Kristopher Kusche says providers focus too
much on meeting regulations and not
enough on ensuring if their security
systems are efficient
much on meeting regulations and not
enough on ensuring if their security
systems are efficient
At HIMSS, lessons from the front lines of the WannaCry cyber attack
March 06, 2018
by John R. Fischer, Senior Reporter
Four minutes after an initial alert from NYSIC-CAU, Albany Medical Center received another from its anti-malware security vendors, prompting it to initiate a series of protective actions; from IDS/IPS network address and file blocking, to network traffic pattern block rules, to the patching of servers and medical devices.
The date was Friday, May 12, 2017, the first of four days that saw more than 300,000 computers worldwide infected by the WannaCry Ransomware attack. In recounting the experience, Kristopher Kusche, vice president and chief information security officer at AMC, told a group of onlookers at HIMSS 2018, at the Sands Expo and Convention Center in Las Vegas, that health care providers should expect more trouble on the horizon.
“Because of our position and because of the way we have elaborated our infrastructure not to keep up with sectors like banking, we have become targets, accidental targets,” he said during his presentation, Getting Ready for the Next International Cyber-attack. “There’s not one federal agency that will say that health care was in the attack vector on these things. We weren’t in the plan. These things wouldn’t have targeted us, which kind of makes it a little more difficult because these things were random. Now, we have to protect against everything because we’re not the target, we’re not the target of this stuff. But where somebody finds a hole, they take advantage of it. That’s what happened at AMC.”
Health care accounted for 28 percent of all breaches in 2017; more than any sector, with 374 reported in total, and an impact on more than 5.1 million patient records.
Though AMC addressed its attack in a matter of hours, Kusche says the lack of education of staff, as well as inadequate PHP policies, open network ports, lack of encryptions, and inadequate solutions for internal defense have made providers and health systems vulnerable to the same fate.
To prevent the occurrence of this, he advises that organizations create their own cybersecurity framework (CSF), broken down into a series of necessities from workforce security to threat monitoring and assessment.
An effective CSF he says should be simple enough for staff to understand and execute, having backing from leaders, such as CIOs and boards; and should be compared to maturing models, such as the NIST cyber framework, for improvement. “It tells us where we are at in implementing and maintaining our security programs.”
The most basic step in a CSF is risk assessment, carried out by keeping an inventory of any issues that pose a risk with the end result being the creation of a risk registry that lists any issues an organization formally recognizes and plans to address by a certain point.
Such an innovation enables enterprises to organize their security priorities, and protects them from legal repercussions, such as dealings with the Office for Civil Rights.
Providers should also utilize a variety of solutions to combat security threats, such as an IDS/IPS for detecting and alerting users to malware downloads, and application whitelisting for monitoring applications and preventing malware from being run.
The most important item though, if they can afford one, is a security information and event management (SIEM) software solution, which can analyze millions of security alerts in real time.
Kusche notes that while money and skill level can hinder the ability of a provider to protect itself, the main issue is the focus of many on meeting necessary requirements rather than ensuring their system is at its best for standing up to cyber attacks.
“What you do for compliance doesn’t mean that you’re an effective program. It just means you’re meeting the regulations. You’re checking boxes,” he said. “The challenge for us as professionals in health IT is how do we go from checking boxes to making sure that our programs are doing things that we want them to do. Where do we meet the intent? How do we get to the point where we stop looking at the boxes that need to be checked, or make that the first thing we do, and put them aside and then say, “How effective am I? How effective is our program?”
In addition, he advocates for greater documentation of systems and networks, more collaboration between providers and vendors on medical device vulnerabilities, such as patching issues, and greater reliance on information sharing organizations, such as state police, the FBI, and computer emergency readiness teams, as guides on cybersecurity matters.
The date was Friday, May 12, 2017, the first of four days that saw more than 300,000 computers worldwide infected by the WannaCry Ransomware attack. In recounting the experience, Kristopher Kusche, vice president and chief information security officer at AMC, told a group of onlookers at HIMSS 2018, at the Sands Expo and Convention Center in Las Vegas, that health care providers should expect more trouble on the horizon.
“Because of our position and because of the way we have elaborated our infrastructure not to keep up with sectors like banking, we have become targets, accidental targets,” he said during his presentation, Getting Ready for the Next International Cyber-attack. “There’s not one federal agency that will say that health care was in the attack vector on these things. We weren’t in the plan. These things wouldn’t have targeted us, which kind of makes it a little more difficult because these things were random. Now, we have to protect against everything because we’re not the target, we’re not the target of this stuff. But where somebody finds a hole, they take advantage of it. That’s what happened at AMC.”
Health care accounted for 28 percent of all breaches in 2017; more than any sector, with 374 reported in total, and an impact on more than 5.1 million patient records.
Though AMC addressed its attack in a matter of hours, Kusche says the lack of education of staff, as well as inadequate PHP policies, open network ports, lack of encryptions, and inadequate solutions for internal defense have made providers and health systems vulnerable to the same fate.
To prevent the occurrence of this, he advises that organizations create their own cybersecurity framework (CSF), broken down into a series of necessities from workforce security to threat monitoring and assessment.
An effective CSF he says should be simple enough for staff to understand and execute, having backing from leaders, such as CIOs and boards; and should be compared to maturing models, such as the NIST cyber framework, for improvement. “It tells us where we are at in implementing and maintaining our security programs.”
The most basic step in a CSF is risk assessment, carried out by keeping an inventory of any issues that pose a risk with the end result being the creation of a risk registry that lists any issues an organization formally recognizes and plans to address by a certain point.
Such an innovation enables enterprises to organize their security priorities, and protects them from legal repercussions, such as dealings with the Office for Civil Rights.
Providers should also utilize a variety of solutions to combat security threats, such as an IDS/IPS for detecting and alerting users to malware downloads, and application whitelisting for monitoring applications and preventing malware from being run.
The most important item though, if they can afford one, is a security information and event management (SIEM) software solution, which can analyze millions of security alerts in real time.
Kusche notes that while money and skill level can hinder the ability of a provider to protect itself, the main issue is the focus of many on meeting necessary requirements rather than ensuring their system is at its best for standing up to cyber attacks.
“What you do for compliance doesn’t mean that you’re an effective program. It just means you’re meeting the regulations. You’re checking boxes,” he said. “The challenge for us as professionals in health IT is how do we go from checking boxes to making sure that our programs are doing things that we want them to do. Where do we meet the intent? How do we get to the point where we stop looking at the boxes that need to be checked, or make that the first thing we do, and put them aside and then say, “How effective am I? How effective is our program?”
In addition, he advocates for greater documentation of systems and networks, more collaboration between providers and vendors on medical device vulnerabilities, such as patching issues, and greater reliance on information sharing organizations, such as state police, the FBI, and computer emergency readiness teams, as guides on cybersecurity matters.