“Shocked, but not surprised.” This sentiment sums up the healthcare industry these days when a ransomware attack cripples a hospital and forces it to invoke downtime procedures and divert certain patients. It’s still big news when it happens, but sadly it’s all too common and predictable of an occurrence.
It happened again in prominent fashion this past November, when malicious actors waylaid Ardent Health Services, a chain of 30 hospitals located across the U.S. The incident perfectly underscores why several federal agencies released guidance and toolkits in late 2023 to support the beleaguered healthcare sector. And if it wasn’t already obvious, the time is now to make the most of these offerings.
For example, in November the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) published a vulnerability “Mitigation Guide” for the healthcare and public health (HPH) sector – detailing three central strategies for eliminating common IT and application vulnerabilities.
The first of these core strategies is asset management and security. Organizations that fail to engage in this practice “risk exposing vulnerabilities or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, disrupt critical services or deploy ransomware, causing significant harm to patients and the organization’s reputation,” the guide warns. To address this issue, CISA recommends investments in asset inventorying, procurement and decommissioning, as well as network segmentation.
The second pillar is identity management and device security, which includes email security and anti-phishing protections, access management and monitoring, password policies and data protection practices. And the third strategy entails vulnerability, patch and configuration management. For this, CISA outlines a series of critical steps, including scanning your inventoried assets, and then prioritizing which discovered flaws are most critical “based on [your] internal network architecture and risk posture,” before ultimately taking action.
The guide also references an earlier document – co-issued by CISA, the National Security Agency and the FBI – that stresses the importance of proactively eliminating application and IT vulnerabilities by incorporating security into the design stage. In October 2023, an updated version of this “Secure by Design” document debuted, offering additional context around three main secure-by-design principles:
- “Take ownership of customer security outcomes and evolve products accordingly.”
- “Embrace radical transparency and accountability.”
- “Build organizational structure and leadership to achieve these goals.”
Additionally, CISA, along with the Department of Health and Human Services, unveiled in October a new healthcare cybersecurity toolkit, which includes vulnerability scanning/cyber hygiene services, health industry cyber best practices and an HPH sector cybersecurity framework implementation guide.
Around the same general timeframe, CISA also added new resources to its Ransomware Vulnerability Warning Pilot (RVWP) program, which is designed to warn critical infrastructure entities, including health facilities, if they are found to be susceptible to a commonly exploited vulnerability. These new resources include intel on whether a known vulnerability or misconfiguration has been associated with ransomware attacks.
According to CNN, CISA tried using the RVWP program to warn Ardent about suspicious activity in its network, though a company spokesperson said the healthcare provider had already been aware of the issue. Unfortunately, in that instance, the attack still took a toll. But if more hospitals adopt the advice and tools made available through the federal government, perhaps future attacks can be avoided or mitigated, thus preventing the kind of emergency that hospitals should never have to encounter.
At a time when ransomware attacks are ravaging smaller businesses, sometimes beyond the point of recovery, these partnerships are designed to be win-win: SMBs are incentivized to pay for these risk-reducing cloud-based services, knowing that a key perk is insurance eligibility that otherwise may be out of reach.
Among the latest examples of these offerings is the recently launched AWS Cyber Insurance Competency program from Amazon. As of late November 2023, Amazon Web Services customers hoping for insurance coverage can use this program to expedite the process, receiving an estimate within two business days.
That’s important to SMBs, which often find themselves in over their heads when dealing with cyber insurance, especially as the criteria for coverage gets increasingly stringent. If an assessment turns up even one oversight or source of exposure – like failure to patch a known vulnerability in a timely manner or existence of outdated legacy systems – that’s potentially all it takes for an insurance company to reject the application.
And it’s not just maintaining an acceptable security posture that’s challenging. The attestation process that determines eligibility can be overwhelming.
But by relying on a cloud partner, SMB can leverage a third-party architecture, framework and series of controls that have already passed muster with the insurance companies. As Amazon explained in its own product announcement, the company’s various insurance partners worked with AWS to “digitally transform their assessment and onboarding process” to facilitate the process for cloud customers – rewarding them for “following AWS best practices; similar to ‘safe-driver’ discounts.”
And it’s not as if AWS is the only major cloud player to get into the insurance game. Microsoft and Google have also worked directly with insurance companies to provide affordable cyber insurance coverage to their cloud clients. Conversely, insurance companies can leverage these partnerships to offer their own clients complimentary migrations to cloud companies’ services, thus helping policyholders become more secure.
For that matter, cloud partnerships are not the only third-party strategy through which SMBs can become insured. Alternatively, they can seek help via a managed security services provider relationship, whereby the MSSP helps their clients qualify for and obtain cyber insurance coverage by ensuring the company’s cyber posture meets or exceeds an acceptable threshold.
Whether SMBs use a cloud partner or a managed services provider, having a trustworthy and reputable third-party partner helps remove much of the burden off of the smaller company’s shoulders, allowing their modest-sized IT staff members to fully concentrate on their core competencies.
