Sigma7’s Jeffrey Wells on the evolving threats of ransomware

Jeffrey Wells, Partner at risk services company Sigma7, works with top public and private healthcare organisations on the growing threat of ransomware

In early February, the Californian healthcare sector was hit by a ransomware attack, with data from over 3m patients stolen by cybercriminals.

With so many evolving challenges, healthcare institutions find it difficult to navigate and prioritise risks.

Here, Jeffrey Wells, Partner at leading risk services company Sigma7, shares what healthcare organisations need to know.  


Hi Jeffrey, tell us about yourself.

“I am currently the Sigma7 lead for global cyber risk and intelligence and apply my expertise in assisting organisations in quantifying, designing, and operationalising cyber risk and resiliency strategies to protect enterprises worldwide. I am a founding partner of the NIST – National Cybersecurity Center of Excellence and the BENS Cyber & Tech Council. In addition, I was appointed “Cyber Czar” by two Maryland governors and successfully managed the implementation of commercial, federal, and military cybersecurity initiatives with NIST, NSA, U.S. Cyber Command, and other military and government entities.”


Tell us about your role at Sigma7.  

“I lead our effort to ensure that cyber and kinetic effects are considered holistically in our client's total risk exposure and to quantify and reduce risk throughout their strategic and tactical operations, locally and globally.”


What did your work as a founding partner of NIST involve? 

“I was actually a founding member of the NIST National Cybersecurity Center of Excellence (NCCoE). I worked with the State of Maryland, the US Secretary of Commerce, NIST, local government, industry partners, and university FFRDCs to establish the centre to set cybersecurity standards. Much of the work was coordination with partners to identify the target areas for addressing standards that NIST published.”


Tell us about the recent ransomware attack in California.

“This is just one of many attacks over the past month. In this case, a still undisclosed threat actor gained access to the systems of four interconnected healthcare systems, impacted more than 3m individuals, and was able to access and encrypt sensitive personally identifiable information (PII) and personal health information (PHI) that included name, social security numbers, address, date of birth, diagnosis and treatment, laboratory test results, prescription data, radiology reports, health plan member number, and phone number. All information can be used for identity theft, making it potentially valuable in DarkNet markets. The impacted organisations still need to share details regarding a ransom payment.”


Who are these cybercriminals? 

“It is still unknown who was behind this particular attack. That said, many actors targeting healthcare have most recently been tied to nation-states. It has been determined that North Korean-sponsored threat actors have been actively targeting the healthcare sector with ransomware attacks, especially active during the past six months.

“Additionally, the pro-Russian hacktivist groups have indicated in forums their interest in "Attacking the networks of medical institutions in the United States, United Kingdom and abroad". The threats are purported to be a response to new aid packages providing security assistance for Ukraine.”


How can healthcare institutions navigate ransomware attacks and prioritise their risks?

“As a start, every organisation must have a documented Incident Response Plan (IRP) that defines the roles and responsibilities of those who will be responding to an incident. How to respond to ransomware/extortion should have its own section and be reviewed and discussed at the executive and board level at least twice a year. The response to ransomware is not binary! Identifying external breach counsel (a law firm specialising in Incident Response) is key to surviving an incident. Additionally, a Business Continuity and Continuity of Care plan must be developed, tested, and maintained.”


Regarding security, where do you hope the healthcare sector will be by 2024? 

“I hope that healthcare organisations can look beyond just IT security and consider the entirety of the organisation, including IT, OT, IIoT, IoT, and connected medical devices. Consider how to best segment networks and protect the most important technologies that enable them to provide continuity of care. 

“Additionally, the sector needs to gain a better understanding of their risk profiles, including value at risk, vendor and supply chain risk, and to fully develop and regularly test Incident Response, Business Continuity, and Continuity of Care programs.”

