By Erik Decker, CISO & CPO, University of Chicago Medicine
When most people hear the term “Information Security,” they immediately think of “the protection of our data.” Our regulatory regimes back such observations, with the requirements of protecting health information (HIPAA/HITECH), personally identifiable information (PII, credit card data, banking data, etc.), and other sensitive data. Within healthcare, we have been training and educating our workforces since at least 2005 to handle these sensitive data with the utmost care when the HIPAA Security Rule became enforced.
Cybercriminals are now weaponizing their stolen access with tools to cause vast damage inside of organizations.
I posit that the Information Security profession has matured well beyond simple ‘data protection’ within healthcare. As threats to this space have gotten more sophisticated over time, the Information Security profession has matured Cybersecurity resiliency. Our mission and goals? Protect the health and safety of our patients and our organizations. We have moved way beyond simply protecting data; the role of the cyber professional today is to protect its organization against active malicious actors who intend to harm. As was unfortunately demonstrated in Dusseldorf, Germany this last year, lives are at stake.
History of Disruptive Cyber Attacks
According to the 2020 Verizon Data Breach Investigations Report, of the 977 breaches evaluated in their 2020 report, 55% of them were conducted by Organized Crime. By October 2020, at least 59 publicly reported ransomware attacks impacted more than 510 facilities (Frank Bajak 2020). According to Cybersecurity firm Emisoft, more than 2,300 government, healthcare, and schools were impacted by ransomware in 2020 (Ryan Lovelace 2021). That is a staggering amount of damage. Data is one means to an end of these cybercriminals, but their real intention is financial.
Electronic extortion attacks (aka ransomware) are not new. The first documented ransomware attack occurred in 1989. The vector? A 5.25-inch floppy drive. This incredibly unsophisticated attack hid and changed the names of files and folders on the computer from the operator, with a note replaced to the operator to pay $189 to a P.O. Box in Panama to recover their data. Over the decades, we saw more examples of this type of malware. Users are unwittingly downloading and installing malicious software that encrypted, changed, renamed, or otherwise destroyed data on local computers. As we moved into the 2010s, we started seeing this malware begin encrypting files on mapped drives and other file servers these computers were connected to. The first versions of ransomware were generally opportunistic attacks that required a user to instantiate the software. The damage would be restricted to the access that the computer itself had on the organizational networks.
This all changed with the rise in organized crime, the dark web, and the establishment of new ‘Cybercrime-as-a-Service’ economies (HHS HC3 2020). In today’s era, we face not just a single threat but also an entire underground marketplace where buyers can rate the sellers of stolen data, promise a Return on Fraudulent Investment, and establish a malicious supply chain for the buying and selling access to corporate organizations.
Cybercriminals are now weaponizing their stolen access with tools to cause vast damage inside of organizations. The adversary we face is no longer that opportunistic malware being downloaded onto a computer (don’t get me wrong, that still happens), but rather a wide-scale hacking effort that thoroughly penetrates your organizational networks and uses these ransomware tools as the last step in shutting down systems so they might extort your organization. Worse, since organizations have gotten better at backing up their critical files, the extorters are now destroying those backups and exfiltrating your data as part of their attack. In short, they are threatening to release the data publicly that they have stolen even if they were unsuccessful at shutting down your organizational systems.
I know this all feels quite daunting, especially for those Healthcare organizations that are very limited in their resources to protect themselves. Fortunately, there are solutions to these problems. In 2017, Health and Human Services convened a meeting of over 70 industry leaders charged with one singular purpose: How can we align and improve the cybersecurity posture across the industry to assist the small providers up to the large health systems. This meeting was the beginnings of the 405(d) Task Group, a public-private partnership sponsored by the U.S. Department of Health and Human Services that has grown to over 250 participants across industry and government, with its authority granted under the Cybersecurity Act of 2015.
I am the industry leader of this Task Group, working in partnership with a government co-lead within HHS. Collectively, this Task Group produced its first 250-page cyber practices compendium at the end of December 2018. This publication, the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP, pronounced ‘hiccup’) outlines five cyber threats that every healthcare provider faces and ten practices (and upwards of 89 sub-practices) that can mitigate them (Decker and Chua 2018). Think of this publication as your recipe book for fighting cybercrime. The volume is broken into multiple components, a main document for the masses, technical volume 1 which offers solutions for small practices. And technical volume 2 offer solutions for medium and large-sized practices.
Just recently, on January 5th, congressional bill HR 7898 was signed into law (now referred to as Public Law 116-321). This law amends HITECH to offer regulatory relief for organizations who have adopted “recognized cybersecurity practices” and subject to a cyber breach. This law specifically recognizes the 405(d) Task Group’s work products as a recognized cybersecurity practice. HICP will not only protect your patients’ lively hoods and data, but it will also protect your organization as well.
Our Task Group continues to produce more content, including an update to HICP and new materials forthcoming related to enterprise risk management. Keep an eye out for these updates.