Senior leaders and security professionals from over 30 healthcare organizations in New England, as well as representatives of the R.I. Department of Health, R.I. Office of the Health Insurance Commissioner, R.I. Commerce Corporation, Newport County Chamber of Commerce, and law enforcement agencies convened at the Pell Center at Salve Regina University on May 10, 2017 to participate in a cybersecurity tabletop exercise focused on specific challenges and potential responses to growing cyber threats in the healthcare industry.
In a ripped-from-the-headlines twist that preceded the recent “WannaCry” attack, the exercise started with a ransomware attack and continued with a series of cyber intrusion scenarios, such as disruption of services, email spoofing, phishing attacks directed at patients, DDoS attacks, and data exfiltration, all created to identify weaknesses common in the healthcare industry. The scenario involved real-world cascading effects, including consequences for the provision of healthcare, outcry from patients, and media fallout for the organizations that fall victim to such attacks. The exercise was designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies, mitigation techniques, and incident responses. Participants worked together on a range of timely and important cyber-related issues, including incident response and prioritization, data leakage considerations, digital forensics investigations, crisis management, legal and regulatory compliance, and cyber liability insurance. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.
This event, co-sponsored by SecureWorks, PreparedEx, and the Newport County Chamber of Commerce, was part of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. Congressman Jim Langevin joined this group of senior leaders for a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.
Stunningly, just two days after the Pell Center exercise, the world woke up to the news that “WannaCry,” a new, self-propagating ransomware allegedly stolen from the National Security Agency (NSA), was spreading across thousands of computers around the globe and affecting multiple different entities and industries. The malicious software infected more than 300,000 computers across nearly 150 countries and was dubbed the largest “ransomware” attack on record. Some of the world’s largest institutions and government agencies fell victim, including the Russian Interior Ministry, German transport giant Deutsche Bahn, French automaker Renault, US shipper FedEx, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computers and network systems are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.
Governments, companies, and security experts from around the world raced to contain the fallout from this audacious global cyberattack amid fears that if they did not succeed or paid the ransom demanded, data would be lost forever. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack was a wake-up call for many organizations in the healthcare sector and set off fears that the effects of the continuing threat will be felt for months, if not years. The following week, a new flaw was found in widely used networking software leaving tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the WannaCry ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine, and especially of the threats the use of legacy equipment, lack of cybersecurity professionals in hospitals, and hyper-connectivity of medical devices and hospital networks pose to patient safety.
With an eye towards mitigating similar cyberattacks and increasing preparedness and resilience to cyber risks, the Pell Center will continue its cybersecurity and healthcare event series this fall with additional seminars, panel discussions, and workshops. In light of the WannaCry attack and the Pell Center’s recent cybersecurity exercise, we also provided a series of tips and recommendations to participating organizations: ensure that all software and anti-virus programs are up-to-date; patch operating systems as soon as updates are available; create backups of all important files; align security controls with the risk and impact to the organization; prioritize responses and resources; educate all employees about malicious content and how to identify and avoid it; limit employee access to resources that aren’t necessary for daily workflow; and join forces with trusted third parties, internal staff, law enforcement, and security organizations. Experts from PreparedEx also stressed the importance of conducting more cross-functional crisis management exercises that include the senior leadership team from within organizations, and of maintaining well-exercised and regularly updated crisis management and incident response plans.
For more on RICCI and our upcoming events, click here.