Daniel Reardon on Cybersecurity and Health Care Industry

Prior to joining Delta Risk (https://delta-risk.net/), Dan worked at Protiviti, where he performed a wide variety of security and privacy assessment, architecture, transformation and management services to help organizations identify and address security and privacy exposures before they become problems. Prior to Protiviti, Dan was a manager at Accume Partners, in charge of leading and overseeing various IT security, vulnerability, and risk management engagements across the banking and commercial industries. This included all phases of the business process, such as putting proposals together, selling potential clients on the technical offering, performing the work, and managing the client relationship.

Dan has more than 15 years of experience working in information technology (IT) and IT security, and he transitioned from a hands-on engineering background to management consulting. Dan has extensive experience in the following disciplines: systems administration; application, system and network troubleshooting; IT project management; security engineering and implementation; data security and modeling; desktop and server vulnerability and patch management; and Windows infrastructure management and support.

Dan was a PCI QSA at Protiviti and is current on the PCI DSS 3.2 requirements. Dan's certifications include PCI QSA, MCSE and Security+. Dan received his Executive MBA from Saint Joseph's University.

LIFARS: Tell us some background on you and how you got where you are today.

Daniel: For 15 years, I worked as a hands-on desktop, network and security engineer in the DOD space, and I gained a lot of experience supporting and protecting classified systems, networks and their sensitive data.

I started my career at Lockheed Martin right after 9/11, as the demand for technical folks in the intelligence agencies really picked up. This exposed me to a lot of information security fundamentals that I'm able to apply to the cyber security consulting I am doing now.

I have been in cyber security risk consulting for the past three years, and I am now a managing consultant working closely with the following areas for Delta Risk: IT Risk Management, Information Security, Privacy and Healthcare Compliance.

LIFARS: Could you tell us about overall risk in the face of ransomware attacks in healthcare industry?

Daniel: The overall risks to the healthcare industry regarding ransomware attacks are very high, and they will continue to increase in 2017. While most industries have experienced their issues combating ransomware, the healthcare industry is being targeted more and more, and with even greater precision. Why is this?

The healthcare industry and healthcare data affect human lives, and these organizations are in the business of doing whatever they can to help and protect human life. This makes healthcare data (PHI) absolutely mission critical to the nature of their business. These healthcare organizations must operate under HIPAA compliance to satisfy the healthcare data requirements.

I believe the increased risk from ransomware is because the secret is out that hospitals and healthcare organizations have been paying ransoms to get their encrypted data or systems back online. Healthcare organizations are submitting to these criminals, and are taking no chances at losing patient data, potential lawsuits, or even worse, putting human lives at risk.

There are examples out there where healthcare organizations have paid tens of thousands in ransom to get patient data back. Cyber criminals are aware of these payments, and they are using ransomware as their weapon to expose this policy weakness.

While healthcare organizations should primarily focus on preventing ransomware from getting on their networks in the first place, some organizations are paying the ransom because it is the quickest way to get their data and/or a system back online. Delta Risk has had clients seek our advice on whether they should pay a ransom if they are impacted. While we highly advise not to pay a ransom, there are clients considering it as part of a contingency plan if such a problem were to occur on a mission critical system.

Paying ransoms has really created momentum in the ransomware risks to a healthcare organization. Paying a ransom doesn't guarantee you will even be able to get the data back, and it will also put a bigger bullseye on the organization's back as the criminals begin to target any paying organization more aggressively.

Another factor I believe contributed to the increase in ransomware attacks is the cryptocurrency bitcoin. Bitcoin has been a boon for criminals looking to make a quick buck, and it complements ransomware extremely well. Bitcoin is a means for these criminals to blackmail healthcare organizations without much trace to the financial transaction. It has gotten easier to set up a bitcoin account, and to link a bitcoin account to the malware so that a ransom can be distributed easily and anonymously. Bitcoin has perpetuated the spreading of ransomware with criminal intent for financial gain.

As more healthcare devices get integrated online, these devices will continue to expose healthcare organizations to more risks as their digital footprint expands. As the old adage goes, "There is no honor amongst thieves", so I foresee the ransomware threat to the healthcare industry continuing to develop in a more tactical manner, without any mercy. Spearheaded ransomware that targets entire business functions or operational systems that are mission critical will continue to disrupt healthcare organizations. As long as the potential for profit is greater than the likelihood of getting caught, healthcare organizations will continue to be a criminal's primary target.

LIFARS: According to the recent news, the US government recently began investigating smaller healthcare cybersecurity breaches. Could you further explain what this means for businesses which handle healthcare information?

Daniel: Any healthcare organization, large or small, that stores, processes or transmits personal healthcare information is at risk, and is a potential target for a data breach. Security research indicates that organizations are very often breached and don't even know it. It is critical that these organizations have the processes and data security controls in place that can help identify, prevent and detect a data breach if one were to occur.

To properly address cyber security risks, businesses need to fully understand what healthcare data they store, and what their healthcare data flows are, both internally and externally leaving the organization. These investigations are a positive signal that the US government is starting to take cyber risks more seriously, but so much more still needs to be done. Investigations are often reactionary to breaches that have already occurred, so the damage is already done. It is imperative for these businesses to take a proactive approach when addressing cybersecurity risks and preventing a data breach.

LIFARS: The Office for Civil Rights (OCR) has released a fact sheet with specific guidance for meeting Health Insurance Portability and Accountability Act (HIPAA) regulatory requirements. Could you highlight important takeaways from this guidance?

Daniel: I found the fact sheet with specific guidance for meeting HIPAA regulatory requirements to be very informative and appropriate guidance for any organization looking to address ransomware risks.

It is evident that the OCR understands ransomware is a serious risk to healthcare organizations, and this guidance indicates covered entities should be planning for these risks immediately. I liked how the fact sheet highlights the regulatory language in the HIPAA standard that an organization can reference in management discussions when discussing ransomware risks internally. The guidance also highlighted the importance of conducting annual risk assessments, which can potentially uncover any lack of security controls that could help thwart ransomware risks.

I believe another critical factor to addressing ransomware within an organization is education and annual security refresher training. The more educated a user base is regarding ransomware risks, the more significantly the likelihood of a ransomware incident occurring is reduced.

Now is the time that healthcare organizations address the risks of ransomware proactively, and this fact sheet is a great reference point for any organization on how to address ransomware risks while trying to adhere to the HIPAA standard.