
    Leaders from HIMSS Analytics, a division of the Chicago-based Healthcare Information & Management Systems Society, and from the Mountain View, Calif.-based Symantec, released the results of a new study, entitled “Healthcare IT Security and Risk Management Study.” David Finn, the health IT officer at Symantec, released and described some of the results on Wednesday, March 2, 2016 on the exhibit floor of the Sands Expo in Las Vegas, during HIMSS16.
    The survey was conducted online in December 2015, and received 115 online respondents. Interviewers then conducted 10 phone interviews with CIOs and other healthcare IT leaders, in order to obtain more richness of detail from the online survey results.
    With regard to the respondents, 38.3 percent represent hospitals and health systems with 501 or more beds; 26.2 percent represent hospitals and health systems with 251-500 beds; 36.5 percent represent hospitals and health systems with 101-250 beds; and none represent hospitals and health systems with fewer than 100 beds.
  • 8. Among the numerous important findings:
    When asked what percentage of their total IT budget (operating and capital) is devoted to IT security, 51.6 percent said 0-3 percent; 28.6 percent said 4-6 percent; 9.9 percent said 7-10 percent; and 9.9 percent said more than 10 percent.
    Asked how many employees from both inside and outside IT are allocated to IT security in their organization, the results were as follows: fewer than 1 inside IT, 12.0 percent, fewer than 1 outside IT, 55.9 percent; 1-5 inside IT, 60.2 percent, 1-5 outside IT, 32.5 percent; 6-10 inside IT, 10.2 percent, 6-10 outside IT, 2.9 percent; 11-20 inside IT, 8.3 percent, 11-20 outside IT, 20.0 percent; 21-30 inside IT, 3.7 percent, 21-30 outside IT, 1.0 percent; more than 30 inside IT, 5.6 percent, more than 30 outside IT, 5.9 percent. The adjusted total average number of IT employees devoted to IT security was 9.9 FTEs.
    With regard to how often IT security was discussed at their organizations’ board meetings, 53.9 percent said it was discussed “upon request of the board or executive management”; 20.9 percent said, “at most board meetings”; 10.4 percent said, “at every board meeting”; 7.8 percent said, “never”; and 7.0 percent said, “other.”
    Unfortunately, only 46.09 percent of respondents are currently addressing data security threats potentially coming through their organizations’ medical devices, though 33.04 percent are “beginning” to do so, and another 16.52 percent “plan to do so.” The percentages of respondents whose organizations are already addressing IT security on mobile devices and on cloud-based applications are higher, at 69.57 percent and 61.74 percent, respectively.
  • 9. Finn, a former hospital CIO, spoke with HCI Editor-in-Chief Mark Hagland regarding the study. Below are excerpts from that interview.
    There are a lot of significant results to talk about from this survey and study. Were you surprised by any of the results involved?
    You know, that’s a great question. We get that asked a lot. And honestly, since I’ve been doing this for so long, the only surprising thing is, here we are 13 years down the road from the privacy act, and 11 years down the road from the security act, and the only thing surprising to me is that we still haven’t done very much, substantively speaking. We haven’t addressed some of the real issues like medical devices; and we still haven’t addressed issues like cloud and mobile devices. And we still approach it from this kind of “check-the-box” perspective, as though it’s a compliance issue, and compliance doesn’t protect you, you’ve still got to be secure.
    The now-infamous ransomware situation unfolded at Hollywood-Presbyterian Medical Center after the survey had been completed. What do you think of that situation in the context of the survey/study?
    I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers. And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are not purely Symantec customers, they also have other products. And they all made it through those ransomware attempts; one struggled, but they all made it through. And there was some bashing about Hollywood Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.
  • 10. What do CIOs need to do to get their fellow c-suite leaders engaged around data security right now?
    The issue is, the IT people do see this as an IT issue, and there is an IT issue, of course, and if IT folks don’t effectively run anti-virus and anti-malware programs and address patch issues, and maintain good firewalls, and all that—well, all that is necessary, of course. But the problem is that IT people so often don’t explain the problem well in terms of the business issues involved.
    I’ll tell you a story from when I was a CIO. We went through a network upgrade at one point, and we needed to upgrade a number of Pyxis (medication dispensing) cabinets in order to keep our network updated. So I had my CTO address the issue with our information management governance committee. But he came back to me and told me we hadn’t gotten the money we needed, which was $325,000. That may sound like a lot, but my annual budget was $20 million, so it wasn’t a huge amount. My CTO had focused on the need to upgrade systems, etc.; in other words, he had spoken in [technocratic] terms.
    So I took him with me and we went and spent some time with a nurse manager. And what we ended up with was good data on the real costs involved in loss of productivity from non-replacement of those cabinets. We found out what the time lag would be if a cabinet couldn’t be unlocked in a timely way. Ultimately, the costs around loss of productivity meant that the hospital would have to hire more nursing staff, and the numbers added up. So I went back and said, this is the additional cost to the nursing budget. So needless to say, we left the meeting without even having to ask for the money. So this is what CIOs need to do: they need to be able to translate the costs [of non-investment in IT into specific costs] for the clinicians and executives.
  • 11. Another survey result was that only 19.9 percent of respondents reported that more than 6 percent of their organization’s total IT budget was being spent on data security. Do you think that that proportion will change anytime soon?
    We are starting to see an uptick in 2016 spending, and most other surveys are seeing that. But if you look at that, over half of respondents were spending 3 percent or less. And what we find is that federal government officials say that 16 percent of their IT spend goes to IT security. And in the financial services sector, we see 12-16 percent on average. So at 3 percent, we’re never going to be secure. And we have much more valuable data than some other industries. And so who are the bad guys going to go to? I think we see the answer to that.
    Another significant survey result was that on average, most organizations have fewer than five employees dedicated to data security.
    Yes, there are two pieces to that. The first reaction I get from people [when they hear how few staff are dedicated to data security nationwide] is that they conclude that we’re talking about small hospital organizations. But 60 percent of our respondents were from organizations with over 250 beds, and 38 percent were over 500 beds. So these are not critical-access hospitals.
    Will that change soon?
    Well, we’re actually starting to see security people embedded in [a variety of] business units. That’s why we asked about security people inside and outside of IT. I’m aware of a couple of hospitals requiring that the business units in revenue cycle and other areas hire someone to do IT security within the unit rather than IT. I was a little surprised that the numbers were so small outside IT, but I think it’s the beginning of a trend. So yes, I was surprised that it was still five or fewer for the most part. And we don’t have a clear idea whether they’re referring to parts of an FTE; and in fact, that may actually be true. You know, often, they have a network guy who does half-time firewall and half-time network support.
  • 12. One survey result was that CIOs seemed to be more focused on broad strategy than on end-user education. Would you agree that that is a problem?
    It’s a big problem, and even though a high-ranking security strategy sounds good, what’s clear from an additional survey result is that the regular education of end-users is still a relatively low priority. And it’s quite disturbing that cybersecurity for end-users was the lowest-rated of several priorities. The level of training was a little higher, but it’s annual end-user training. And we know that the once-a-year, 40-minute, training doesn’t do very much. But the reality is that every end-user needs to be a security person. And we found that in the nuance in the in-depth interviews that most of the training is once-a-year stuff. A lot are doing phishing testing of staff, and that’s a good thing, but they need to do more, and do it more regularly.
    What did you think about the results around how often data security is discussed at board meetings?
    That result looks good, until you realize it’s on request, and that only 10 percent are doing it at every board meeting. And if we’re saying that cybersecurity strategy is key for the organization and that cybersecurity is a function of the business, which it should be these days, I believe that every board should get a financial/spending report and also a quality/adverse event report, at every board meeting. They’re not getting cybersecurity reports at every board meeting, because it’s not actually as important as their CIO or CISO tells us it is. And for the CEO or board to be ignoring it means that there’s a huge disconnect there.
    Given all of these results, what should CIOs be doing right now?
    The first thing is that whether the CIO or CISO or ideally, both of them together, are involved, they need to go to the board and put in a plan for IT security governance, and the governance committee has to include stakeholder leaders from across the entire organization. And it has to include additional tools, spending, and head count. The other thing is that that governance group has to include medical device security now. We found that over half of organizations were either just beginning to address, or were planning to address,
  • 13. medical devices. We saw medical devices being used as points of entry for bad stuff. The bad guys have figured out how to use medical devices to get access to data through the network using that device.
    How would you characterize your level of optimism or pessimism around all this, on a scale from 0 to 10?
    That is a tough question. I frankly am not optimistic, in the sense that I believe things are still going to get worse before we change our focus and context. All is not lost; I’m not ready to jump off the top of a tall building. We haven’t hit bottom yet. We should have, after Anthem and after HP, those were clarion calls, the message was pretty clear; but I don’t think we’ve figured it out yet.
    Is there anything else you’d like to add?
    CIOs and CISOs didn’t even understand the threat environment, how dangerous it is, until recently. But I think they realize that everything is out the window, and we need to refocus away from protecting devices, but instead protect the data. People are stealing credentials to get in. What’s more, we still don’t fully understand the data flows, how data flows into the organization, through it, and out of it. And the IT folks are finally beginning to understand that compliance means that you’re compliant, but it doesn’t mean you’re secure. And we’ve got to get some of these compliance and risk managers involved, and looking at the actual risk. We need to change our perspective into one that’s not IT-based, but based on the business, and on the engagement of top stakeholders in the organization.
  • 14. Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
    TRACK, PURSUE, AND NEUTRALIZE THREATS. The longer threats remain undetected, the more damaging they become. Take control of your information and fight threats on your terms. It’s time to start advancing security. Take the next step at symantec.com/healthcare
  • 15. Overcoming the Data Security Threat Tsunami

    Mark Hagland

    CynergisTek’s Mac McMillan offers his perspectives on data’s biggest concerns

    Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, is a very well-known figure in healthcare IT, and a widely respected healthcare IT security expert. Recently, he spoke with HCI Editor-in-Chief Mark Hagland regarding some of the most important—and pressing—developments in data security right now in U.S. healthcare. Below are excerpts from that interview.

    It was great to speak with you when we were both in Las Vegas participating in HIMSS16. Did you find anything surprising at the 2016 HIMSS Conference? Did anything you see or hear at the conference change your mind about anything? We spoke at HIMSS after the now-infamous Hollywood Presbyterian Medical Center ransomware incident.

    I don’t think there was anything that changed my mind. But one thing that struck me was that there certainly was a higher sense of urgency around these advanced threats in healthcare. And a lot of people had either been hit by an advanced threat—either ransomware or a virus—or they knew someone who had been. And everybody wanted to know what to do to avoid it, because it was becoming a big issue. And that hasn’t stopped. It was non-stop from just before HIMSS, through HIMSS, and after HIMSS. Every week now—I don’t visit a hospital now that doesn’t say to me, we’ve had two or three ransomware attacks or incidents. And in most cases, they also know of the experiences of folks in their local area. And the number of incidents that actually get reported versus the number of incidents that are occurring, is tiny—it’s like an iceberg phenomenon.
  • 16. The good news is that most of these ransomware incidents are not turning out to be debilitating for hospitals, but they’re certainly causing a loss of time and a lot of costs, and anxiety, and are causing a tremendous amount of anxiety in our IT people. No one wants to be the hospital that goes down and is incapable of delivering services. The appropriate resources have to be devoted to this. I was talking to a COO yesterday, and that COO’s hospital had just had two incidents. And there were several things we had recommended to them over a year ago, and they hadn’t done them. And his CIO readily admitted that they needed to do something about it. And do we really have to hurt, do we really have to have the pain, before we do something?

    What is at the core of the poor handling of these incidents by some leaders of some patient care organizations? Is it a lack of vision, strategy, tactics, resources?

    At the end of the day, a hospital is a business. And there are things that they’re trying to do with their resources that enhance the business and grow the revenue. And certainly, security does not do those things. It enables those things, but it’s a cost center.

    And people are being reactive, essentially, rather than proactive, about this threat?

    Yes, and to me, that’s a very short-sighted way to manage. I get it that there needs to be a balance and that you only have X dollars to spend, but I don’t think you should allow this to be put off and become a problem. Now it’s affecting our ability to move forward. So at some point, you need a better barometer.

    Is a successful ransomware attack inevitable, or can it be prevented?

    The research we’ve seen indicates that if you’re doing the right things, the majority of ransomware attacks can be avoided. But even the brand-new attacks can be avoided or controlled more effectively if you’re doing the right things. If you’re doing all the right things, and it’s a variant of one of these known types
  • 17. of attacks, you can avoid it. If it’s a brand-new attack and we don’t have the signature for it, we can still be more effective at identifying those things, because we now have advanced malware capabilities that look for anonymous as well as known signatures. Most organizations not getting into trouble are doing those things. So maybe the virus or malware gets past their initial defenses, and for a few minutes it’s in the environment and is encrypting file-shares or systems, or locking up systems, or whatever, but with good defenses, it will eventually be detected and stopped. For organizations doing the right things, a small percentage of attacks get through, but they’re able to stop those and be successful. So yes, the majority of attacks can be avoided, and the others we can identify them more quickly and respond accordingly.

    What are the fundamentals for health system leaders to prepare for future, unknown, as of yet unexperienced, situations? Because it seems that it is very important to consider all the new, as-of-yet-unexperienced, threats that could emerge.

    You’re absolutely correct. Once we figure out how to deal with this [ransomware] effectively, the threat will move somewhere else. That’s the never-ending nature of criminal activity, right? You build a better bank, and the criminals figure out some other way to rob you. So healthcare leaders need to understand that this is something that is not going away. It should be elevated to a serious business process that gets leadership attention. If you’re going to use electronic systems to support your business, and are going to rely on data, then you need to understand that this is an ongoing situation that is not going away, and that will evolve over time. A GAO [General Accounting Office] report just came out today. An evaluation of the problems encountered around the healthcare.gov website, state by state, with regard to potential problems with criminality. The thing is that this is sophisticated activity that you need to respond to in a sophisticated way. You would never hire a general practitioner to do a heart transplant. And yet that’s how people view data security. And they need to recognize that they’ll never be in a place where they’ll be perpetually secure. So they have to do continuous testing and continuous monitoring of their environment.
  • 18. And this hospital I recently met with, they’re still trying to do this themselves. One guy—a good kid—has been trying to manually monitor a dozen different information systems. And there’s no way he could do all this. And what happened at this hospital is that one of their security systems was disabled. And they never knew that, because he’s sitting there manually trying to look through all these events; and unless that event is configured to be reported, he won’t see it. And that’s what happened. For months, that went undetected. The solution would have been to have a monitoring service monitoring your systems 24/7—a security operations center, or “SOC.” Because they’re monitoring your service, to make sure that those systems are still communicating with each other. Because if a particular sensor stopped reporting, they would send an alert saying, this sensor is no longer working. As it was, this particular sensor had stopped working in February 2016. And they didn’t know that. And that’s what happens when we’re trying to monitor our own systems.

    So you need to employ outside services, essentially?

    You need a 24/7 SOC, as I said, really. Think of it this way: an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big; you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.

    It’s a failure of management to fail to engage outside services, then, in your view?

    Yes, it absolutely is. In the federal government, when I needed to test my systems, someone else had to do it, I couldn’t do it; that was the rule in the Defense Department. In the banking space, they can’t do their own
  • 19. assessments, by mandate, they have to have an independent party do assessments; same thing in the credit card industry. In every other industry, they’re required to hire someone else. Healthcare is unique in that people are trying to do this themselves.

    What will be happening in the data security arena in healthcare in the future?

    I think that the threat is going to continue to increase in the future in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.

    How are hospitals doing in terms of hiring CISOs [chief information security officers]?

    I definitely think that hospitals are getting it, and that they’re trying to hire good people. It’s going to take a while for a couple of reasons: number one, there aren’t enough people to go around with the right skills. It’s hard to find the people. Second, there’s still a little bit of a challenge in understanding what they’re going to have to pay those resources. I was talking earlier this week to a large health system looking to hire a CISO, and they were talking to a recruiting firm, and they were absolutely shocked at the salary requirements involved. They thought they were going to hire a $150,000-200,000 resource, but according to the recruiters from what I heard, for the average business of that size and complexity, they typically are placing CISOs at $400,000-600,000. So the gap there was huge.
  • 20. I think it’s worth it to pay someone $500,000 a year to prevent even one $1 million ransomware attack from succeeding, right?

    Well, that’s what the recruiter said. And if people are coming out of other industries, that’s what they’re going to expect to be paid. And look at the breaches with Anthem, Premera, and Community Health. We’re talking about tens of millions of dollars—and you’re quibbling about $500,000? Now, $500,000 at a smaller hospital, that’s not gonna fly. But I can tell you, security people are not cheap. And the reason the cost of security is going up is that it’s tough to find qualified people, and when you do, you have to pay them well.

    On a scale of 1-10 on the scale of optimism/pessimism [with 10 most optimistic], where are you right now?

    I’m probably somewhere between a 5 and a 7. I believe in this industry. And I believe that it will do the right thing. The question is, how fast will it do it? And my concern is that we’re not moving fast enough to avoid some of the pain that we don’t have to experience.

    Is there anything else you’d like to add?

    I think it really does come down to the fact that we just have to make security a priority. And for what it’s worth, I don’t believe you can say it’s a priority in your organization until you resource it properly. Having platitudes and making speeches doesn’t mean something is a priority. When an organization puts resources to something, that’s when it’s a priority. So show me the resources, and I’ll believe you.