With the recent cyber attack against MedStar Health, many are asking, “How did this happen?” “Why is the FBI involved?” “What exactly is ransomware?” and “Has my personal health information been compromised?” To answer these questions, the Los Angeles Post-Examiner spoke with Christopher Ensey – Chief Operating Officer of Dunbar Security Solutions. Ensey – a cyber security professional with more than 15 years in the field – has a background that includes everything from work with the Department of Defense and other intelligence agencies to handling commercial security, network analysis and monitoring for a wide range of business entities. Dunbar Security Solutions is a full-service security company based in Hunt Valley, Maryland.
LAPX: Thank you for taking some time today to speak with us about this important subject. I’m sure you are aware of what is happening at MedStar Health. What is the current threat landscape that the health care industry faces?
Ensey: It’s pretty broad, in the sense that we’re not just talking about an environment where you’ve got the typical stuff, like basic office computing equipment. I mean, this is an environment that is incredibly diverse. It’s got a ton of different technology, and as time has gone by, we’ve seen an explosion in the use of that technology in every aspect of the care giving process.
The thing that is most interesting about health care is it’s not only the very broad technology base that they’re working with, but it’s also relatively new. And it’s an environment where they are often forced to give open access to large communities of people, some of which are health care staff, others are visitors that are involved in the entire environment they’re working in. So it’s a very different animal from other industries, and because of that, it’s open to all kinds of different threats other industries have not yet been exposed to.
LAPX: Are you familiar with the particular virus which was launched against MedStar Health?
Ensey: I wouldn’t say that I’m familiar with the exact scenario that MedStar is in right now. The information I’ve seen that’s been released has the same kind of feel to it as other cases. What we’ve seen in the industry is that there are new types of attacks that are surfacing in health care organizations, and one of the specific viruses that we’re seeing is a very unique type of ransomware that is being used to hold hostage systems that are critical to their entire health care process during that part of the infiltration.
LAPX: Are these ransomware threats originating domestically or are they foreign born?
Ensey: Most of the threat indicators that we’ve gleaned from sources that we have access to lead us to believe they’re originating outside of the United States, but it’s really hard to tell. We’ve got such a global network of systems and platforms out there, it’s easy to position attacks from anywhere at any time. It seems like every month, there is a new source for this type of malicious content and these malicious applications. And they’re spread through a global community of people who are involved in organized crime and other types of nefarious activities.
LAPX: How soon might MedStar’s computer systems be back up and running?
Ensey: I’m not an insider there, so I wouldn’t know.
LAPX: You say this particular virus is called ransomware. Does this mean some sort of an actual ransom has been demanded?
Ensey: Yeah. Typically what you’ll find is the ransom can be anywhere from several hundred dollars to upwards of thousands. And what the ransomware is designed to do is find its way into either an individual user’s system or a shared enterprise system that’s on a network. It’s looking for an opportunity to take information and imprint it so that it can’t be used without the access to a decryption key, which is essentially what they’ll provide, if a ransom is paid.
LAPX: Depending on the size of an organization, could the perpetrators up the ante?
Ensey: Oh, absolutely. It all depends on how strategic and greedy the actual operator of that malware is. A lot of times, we see a big corporation get hit by ransomware, and you say, ‘Wow, they only asked for $300’. You scratch your head about that, but the reality is a lot of this stuff that is happening is just happening at random. It’s a land grab and they’ll take any money they can get. But you also find more targeted attacks where they’ve actually gone through the effort of finding a way through an organization’s basic protections then either compromise the user account or find another soft point on the perimeter. Once they’re in, they’re leveraging malware, specifically ransomware, to really go after the core data set that the organization relies on. And then you see those higher ransom fees.
LAPX: Would that be why the FBI gets involved?
Ensey: The FBI is looking for reoccurrences of similar tactics, especially against those that are in the critical infrastructure. Those can be defined as anything related to health and human safety, or critical communications, or financial systems. They are going to look for opportunities to get more information and get involved. Sometimes, they’ll actually find trace examples of this activity happening prior to even the organizations that have been hit even noticing. They have great intelligence and the ability to analyze data coming in from various partners. I would say that there is a multitude of reasons the FBI gets involved. I know that they’re there specifically looking to find individuals that are involved in these groups. Any intelligence they can gather, especially in a situation like this when it’s a system where criminals are actively holding an organization hostage, it’s of benefit to them to find where these people are coming from.
LAPX: How long does it take to effect a fix if they refuse to pay the ransom?
Ensey: Generally speaking, it’s really at the mercy of how prepared an organization is for these types of issues. In most organizations, you’ll find that ransomware will get on an individual machine, and it’s simply a nuisance. If they had back-ups, they may be able to restore them over the course of a weekend. But in cases where you’re talking about some of these more targeted attacks, they’re hitting systems where it may not be as simple as just restoring the data. It may be a matter of having to take networks completely off line and restore functionality in waves. That’s where you see these longer windows of time, where massive outages occur or instability of the systems is a problem. The other issue you face in determining how long it takes to restore the information or get systems back on line is the fact that, sometimes the first attempt to get into these criminal organizations that have a foothold in the network, that first attempt to get them off the network isn’t as successful as they had hoped. So if they miss something, you’ll see reoccurrences of outages, and they have to start over at certain points. More prepared organizations recover much faster than ones that didn’t prepare or lacked good security layers.
LAPX: Is there any danger of a rebound attack from ransomware?
Ensey: Any organization that has been hit by something like this, has to very quickly ramp up their ability to see traffic that’s indicative of someone malicious on the network. If they don’t have the ability to see that questionable traffic quickly or can’t bring in an organization that can help them through that process, it is highly likely that there could be that rebound, or another outage or some sort of other malicious activity occurring.
LAPX: Presumably MedStar Health had some sort of premium grade antivirus software in place. Why is prevention no longer a sufficient defense against ransomware attacks?
Ensey: It’s interesting. As a country, we spend billions of dollars on antivirus products and perimeter security tools. Yet we’ve still got challenges that are associated with new pieces of software evading those protections. The thing that we’re starting to see is that the adversary out there – these organized crime groups – are actually developing this software, specifically the malware, that are finding ways to circumvent those protections. And they’re coming up with new customized boutique malware for each individual attack. That raises a pretty significant challenge for any of the traditional anti-virus products and the perimeter protections that they have. Most of those technologies were based on the same technology that we’ve been using for the last 20 years, which is there is a signature that is generated when the first person gets hit with that envelope malware, and that knowledge of that signature is spread throughout everyone who had those products. Without employing those critical updates, you normally would also get hit with those viruses. But now, with almost every individual attack having a unique signature – a custom signature that they’re generating for the malware on the fly – it’s very hard for antivirus products to keep up with the pace.
LAPX: What can health care institutions do right now to better protect themselves?
Ensey: Again, you talk about prevention not being a viable option as your sole tactic when approaching or addressing these types of challenges. I’m a very firm believer that we have moved into a model where defense and detection as a strategy is more critical than ever. We have to think about more monitoring of systems and network activity as our primary focus of defending critical applications. So Step 1 for every organization that is trying to avoid having something like this happen to themselves is to ensure that their systems are in fact backed up and they’ve got that reoccurring cycle of back-ups happening all the time.
The next step is they have to be evaluating all of their systems for either vulnerable software or vulnerable configurations in a manner where there are soft points or exposures to anyone, either on the network or outside on the internet. And they have to do that evaluation on a continuous basis, so that they are keeping pace with software patches and finding any additional exposures being introduced by new systems that are brought online. Thirdly, they have to ramp up on their monitoring. It can’t be this, ‘We just checked the box, and we do an analysis of our network configuration, our firewall, once a year’. This has become a world where, especially critical organizations – critical services – have to be monitored 24/7. We’re looking at a time when many organizations don’t have the resources or the staff, particularly in the world of cyber security, where there’s a significant need for talented individuals. I think that’s a trend line that we’ve seen in the industry, and it’s something that we at Dunbar are out there doing every day.
LAPX: On Wednesday, MedStar released a statement which said in part, “We are pleased that our analysis continues to show no patient or associate data have been compromised.” That’s great news, of course, but we’ve been told by some of our readers that, not only are patients still having trouble logging into their accounts, but that hospital staff members have been asking their banks to flag their accounts against possible fraud. Is this an overreaction? What is the extent of the possible damage from this attack?
Ensey: It’s probably too early to really speculate with the MedStar case. If you look at some of the other cases that have happened recently, and really anything involving ransomware, the disruption is the more predominant feature of these attacks. There’s always going to be your cyberattacks that are solely purposed for stealing intellectual property or private information, records of some kind; and those are clearly usually an attack on a data source that has millions of records. It’s hard to tell if there’s any component of that in this case, but the ransomware attacks that we’ve seen have been largely focused on taking information and holding it hostage, so that it disrupts operations for a business, or an organization like a hospital, and getting that ransom paid out. At this point, without any further details, it’s hard to say that there’s a case being made for going out and doing fraud analysis and blocking some things; filing the protocol you see with the normal large-scale breach that we’ve seen in retail examples and others in the past. But I can’t say that you can rule it out either, so we have to wait and see as more details emerge. Obviously, with the data breach response procedures that everyone is following these days, and also the state regulations that are out there, they do have to do that reporting, so we’ll find out when the case can be made.
Ensey: In this day and age everybody should be taking steps to ensure that they have good things, like credit monitoring and identity protection, happening for them. And that could be through one of the credit bureaus or be through another third party service that specializes in that type of service. From a business standpoint, any partners that integrate with any service provider that has been hit by any kind of cyber attack should think of themselves as part of that scenario and take steps internally to shore up their defenses. Do that analysis to make sure there wasn’t any collateral damage as a result of that attack. It’s really about practicing good cyber hygiene. When you see something happen, you take a look within and if need be, consult with an outside professional that specializes in security. That would be the best thing they could do today.
LAPX: Many of us are familiar with HIPAA (Health Insurance Portability & Accountability Act of 1996) guidelines and know they are in place to protect a patient’s privacy. But given the pernicious nature of these industry wide computer threats, does the collection of so much personal data by medical providers potentially put the privacy of patients at greater risk?
Ensey: Everybody has been subject to the realization that, with convenience in technology innovations and all the good stuff that we want to get out of a more automated and interconnected world, that privacy becomes tough. Every day we expose our personal information as users of the internet. If you spend any money at a retailer, you’re exposing your personal information. So, to get the best possible health care, to ensure that you’re fully covered when sick, and the doctors that are working on you have full access to data, we have to give up a little bit of privacy. The responsibility is there for health care organizations to protect that information; like you said, the rights that are out there like HIPAA, are designed to ensure that best practices are followed. The biggest challenge that we face in any industry that has sensitive information under special regulation, is keeping pace with, not only the regulations, but the patient technology and the cyber attacks that are occurring. There is a constant race going on between the good guys and the bad guys. So with the security industry, we have to focus every day just to match the adversaries out there designing new tactics, new tricks to get around the defenses. And while we have to be right all the time, they only have to be right once to win.
LAPX: Your company is Maryland based. Can our readers here in Los Angeles benefit from your services?
Ensey: Absolutely. We support clients from here to Hawaii. Because of the internet and what we do, we can be integrated with any system at any time. We’re here to help. Your readers can learn how if they visit us at Dunbar Security Solutions.
Anthony C. Hayes is an actor, author, raconteur, rapscallion and bon vivant. A former reporter at The Washington Herald and an occasional contributor to the Voice of Baltimore, Tony’s poetry, humor and prose have also been featured in Smile, Hon, You’re in Baltimore; Magic Octopus Magazine; Destination Maryland, and Tales of Blood and Roses.