by: Dustin Owens
Hush little baby, don’t say a word
And never mind that noise you heard
It’s just the beast under your bed
In your closet, in your head.
Who doesn’t have Enter Sandman somewhere on their playlist? I hear the lyrics and think, “Man... why does this song make me think of what’s going on with healthcare and ransomware right now?” Well, it’s not too hard to make the connection to lurking bad guys and scary things when one sees the stats (https://bit.ly/3Oach0U) and hears about the impact that ransomware continues to have on the industry.
The question I want to ask, though, is “Why is this still such a rapidly growing problem?” I understand that hospitals, doctors’ offices, and the like typically run low-margin businesses and traditionally don’t feel they have enough to spend on properly securing their environments. But surely they see that ransomware actors behave like viruses: they don’t discriminate based on margins or what people do for a living. They are looking for soft targets they can turn into cash.
So stop being a soft target and be laser-focused!
Here are a few thoughts on where to focus, especially for smaller or less well-resourced organizations in the healthcare industry:
Compliance Doesn’t Equal Security
Passing an audit is not the same as being hard to breach. That said, most of the things you’re supposed to do for HIPAA would probably stop the majority of the attacks aimed at you, if they were applied appropriately and widely enough. The gap is usually in the application, not in the checklist.
Managed Endpoint Detection and Response
Purchase a managed detection and response (MDR) solution built around endpoint detection and response, and let the experts monitor your environment around the clock. We don’t sell MDR, but we do believe it can be very effective in detecting the bad guys and stopping them before encryption starts.
Basic System Hardening and Data Encryption
Get someone to help with basic system hardening and data encryption. Ensure a named person is assigned the responsibility for keeping systems hardened and patched; hardening that nobody owns decays quickly.
Multi-Factor Authentication
Use multi-factor authentication (MFA), but understand that MFA comes in different shapes and sizes, and those roughly equate to different levels of protection. SMS codes and simple push approvals can be phished or fatigued into acceptance; phishing-resistant methods such as FIDO2/WebAuthn security keys cannot be replayed to a lookalike site. Get a solution that meets the level of effectiveness you need, not just the cheapest or easiest to implement.
Security Awareness Training
Develop or obtain some form of regular security awareness training that covers ransomware and phishing prevention. Some vendors even offer this for free to smaller organizations.
Vulnerability Scanning and Penetration Testing
Incorporate regular vulnerability scans and at least annual penetration tests, and make sure the findings are actually fixed rather than filed.
Ask for Help
If your organization doesn’t feel comfortable doing these things itself, consider hiring at least a part-time resource to help.
Choose Your Help Wisely
Don’t get bamboozled by a consulting organization telling you that you need a four-week assessment to get started. It really doesn’t require that much analysis. You’re either doing these things or you’re not, and you don’t need to pay someone to tell you that you’re not.