Ransomware is a hot topic these days. And the bad guys are often innovating faster than we are by easily evading traditional security controls. In this episode, industry expert Ben Stock from Ordr, Inc. will tell us how both large and small healthcare organizations can prepare for and defend against ransomware attacks.
Mike: Hello, I'm Mike Valladao. Welcome to episode seven of the Navigating The Cloud Journey Podcast Series. Years ago, when I was running IT in the healthcare industry, there was a running joke that went like this. "With all their technical prowess, why doesn't Cisco, IBM, or Juniper make pacemakers?" The answer? Because 99.9% uptime just isn't good enough.
If the pandemic has taught us anything, it's that healthcare is a critical component of our lives. We fully expect hospitals, medical equipment, and services to be there when we need them. In today's segment, we focus on ransomware. Too many people think ransomware is just about file locking. But that is just the tip of this disruptive iceberg.
My guest today is Benjamin Stock, who's currently Director of Healthcare Product Management at Ordr Incorporated. Ordr is a Silicon Valley startup focused on securing the connected world. Welcome to our program Ben.
Ben: Thanks Mike. Thank you for having me.
Mike: Thank you. Let's start off with the basics. How do you define ransomware and what does it mean to us all?
Ben: I would define ransomware as malware that gets installed onto a device, usually computer based, that does something to restrict access. Typically, it would encrypt the data to a point that it can no longer be usable by the end user and makes the device inaccessible.
Mike: Now, we're hearing a lot about it now, but it's been around for a while, hasn't it?
Ben: It has, and the concept has been around for a while. It's just the tools that are being used to implement ransomware have gotten increased in complexity and ease of use so that you see a lot more people taking advantage of what's out there.
Mike: Ben. We've brought you onto the show because of your expertise and experience specifically in healthcare. But most of what we're going to be talking about today still applies to other industries and sectors as well. Is that correct?
Ben: Correct. Yeah. You know, devices that are classified as medical devices are in a special category, but they also coincide with manufacturing devices that are designed for a specific task and that's all they do. That's really what a medical device is. It's designed to do one thing, do one thing well and repeatedly. It could carry it over to multiple different verticals, be it manufacturing or utilities for that matter.
Mike: Yes, utilities also use remote devices and IoT. A few years ago, I was assisting a public hydro company in Canada. One Monday morning, an external source logs in and starts opening and closing water valves. The company was shocked. Everyone just assumed access. It had always been locked down. Nobody in their right mind today makes that assumption.
Regarding your background Ben, weren't you at one point a certified biomed equipment technician, I believe you also worked in medical imaging? Did I get that right?
Ben: That is correct. After 9-11, I lost a position that I had with a company that I planned on working for a long time. These positions came up and I didn't know what a biomed was or what they did, but I talked to them, and it was a great opportunity. I didn't have a healthcare provider background. I couldn't do any direct patient care. But I could still provide a service to the healthcare industry that was needed. And I found my calling and I worked for the same organization before joining Ordr, for 18 years being in almost every position in the healthcare maintenance side for medical equipment.
Mike: Benjamin, in a hospital, how many devices are there? How do you calculate that?
Ben: If you're looking at all connected devices, we're seeing an average of 14 to 15 devices per bed. Hospitals are generally sized by the beds, the amount of patients they can take care of. If we're looking at strictly medical devices, we'd be looking at about seven devices per
Mike: What is it about healthcare that makes it so easy for ransomware to be involved?
Ben: Ransomware is generally a crime of opportunity. It is a group of people typically making multiple attempts to exploit different verticals and healthcare is one of the ones commonly exploited for a couple reasons.
There's a lot of entry points into healthcare. There's a lot of people receiving information. They can receive a malicious link and click on it. There's a lot of people you have to educate on what they can and can't click on. And in healthcare, with the environment they're in and the stress, it just compounds those things. And ransomware by itself is one thing, but they have to have an entry point.
And then with healthcare, once you get in, you're dealing with a lot of systems that are difficult to protect, are older, and are typically on a flat network where everything talks to everything. This gives them a lot of opportunity to take advantage of those systems.
Mike: Let me stop you there for a second. This podcast is normally about the cloud. So how does ransomware fit into that?
Ben: Ransomware fits into the cloud in that it can be affected. And a lot of medical manufacturers are utilizing cloud resources now for storing patient health information for storing backups, and for allowing organizations to communicate that aren't centrally located. So, health systems that have multiple hospitals, but they are not within a geographical area, need to access the same data. And the cloud is very good at that.
Mike: So, what you're saying is it all has to work together that my data can be stored in the cloud, but if I can't get a device to work, I can't see the imagery. I can't see what's going on. I can't look at my X-ray.
Ben: Correct. Having this data stored in the cloud does give you a little extra layer of protection. But if the equipment you use to access that cloud data is down, it doesn't matter that the data is still there and safe, you still can't get to it.
Mike: Let me ask you a question here. A friend of mine works for a small hospital. Does she need to worry about ransomware?
Ben: Everyone needs to worry about ransomware whether you're an individual or a small health system or a large health system. Because like I said before, it's a crime of opportunity. They're going to care that they have an opportunity to make some money off of you. And they will go as far as after getting access to a location doing research and coming up with a formula that they think they can extract from that organization before they even implement any ransomware.
Mike: You've mentioned the word "they" multiple times, who is "they," who's doing this? We hear about Colonial Pipeline and things of that nature that are nation state actors, but who's trying to go after hospitals?
Ben: Usually "they" would refer to organizations that specialize in this form of extortion. And when I say organization, it is just that, it is a business in some countries. And there are groups of people sitting in a room, and once they get that point of entry, they all go to work and try to figure out the best way they can to extort every single dollar they can out of those organizations.
And with healthcare as a whole, as a target for those other things we mentioned before. They're typically an easy target. In history they have paid ransoms before so if they're not seeing a return on their time and money they'll start ignoring those types of things. But unfortunately, depending on how you look at it, some people have paid the ransom and that's a decision that you can't second guess, but it has to be made on an individual organization basis.
Mike: These people are all about disruption. The more that they can disrupt, the better the chances they will get paid, and that's what they're really looking for. So, like it or not, we've got to deal with this.
Mike: You were talking about how within a hospital, things are more distributed. How are those devices connected? When you were working in that field, how did you make changes? How do we protect all this from ransomware?
Ben: So there, there's a couple different things there, and typically the ransomware is the final outcome. There's lots of things that we can do before we get to that point. And with healthcare specifically, we've seen a lot of these attacks take place on a Friday evening, and that's not by chance, it's planned. And they've been in that network for a considerable amount of time before they've actively made themselves known by instituting the ransomware. They're going to get into those systems and they're going to move what we would call east to west traffic or laterally. So they're going to get into one system and they're going to seek out other systems that they can exploit.
Mike: How did they do that? How were they looking to move from one place to another?
Ben: Well, I mean, that's where the, these exploits are coming in. So typically, the exploit they used to get into the system is human error, it's social engineering. It's those emails you get that they tell you not to click on, and someone clicks on something and that installs a piece of software that allows them to then get into the system and it starts calling home. And it reaches back out and it says, "Hey, I'm here, I'm here." And then they go back, and they can get into that system. And they start sending out similar pieces of information to other systems trying to get any other system to receive that information. And then once that happens, they just keep moving and finding vulnerable systems until they find ones that they feel are the most critical to exploit to cause that panic, like you mentioned before, of we have to have this system back up where we can't operate making it more likely that they're going to go down the route of paying to get the solution resolved.
Mike: And what about healthcare is really different from other industries within that particular piece? What makes it separate and something that they can point to?
Ben: I think it's that sense of urgency in healthcare. If you have to divert ambulances because you can't provide care or you have a particular patient that needs a piece of equipment that is not working because of an event like this. It hits you more, in your feelings and you feel that, hey, we should be doing something to stop this and them giving you that out of saying, hey, just give us some money and we'll fix this, gives you that urgency to make those types of payments. And it really truly is impacting a life-or-death situation which can happen in utilities and so forth as well. But it really hits home within the healthcare environment.
Mike: You make a good point about life or death because Springfield Memorial hospital in Alabama last year, an infant was lost simply because people could not see the right monitors. And it's ugly, but this is the direction of things that are taking place. How do we make it better?
Ben: Well, so that's a difficult question. There are always going to be people that are looking to exploit situations for profit. So, what we can do is we can get better at detecting the actions that they take. So, like I said before, the ransomware is the outcome. There's a lot that goes on before that. Being able to monitor the network and monitor when east to west traffic, lateral movement, is occurring when it hasn't occurred before, is critical to finding these kinds of intrusions quickly and being able to stop them and finding those devices that have been infected and stop them from communicating maliciously with other devices. And when it's a device that's providing patient care that's hard to do, you can't say, hey, this life saving piece of equipment has to be taken offline because it's sending out remote desktop requests to other devices. So, you have to be able to address the situation, but not impact the work the device has to be done. It's very similar to manufacturing where you can't shut down a whole plant just because one device is acting kind of weird.
Mike: So, what do you look for? What kind of visibility is required?
Ben: So, the kind of visibility required is visibility into your entire network. Not just what's going in and out of your network. Because that movement inside the network is just as critical as the movement of data going out of the network and coming in. So, you look for things that are out of the ordinary, and to do this, you have to know what is ordinary.
So, you profile the devices to say this device communicates to these three other devices using these protocols on these ports. And if it does that over a period of time, you can say this is how that device should work. And you can set up flags that say if that device deviates from these documented communication patterns, we need to know.
And you can go further and say if it communicates through a protocol that is known to be used by ransomware groups, that we want to even set up a higher alert. So, you can kind of triage your events and know when an immediate action is needed, and when you just need to investigate what's going on.
Mike: Ben. Give me an example of what kind of protocols you might not expect to see. What's bad? What should we look for?
Ben: Mike, great question. We talked about legacy medical devices. So unfortunately, some of these devices use insecure protocols as a part of their systems and a part of their programming because they were developed when these were secure protocols. Different levels of SMB, V1, V2, are insecure. There's even some of the early LDAP protocols that would be considered insecure. A lot of your remote desktop requests can be insecure. Almost anything that's not encrypted could be a problem as far as protocols go especially when you're dealing in the medical environment.
Mike: Ben, give me some examples of how you can track the data. Once you've seen it, how do you track this? How do you know what's right and wrong?
Ben: So that, that goes back to the profile discussion. So, we build profiles around the devices to identify what the device is. So, by looking at the protocols that it's communicating over and decoding them, we can determine that a particular device that's speaking DICOM protocol, which is your typical medical imaging protocol. We can tell you what the manufacturer is. That it's a CT. We can tell you its typical amount of images it's doing over a period of time. And what that allows us to do is identify those devices so that we know what devices are medical devices and what devices are just typical workstations that could be secured using traditional methods and not necessarily have to go in depth into how you're securing them and use local applications to protect them.
Mike: You mentioned earlier that many times the medical devices are isolated. Talk a little bit about that. How do you protect it?
Ben: Yeah, isolating devices is a great way to protect them. Typically, in the health system you'll see where they're using a dedicated medical virtual LAN or VLAN. And it is a way to segment them, but it's not really keeping them from talking to other devices. So, what we've started to see in healthcare is network access controller, NAC, where you're actually setting that these particular devices are limited in communication to other devices, but not just the communication to other devices, the exact protocols and ports that they can communicate with those devices on. So that limits your footprint if someone were to get to another device. If you have the appropriate protocols set up, they wouldn't be able to just reach out to those other devices, they would have to be using an approved port or protocol or another device that's been approved for that communication. So, it really lessens that footprint and exposure.
Mike: Ben, let's talk best practices. What can you do to identify these compromises early, early on?
Ben: We look at this in a couple of ways; is to see, to know, and secure. So, you have to know what you have out there, and you have to understand what you're protecting. So that's the first part of the battle, knowing what's there. And then, once you know what's out there, you need to know what it's doing. So, you need to have an understanding of how these devices communicate, what they're doing on a daily basis, and being able to monitor that. And then once you know all that information, you need to know how to secure it and you need to have the proper tools to secure it. This will give you that first line of defense so you can see when there is an intrusion occurring and when people are trying to take advantage of these systems that may be a little less secure than more modern systems that are out there.
Mike: And bringing it back to the cloud. Once again, you'd said that the cloud does have some benefits. Let's touch upon those.
Ben: Sure. In healthcare, and you're going to see this, I think more, the cloud has advantages in that it decentralizes what you're doing. It also allows you to do that without any additional hardware expenses. A lot of the expenses within the healthcare organization are for maintaining equipment that you don't even see in the hospitals that are in data centers. And by utilizing cloud resources, we can offload that infrastructure from the healthcare system and still have access to all the data and the systems that are needed.
Mike: I appreciate the fact earlier you said this isn't all doom and gloom. We do have options here. There are things that can be done. And if we do our jobs right, we can keep things up, we can keep them running and keep people happy and safe.
Ben: Absolutely. And I think safe is the key one there. With our reliance on technology and healthcare, the impact of these events is going to be more impactful because you won't be able to get to the information you need, and we need to do everything we can to do that. Keep them safe.
Mike: And of course, in the cloud, we call these security zones, but the same concepts are applying across the board. So now let's say that we have gotten into a situation where we do suspect that particular device has been infected. What do we do? Where do you go?
Ben: It truly depends on what that device is. And that's where that knowledge of profiling comes from. We're going to treat a device that's a general workstation completely different than something that could be providing patient care. So if it's a workstation, we're just going to isolate that. There's traditional tools that we can use to separate that from the network and shut down the ports and not worry that we're going to impact patient care too drastically. But if it's a piece of medical equipment, it may be providing care. And if we've profiled that device what we can do is we can implement a NAC policy or a firewall policy that only limits the communication that we're seeing that's malicious and allows the communication that we've seen in the past to continue. So, you can in fact, isolate the device, stop the attack and have no impact on the patient or the end-user of the device.
Mike: Now your company does have programs to do this. Does it do it automatically?
Ben: It can. And it gets a little tricky when you're talking about medical devices. So the customer has the ability to determine if they want to take that type of action with a medical device. Or if it's a workstation, then they could set up that automated response. But we don't do the work ourselves. We trigger the solutions depending on what available solutions the end-users have. So, if they're a Cisco shop, they would generally have Cisco ISE as their NAC solution. But we interact with that, enrich the data that Cisco ISE has and then provide the information to create the policy to provide that protection.
Mike: What kind of options does an organization have if they are compromised? What do you do?
Ben: If an organization is compromised, the first thing they need to do is identify those devices that are compromised and start getting them isolated and removed from the network as quick as possible. Like I mentioned before the ransomware's the end event. There's usually some time in between when you're compromised and when they fully exploit all the available options. So, identifying that lateral movement we talked about and isolating those devices or getting them completely off the network is the first thing you need to do if you see anything suspicious like that.
Mike: And what about the end event? What if we do see we've got the warning messages saying that you were locked up. What options does the hospital have?
Ben: Unfortunately, you have two options at that point in time. One is to pay the ransom, and the other is to go at the solution and basically bring those systems back up with a backup. These are all individual decisions that each organization is going to have to make based on all the available information they have.
Unfortunately, the actors that are doing this are getting a lot better. And if you don't find them early, they're going to find your backup servers and so forth. And they're going to start encrypting there before they encrypt the end device. So a lot of times your backup plan is gone and you don't even know it until it's too late.
Mike: It makes it very difficult. I'm gonna throw out a couple of numbers here. Since we have people watching our podcast around the world. In the UK, one of the recent surveys that came out from information security magazine said that 38% of people in the UK did choose to pay the ransoms and 44% refused. So again, that's just one sector. But we're also seeing with other numbers here that in 2021, the average cost per ransomware was $570,000. That's a lot. Now, granted, these are all corporations, or hospitals, or utility companies, but that's just the average $570,000. Huge changes here over the last few years.
Ben: Definitely. Yeah. The numbers that I have, ransomware cost healthcare organizations in 2020 over $20 billion. And that's double the amount it cost from 2019. So this is, I hate to use the word pandemic in the state we're in, but it is a pandemic or an epidemic. It's not going away and it's just going to continue to grow. All we can do is get better at identifying it and protecting systems from it.
Mike: Another piece of the puzzle here is sometimes people think, well, we'll just use insurance to cover it. Well, the fact is yes, there is ransomware insurance, you can get that. However, first of all, it's very expensive and similar to medical malpractice insurance, they also make sure that you're doing your due diligence before they pay out. So, this isn't just a blanket policy that says, if something happens, you're in good shape. Because they're going to come back, they're going to audit you, they're going to make sure that you've done all the things that you should be doing, including what you said, separating the different devices, checking to make sure that things have been upgraded. All these things are going to be done before they pay out. So, the onus is really on the companies. And as a result, it means it's also on those of us that are working with these companies to keep them secure.
Ben: Insurance is a tricky business no matter whether it's ransomware insurance, cyber insurance, or anything along those lines. And they are qualified. So, they outline standards you have to follow. Like you said, they're going to validate that. So, if you are going to go down that route, it's not a solution, it is a backup plan. You still have to make sure all these precautions are in place or you're going to be left with what you think is an insurance policy that really isn't worth the paper it's written on because you haven't met standards required by that insurance vendor. They're not going to just have good hearts and be like, you tried and we're going to go ahead and pay this. They want you to meet those criteria and they're there for a reason.
Mike: We've talked about the different types of devices that are out there, but on the bigger picture, what is IoT? And give me some different flavors of that.
Ben: Yeah, IoT or Internet of Things. It's a pretty wide variety of things. It could be from the point-of-sale credit card readers, the HVAC controllers that you find everywhere. You know, the infamous Target hack that was started by a HVAC controller, which would qualify as an IoT device.
And a lot of devices that are medical are classified as IoMT devices or Internet of Medical Things. And even though they're PC based, they are kind of restricted based on how they're approved by the FDA. The devices are approved in a state, and they cannot be changed from that state without going in and asking for reapproval. It's called FDA 510(k) clearance and it's a big portion of why medical devices cost so much because they have to go through a rigorous process to be validated that they're safe. Well, that validation takes time. So you can develop your system with a currently active operating system. And you're two years down the road into that operating system's life expectancy before your product's even going to FDA clearance. So, you're producing medical devices, they're coming to market with operating systems that are five years into their life cycle of a seven-year operating system life cycle.
Mike: And if I can throw in here, many of those are embedded systems. Some are based on Linux or Unix. There could be all kinds of different things out there. Thus, it makes it almost impossible for the users to keep track of everything by themselves. They really do need some help.
Ben: They do. And the manufacturers are improving. This isn't a doom and gloom story. The government has passed some regulations that require the manufacturers to really put security as part of their products. And that is helping. So, we're seeing storage of PHI, patient health information on these devices be encrypted at rest.
Ben: So, the tactic of these ransomware actors is to not only go in and lock the device up, but it's also to extract data and hold that and extort for that. So, a PHI record is worth more than a credit card, I don't have the exact numbers in front of me, because the information in that record can't be changed. You can get a new credit card by making a phone call, but you can't change medical diagnoses or your medical ID numbers or possibly your social security number. So those records are worth more money. And they're taking advantage of that.
Mike: So, if people want to get in contact with you Ben, what's the best way?
Ben: I'm pretty easy to find on LinkedIn. You can look me up, just a Benjamin Stock and it'll list me at Ordr, and I'm more than open to any kind of conversations.
Mike: Thank you very much. You have a great day.
Ben: Thank you, Mike.