As the threat of ransomware and cyberattacks continues to grow, private companies like Microsoft and branches of the U.S. government like the Department of Health and Human Services (HHS) are rushing to ensure that hospital systems and healthcare organizations are duly protected against these increasing threats.
Healthcare Purchasing News had the opportunity to speak with Chad Wilson, CEO of LS Cyber. Wilson is a renowned leader in healthcare cybersecurity, known for his expertise in protecting patient data and securing information systems. He is a thought leader in the field, contributing valuable insights on evolving challenges and innovative solutions.
Could you tell our readers a bit about your background?
I’ve been practicing cybersecurity in healthcare for almost two decades now and cybersecurity in general for over three decades. I started a cybersecurity company quietly, called LS Cyber, and our goal is to bring a service and product to healthcare that helps integrate security within the environment as opposed to something that’s bolted on.
What would ransomware’s impact on a materials manager be?
Normal workflows for ordering, inventory control, shipping, and receiving are all reliant on computers. Ransomware disrupts the availability and confidentiality of the computer, and the information used by the organization. Normal workflows cease to be available. While ransomware removes resource availability, the bad actors controlling it also seek to access and steal all the information on the computer or neighboring computers.
Additionally, significant financial impacts can occur when the bad actor successfully disrupts operations. This can take several forms, such as denial of financial transactions, re-routing of financial transactions, or denial of logistics essential for operations. Plus, without computers available, communication internally and externally becomes challenging. Information may not be readily available, further compounding the ability of the organization to communicate effectively and in a timely fashion.
What about the impact on the supplier side?
If the supplier is attacked with ransomware, it will impact their operations with potential downstream impacts to their customers. All of the impacts I mentioned for the materials manager apply to a supplier organization – they may have difficulty getting paid, and they may have difficulty shipping materials because their systems are down.
Further, while they have to go through the same things a healthcare organization would go through in this situation, there is one notable exception – the supplier shouldn’t be thinking they’re in a vacuum all by themselves. They should be notifying their customers immediately, and they should know what their contractual obligations are. Say, I’m a supplier to healthcare, then I should be held accountable for all the same HIPAA regulations and responsibilities, even though I’m not a covered entity – I’m supplying to a covered entity. Those requirements should be contractually required by that covered entity for the supplier. The entity needs to know if their data is safe, or what data may have been compromised.
Also, a major hurdle is communication – who should be contacted, and how can they be contacted if typical email can’t be used? Contact information has to be in a format that is accessible when your computer is not available, and writing things on paper has its own old-school HIPAA requirements. When all the contact information is electronic, the time to back up that information is now, when it’s not an issue.
What are some best practices for supply chain departments to follow regarding ransomware?
First, be vigilant and aware. Train staff to slow down and to be mindful of the moment, as well as the methods that bad actors will use to trick you. Second, managing risk is important. Understand the risks of conducting or not conducting business with a potential partner. Understand how those risks and liabilities impact your organization and require partners to manage their risk levels to the standards to which you are required.
Also, planning and preparedness are very important. One should expect that a ransomware attack can happen and ensure plans are in place, tested, and regularly updated and reviewed for when the event may arise. Some things to do in order to plan and prepare include:
- Back up information regularly. While this may not be immediately available in a ransomware event or information may also be compromised, it is prudent operationally to provide some level of continuity in an operational outage. Also, ensure that information that may be needed immediately in an event is available in a format that doesn’t require a computer that may be impacted.
- Have a plan. Know how to respond and have plans in place to do so in an accessible format when ransomware makes computers unavailable.
- Work with cybersecurity and other leaders. Ransomware impacts everyone in the organization. At a minimum, it will require increased vigilance to ensure the impact is localized and not widespread.
- Implement strong identity and security measures. Bad actors will often leverage employee-level credentials to gain access to systems and information. In addition, they may impersonate the people or companies that you do business with. Always know who you are communicating and doing business with and have multimodal communication and verification in place for all transactions; ease of use is a double-edged sword. The processes for the procurement lifecycle should also be designed and vetted with cybersecurity and other business leaders.
How does one vet and choose vendors and suppliers who are good on ransomware?
I’ve found in my experience that suppliers and procurement folks aren’t specialized cybersecurity folks. Asking basic questions first, such as, “Do you have a cybersecurity program? What standards does your program adhere to?” can help build a rapport. That might tell me about them – are they willing to work with us and adhere to the same standards and level that we have, or do their standards exceed ours? Are they held to a different measuring stick than we are, and can we reconcile those differences? Or maybe a company mostly works in a field like construction and we’re trying to pull them into healthcare. They may not be as regulated in their field as is required in healthcare.
Additionally, you should also make sure that the security requirements for your organization are contractually passed to your suppliers and vendors. The third parties that do things like provide face masks – if they’re using a computer, then your data that you use for your PPE [personal protective equipment] that you order needs to stay secure. Even though it’s a lower form of data than something like patient information, you still have security requirements around all that banking information and everything else.
As for the size of organizations, even small companies just starting out need to go through the same level of due diligence as a large company even if they only have one, two, three suppliers. It takes time – it takes the reading of contracts and understanding what contract language means. It’s not a one and done, but an ongoing repetitive cycle, and that means it’s a cost to the business that a lot of businesses don’t plan for. The best way to tackle it is like eating an apple one bite at a time. Start with your key major providers. Those may be so big that it takes nine months to go through this process. Then, move onto your smaller providers. You can’t sit on it because the problem is too big, and you don’t know how to tackle it.
Are purchasing departments susceptible to ransomware attacks?
Emphatically, yes. They’re often targeted just because of their job. Bad actors can use every resource available to find company X on the internet and all of the email addresses and roles associated with that company have been published. Before they even try to go directly, there are a lot of open-source intelligence tools available that can help you craft very convincing emails to that individual making up scenarios. Then, with the advent of artificial intelligence (AI), it makes it even more expedient to go ask those questions.
How has AI impacted how people deal with the threat of ransomware?
AI is a new way to exfiltrate data that wasn’t previously there at the consumer level. Bad actors can utilize things like prompt engineering to write emails to convince people to do things. AI can also pull together all of the information available about someone to really profile an individual using both open-source intelligence tools like social media accounts and information, as well as individual data that may have been stolen across healthcare, like patient records.
So, products have been infused with AI for a long time in cybersecurity; it’s the only way that we can mash millions of data points together to find the one needle in the haystack. If the bad guys now have that tool, all they need to do is look at that haystack and say, “How do we get a needle in there?” And AI comes up with some pretty convincing ways to do that.
Matt MacKenzie | Associate Editor
Matt is Associate Editor for Healthcare Purchasing News.