Working with hospitals to reassess risk in the ransomware age

Mandiant CEO Kevin Mandia speaks before the Senate in February. Earlier this month Mandiant identified the ransomware group FIN12 as specifically focused on the health care sector. Today’s columnist, David “Moose” Wolpoff, offers some strategies for mitigating ransomware attacks at hospitals. (Photo by Demetrius Freeman-Pool/Getty Images)

It’s an unfortunate truth that ransomware attacks have become not only more common, but also more disruptive and dangerous, especially at hospitals, where a misplayed ransomware attack could result in a fatality.

The mere fact that mortality has now been established as a potential consequence of ransomware makes it inexcusable to let such an attack happen. Business leaders and executives at hospitals can no longer claim ignorance of the human and financial cost of inaction. When tasked with protecting democratic institutions or the health and safety of a community, there’s a higher cost to failure than just money to consider in the risk calculation.

To some extent, this moment in the ransomware age has simply laid bare the uglier risk tradeoffs that some organizations have to make. For example, hospitals house on-premises generators to provide backup power for life support systems in the event of a power failure. The very act of preparing for this possibility involves risk calculus that could affect life and death down the road. If the hospital chooses to store enough fuel to keep the generator running for 24 hours, they do so based on data that suggests there’s a very small probability an outage would last longer than that. Perhaps they could even choose to play it safe and store 48 hours’ worth just in case, reducing the risk of running out of fuel to zero. And that means that there’s a range of outcomes in which the hospital runs out of time on the generator and loses all patients requiring life support. 

We should think of cybersecurity in the same way. Organizations should do the risk calculus about what to spend based on the probability of what’s most likely to occur. By doing so, a security team can reconsider what it would designate as a critical system – what’s most important to protect to save a human life. 

One of the great tactical advantages on the cyber gridiron is knowing which parts of a company’s system are critical to the business and human life. Security teams need to know what’s connected to what, and know every process it takes to keep the company operational. Develop a contingency plan for when anything goes down. As someone who makes a living breaking into systems to make them stronger—attack to protect—I can confidently say that most organizations don’t have a good grasp on the inner workings of their networks, and certainly don’t have a failsafe plan in place. 

Organizations need to find the paths that exist between their perimeter (the attack surface) and their sensitive assets on the inside and snuff them out. If a security team can identify a path that can get an attacker to a critical function, bottleneck the attacker there and bury them in failsafes and alerts. Segment the systems so that easily accessed areas do not interact with high-priority areas. For example, at a hospital, if the patient intake system gets hit with ransomware, it should not make it to the life-saving equipment. So when an attacker does take advantage of that path, the security team will know long before they are able to exfiltrate data. There’s no magic formula for finding company assets and securing them. There are an infinite number of ways to do so, and the right one depends entirely on the context of an organization.
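The path-finding and bottleneck idea above, as an added example that is not part of the original column: allowed network flows are modeled as a directed graph, and the code lists every route from the perimeter to a life-critical asset along with the systems that sit on all of those routes. Every system name and flow here is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: allowed flows (source -> destination) in a hypothetical
# hospital network, e.g. as derived from firewall rules and routing tables.
FLOWS = [
    ("internet", "patient_portal"),
    ("internet", "vpn_gateway"),
    ("patient_portal", "intake_db"),
    ("vpn_gateway", "staff_workstations"),
    ("intake_db", "integration_engine"),
    ("staff_workstations", "integration_engine"),
    ("staff_workstations", "file_share"),
    ("integration_engine", "clinical_dmz_jump_host"),
    ("clinical_dmz_jump_host", "ventilator_controller"),
    ("clinical_dmz_jump_host", "infusion_pump_server"),
]
ENTRY_POINTS = {"internet"}
CRITICAL = {"ventilator_controller", "infusion_pump_server"}


def attack_paths(flows, entries, critical):
    """Return every simple path from an entry point to a critical asset."""
    graph = defaultdict(list)
    for src, dst in flows:
        graph[src].append(dst)
    paths = []

    def walk(node, path):
        if node in critical:
            paths.append(path)
            return
        for nxt in graph[node]:
            if nxt not in path:  # do not loop back through a visited system
                walk(nxt, path + [nxt])

    for entry in sorted(entries):
        walk(entry, [entry])
    return paths


def choke_points(paths):
    """Systems present on every path: where monitoring and alerts pay off most."""
    if not paths:
        return set()
    return set.intersection(*(set(p[1:-1]) for p in paths))


if __name__ == "__main__":
    found = attack_paths(FLOWS, ENTRY_POINTS, CRITICAL)
    print(len(found), "paths; choke points:", sorted(choke_points(found)))
```

Re-running `attack_paths` after removing a flow shows whether a proposed segmentation change actually cuts the intake system off from the life-saving equipment.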

In a hospital, an asset that is difficult to replace and that could take down the entire organization or lead to a death is a critical element. Here’s where the security team needs to employ safeguards and contingencies. Segment these assets away by creating a DMZ and smother any path to those assets with tons of monitoring. Companies will need to consider paying the ransom in the event of an attack to not risk critical downtime, or they should have a contingency plan in place. This might mean that when the computer check-in system goes offline, staff are trained to do hourly rotations and recount how many available beds there are.

When life and death connect with computer networks, we must reconsider the definition of critical. We’ve always known respirators are critical, and that people will die if respirators fall victim to a cyberattack. Therefore, isolate and further protect respirators. However, we now must ask ourselves: what other elements are critical in the ransomware era? For those who run hospitals, deaths happen every day, but we shouldn’t lose lives needlessly. There’s really no excuse for losing a life over a ransomware attack.

Defenders need to successfully speak the language of business and know how to frame problems in ways the C-suite will receive. And, more than anything, these events demonstrate that we must hold the executives who run these organizations accountable—not only their cyber defenders. 

The responsibility goes beyond the cyber defenders at these hospitals, up the chain to the executives who run them. For too long, executives have not prioritized security or have discounted their security teams’ requests for more safeguards. They need to drive the institutional change needed to mitigate the consequences if they do get hit with ransomware. Otherwise, if they are caught unprepared to recover, be prepared to pay the ransom, because it’s clear today that the stakes are incredibly high.

David “Moose” Wolpoff, co-founder and CTO, Randori
