Top Cyber Lessons From Natural Disaster Plans in HealthcarePaige Peterson Sconzo of Redacted Inc. on Business Continuity Considerations
Healthcare organizations should consider how they plan for natural disasters such as hurricanes as they prepare for disruptive cybersecurity events such as ransomware attacks, says Paige Peterson Sconzo, director of healthcare services at security firm Redacted Inc.
"The best way to think about this is readiness planning, not disaster or cyber planning," she says. "All organizations have in-depth readiness planning regarding natural disasters like tornados or floods. And that same approach should be used for cyberattacks that can take a facility offline and impact patient care," she says in an interview with Information Security Media Group.
If an organization needs to take systems offline following a ransomware attack and must resort to paper and manual processes, there are many considerations to plan for, she says.
"Do you have enough reams of paper to print out orders? Who keeps the paper forms up to date for each specialty? What about the billing forms? Do you have runners to take your orders for prescriptions from the floor to the pharmacy? What about your mag doors and access through badges? All of this is affected if you go offline," she says.
"Think about your readiness planning as a natural disaster" and consider "how you are going to keep your organization running. It helps to think of this in a holistic manner," she says.
In the interview (see audio link below photo), Peterson Sconzo also discusses:
- Mistakes to avoid in cyber incident response;
- The most concerning recent cybersecurity trends in healthcare;
- Cybersecurity threats facing healthcare sector entities in the months ahead.
Peterson Sconzo has more than 15 years of direct patient care experience within the academic, private practice and government services sectors related to cybersecurity.
Marianne Kolbasuk McGee: I'm Marianne Kolbasuk McGee, executive editor at Information Security Media Group. Today, I'm speaking with Paige Peterson Sconzo, director of healthcare services at security firm Redacted. We'll be discussing steps that healthcare entities can take to better prepare for potential cyberattacks. So Paige, what cyberthreat and cyber risk trends in the healthcare sector are most concerning to you right now and why?
Paige Peterson Sconzo: First and foremost, we need to remember that cyber criminals are in this for one reason, monetary gain. During the height of the COVID-19 pandemic, hackers famously stated that they would not attack healthcare organizations. However, we've seen in recent months that the we don't attack healthcare concept is largely irrelevant with increased ransomware attacks. Ransomware being at top of mind for everybody. This is mainly because information contained within healthcare has some of the highest resale value on the darkweb, as that data can be used for a variety of attacks from social engineering to extortion, and that the emergence of the double extortion type of schemes requires a higher level of backup hygiene. And what's most important, and I would say most concerning to me, is that because HCOs and hospitals are required to have continual patient care, the increased threat to healthcare is a result of the recognition by those threat actors that these victims don't have a choice but to consider paying those ransoms.
McGee: Paige with that said, what are healthcare delivery organizations not doing that they should be doing right now in planning for these cyberattacks, especially potential disruptive ones as ransomware can be?
Sconzo: I would say what is important here is to identify and work with trusted cybersecurity partners to determine how to best leverage your existing infrastructure, so that you can ensure that you create a manageable plan to realize your security goals. A lot of people want to sell you a lot of products. But that may not help with anything. If you don't have the personnel on board, the expertise or the time because you're drawn to a lot of different areas to effectively leverage those tools that you have, you aren't going to find yourself in a more secure status. So I would say including an annual security risk assessment, continually monitoring your environment, and a recent review of your incident response plan to ensure your readiness for a possible downtime of up to 60 to 90 days are where you should focus your time.
McGee: Are there any lessons that healthcare delivery organizations can learn about cyberattack preparation from their preparation for potential natural disasters?
Sconzo: Yes, the best way to think about this is in terms of readiness planning, not disaster planning or cyber planning. All organizations have in-depth readiness planning regarding natural disasters like a tornado or a flood. And that same approach should be used for cyberattacks that can take the facility offline and impact patient care. For example, if you have to pull the plug after a ransomware attack, and you've lacked paper, something as simple as, do you have enough paper and storage? Reams of paper to be able to print off orders. And on that same thread, who keeps the paper forms up to date, and each specialty or at the nurse's station in case you have to roll that back? Not just your patient forms but your billing forms. Do you have runners to take your orders for prescriptions from the floor to your pharmacy? One thing people don't typically think about but they sure think about for if you have a snowstorm and electricity goes down, your cafeteria food orders to a cafeteria with diet restrictions, door access, your Mac doors everything is related now to badge access. But if you go offline, that impacts all of these things. If you were to think about your readiness planning as a natural disaster, and how are you going to keep your organization running and billing and touching your AR to deliver that if you roll that into what you're already doing for readiness, then all of a sudden it's not cybersecurity planning, its whole organizational health planning. And I think that helps people visualize and think about this in a more holistic manner.
McGee: Well, those are good points about having to resort back to paper or having enough of those sorts of supplies on hand. And especially as we were mentioning earlier, natural disasters. I guess we're in the midst of hurricane season, we're seeing a lot of pretty disastrous weather in some parts of the country. Are there certain mistakes that you see healthcare delivery organizations making, that not only put them at higher risk for disruptive cyberattacks, but also could put them in jeopardy if there is a natural disaster? Are there certain things that are kind of commonplace for preparation for either - whether it's a natural disaster versus a cyberattack - but things that entities might not be thinking about that they should be thinking about more so now?
Sconzo: That's a very good question. If we're going to talk about the cybersecurity aspect and things that people are doing wrong, and it's not wrong, because it's not wrong if you don't know any different. But right now, there's an over dependence on cyber insurance, relying on that insurance, with a facility with a natural disaster or even with a cyber disaster, this idea of a zero trust network access. At no time, should your charged nurse have access to your data center, just like your IT technician should never have access to your controlled substances cart in the pharmacy. It all goes back to building that resilience into your system. Going back to the cyber insurance, it does not provide immediate benefit. It means, it covers costs after the fact. And so what we're seeing is with facilities, when we speak to them, a lot of times they'll say, well, we're okay, we have cyber insurance. Well, as we know, the first few hours after a breach is detected are critical and crucial. And the time spent filling out paperwork and sending that off to the cyber insurance and by the time they deploy somebody, the damage is already done. So if that's the case, going back to the zero trust network access, and trying to limit that blast radius, if you will, is something else that they can do.
McGee: You make a good point with the cyber insurance as well. Because not only don't you want organizations to sort of rely on we have insurance and not take the steps needed to prevent an incident that would need you to have to put in a claim for your cyber insurance. But it's also getting harder for many organizations to even get cyber insurance policies. The insurers are looking for a long list of security controls that are in place that might have not been as scrutinized as before. Any advice to organizations when it comes to cyber insurance and the healthcare sector, specifically, any mistakes that you see organizations making in terms of thinking that something's going to be covered by cyber insurance, but maybe it's not or preparation in terms of getting coverage for this sort of policy.
Sconzo: I would say making sure that you put yourself in the best position possible. Making sure that when you are having your risk assessments, you are getting a true vulnerability risk assessment, not something off the shelf that just does an external network scan. Look to see where you are actually having vulnerability. And then with whoever you do that, partner with them or make sure that they do give you a list of mitigations how to best help yourself. Having an incident response plan that you have actually looked at and practiced. Having an incident response retainer where if you need to, you can have boots on the ground to help you reduce that and securing your posture as best as you can. So that in case something does happen, or you are going to go get your cyber policy, you can show that you have put thought into this, that to the best of your ability, you have prepared yourself to reduce your overall risk as far as they're concerned.
McGee: Any predictions for what we'll see in terms of cyber trends, threats and risks that healthcare sector entities should be paying closer attention to?
Sconzo: Obviously, ransomware is going to be at top of mind. This isn't somebody who's coming at you from someone's basement. These are state-sponsored groups. And that the idea that healthcare is safe - as I had mentioned before, after the COVID-19 pandemic where hackers promised that they would not attack healthcare organizations - that idea of safety is definitely gone. So leveraging the partnerships that you have and looking at making sure that you have a holistic view of your network, from your get incident response planning, and your continual monitoring of your environment, whether that is with an outside MSS group or your internal SOC. Those are going to be very important moving forward because I just see this pick up between now and the end of the year.
McGee: Well, thank you very much, Paige. I've been speaking to Paige Peterson Sconzo. I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for listening.