5 Steps to Reducing Exposure to Ransomware Risks to Healthcare Organizations

The recent Ryuk ransomware attack targeted hospitals at a time when they couldn’t afford distractions. Here’s how to insulate your organization against third-party ransomware attacks.
By:
Brenda Ferraro
,
Vice President of Third-Party Risk
November 05, 2020
Share:
Blog healthcare ransomware 1120

Last week, the FBI and the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Health and Human Services announced they had credible evidence of a cyber threat to US hospitals. The Russia-based attack utilizes the Trickbot botnet to deliver highly infectious Ryuk ransomware. It has already impacted at least five US hospitals, resulting in their networks being taken offline.

Healthcare organizations typically rely on hundreds of third parties to deliver critical supporting services. Third-party vulnerabilities can severely jeopardize patient care, so it’s essential for hospitals to have a process for identifying, analyzing and mitigating such risks.

In this post, I’ll share five steps that healthcare organizations can take to identify and close third-party security gaps. I’ll also discuss the importance of infusing risk analysis with cybersecurity intelligence to proactively spot ransomware risks.

5 Steps to Healthier Third-Party Relationships

Here are five things your healthcare organization can do to identify, manage and reduce third-party exposure to ransomware and other threats:

  1. Build a complete, accurate and up-to-date inventory of third-party vendors. Simply knowing who your vendors are is a crucial first step in identifying weak links in the supply chain.
  2. Have a system for categorizing vendor services. Different types of vendors bring different types of risk. Once you categorize a vendor, you can better understand their inherent risk based on industry, location, and other factors.
  3. Calculate the potential cost of service disruptions. Estimating potential breach costs, and correlating them with the category risk data from step 2, enables you to efficiently triage, prioritize and plan vendor assessment and monitoring activities.
  4. Automate periodic vendor risk assessments. By migrating questionnaire-based controls assessments from “emails and spreadsheets” to a SaaS-based platform, you can centralize response and evidence management for greater efficiency and scale.
  5. Ensure risk visibility between assessments. Most vendor assessments provide static, “point in time” risk analysis. It’s therefore critical to identify vendor exposures as they arise.

Continuous Cyber Intelligence Fills the Gaps

Let’s expand on step 5. It’s essential to regularly assess vendor internal security controls, but these assessments typically only happen annually – and a lot can change in a year. Continuously monitoring your vendors for cyber exposures can help you to stay ahead potential attacks year-round.

There are two ways to access continuous cyber intelligence: the hard, manual way and the easy, automated way. You can look to a multitude of sources for vendor intelligence:

  • Public sources like Data Breach Today or the National Vulnerability Database that summarize newly disclosed vulnerabilities in commercial and open source software.
  • Hacker forums and other related onion and paste sites. This is where criminals sell exploits and stolen data, discuss attack targets, and share intelligence. By monitoring these sites, you can reveal vendor breaches and exposed credentials, or get early warning of potential attacks.
  • Private sources such as threat feeds, which provide continuous updates on new vulnerabilities and exploits (e.g., ThreatConnect and Exploit-db).
  • Regulatory monitoring sources like industry and government regulators.
  • Industry partnerships such as Information Sharing and Analysis Centers (ISACs) for healthcare.
  • Vendor communities such as libraries of completed assessments that enumerate and score risk for commonly used vendors.

The challenge doesn’t lie in finding cyber intelligence, it’s in ingesting, analyzing and prioritizing it so it’s understandable and actionable. That’s how you get from risk identification to risk mitigation.

How Prevalent Can Help

Part of the Prevalent Third-Party Risk Management Platform, Vendor Threat Monitor (VTM) gathers and centralizes vendor threat intelligence from thousands of sources. Using contextual machine learning, VTM then correlates monitoring data with assessment results for more holistic and current risk visibility.

By unifying vendor monitoring and assessment, Prevalent significantly streamlines third-party risk identification, analysis and response activities by:

  • Tracking vendor threat monitoring through a centralized management console
  • Normalizing assessment and monitoring data to contextualize risk and simplify remediation
  • Flagging critical risks based on event type, priority, date range, and threat category
  • Further gauging risk via straightforward scoring and high/medium/low risk scaling
  • Leveraging automated playbooks to trigger actions and workflows based on risk findings
  • Revealing behavioral anomalies with built-in cyber and business monitoring report templates

Next Steps

The Ryuk ransomware attack against healthcare providers was unconscionable, especially during a pandemic. Now is the time to make sure your third parties are able to prevent or mitigate these attacks. For more on how Prevalent can help, download the white paper, 5 Steps to Healthcare Third-Party Risk Success or request a demo a demo today.

Tags:
Leadership brenda ferraro 2
Brenda Ferraro
Vice President of Third-Party Risk
Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo