This article first appeared in the Washington Business Journal, where journalist Tina Reed outlines "6 things businesses can do right now to protect their data". Ostendio Founder and CEO, Grant Elliott, talks to Ms. Reed about why no one should be surprised by the recent surge of cybercrime in healthcare.
One of the interesting observations from the virus that crippled MedStar Health Inc.'s online operations this week? Experts weren't surprised.
“Anyone who is surprised this is happening isn’t paying attention,” said Grant Elliott, founder and CEO of Arlington-based health IT and risk management firm Ostendio Inc. This isn't just about one health system. "It's the industry right now that's culpable."
In particular, experts said the MedStar incident has highlighted industry-wide troubles with the regulation of health care cybersecurity. While other industries like the financial sector have been highly regulated, health care hasn't seen the same industry-level standards and has a lot of financial pressures that prevent it from prioritizing cybersecurity.
It's not just health care that's at risk. On Tuesday, some of the nation's most prestigious law firms were breached, the Wall Street Journal reported. And hackers are using ransomware to exploit the data held by all kinds of businesses.
"Last year alone there was a reported loss of more than $24 million," an FBI official said in a statement Wednesday. "Companies can prevent and mitigate malware infection by utilizing appropriate backup and malware detection and prevention systems, and training employees to be skeptical of emails, attachments and websites they don’t recognize." The FBI does not condone payment of ransom since the action can encourage continued criminal activity.
What should your business do to make sure its IT is protected? Here's what experts said:
1. Mitigate the opportunities: Does your company work with multiple vendors and have a number of different business locations that would give lots of people access to your data? Review all potential access points to make sure you have consistent security protocols and training across the board — or hire a company to do it for you, Elliott said.
In health care, in particular, more and more devices are designed to talk to each other. But if a device really doesn’t need to be connected to the network, don’t let it connect, said Michael Robinson, adjunct professor and program coordinator for Stevenson University’s cyber forensics program and former chief information officer for the Department of Defense’s Business Transformation Agency. That essentially removes the risk for those devices.
2. Actually make security a priority: Many organizations say they've made cybersecurity a priority — but have they really? Those in charge of keeping IT safe need to report directly to the uppermost levels of management, such as the company's board of directors. Too often, they simply report to a chief information officer and the most crucial information about risk doesn't make it to the top, Elliott said.
3. Disable macros: Lately, these attacks are coming through Word or Excel files attached to emails, Robinson said. Companies would do well to simply disable macros, which run a script that expands automatically into a set of instructions to perform a particular task in the file. “Most people don’t need that feature,” Robinson said.
4. Make training interesting: “The number one means of getting into a network is taking advantage of the untrained user,” Robinson said. In other words, phishing attacks. While many institutions will claim they train their employees on defensive tactics against malware, often that training is online, hard to understand and boring, he said.
5. Back it up: The more information is backed up, the more options an organization has if it is struck with ransomware. “Don’t pay the ransom. Go back to the most current backup and rebuild from there,” Robinson said.
6. Invest in cyber insurance: More health executives have added this product to their insurance coverage — and more should seriously consider it, the American Hospital Association said in guidance to hospitals last fall. It isn't just a product available for the health care industry, but increasingly an option all sectors should consider, the Department of Homeland Security says.
The bottom line, experts said, is to have a plan before an attack hits.