It’s time for my annual physical again. I really don’t want to go. I am afraid of what the doctor might say. But I know I must go to the visit, if only to fine-tune my health and to make sure I am resilient for another year.
Isn’t this also the case with hospitals and their need to undergo an annual IT network cybersecurity health checkup? Apparently they should consider scheduling that checkup very soon, before catching a ransomware strain. This “plague” only appears to be getting worse, with daily articles talking about the epidemic, such as “Ransomware: Extortionist hackers borrow customer-service tactics.” The tenor of these articles is getting a lot scarier (at least to me), as paying the ransom, rather than simply restoring the network from the previous day’s backups, seems to be the preferred solution for many. The other implication of the article is that the hospitals that paid the ransom apparently never went for their annual IT health checkup, where their IT network doctor (likely, their cybersecurity consultant) surely would have noticed the lack of a business continuity plan, or at the very least the lack of a viable backup solution: one with a copy kept offline or otherwise out of reach of anything that can write to the production network, and proven by actually restoring from it.
There are a number of problems with the “paying the ransom” solution. First is the very public implication that these hospitals were simply unprepared to handle their own patient records in a safe and secure manner. This is probably not the image a hospital or healthcare organization wants to project when it is simultaneously trying to attract more business from patients. But the problems go far deeper. Paying the ransom does not assure that you will get your records back (the decryptor may not work, or may not cover every system), nor that the attacker will clean up your network completely, since the foothold used to deploy the ransomware may still be there. Paying the ransom doesn’t preclude the attacker from double-dipping, i.e. coming back months later with a different (and perhaps far worse) ransomware strain and saying, “I’m back.” Finally, in the upside-down world of asymmetrical cyber warfare, paying a ransom is actually funding the attackers and allowing them to feed on other organizations to fill their coffers. Is that really the preferred approach to the ransomware epidemic?
The concept of IT network storage and backup solutions is as old as the Internet itself. And in the “year of the ransomware attack,” every article that I have read mentions somewhere that the cure for ransomware attacks is backups. One recent article aimed at the healthcare sector specifically notes, “Ransomware is getting more brazen, and ransomware works when organizations do not backup their data and thus have no choice but to pay in order to get it back.” Healthcare organizations must make sure they are routinely backing up their data, and there are many cases where organizations simply have not. But a backup only cures ransomware if it survives the attack and actually restores: a backup that sits on a share the infected machines can write to will be encrypted along with everything else, and a backup nobody has ever restored from is an untested assumption, not a plan.
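The point that a backup is only a cure if it is out of the attacker’s reach and verifiably restorable is easy to state and easy to skip. The following is an added example (not code from the original article or from any product it mentions) of a restore drill in Python: it records a SHA-256 manifest when the backup is taken, restores from the backup, and reports every file that is missing or does not match. It then runs the drill against two constructed backups, one kept “offline” and one on a share the encryptor can reach. The sample patient records, the directory names, and the XOR-and-rename stand-in for an encryptor are all constructed for the example and are assumptions, not anything from the page.

```python
"""Backup restore drill: hash every file at backup time, then prove a
restore reproduces every file bit-for-bit. Added example, not from the article."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup: Path) -> dict:
    """Copy the tree and write a manifest beside it.
    Assumption for the example: the manifest lives next to the copy. In
    production it should be stored where the production network cannot write."""
    shutil.copytree(source, backup / "data")
    manifest = build_manifest(source)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(backup: Path, restored: Path) -> list:
    """Restore from backup and return every discrepancy against the manifest.
    An empty list means the restore drill passed."""
    manifest = json.loads((backup / "manifest.json").read_text())
    shutil.copytree(backup / "data", restored)
    actual = build_manifest(restored)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def simulate_ransomware(tree: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for an encryptor: XOR each file's bytes and rename it.
    Real strains use real ciphers; the only point here is that any backup the
    infected host can write to gets hit along with the primary data."""
    for p in list(tree.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))


def run_drill() -> dict:
    """Run the drill on constructed sample records for two backups:
    one the encryptor cannot reach ("offline") and one it can ("online")."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "patient_records"
        (source / "ward_a").mkdir(parents=True)
        (source / "ward_a" / "mrn-0001.txt").write_text("constructed sample record 1\n")
        (source / "mrn-0002.txt").write_text("constructed sample record 2\n")

        offline = tmp / "offline_backup"
        online = tmp / "online_backup"
        take_backup(source, offline)
        take_backup(source, online)

        # The attacker encrypts the primary share and everything reachable from it.
        simulate_ransomware(source)
        simulate_ransomware(online / "data")

        return {
            "offline": verify_restore(offline, tmp / "restore_from_offline"),
            "online": verify_restore(online, tmp / "restore_from_online"),
        }


if __name__ == "__main__":
    for name, problems in run_drill().items():
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  ", problem)
```

Running it prints PASS for the offline copy and FAIL for the online one, listing each original record as missing and each `.locked` file as unexpected. The manifest is what turns “we have backups” into “we can restore”: without it, a restore that silently returns encrypted or partial files looks like success until a clinician opens the record.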
Being prepared for a ransomware attack is most of the battle. And it is hard to imagine today that any hospital would say, “Oh, we don’t need to prepare for a ransomware attack because we are not a target.” Just as the prospect of my evading my annual physical is slim to none, the prospect of any organization today avoiding the cybersecurity pandemic is also slim to none. It is no longer a question of if, but of when you get attacked. We are all targets. Daily.
So rather than evading the obvious, it is high time for hospitals to follow their own advice: go get an IT network health checkup, with a backup tape “referral” to your cybersecurity consultant. You will be glad you went.