dustin4158

Focusing Healthcare Security Efforts



Hush little baby, don't say a word

And never mind that noise you heard

It's just the beast under your bed

In your closet, in your head.


Monday is a lift day at the gym, and who doesn't have Enter Sandman somewhere on the lift-day playlist, amirite? I heard the lyrics this morning and I was like, man... why does this song make me think of what's going on with healthcare and ransomware right now? Well, it's not too hard to make the connection to lurking bad guys and scary things when one sees the stats (https://bit.ly/3Oach0U) and hears about the impact that ransomware continues to have on the industry.


The question I want to ask, though, is why is this still such a rapidly growing problem? I get the fact that hospitals, doctors' offices, etc. typically run low-margin businesses and traditionally didn't feel they had enough to spend on properly securing their environments. But they are surely seeing that ransomware actors don't discriminate based on your margins or what you do for a living. They are looking for soft targets that they can turn into cash. So stop being a soft target and get laser focused on it.


So, a few thoughts on where to focus, especially for the smaller or less well-resourced organizations in the healthcare industry. Don't get bamboozled by a consulting organization into thinking you need some four-week assessment to get started; it really doesn't require that much analysis. You're either doing these things or you're not... you don't need to pay someone to tell you that you're not.


1) Realize that compliance doesn't equal security. That said, most of the things you're supposed to be doing for HIPAA could probably be stopping most of the attacks you're getting hit with, if they were applied appropriately and widely enough.


2) Purchase a managed detection and response (MDR) service that covers your endpoints and let the experts monitor your environment. I don't sell MDR but do believe this can be very effective in helping detect bad guys and stop them.


3) Get someone to help with basic system hardening and data encryption. Ensure someone is assigned responsibility for keeping those systems hardened and patched.


4) Use multi-factor authentication (MFA), but understand that MFA comes in different forms, and those forms differ in how much protection they provide. Get a solution that meets the level of effectiveness you need, not just the cheapest or easiest to implement.


5) Develop or obtain some form of regular security awareness training that covers ransomware and phishing prevention. Some vendors even offer this for free to smaller organizations.


6) Incorporate regular vulnerability scans and at least annual penetration tests.


7) If your organization doesn't feel comfortable doing these things itself, consider hiring at least a part-time resource to help. Shameless plug: I can provide this for you, and at much lower rates than many consulting organizations.


Reach out directly if you have any questions.

