Combatting Ransomware in Healthcare

1st Talk Compliance features guest William J McBorrough, co-Founder and Chief Security Advisor at MCGlobalTech, a D.C.-based Information Security Consulting Firm, on the topic of “Combatting Ransomware in Healthcare.” William joins our host, Catherine Short, to examine how ransomware attacks have impacted thousands of organizations worldwide, with the healthcare sector having been the most targeted. Join us in a discussion of the state of ransomware in the healthcare sector and best practices to prepare your organization for the inevitable attacks.

Catherine Short:  0:00

Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel.

On today’s episode, we’re speaking with William J McBorrough, Co-founder and Chief Security Adviser at MCGlobalTech, a Washington DC based information security consulting firm, on the topic of combating ransomware in healthcare. We will examine how ransomware attacks have impacted thousands of organizations worldwide, with the healthcare sector having been the most targeted. Join us in a discussion of the state of ransomware in the healthcare sector in 2021, and best practices to prepare your organization for the inevitable attacks.

Before we begin, I would like to mention at First Healthcare Compliance we strive to serve as a trusted resource for compliance professionals and every month we celebrate their hard work and dedication with our compliance Super Ninja recognition. For this episode, we’re spotlighting Super Ninja Dina Green, Billing Manager at Community Link Consulting of Washington State. Congratulations, Dina, our team is honored to have the privilege of working with you.

So hello, William, thank you so much for joining me today on 1st Talk Compliance.

 

William J McBorrough: 1:52

It’s my pleasure, happy to be here.

 

Catherine Short: 1:55

Wonderful. Well, let’s get right into it. Can you explain to me what exactly is ransomware?

 

William J McBorrough:  2:03

Sure. We are all familiar with the concept of ransom, typically, within the context of a kidnapping where you hold someone until a ransom is paid, and then you release them. That is the exact same concept of how that works with ransomware attacks. Ransomware attacks are a software based attack in which an attacker restricts access or encrypts an organization’s computers, servers, files, and demand a payment. We’ve seen incredible growth and complexity of ransomware over the past few years, although ransomware has been around for about 20 years. At its core a ransomware is an attack that restricts access to an organization’s data and systems. Any incidents within an organization that impact access to data and systems is one that should be of concern. Ransomware will be one of several of those incidents.

 

Catherine Short:  3:06

Okay, great. Can you tell me who is at risk for ransomware attacks? Are we speaking of only very large systems or are smaller systems are they at risk?

 

William J McBorrough:  3:22

I think it’s really a matter of scale. Basically, any computer or any computing device that is connected to the internet is at risk of a ransomware attack. From a college student at home doing distance learning to large healthcare organizations with hundreds of hospitals. Typically, what you find is that for single individuals or very small organizations, they’re really victims of opportunity. A lot of these attacks are automated, they’re scanning the internet and if they identify one, they attempt to perpetrate this attack. There has been increased sophistication in these attacks over the past few years, that are targeting large organizations, including healthcare organizations that are really sophisticated attacks that are planned by the cyber gangs. So everyone is at risk.

 

Catherine Short:  4:21

Why would a cyber criminal go after a smaller entity when they could go for a bigger fish?

 

William J McBorrough:  4:28

That is a great question because I get this a lot. Hey, we’re a small company, no one knows us. Why would anyone attack us? Typically what you find, on the smaller end, you’re not being targeted at all. A lot of these attacks are sort of automated, you happen to be vulnerable. You happen to be connected to the internet. So yes, you are going to get caught up in this wide net. Typically they’re going to ask you for a not insurmountable amount of pay because again, the whole goal of a ransomware is to get the rest. The large entities with the ability to pay millions of dollars in ransom, are the ones being targeted by using more sophisticated attack that takes months of research, focus and attention and the level of effort is greater. Everyone is potentially impacted, because attackers have the ability to automate these attacks and they’re able to scan the wider internet and just find you if you’re vulnerable, and encrypt your systems. So again, it’s sort of an equal opportunity attack.

 

Catherine Short:  5:38

Okay, can you tell me what the signs are of a ransomware attack? Are they super obvious?

 

William J McBorrough:  5:46

I mean, the primary sign is super obvious. If your system is compromised, it will get locked up. You will get a screen in your browser or on your computer desktop that is saying, we have encrypted your system, pay ransom of this amount, by this means, by this date, or else. But another way that you can find the indicators of a ransomware attack is that when your files are actually encrypted, there’s an additional extension added to the file name, file.exe, file.dll, file.docx, file.pdf; typically, there will be an additional extension added to it, and when you open up the file, all you will see is gibberish, right? Why? Because the data in the file has been encrypted, and that’s a primary indicator that you are the victim of a ransomware attack.

 

Catherine Short:  6:46

Okay, so how should users respond to a ransomware attack? And when I’m asking about users, how should users at perhaps an entity as opposed to perhaps an individual respond?

 

William J McBorrough:  7:02

That’s a great question, Catherine, because with the entities, you should have processes and procedures that your users and employees are trained to follow. I think that what a lot of organizations lack is the fact that their employees aren’t really trained on what to do. Typically it’s running a three-step process that organizations to train their employees. First, if you suspect your system has been compromised by any type of malware, including ransomware, rule one is disconnect that system from the network. So unplug the cable that connects it to the internet jack, disable the Wi-Fi. If you’re on some type of mobile device, reset the device in airplane mode, disable the Wi-Fi or disable the Bluetooth. The goal here is to prevent the spread. Typically ransomware within an organization wants to compromise one system, move to the next, compromise that system, and so on, and so forth. Step number two is disconnect any external devices. If you have USB sticks, if you have phones or cameras attached to it, if you have external hard drives of some kind, you want to disconnect that. Again, these are things you do to limit the spread of the compromise. And notify your IT organization, notify your security organization, notify your management. Users and employees should be trained and given easy access to how do you notify IT when you suspect a compromise of any kind? That will essentially be the step one, two and three.

 

Catherine Short:  8:51

Okay, good. And what if you are perhaps an employee at home and maybe something happens to your individual computer? What should you do then?

 

William J McBorrough:  9:01

The first two steps still apply and get help. I mean, there are a lot of resources that have been made available by the US [INAUDIBLE] by the FBI, what us as citizens should do if we were the victim of a ransomware attack. There’s resources that can be made available to help us at no cost, decrypt our system. You should have access to some means or some individual to help you manage your computer system, and that could mean even if you have a MacBook, take it to the Apple store. After you have disconnected, take it over to the Apple store and say hey, I suspect that my computer has been compromised. Can you help me? Seek help. The last thing you want to do is to leave your computer connected to the network where you are able to infect other computers that are on the same network.

 

Catherine Short:  10:01

Okay, great advice. What should organizations do to protect against ransomware attacks happening in the first place?

 

William J McBorrough:  10:11

So some basic best practices here. First, the primary vector for ransomware attack is through phishing emails. And when you have to have a security awareness training program that provides consistent reinforcement of a good security behavior. Once a year, check the box training does not work, has never worked. Two, in a way that ransomware spreads within an organization and ultimately compromises system are due to underlying vulnerabilities because your systems are not properly updated and patched. Keep all of your systems updated, and patched. There are services available to help you monitor that. That’s part of what we do at our managing security services. Three, again, you need to protect access to your data in your systems. If your data and systems are impacted, you need the ability to recover from that impact. You have to implement data backups. Maintain, potentially online but most definitely offline backups of all of your critical files and system and test your ability to recover from them. Next, you must install security software on all of your computers in service, not just antivirus, make sure that the firewalls are updated, make sure that you have anti-malware and make sure that we have the capability to monitor that those security software are actually functioning. Next, email filtering, very important. Again, the number one vector within organizations for ransomware is email. So you must have the capability to filter all of your inbound and outbound email. The only thing better than having a user who is trained to see a phishing email and not click on it is to prevent that email from entering that user’s inbox. There are filtering tools, we can help organizations identify which ones work best for them. Next, implement two-factor authentication to access the systems in your application. Passwords are dead. They have been there for a long time.

A lot of applications today, a lot of cloud systems today have built-in capability for multifactor authentication. Now typically the way how this works is you enter your username and your password and then you connect it either via a token or via a one time password sent to your mobile device or via a one time password sent to the email. There are many different options available today for multifactor authentication. Lastly, within an organization, you want to implement segmentation. Segment your network. Separate your end users from your servers if you have servers on site, because you have to be able to limit the spread within the organization. Lastly, you got to have security policies and procedures to guide user behavior. What to do when. What not to do when. Policies and procedures that must be made available to your employees, they must be trained on those policies and you must have plans. Business continuity plans or disaster recovery plans, incident recovery plans, what should we do when the inevitable happens? Very important. And lastly, you have to test all of these controls. One of the things that we do on a regular basis for our clients is we test the security programs. Where are the weaknesses? You want to identify where you are vulnerable and address that vulnerability.

 

Catherine Short:  13:57

Great advice. So if you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is William J McBorrough, Co-founder and Chief Security Adviser at MCGlobalTech, a Washington DC based information security consulting firm, on the topic of combating ransomware in healthcare. Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also find us on all other social media.

So William, what are the most common avenues of ransomware attack?

 

William J McBorrough:  14:49

Well Catherine, as I’ve said before, I’ve mentioned multiple times emails, emails, phishing emails. Phishing emails are the primary vector for ransomware attack. They are the primary vector for most cyber attacks within organizations today. They account for more than a third to close to a half of the cyber incidences within businesses large and small. Phishing emails are used primarily to trick users into opening then downloading attachments of malicious content that then compromises the underlying systems. The second most common vector that has been established over the past few years is the fact that you now have a lot of organizations that are opening up their network to allow remote users to connect to systems within the network and not doing it securely. One of the most common ways that is done is the built in functionality within the Microsoft operating system, or remote desktop. Remote desktop gives you the ability to connect from one system to the desktop of another system across the internet. There are more secure means of achieving this within the organization, but what you find is that because of COVID-19, with the sort of vast migration of workers from the office to the home, a lot of organizations open up the network to allow workers to continue to work and that has led to a great increase in successful ransomware infections.

 

Catherine Short:  16:36

What are some possible impacts of a ransomware attack? If one happens, then what is the impact?

 

William J McBorrough:  16:45

Typical impacts are temporary, and sometimes permanent loss of sensitive information. A lot of times even after the ransom is paid, you don’t get full access to all your files. Two, disruption to business operations. We have had cases over the past year in which healthcare organizations have lost access to their IT systems for weeks and trying to sort of recover the data and recover their systems. Another impact would be the financial losses due to all of that downtime and recovery efforts. And lastly, the potential harm to the organization’s reputation. You don’t want to be on the front page of CNN or some other news outlet to be the next victim of a ransomware. That hit to your reputation as an organization does have a long lasting impact.

 

Catherine Short:  17:47

How much could a ransomware attack cost?

 

William J McBorrough: 17:52

What we’ve found is that over the course of 2020 to 2021, the average ransomware payment is close to $50,000. However, what we’ve seen is that with more focus being placed on larger organizations, we’ve seen successful ransomware payments of close to four, five, $6 million to an organization’s IT systems. We had a client once, a very small medical practice, where they were the victim of a ransomware attack. They contacted us because the attacker was demanding a payment of $6,000. Now, in the grand scheme of things $6,000 have an impact, but it’s not an insurmountable amount of money. But again, there’s a very wide range with an average of over $100,000.

 

Catherine Short:  18:47

Do you recommend paying the ransom? Or what do you recommend?

 

William J McBorrough:  18:51

Referring back to sort of guidance, out of FBI, and out of the US Department of Health and Human Services, typically, this is a business decision that organizations should make. What I recommend is that an organization should do what is necessary to prepare for a ransomware attack. If you have implemented some of the best practices that I mentioned before, you can find from many different sources, including the SBA, the FBI, the Department of Homeland Security, if you’ve implemented those best practices, then you have the ability to recover, right? If an attacker encrypts your files and you have a functioning backup of those files, then you don’t have to pay. That’s the position you want to be in. But if you don’t have any other means to recover your information, paying up the ransom is generally encouraged because that is the easiest way to get access to your files and regain access to your systems. But we add a caveat to that. One of the things that we’ve seen is that only 60 to 70% of organizations that pay the ransom get full access to 100% of their files. So the best course of action here is to prepare to be able to withstand a ransomware attack, because even if you pay, there is no guarantee that you are going to recover all of your files. Be prepared.

 

Catherine Short:  20:32

Okay, actually, that was my next question. Does paying the ransom guarantee you get access to all of your data?

 

William J McBorrough:  20:40

In many cases, that is not the case. Sometimes you get access to your files, and sometimes the files that you do get access to are so corrupted that they’re sort of not really usable for you. We’ve had instances where once the files were decrypted, because the organization paid, they were not fully decrypted, so they were not able to get access to all of their patients’ health information to be able to file insurance claims. Paying does not guarantee that you are going to get access to all your files. The only way to guarantee access is to have a working, functioning backup of those files. There are many different affordable means to be able to do that.

 

Catherine Short:  21:26

Is there insurance that covers ransomware attacks? Does that exist?

 

William J McBorrough:  21:32

Yes. There’s insurance that covers sort of the impact of ransomware attacks. The organization has to do a couple of things. They have to quantify costs of the financial loss due to business operations, as well as due to recovery efforts, and there are insurance policies that cover that. Typically, what you find is that a lot of insurance providers won’t want you to be able to demonstrate that you have performed your due diligence in trying to protect the information, similar to insurance companies wanting you to have a safe driving record. There are a lot of different types of policy options that are available to cover both direct and indirect cost of security incidents, and those options are available and the market is still growing. There will be more options for that in the future. However, being as prepared as possible helps limit that liability. Whereas a cyber liability insurance can help you recoup some of your losses, it is never going to be able to recoup 100% of the impact to the organization.

 

Catherine Short:  22:47

That makes perfect sense. Yeah, that you would need to demonstrate that you have done as much as possible on your side to be able to have insurance and then to also just be protecting yourself just in general. So thank you so much, William, I think we’re just about out of time but do you have any other advice that you wanted to leave with us today that perhaps we didn’t cover or touch on?

 

William J McBorrough:  23:10

Sure. One thing that I will leave you all with is I speak to a lot of organizations and typically there’s a sense of being overwhelmed by yet another cybersecurity thing to worry about. Ransomware, although it is top of mind for a lot of organizations today, has been around for over 20 years, and is growing in sophistication. But it’s just another cyber attack that impacts your data and your systems. So all of the best practices that we talked about are things that you should implement. It’s not religious sort of a ransomware mitigation exercise. Those are things that you should implement to protect the business, to protect your data, protect your systems. You can withstand a ransomware attack, it is possible and you can do that with limited impact to the organization. You just have to be prepared.

 

Catherine Short:  24:05

Okay, well, thank you so much again, for speaking with us today. This has been extremely enlightening. And also you’ve made cybersecurity very easy to understand and very much appreciate that. So thank you so much, William very much appreciate that. Thanks to our audience as well for tuning in today to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and then your voice to the conversation on Twitter @1sthcc or #1sttalkcompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.