Readers Write: Malware Lessons Shared: Seven Key Questions for Health Leaders to Ask About Cyber Preparedness
By Joe Petro
Joe Petro is SVP of engineering for the healthcare division of Nuance Communications.
As business leaders, we must confront a new reality: our organizations are facing an unprecedented threat from cybercrime. The number of cyber incidents is growing and the nature of the attacks is evolving. They are becoming faster, more sophisticated, and more potentially destructive. As the severity of incidents increases, the knowledge to address the technical aspects and manage through an attack has become essential to our skill set.
For those reasons, we think it’s important to share some of the lessons we’ve learned since we were affected by a global malware incident on June 27. Cybersecurity experts later identified the malware as NotPetya, sophisticated malware written to disrupt and destroy rather than to collect a ransom. It spread quickly, and unlike some malware, patching alone would not have stopped its propagation: the EternalBlue exploit it carried had been fixed by MS17-010 in March 2017, but NotPetya also harvested credentials from memory and moved laterally with legitimate administrative tooling (WMI and PsExec), which works against fully patched hosts.
Our first priority was to contain the incident and protect our customers. This meant immediately commencing shut-down procedures across our global network to contain the spread of the malware. These actions affected our ability to communicate with our customers, employees, and other stakeholders, and we immediately sought alternative ways to alert them to the situation. To ensure they had up-to-date information, we hosted daily conference calls and corresponded via email with affected clients. We regularly posted updates to a dedicated Web page in addition to conducting a very large number of one-on-one client calls and meetings.
Importantly, we were able to tell them that NotPetya does not have the ability to copy or extract file contents from affected systems or allow any unauthorized party to view file contents on affected systems. In other words, no Nuance customer information was altered, lost, or removed by the malware.
After containing the spread of the malware, our focus turned to restoring our clients to full functionality. Our dedicated staff—along with third-party experts in cybersecurity and forensics—rapidly initiated restoration efforts. At the same time, we enhanced our security against similar future incidents to ensure we emerge from this incident with an even more secure operating environment.
We are committed to sharing the knowledge we have gained from our own response and recovery process. The more we know about malware like NotPetya, the more powerful we all can be in combatting future cybercrimes. Early lessons include:
- Incident notification protocols should be as simple as possible, with multiple layers of redundancy to ensure stakeholder communication can continue at all times. This is particularly critical in the early days of response, when normal channels may not be viable.
- Increase network segmentation, including adding micro-segmentation.
- Even fully patched Windows machines remain exposed, because lateral movement with stolen credentials over SMB, WMI, and PsExec needs no unpatched vulnerability at all. We have deployed a hardening process that disables SMBv1, adds host-based firewall blocks including blocking unnecessary SMB ports, disables unnecessary use of WMI and PsExec, disables unnecessary admin shares, increases logging levels, and validates that each system meets a minimum baseline of security measures.
- Cyberattacks can occur very quickly, challenging even the best prevention systems. Thus, the best strategy is a combination of prevention, detection, and containment.
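The hardening baseline described above, applied and then validated on a single host, as an added PowerShell example (this is not Nuance's own script, and the page does not describe their implementation). It assumes Windows 10 or Server 2016 or later, an elevated prompt, and a hypothetical management subnet 10.0.100.0/24 as the only network permitted to reach SMB on the host; the control names and the cmdlets are standard Windows ones.

```powershell
# Added example: a host-hardening baseline for the controls listed above, plus a check
# function that reports each control's state. Run from an elevated PowerShell prompt.
$ManagementSubnet = '10.0.100.0/24'   # assumption: the only network allowed to reach SMB on this host

function Set-NotPetyaHardeningBaseline {
    # 1. Disable the SMBv1 server protocol (EternalBlue's target) and the SMBv1 client driver.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    sc.exe config mrxsmb10 start= disabled | Out-Null
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null

    # 2. Host firewall: default-deny inbound, turn off the broad built-in SMB allow rules,
    #    and allow TCP 445 only from the management subnet. Remote WMI (DCOM/RPC) is
    #    disabled entirely; remove that line on hosts that legitimately need it.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    $ruleName = 'Hardening: SMB from management subnet'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
    }

    # 3. Stop auto-creating the ADMIN$ / C$ shares that PsExec uses to push its service binary.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord

    # 4. Keep UAC remote restrictions on, so a stolen local-admin credential (other than the
    #    built-in Administrator) cannot be used for remote administration over SMB or WMI.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $policy -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord

    # 5. Raise logging: logon and process-creation auditing with command lines, plus
    #    PowerShell script block logging, so lateral movement leaves a trail.
    auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
    New-Item -Path "$policy\Audit" -Force | Out-Null
    Set-ItemProperty -Path "$policy\Audit" -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Test-NotPetyaHardeningBaseline {
    # Returns one object per control so a fleet-wide report can be built from the output.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sbl    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Where-Object Enabled -eq 'True'
    $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' | Where-Object Enabled -eq 'True'
    $checks = @(
        @{ Name = 'SMBv1 server disabled';   Pass = -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
        @{ Name = 'SMB allow rules off';     Pass = -not $smbRules }
        @{ Name = 'Remote WMI rules off';    Pass = -not $wmiRules }
        @{ Name = 'Admin shares disabled';   Pass = ((Get-ItemProperty $lanman).AutoShareWks -eq 0) -and ((Get-ItemProperty $lanman).AutoShareServer -eq 0) }
        @{ Name = 'UAC remote restrictions'; Pass = ((Get-ItemProperty $policy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy -ne 1) }
        @{ Name = 'Script block logging';    Pass = ((Get-ItemProperty $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1) }
    )
    $checks | ForEach-Object { [pscustomobject]@{ Control = $_.Name; Pass = [bool]$_.Pass } }
}

Set-NotPetyaHardeningBaseline
Test-NotPetyaHardeningBaseline | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: restricting inbound 445 to a management subnet will break users of a file server or domain controller (SYSVOL and NETLOGON are SMB shares), so the allow rule must be widened per role and tested on representative hosts before fleet deployment; and because the check function reports state rather than enforcing it, it is the piece worth running on a schedule, since a single host whose admin shares were re-enabled by a later install is exactly the foothold credential-based lateral movement needs.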
Healthcare and IT leaders need to ask the right questions now so that they can be better prepared for a malware incident in the future. Below are seven important security questions every leader should consider:
- Cybercrime is part of the new reality for every company, organization, and person. What can you be doing now to prepare for this scenario?
- How comprehensive are your security policies, and do those policies actually translate into deployed security capabilities?
- Have you developed a crisis and disaster plan and communicated it broadly throughout your organization?
- How would you communicate to your staff, your board, your customers, and your patients?
- What are your primary vulnerabilities? What measures are you taking to ensure patient data is protected?
- Do you understand and align with your vendors’ security policies and do you have the appropriate validation and/or risk assessment programs in place?
- Have you identified a team of outside experts to help in case of an incident, including cybersecurity and forensics firms?