As ransomware attacks continue to plague the healthcare industry, information sharing has become a valuable tool in the fight against cybercrime and physical threats to the nation’s critical infrastructure. We spoke with Errol Weiss, Chief Security Officer of the Health-ISAC. Here, we discuss the history of ISACs, tools available to support member companies and emerging threats.
What is an ISAC?
Weiss: In the mid-1990s, the U.S. federal government did a study and found that about 85% of our critical infrastructure assets were owned and operated by the private sector. They wanted to do something to encourage the private sector to take security more seriously to protect our critical infrastructure from what was starting at the time to become pretty obvious, which was that the Internet was not a safe place to do business. So, they created this notion of the ISAC, which stands for Information Sharing and Analysis Center. The first one started in October 1999, and that was the Financial Services (FS)-ISAC. Today, each of the 16 critical infrastructures that were named in that government study has at least one ISAC.
They’re all run differently, but at the core it is about sharing incident information, protecting the individual networks, and helping organizations be resilient from cyber and physical security threats. It’s like a virtual Neighborhood Watch program: if your neighbor’s home gets broken into, they can describe what happened. For example, they came in through a sliding glass door. They share that information, and now everyone can put a better lock on the door and look out for that kind of behavior.
In addition to information sharing, what type of services are available to Health-ISAC members?
Weiss: Our CEO and I both came from the financial services sector. I was at Bank of America and Citibank for 13 years, and I was a very active FS-ISAC member during that time. When we came to the Health-ISAC, we implemented many of the things that FS-ISAC was doing and incorporated other ideas as well.
Beyond the information sharing, we have a Threat Operation Center that is headquartered in Orlando, Florida. We also have employees in Europe, and we’re planning to expand next year into the Asia Pacific region. We produce original threat intelligence and put out daily cyber and physical security threat headlines. We also share ad hoc new threats and vulnerabilities, so we have advisories going out to our membership from our threat operation team every day. We also do original strategic threat reporting covering geopolitical issues that could have cybersecurity or other operational ramifications.
How are cyber threats evolving or changing in terms of the healthcare industry?
Weiss: It’s never a good story to tell because it feels like it gets worse every day, week, month and year. The cyber criminals and certainly nation-state motivated actors are getting better and more creative with time. If you had asked me this question two years ago, I would have said that cyber criminals are making a ton of money. They’ve got a lot to invest in their future capabilities—this is a billion dollar business—so they have plenty of money to spend on new capabilities. Two years later, that is still true, but with generative AI they’ve got free access to some pretty creative tools and technologies, and we are seeing cyber criminals leverage those as well.
There was an attack in Hong Kong a couple of months ago where the criminals supposedly got away with a $25 million transfer by using deepfake technology to make a CFO think that he was speaking to the CEO through a video conference call, but it wasn’t him. The technology is there, and it’s getting cheaper and cheaper, which means the criminals have more access to those capabilities to continue to evolve and be more creative about the attacks that they are running.
We primarily hear about ransomware in healthcare. Are most cyberattacks financially motivated?
Weiss: Yes, I think so. The takeaway on the ransomware is that it is the No. 1 security issue for healthcare today, but it is also an issue across all the critical infrastructures now. In 2023, the Health-ISAC was tracking all of the ransomware events where victims were being named. We had 3,743 events last year that were tracked; only 304 of them were in the healthcare sector.
When ransomware hits a hospital system, it becomes a very human level tragedy very quickly. Hospitals can’t deliver care and they’re diverting ambulances to other hospitals because they can’t accept new patients. Procedures are canceled. People are told to stay home and wait it out, so there is a real human impact that we can all relate to. As a result, when these attacks do happen in this setting, they become very big stories. The numbers are telling me that it’s happening in every other sector as well. We just don’t tend to hear about it as much because it’s not creating headline news.
To answer the question, ransomware is all about money. They don’t care who they’re attacking. They are opportunistic. They launch attacks and often don’t know who they’re attacking until they start getting victims. Then they look at the telemetry to figure out who they have access to. Once they figure out who they have access to, the next step is to figure out how big of a ransom they think they can get from that particular victim.
Going back to the sophistication of these threat actors, every single one of these steps in this ransomware event is typically handled by a different talent. They have split this ecosystem up into experts all along the way, from the ones who create the ransomware to the ones who distribute it to the ones who figure out who they have access to and the ones who then do the research to figure out how much money those victims have and what they’re likely to pay in ransom. The level of sophistication is just incredible.
A lot of our readers are developers of software as a medical device and the medical devices themselves are becoming more and more connected. Are there areas where you think developers and healthcare organizations can work better together?
Weiss: We have special interest working groups, where people of like disciplines or challenges can get together and share ideas and work together. One of those groups is the medical device security working group, which has members from the medical device manufacturing community and also the healthcare delivery organizations. They work together to address issues such as: there’s a vulnerability in this software library that impacts hundreds of different manufacturers and now thousands of different products; how do we, the hospital, update those devices?
The manufacturers may share information about what you need to do to secure their products, and the hospitals say, “That’s not practical, and here is why.” So they are working practically with some of the real-life challenges that happen when these devices are deployed in the field.
The reality is, you can’t just shut some of these devices off because there are life-saving features. On top of that, hospitals buy these devices and they tend to hang on to them way beyond the life expectancy of the device itself. So, big questions for industry are, is the device still being supported, and are security patches coming out? These are all of the things that hospitals have to deal with, and of course the manufacturers need to deal with that as well because they realize that customers are holding on to these devices much longer than they ever intended to.
The new NIST Cybersecurity Framework includes a governance section in recognition of the need for senior leadership to get more involved in cybersecurity. Where has leadership been lacking and what can they do better?
Weiss: Going back 30 years, when electronic health records became a thing and hospitals moved to digitization, the HIPAA Privacy Rule also came out. So the real focus for healthcare organizations was privacy and compliance, not necessarily security. I’ve seen statistics saying that more than 60% of the resources in cyber were dedicated to privacy compliance and not necessarily security, and there is a difference.
This lack of investment in the right level of resources from a cybersecurity standpoint is one of the reasons why we keep reading about these healthcare organizations becoming victims of ransomware and malware in the last five to eight years. I think it is getting better. People have seen and read about these ransomware events, and it’s very obvious now that this is a serious concern. So we are seeing more resources, more technology and more people to run that technology being applied.
It will be slow because, like any business, we are competing for resources. For the hospitals, they are looking at: do we buy the next lifesaving device or the latest cybersecurity technology? If I were a patient, I know what I would vote for.
With ransomware, as with any terrorist negotiation, people are always told, “Don’t pay.” Yet we are hearing about negotiations and payments coming out, so what is the advice today? Is “don’t pay” a reasonable answer?
Weiss: When I was working in the financial sector, ransomware was just starting to become a thing, and I remember us all saying, “If anyone starts paying these ransoms it’s only going to encourage the threat actors to do more.” I felt strongly, don’t pay the ransom. We should be outlawing that and telling people not to pay. Now that I’m working in the healthcare sector, it can be a life-or-death impact for patients needing healthcare, because without those systems up and running, the delays and inability to get care could have real patient impact. So, it’s not as easy of a decision anymore. It ultimately comes down to, can we restore our systems from backup? Do we rebuild? What does the time frame look like and, ultimately, what is the cost? That certainly is why we’re seeing so many ransomware payments.
The other thing that has been happening of late is we are seeing cyber criminals go after the patients themselves. They will threaten to release patient records unless that particular patient pays a ransom as well, so it can make for a real horror story for the individuals and certainly a PR nightmare for the organization that’s been attacked when suddenly thousands of their patients are being held up for extortion.
There is a case in Finland going on right now, where a hacker released 30,000 psychotherapy patient files a few years ago, and it was really catastrophic.
Is there anything healthcare organizations can do better in terms of backing up their systems, so that if they do go down, they can get everything back up more quickly?
Weiss: We have to remind people what needs to be backed up. It’s not only the data but the systems themselves, including whatever operating system and software applications are running. The two other parts of that, which are the trickier parts, are making sure that the backups are complete and that they have not been tampered with. If you are pulling those backups from some day in the past and trying to rebuild the system to replicate where the system was, people are finding out that there may be hardware missing, or maybe the backups have been tampered with, in which case they are essentially useless. And the bad guys will get in and mess with the backups for a while and let that run for a few months before they launch their attack.
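The two backup checks Weiss describes, completeness and freedom from tampering, are the kind of thing a defender can automate. The following is an added example, not code from the interview or from Health-ISAC: it builds a signed manifest of per-file SHA-256 digests at backup time and later verifies a restored set against it, reporting missing, modified and unexpected files. The file contents and the key are constructed for the demo; in practice the key and the manifest live somewhere the backup host cannot write to, because an intruder who can alter backups for months can also regenerate any unsigned checksum list.

```python
import hashlib
import hmac
import json

# Constructed sample backup set (not from the interview): path -> file bytes.
SAMPLE_BACKUP = {
    "os/image.img": b"kernel+rootfs bytes (constructed)",
    "apps/ehr-server.tar": b"application bundle (constructed)",
    "data/patients.db": b"database dump (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialisation so the HMAC covers exactly the same bytes each time.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def create_manifest(files: dict, key: bytes) -> dict:
    """Record the digest of every file in the backup set and sign the list.

    The key is assumed to be held offline, away from the backup host."""
    entries = {path: sha256_hex(content) for path, content in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_backup(files: dict, manifest: dict, key: bytes) -> dict:
    """Check a restored file set for completeness and integrity.

    Returns a report: ok flag, whether the manifest itself failed its
    signature, and lists of missing, modified and unexpected paths."""
    report = {"ok": False, "manifest_tampered": False,
              "missing": [], "modified": [], "unexpected": []}
    expected_tag = hmac.new(key, _canonical(manifest["entries"]),
                            hashlib.sha256).hexdigest()
    # Constant-time comparison; a bad tag means nothing below can be trusted.
    if not hmac.compare_digest(expected_tag, manifest.get("hmac", "")):
        report["manifest_tampered"] = True
        return report
    for path, digest in manifest["entries"].items():
        if path not in files:
            report["missing"].append(path)          # completeness failure
        elif sha256_hex(files[path]) != digest:
            report["modified"].append(path)         # integrity failure
    for path in files:
        if path not in manifest["entries"]:
            report["unexpected"].append(path)       # planted or stray file
    report["ok"] = not (report["missing"] or report["modified"]
                        or report["unexpected"])
    return report


def demo():
    key = b"constructed-demo-key-keep-offline"
    manifest = create_manifest(SAMPLE_BACKUP, key)

    # 1. Untouched backup verifies cleanly.
    clean = verify_backup(SAMPLE_BACKUP, manifest, key)

    # 2. Simulated tampering: one file edited, one file deleted.
    tampered = dict(SAMPLE_BACKUP)
    tampered["data/patients.db"] = b"database dump with attacker edits"
    del tampered["os/image.img"]
    damaged = verify_backup(tampered, manifest, key)

    # 3. Attacker also rewrites the manifest entries to match the altered set,
    #    but cannot recompute the HMAC without the offline key.
    forged = {"entries": {p: sha256_hex(c) for p, c in tampered.items()},
              "hmac": manifest["hmac"]}
    forged_report = verify_backup(tampered, forged, key)
    return clean, damaged, forged_report


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged", "forged"), demo()):
        print(label, report)
```

Running the verification on a clean host immediately after each backup, and again before any restore, turns "we think the backups are fine" into a recorded check; it does not replace an actual restore drill, which is what surfaces the missing-hardware problem Weiss mentions.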