Offensive Mindset

Preventing cyberattacks requires a radical shift in perspective and strategy from leaders.

All surgery centers will experience a cyberattack at some point in the future, and chances are it won’t be a targeted attack.

Most ransomware and email attacks stem from hackers scanning the internet globally and exploiting the vulnerable, haphazard security measures they uncover in the process. In my eight years of cybersecurity work, I’ve seen it all. It’s rare that victims of cyberattacks come to me because they were directly targeted.

The AI impact

Understand this: Hackers or threat actors cast as wide a net as possible in the hopes of catching the big fish, but they are more than happy to reel in the smaller ones they discover using the spray-and-prey approach most cybercriminals employ. If you are operating under the belief that your center is too small to attract the attention of cybercriminals, think again. What’s worse, the spray-and-prey process has become infinitely more expedient and effective thanks to the emergence of artificial intelligence (AI) tools. Vulnerability scans that once took hackers hours or even weeks to perform can now be done in as little as 15 minutes. These scans flag misconfigurations rapidly. Hackers don’t know what’s behind the firewall. It could be a bank. It could be a shop. It could be an ASC. What they do know, however, is that they’ve uncovered a target-rich opportunity.

This is the new reality that leaders of smaller healthcare organizations need to understand about modern cyberattacks: Everyone is at risk.

It happens all the time: A misconfigured firewall or vulnerable VPN is flagged by a hacker’s vulnerability-scanning software, steps are taken to exploit that weakness and, just like that, a hacker has gained access to a treasure trove of sensitive, confidential data — and now possesses all the leverage in the world to bring down the organization that owns it.

As more ASCs shift to cloud-based electronic health record systems (EHRs), they do so with the belief that patient data is safe and well protected. While the cloud-based platform is well-secured and difficult to successfully attack, the real vulnerability is your center and how it accesses that platform.

Threat actors often use surgery centers’ own computers to break into cloud-based EHRs and steal their patient data. Typically, they use screen-sharing apps on the computers in the ASC to access a browser and navigate to the EHR in the cloud. Hackers can then simply go right to the website for the EHR. Because many employees save their usernames and passwords to their browsers, the criminal is automatically logged in.

An ASC’s worst nightmare

Last year, an ASC called me and said, “We think we have a ransomware attack.” They knew they had a problem, but were still hopeful about the end result when they reached out to me. They had external IT and some internal IT resources as well. Within 15 minutes of our initial call with the ASC’s CEO and IT representatives, they said, “We checked the firewall, and we know the hackers didn’t steal any data.” The CEO had also already checked with the EHR vendor and was told they didn’t see any improper access to their system.

On day one, however, we discovered that all the computers were fully encrypted with ransomware and simply wouldn’t function as a result — they were “hard down.” Hackers had installed screen-sharing apps on all their devices and had full access to the environment. They were watching everything that was going on at the facility.

On the third day, we got on the phone with the cloud-based EHR vendor, which shared what it thought was reassuring news: “We looked at all the logs and IP addresses, and it all comes back to the facility.” That’s when we asked for the audit logs — with dates and times — and began sorting by time.

15,000 pages of patient data

Something in those logs jumped out right away, so I asked the ASC’s CEO, “Do you guys have employees who work at 2 a.m. on Saturday morning?” and we immediately heard the CEO say, “Oh [bleep].” Once we dug in and found out what went on at two o’clock in the morning, we discovered that a hacker had essentially exported 15,000 pages of confidential patient records.

This is the new reality that leaders of smaller healthcare organizations need to understand about modern cyberattacks: Everyone is at risk.

It was a perfect example of why you can’t simply look at the firewall and assume hackers didn’t take your data. Stealing a 15,000-page PDF is the equivalent of watching a 10-minute YouTube video. You’re simply not going to be able to tell the difference when you look at bandwidth usage alone or view the logs without the eyes of a cybersecurity expert.

In the end, the damage done to the ASC’s computers required a complete rebuild of its network. Between the time spent collecting forensics data, negotiating with the hackers, and rebuilding and bringing the network back online, the entire process took 15 days and required an approximately $2.5 million ransomware payment to suppress the release of confidential patient records.

In that time, the facility went through all the stages of victimization, from “I can’t believe this happened to us,” to “It’s probably not as bad as it seems,” to “We’re not paying these guys no matter what happens,” to “They have all of our data and our network is still down,” to “Are we even going to survive this thing financially?”

Finally, they came to the inevitable result that every facility dreads: “We have to pay the criminals.”

It’s a gut-wrenching experience for all involved. No one sleeps; everyone’s torn apart; leaders argue about next steps; multiple law firms with different agendas get involved; and the entire thing is a mess.

No one thinks they’ll wind up being the victim of a cyberattack, but unless leaders reframe their approach to cybersecurity, there’s a very strong possibility that’s exactly what will happen.

Four essential elements of cybersecurity

Train with purpose. To safeguard your facility from a cyberattack, always start with a comprehensive and documented cybersecurity awareness training program. Data shows around 60% of all cyberattacks are initiated by employees or providers accidentally. Staff click on that phishing or spear-phishing link and unwittingly give hackers access to their environment.

Plenty of specific training programs are available for healthcare workers to educate them on how to detect malicious emails and prevent becoming a victim. This type of training is a HIPAA requirement. But getting staff to buy into a culture of prevention, to understand the role everyone plays in proactively preventing attacks, is where many surgery centers fall short. Don’t simply assume your IT team has it covered. Cybersecurity is everyone’s responsibility. It’s about establishing a prevention culture as much as it is about installing security technology.

Follow up immediately. Training is only part of creating a companywide culture of cyberattack prevention. Follow-up is equally important. Follow up the training by testing staff on what they learned. Send realistic simulated phishing emails to staff and track whether they click those links or open attachments rather than flagging them as potential threats. I often ask organizations, “How are you doing with cybersecurity training?” and hear some version of “Great, we are absolutely trained.” But what does that mean? What percentage of your surgeons, nurses and business staff are trained? What percentage of staff are clicking on those simulated phishing emails? Those questions often elicit an unacceptable response of “I have no idea.”

Understand that the biggest cybersecurity risk to your organization is your own people unwittingly providing criminals with access to your network and your data. That’s why you need hard data or key performance indicators around your training and its effectiveness.

Cybersecurity should also be a central part of onboarding all new employees. An employee should never be placed at a desk if they haven’t been trained on recognizing cyberthreats.

Let’s say you have 100 employees, and 99 are all squared away and properly trained. Then along comes Stacy, who’s brand new, unfamiliar with your policies and procedures, and doesn’t have the training the other 99 did. She sits down at a computer, opens her email and makes a critical mistake. That’s all it takes. Remember, hackers look at LinkedIn. They look for new employees and instantly target them.

Practice real-time vulnerability scanning. Real-time scanning means that at least once every single day, your entire external perimeter is scanned for vulnerabilities. An external perimeter is simply a firewall, a modem or any type of device that’s directly connected to the internet. Any devices that have software need to be protected, and you need to take a proactive, offensive approach to that protection. The software may have a vulnerability. A device might have been misconfigured by IT. And just like that, you’re unknowingly exposing your organization to a hacker.

Worse, you have no visibility into that risk. Like the ASC that ended up making a $2.5M ransomware payment, leaders often take a passive approach to cybersecurity and incorrectly assume their firewall is working properly, and that it’s enough to keep the bad actors out. They assume everything is configured properly. All of your computers, laptops, desktops and servers need to be tested on the inside of the network, and real-time vulnerability scanning should be done every four hours. This is a completely non-disruptive process that occurs on these devices automatically, so users won’t even know it’s happening.

Make MDR a priority. MDR is an acronym for managed detection response. It basically means that high-end antivirus software is watched by security engineers 24/7. Think of it as an alarm system. If you have a state-of-the-art system in place but your central station only answers calls from 9 a.m. to 5 p.m., what happens when someone breaks into your house at 5:03 p.m.? Or 5 a.m.?

Many ASCs do have some type of endpoint detection response (EDR), and usually it’s antivirus software. But that’s not enough. While this software can alert you to an issue, it still needs a human to fight back. This requires some investment from surgery centers; it’s cybersecurity that needs to be outsourced. Here’s why: Hackers almost always strike after normal business hours because they know IT teams typically aren’t available to counter their attack. As important as vulnerability scanning is — and trust me, it’s absolutely essential — it’s even more important for your center to act on what the process reveals. These scans will alert you to threats. They’ll say, “You have 1,000 urgent vulnerabilities that hackers can exploit.” That’s great, but who is fixing those problems in a timely manner? You need a process in place to do this, and often that’s where a cybersecurity partner comes into play.

Where we’re headed

ANATOMY OF AN ATTACK Gary Salman explains exactly how organizations fall victim to the ever-present danger of a cyberattack.

As with all technology, even MDR is evolving. A relatively new and underused technology is autonomous remediation. Essentially, autonomous remediation finds the defects in your network and automatically fixes them. For instance, let’s say Adobe Acrobat has a very serious vulnerability where an attack can be executed if you open certain types of PDFs. Visibility scanning will alert you to that vulnerability, but it will still require intervention by your IT department or a cybersecurity firm. Vulnerability scanning plus remediation will not only alert you that it’s detected a vulnerability in your Adobe Acrobat but will also install the latest patch from Adobe — and eliminate that vulnerability.

That’s where we’re headed. We’re evolving to the concept of a self-healing network to combat the threat of data breaches in a world where hackers are leveraging AI to attack at a speed and efficiency that was unfathomable just a decade ago.

Surgery centers and, frankly, all organizations that handle sensitive data need to reframe how they approach cybersecurity. It’s about admitting that you have problems and that you don’t necessarily have the resources to fix them — or that your IT department only has the resources to fix them every month or two. Autonomous remediation is one way to bridge the gap by harnessing the power of technology to put surgery centers on the offensive.

The technology does have its limits, however. Autonomous remediation currently will only address about 70% of the problems on your network. The remaining 30% of vulnerabilities still require a human to make the fix. But if you can reduce 70% of your problems just by having a piece of software on your network, that’s a huge win. Combine the assurances of cutting-edge technology and proven cybersecurity partners with a workforce that is trained, educated and committed to cybercrime prevention and you’ll find yourself as safe and protected as you can be in a world where everyone is a target for a cyberattack. OSM