Lessons learned from the Hollywood Presbyterian Hospital Cyber-Ransom attack

A major metropolitan hospital was recently hit with a devastating cyberattack that crippled its operations and put patients' lives at risk. The response by hospital administrators took almost a week, and was also wrong on many levels.

By: Chatterbox PR

The hospital's CEO, Allen Stefanek, has responded to the attack, known as “ransomware,” by saying that it appeared to be random and that no patient or employee information is at risk. According to one of the country's leading cyberattack experts, Steve King, chief security officer for Netswitch Technology Management, Stefanek's response was inadequate at best and possibly dangerous. King said there are four things never to do in case of a breach of this magnitude.

* “Never wait to acknowledge a breach,” says King. “The longer you delay, the more it looks like you have something to hide and the less your customers will trust you. A week is crazy-long.”
* “Never insult the public's intelligence by saying that ‘no patient or employee information is at risk’ when it is obvious that if the attackers were clever enough to lock down the hospital's systems, they are certainly capable of stealing the medical records as well.”
* “Never suggest that you were attacked ‘randomly.’”
* “Never pay the ransom,” says King. “Take the hit. Pay whatever you have to in order to re-create it all and button it up so it won't happen again. Then, walk back everything you have said and come clean.”

Mary Siero, an experienced CIO in healthcare and a prior recipient of the Chief Information Security Officer (CISO) of the Year Award, concurs that companies need to be better prepared for ransomware, which is increasing at an alarming rate. “Organizations should not assume that the breach is minor without an in-depth assessment and should also not assume that sensitive data has not been breached until they have their assessment.” But Siero also acknowledges that the complexity of networks and organizational systems and the technology consumerization movement have made it difficult to protect against attack on all fronts.

“Security is not a perfect science; it is dependent upon people, processes and technology,” says Kim Green, Chief Information Security Officer (CISO) for Zephyr Health Technology. Green agrees that preventative measures are the best defense against an attack, but says that healthcare has always lagged behind other industries in implementing and assuring secure computing environments. She says the reasons for this are well documented: inadequate security funding, ineffective security training, unpatched healthcare legacy systems, the difficulty of providing secure systems that do not impact the continuum of care, and system integrations with suppliers and partners who have not undergone proper security assessments.

“First, all businesses should have a sound anti-ransomware policy in effect,” she says. “An anti-ransomware policy is a highly confidential document and differs from incident response and data breach communication policies.” Green says the policy should define:

1) How the business plans to communicate with the attacker.
2) Who the business plans to contact and communicate with during and after the attack, such as the FBI or a security consultancy firm specializing in ransomware cleanup.
3) Whether or not the business plans to pay. If so, how much?
4) Whether or not a data silo and/or offline backups must be maintained.
5) What type of cyber insurance coverage should be maintained.

Both Siero and Green agree that the attack on Hollywood Presbyterian is a wake-up call to the healthcare industry, and that nobody is immune. “Hopefully they can learn that 1) it can happen to them, 2) an incident response plan is vital and 3) the value of a comprehensive cyber security program is worth every dollar,” says Siero. Green says implementing an anti-ransomware policy and defenses is vital, but providing employees with hands-on, real-world security scenario training in tactics like phishing, baiting and tailgating is also imperative.

“If you are in the healthcare space and are fortunate enough to have avoided a breach thus far, take a lesson from this event and start investing in your own cyber-defenses right now,” says King. “I am sure you are on someone's list somewhere.”

Contact:
Marci Bracco Cain
Chatterbox PR
Salinas, CA 93901
(831) 747-7455
http://www.netswitch.net/

End