The Scope team reviews the year in healthcare security. And it was a doozy.
In this episode of In Scope, the healthcare security podcast, Mike Murray hosts another internal Scope Security conversation with colleagues Jeremy Richards and John Daniele. Jeremy is the Chief Architect at Scope, and he is responsible for data ingestion and anomaly detection. John is the VP of Threat Intelligence, and he has spent more than twenty years in the cybersecurity field, focusing on cyber threat intelligence, digital forensics, and threat hunting. In today’s conversation, Mike, Jeremy, and John think through the crazy year 2020 has been, explaining what they’ve seen over the year as they’ve continued to build up Scope and interact with various health systems.
To start off the conversation, Mike, John, and Jeremy explain what they thought 2020 would look like for the healthcare security space, and what central themes have, in fact, characterized the field. While there was reason to expect focus on the transition from traditional to cloud-based EMRs, the COVID-19 pandemic has forced cyberattacks and ransomware to the fore as principal concerns. Moreover, the pandemic has produced great strides in digital transformation and a new urgency and fountain of activity with regard to phishing; intellectual property theft, especially, has been a heightened threat.
From the cyber perspective, the pandemic has brought with it several significant impacts. One of the most noteworthy of these is the redistribution of where computing and access come from; there has been a major shift to the edge – to devices that are not trustworthy. Security practitioners are trying to find the safest way to navigate the rapid computing and access changes, and have had varying levels of success in doing so. Companies that were focused on this issue prior to the onset of the pandemic tend to be those faring best now.
The pandemic has also stress-tested business continuity and incident response plans, and has raised concerns about how redundant our systems are, especially in the face of cyber attacks. Hospitals are not always as redundant in certain areas as they ideally would be, and when the factors of COVID-19 and a cyber attack come together, the lack of redundancy causes a cascade of effects within the hospital network. Thus, hospitals are faced with the dual challenge of a lack of adequate resources and an increased strain on what resources they have.
On the monetary side of things, the pandemic has left a lasting mark on the cyber landscape. Because of the nature of the healthcare business and the inability to fit missed procedures of 2020 into 2021, some revenue is lost forever. This loss will, in turn, constrain security spending. The top concern for hospitals is, of course, clinical experience; security will be the second or third priority, and so will likely suffer as hospital budgets are reimagined and consolidation measures are developed to get the most out of existing hospital technology.
Switching gears, Mike, Jeremy, and John consider the kum ba yah moment earlier in 2020 when some ransomware attackers said that they wouldn’t attack hospitals during a pandemic. This moment of an apparent (and counterintuitive) moral stance did not last long at all. After all, there is always someone willing to step into the space left vacant by other attackers. And the cognitive dissonance of criminal gangs that have honed methods to attack hospitals stepping back seems to indicate that the pause in crime was a matter of PR management.
Another interesting angle of ransomware in 2020 (and in general) concerns the involvement of nation-states in the attacks. Some attacks, especially in long-term care homes, have seemed only to cause chaos during a time of crisis, rather than representing monetary gain for the attackers. Part of the reality of the world we live in is the fact that there are some elements just wanting to cause damage.
Recently, the US government actually made paying ransomware gangs a crime, and this step will impact how attacks on the healthcare space are managed. The payment restriction renders middle-person ransomware companies obsolete, but is also a little bit like punishing the victim. It will likely be an unpopular policy because of the way in which it will put hospitals between a rock and a hard place. The government’s own response, while improving, is not enough to stem the impact of cyber attacks. And hospitals, already facing plenty of pressures, may have to decide whether to follow the policy or pay ransom in order to keep patients alive. While a better system is needed to make sure listed entities like terrorist organizations don’t get paid ransom, this system needs to encompass all of society, and coming after hospitals for paying ransom will likely not prove a viable tactic.
As the conversation moves toward a close, Mike, Jeremy, and John share cybersecurity highlights of 2020. Of course, attacks are not positive events, but the UHS and Ryuk attacks were remarkable for the speed with which the threat actors iterated payloads. The Ripple20 vulnerabilities and BIOS attack were also uniquely interesting, as was Mike’s discovery that a years-old VAC bypass was still effective. The group leaves listeners with one final 2020 highlight to explore: the Project Zero paper produced by Ian Beer, which explored a vulnerability in iPhone models 13 and 14.
0:19 – Mike introduces the episode and his guests/colleagues, John and Jeremy.
2:05 – The conversation starts with expectations for and the reality of 2020.
4:17 – What was the biggest impact of the pandemic from a cyber perspective?
7:03 – Mike turns to the monetary side of things.
9:17 – The kum ba yah moment earlier in 2020 was short-lived.
12:18 – Talk of evidence of attack effects turns to talk of new government ransom policy.
17:18 – What was a favorite cybersecurity moment of the year?
20:19 – Last week, an interesting paper about iPhone vulnerabilities was published.
21:53 – The conversation wraps up, and the next will address what is to come in 2021!
Learn more about Jeremy Richards and connect with him on LinkedIn and Twitter
Learn more about John Daniele and connect with him on LinkedIn and Twitter
Learn more about Mike Murray and follow him on LinkedIn and Twitter
Learn more about Scope Security
Connect with Scope Security on LinkedIn and Twitter