5 Steps to Reducing Exposure to Ransomware Risks to Healthcare Organizations

Last week, the FBI and the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Health and Human Services announced they had credible evidence of a cyber threat to US hospitals. The Russia-based attack utilizes the Trickbot botnet to deliver highly infectious Ryuk ransomware. It has already impacted at least five US hospitals, resulting in their networks being taken offline.

Healthcare organizations typically rely on hundreds of third parties to deliver critical supporting services. Third-party vulnerabilities can severely jeopardize patient care, so it’s essential for hospitals to have a process for identifying, analyzing and mitigating such risks.

In this post, I’ll share five steps that healthcare organizations can take to identify and close third-party security gaps. I’ll also discuss the importance of infusing risk analysis with cybersecurity intelligence to proactively spot ransomware risks.

5 Steps to Healthier Third-Party Relationships

Here are five things your healthcare organization can do to identify, manage and reduce third-party exposure to ransomware and other threats:

1. Build a complete, accurate and up-to-date inventory of third-party vendors. Simply knowing who your vendors are is a crucial first step in identifying weak links in the supply chain.
2. Have a system for categorizing vendor services. Different types of vendors bring different types of risk. Once you categorize a vendor, you can better understand their inherent risk based on industry, location, and other factors.
3. Calculate the potential cost of service disruptions. Estimating potential breach costs, and correlating them with the category risk data from step 2, enables you to efficiently triage, prioritize and plan vendor assessment and monitoring activities.
4. Automate periodic vendor risk assessments. By migrating questionnaire-based controls assessments from “emails and spreadsheets” to a SaaS-based platform, you can centralize response and evidence management for greater efficiency and scale.
5. Ensure risk visibility between assessments. Most vendor assessments provide static, “point in time” risk analysis. It’s therefore critical to identify vendor exposures as they arise.

Continuous Cyber Intelligence Fills the Gaps

Let’s expand on step 5. It’s essential to regularly assess vendor internal security controls, but these assessments typically only happen annually – and a lot can change in a year. Continuously monitoring your vendors for cyber exposures can help you to stay ahead potential attacks year-round.

There are two ways to access continuous cyber intelligence: the hard, manual way and the easy, automated way. You can look to a multitude of sources for vendor intelligence:

• Public sources like Data Breach Today or the National Vulnerability Database that summarize newly disclosed vulnerabilities in commercial and open source software.
• Hacker forums and other related onion and paste sites. This is where criminals sell exploits and stolen data, discuss attack targets, and share intelligence. By monitoring these sites, you can reveal vendor breaches and exposed credentials, or get early warning of potential attacks.
• Private sources such as threat feeds, which provide continuous updates on new vulnerabilities and exploits (e.g., ThreatConnect and Exploit-db).
• Regulatory monitoring sources like industry and government regulators.
• Industry partnerships such as Information Sharing and Analysis Centers (ISACs) for healthcare.
• Vendor communities such as libraries of completed assessments that enumerate and score risk for commonly used vendors.

The challenge doesn’t lie in finding cyber intelligence, it’s in ingesting, analyzing and prioritizing it so it’s understandable and actionable. That’s how you get from risk identification to risk mitigation.