Saturday, 20 February 2016

Lessons learned from the Hollywood Presbyterian Hospital Cyber-Ransom attack: Top Security Experts Weigh In

A major metropolitan hospital was recently hit with a devastating cyberattack that crippled its operations and put patients lives at risk. The response by hospital administrators took almost a week, but was also wrong on many levels.

Salinas, CA, February 20, 2016 - The purpose of the attack on Hollywood Presbyterian Medical Center was not to steal medical records or personal health information, but rather to seize control of and lock down the hospital's entire computer system and all of its networks.

Known as “ransomware,” the attackers are demanding $3.6 million (or 9,000 in virtually untraceable BitCoins), to release control of its systems back to the hospital.

The hospital's CEO, Allen Stefanek, has responded by saying that the attack appeared to be random and that no patient or employee information is at risk.

According to one of country's leading cyberattack experts, Steve King, chief security officer for Netswitch Technology Management, Stefanek's response was inadequate at best and possibly dangerous.

King said there are four things never to do in case of a breach of this magnitude.

* “Never wait to acknowledge a breach,” says King “The longer you delay, the more it looks like you have something to hide and the less your customers will trust you. A week is crazy-long.”

* “Never insult the public's intelligence by saying that ‘no patient or employee information is at risk’ when it is obvious that if the attackers were clever enough to lock down the hospital's systems, they are certainly capable of stealing the medical records as well.”

* “Never suggest that you were attacked ‘randomly’ as if by some quirk of fate this horrible thing came your way simply out of the blue. It is likely that these hackers targeted the Hollywood Presbyterian Medical Center specifically because they knew their cyber-security defenses were weak or non-existent.”

* “Never pay the ransom,” says King. “Take the hit. Pay whatever you have to in order to re-create it all and button it up so it won't happen again. Then, walk back everything you have said and come clean.”

Mary Siero, an experienced CIO in Healthcare and a prior recipient of the Chief Information Security Officer (CISO) of the Year Award, concurs that companies need to be better prepared for ransomware, which is increasing at an alarming rate.

“Organizations should not assume that the breach is minor without an in-depth assessment and should also not assume that sensitive data has not been breached until they have their assessment,” says Siero. “Hopefully the organization has considered the seriousness of these and other breaches and developed an Incident Response Plan in advance of breaches.”

But Siero also acknowledges that the complexities of networks and organizational systems and the technology consumerization movement has made it difficult to protect from attack on all fronts.

“Security is not a perfect science, it is dependent upon people processes and technology,” Siero says. “It is a mistake for an organization to think they can prevent all types of breaches and as such, detective controls need to supplement preventive controls as part of a comprehensive security program.”

Kim Green, Chief Information Security Officer (CISO) for Zephyr Health Technology, agrees that preventative measures are the best defense against an attack, but that healthcare has always lagged behind other industries in implementing and assuring secure computing environments.

She says the reasons for this are well documented, i.e., inadequate security funding, ineffective security training, unpatched healthcare legacy systems, ability to provide secure systems that do not impact the continuum of care, and system integrations with suppliers and partners who have not undergone proper security assessments.

“First, all businesses should have a sound anti-ransomware policy in effect,” she says. “An anti-ransomware policy is a highly confidential document and differs from incident response and data breach communication policies.

Green says the policy should define: 1) How the business plans to communicate with the attacker. 2) Who the business plans to contact and communicate with during and after the attack, such as the FBI or a security consultancy firm specializing in ransomware cleanup. 3) Whether or not the business plans to pay. If so, how much? 4) Whether or not a data silo and/or offline backups must be maintained. 5) What type of cyber insurance coverage should be maintained.

Both Siero and Green agree that the attack on Hollywood Presbyterian is a wake-up call to the healthcare industry, and that nobody is immune.

“Hopefully they can learn that 1), it can happen to them, 2), an incident response plan is vital and 3) the value of a comprehensive cyber security program is worth every dollar,” says Siero.

Green says implementation of an anti-ransomware policy and defenses are vital, but also providing employees with hands-on, real-world security scenario training in tactics like phishing, baiting and tailgating, are also imperative.

“If you are in the healthcare space and are fortunate enough to have avoided a breach thus far, take a lesson from this event and start investing in your own cyber-defenses right now,” says King “I am sure you are on someone's list somewhere.”

Steve King, COO, Netswitch Technology Management, Inc. was selected for Nine Lives Media’s sixth annual MSPmentor 250. The global list identifies the world’s leading Managed Services Provider (MSP) executives, entrepreneurs, experts, coaches and community leaders. You can see the entire list at:

“I am honored to be selected,” said King, COO, Netswitch. “We are pleased that our innovative Managed Security Services platform MADROC, has received so much attention and acknowledgement. MADROC is the first integrated Advanced Threat Defense solution available as a SaaS and we have been overwhelmed by the market response. We will continue to innovate with new advanced threat protections in order to maintain our leadership position and stay ahead of the cyber-criminals and the continually evolving nature of malware.”

The sixth annual MSPmentor 250 list is richer and deeper with MSP executives from across the globe. An associated list, called Locked in the NOC (network operations center), honors MSP Hall of Famers who have made a lifetime impact in the market (

About Netswitch:
Netswitch is a global technology solutions provider, serving businesses of all sizes whose model for success relies upon secure, smoothly running, and fully integrated IT systems.

Netswitch provides next generation Managed Security Services and IT Infrastructure Support in the US and Asia with offices in San Francisco, Chicago, Thailand, Beijing, Hong Kong and Shanghai.

The MADROC® Integrated Security Platform is in use at over 3,000 client sites around the world providing intrusion detection and prevention, advanced behavioral analytics, preemptive breach detection, monitored and managed web firewalls and gateways, security information and event management, managed incident response and remediation and complete audit-ready regulatory compliance.
For more information, please visit us at

Marci Bracco Cain
Chatterbox PR
Salinas, CA 93901
(831) 747-7455

No comments:

Post a Comment