Privacy Please
A genuine and informative podcast about data privacy and security. Your reliable place for best practices, interviews, belly laughs, and real stories.
Privacy Please
S5, E211 - Exposing the Ransomware Crisis: Unveiling the Threats to Healthcare Data Security
Explore the dark side of cyber threats as we unveil the terrifying impact of ransomware attacks on the healthcare sector. In a gripping discussion with Cameron Ivey and Gabe Gumbs, we uncover how healthcare institutions are targeted for their sensitive data, risking patient privacy and trust. Through real-life stories of ransom payments gone wrong and the looming threat of repeated attacks, we reveal the harsh reality: paying ransom is just the beginning of the nightmare.
Drawing insights from the 2023 Verizon Data Breach Investigation Report, we highlight a disturbing trend where ransomware aims not just to steal data, but to cripple operations, leaving vital medical equipment useless and multiplying the risk of human error. We delve into the shortcomings of data backup strategies and debunk myths surrounding the security of SaaS platforms. Join us for this conversation to empower yourself with more insights to safeguard your organization's data and people against cyber threats.
All righty, then. Ladies and gentlemen, welcome back to Privacy, please. I'm Cameron Ivey hanging out with Gabe Gumbs. I think that's who it is. It's my good friend. Gabe Gumbs Sounds like him. It does. There's that voice. There's the voice that both women and men love to hear.
Speaker 2:Yes, the voice that launched zero wars. Love triangles absolutely. Uh. No new radio stations, no late night. Uh, r&b request live hot bikes no radio.
Speaker 1:Who needs a radio? Huh, it's radio. We would be pretty good at radio huh this is not radio.
Speaker 2:Well, I guess that's true it is. Consider this radio. This is basically like time-shifted radio.
Speaker 1:Yeah, this is new age radio. Just everybody can do it from their house. Yeah, well, how you doing, man? How's it?
Speaker 2:going you good, I'm well, I'm decent, I can't complain too much.
Speaker 1:Same.
Speaker 2:Another day, yeah, another day. Another privacy incident, another data breach.
Speaker 1:Always, aren't they?
Speaker 2:Another ransomware attack.
Speaker 1:In healthcare Surprise.
Speaker 2:In healthcare it's a day that ends in Y. Last night I mean it's unfortunate, it's very unfortunate. I was talking with some let's call them lay people recently in the medical field and they were fascinated by some of the data around healthcare attacks. This particular person, their organization, is still being affected by one of the outages across some of the pharmaceutical networks, right, so it's really difficult for them to get patient scripts filled and stuff. It's leading to some challenges with human error. So folks have to like where they used to be able to just put in the information and then they'd walk over to another terminal in the building and the medication would be there and the machine would have already checked to make sure, a it was the right medication, b it was the right number of pills. So that doesn't happen anymore. So humans have to do a bunch of that stuff now because those systems are still out of commission post-ransomware attack, and so they were curious as to like why is healthcare getting beat around so badly?
Speaker 2:And the answer, of course, is because healthcare data is super, super expensive on the dark web, largely because of healthcare fraud, but also because, healthcare being an absolutely massive industry, it is lucrative. It's a ridiculously lucrative industry, and so as a target, it's decentralized, right. There's no universal healthcare in this country. Don't bother adding me people, right? I'm not suggesting I'm for it, against it, hint, I'm for it, but nonetheless, that wasn't what I was suggesting. I was suggesting that don't bother adding me on that topic.
Speaker 2:And so it's a lucrative, decentralized business to go after, and operationally, it's a business that, if you cripple them operationally, there's a huge financial impact, and then there's also the human impact, and so a lot of healthcare companies are perversely incentivized to just pay the ransom. This company paid their ransom, by the way, I'm not naming names for all the obvious reasons, and so, if you think of it to yourself. But, gabe, you just also said that their system still weren't back online. That's right. That's right. They paid the ransom and they got back some of their data. Honestly, I think they were lucky to get back anything, but they got back a very small amount of their data, very small amount.
Speaker 1:So let's go back to the financial impact of it all. Obviously, there's substantial financial losses for Change, healthcare and when it comes to any ransom attack.
Speaker 2:Which is not who I was talking about in that story, by the way. I just want to be clear.
Speaker 1:Change.
Speaker 2:Healthcare was also hit.
Speaker 1:Yes, okay, so you're talking about somebody else.
Speaker 2:Yeah, I was. I very much was intentionally was. I was this. This was a real story from a conversation I literally had last week. This person was not part of the change health care um ransomware attack. Change health care was in a similar scenario. I do not know how they were affected or not affected, but they finally just admitted. I think that's what you were going to bring up, right, right?
Speaker 1:But this ties into exactly what you were probably talking about. Anyways, it's the same. They're going to deal with the same thing, yeah, so Change Healthcare.
Speaker 2:You know. They finally acknowledge paying the ransom and they still haven't gotten back most of their data, at least you know, based on their own words. That's a problem.
Speaker 1:It certainly is a problem. I mean, we're talking about crippling operations, but also affecting customer trust, and I mean there's a couple of different challenges that they're going to be facing Same example that you were going over when it comes to data security, the financial impact of it all, customer trust, regulatory compliance with HIPAA with this ransomware attack. Yeah, yeah, it's huge.
Speaker 2:Allow me to share another real story.
Speaker 1:I love stories Gabe.
Speaker 2:Yeah, the thing is, to see it and witness it happen up close is always fascinating. It's one thing to read about it in the news, but allow me to share with our guests another real life story. I'm having a conversation with a different organization or a different person that works for I won't even give away the vertical this business is. It handles a lot of PII, so you know there's a lot of, there's a lot of you know, regular people's information that they have, and they were hit with a ransomware. They paid the ransom. They also did not get back all of their data and then they got hit with a ransomware attack again a few weeks later by the same people, by the same people, and they were like what the hell? And I was like what? I don't understand. What exactly do you not understand? Oh, you're talking about the part where you trusted criminals to make good on their work. I understand, yeah, yeah, yeah, I understand the problem. You made a miscalculation and so you know, look in their defense just trying to get back up and running. Sure, I don't know if that's really a good defense, because I'm not certain what the current best advice is.
Speaker 2:The FBI had issued some advice years ago. You know that I knew was like do not pay the ransom and I know that's been updated because in some cases the FBI will even. I do not know how frequently this happens, but they will even help negotiate with the ransom attacks. My assumption is that probably happens whenever it's a vertical or a business that might be deemed too important to allow this to be any more problematic than it already is. But paying the ransom is a problem. Last story with Gabe, a different organization who is purely in the business of ransomware recovery. So we happen to partner with them, we partner with them and they offer services to help folks recover.
Speaker 1:And we.
Speaker 2:by we you mean Myoda. Oh, we be Myoda. Yes, yeah, we be Myoda. Myoda is we don't talk about them frequently on the show but for those of you paying attention, it is the data security organization that I represent. I do a lot more than represent. Go check this out, myotaio, check it out. Shameless plug, shameless plug. Go check it out, check it out. So, anyway, we partnered with this organization and they help organizations recover from ransomware attacks.
Speaker 2:Some of the things that they were sharing with me, I was actually surprised by and shocked by the things that they were sharing with me. I was actually surprised by and shocked by they were saying that on the high side, 60% of someone's data is all that they ever see recovered. On the high side, it's usually somewhere between like 20 and 40%. I hadn't actually known that. I hadn't actually known that, largely because I hadn't spent a lot of time discussing in detail with someone who has paid the ransom what the recovery impact was. Right, like I hadn't had that conversation. And so, as I'm having these conversations with you know these folks that have literally been hit and paid the ransom and not got back their data, and I'm having this conversation with these folks that come in to help clean things up and they're like, actually some of those numbers aren't bad, because we rarely see 60%. Most people don't get back that much of their data. I'm like, so I should go back and tell this guy he's actually lucky. I should go back and tell this guy who got hit twice like, by the way turns out, you're actually lucky. You could have lost both legs and arm and your head. You only lost a couple arms, right, yeah, and so you know, if that is the pattern, why are folks paying these ransoms?
Speaker 2:Still, it encourages future attacks. There's no guarantee that your data is going to be recovered. You will potentially be extorted. Again. You already mentioned the legal and compliance risk. Right, like, depending on your jurisdiction, paying a especially if it's to a sanctioned entity, could lead to legal consequences, right, including violating compliance regulations. So like, let's say, you pay a ransom to like Al-Qaeda and you just didn't know it was Al-Qaeda. I'm just making things up because sanctioned entities, right, like, maybe their name was posted right on their ransomware bill but you just, you know, didn't pay attention, didn't care, didn't think it was real. But even just doing that is a problem. On top of the, you're also taking resources out of your own business and just basically setting them on fire. I say that because, if you're still not getting your data back, you've just set a big pile of company cash on fire.
Speaker 1:That's true. Now, for fun, I actually asked ChatGPT to give me an easy analogy of this situation when it comes to cyber attacks, and this is this is what it came up for change health care. So change health care is like a fortress protecting valuable treasures. Patient data hackers, akin to cunning thieves, breached his defenses and demanded ransom, holding the treasure hostage. Despite paying, the threat remains, as other thieves claim to have copies, leaving the fortress vulnerable. Does that sound right in these situations? It sounds about right.
Speaker 2:And here's what sticks out about this scenario, because that is exactly one of the things that Change Healthcare was worried about was this data leaking out? Right? The second the data is in the ransomware attacker's hands. It's too late, it's already leaked. They are also, they being the bad guys. On top of not returning all your data, are still selling your data on the dark web. So people will pay the ransom and that data will show up on the dark web still, because, again, you can't trust them. So, again, why are you paying for? You didn't get your data back. It still got sold on the dark web. What did you actually pay for? What are you paying for? And so, yeah, in this case, others claiming to have copies of it was true. Others did have copies of it and will continue to have copies of it.
Speaker 2:The 2023, last year's Verizon Data Breach Investigation Report, which 24 hasn't been released yet. But if you look at there's a trend in there that it highlights, and the trend is that availability has become the number one impact of ransomware, not data loss, right Like. So. Not getting your data back has become the biggest impact of ransomware. Them keeping it hostage has become the biggest impact your data simply ending up on the dark web hasn't become the biggest impact, and part of the reason for that is because, well, it just happens anyway, right? Because that's part of the reason why the impact, the impact to your business isn't it's still there, but it's way outsized by your inability to run your business Right, like that lady who now has to I didn't say it was a lady, maybe I did, but that lady I was mentioning before who now has to.
Speaker 2:I didn't say it was lady, maybe I did, but that lady I was mentioning before who now has to, like go manually, go check the prescriptions and, by the way, they found errors. There's been multiple errors because humans make errors, and before their error rate was like super low and now the error rate's like 8%. That's a lot. So now this lady has to keep doing this manual effort. That is far surpassed. The fact that that patient's healthcare data is leaked, yes, that's a problem, but that patient's healthcare data was probably leaked in a different breach any freaking way, and so now that that patient can't even get care or count on the care being accurate, that's a bigger freaking problem. It's a massive problem.
Speaker 1:A lot of things are going on in my brain right now. There's too much when it comes to this topic. Did we even mention the amount of this ransom? It was uh, I think it was like 22 million yeah, this one in particular was 22 million. 22 million dollars to not get your data back now my question and you might have highlighted this, but this is change plug number two for less than 22 million dollars.
Speaker 1:I'll make sure you always get your data back, like my, yoda will make sure you always get your data back For less than $22 million, a lot less.
Speaker 2:My Yoda will 100% guarantee you could always get your data back.
Speaker 1:That's what I was going to say, Like how do these organizations put themselves in a situation when someone does this to like a cyber attack? How do you not have your data and a way that you can actually still access it?
Speaker 2:You want some more wild statistics? So that same company that kind of comes in post-breach was also telling me that somewhere north of like 50% to 60% of all the companies they work with just don't have backups at all, which is why they just don't even have any like zero.
Speaker 1:What do you think the reason is Money?
Speaker 2:I don't have it. I think do nothing is the reason. I think because a lot of people, just you know. So here's a couple of reasons. One is a lot of people think that because they use sas platforms, they're fine, like well, I use salesforce.
Speaker 2:So, like, salesforce protects my data it's not untrue they do but like if I breach your salesforce instance, take your account, lock you out of it, delete, delete everything and do so over time such that you can't get any of that data back. The only thing Salesforce guarantees is that the platform will be available for you to use and the data that you put in there will be. But if you look at all cloud shared security models all of them the data is your responsibility and so part of it is a lot of people have this misinformed idea that whatever SaaS product they use, that is good enough and they don't have to worry about whether or not their data is backed up. The second problem is, because of that first problem and others, they just don't do anything about it. They just don't do anything about it. The other problem because I'm certain Change Healthcare had backups. I'm certain they did. The other problem is the backups are the first thing that gets attacked, because how else am I going to get you to give me $22 million? The backups are the first thing I attack and there's lots of ways to attack the backups. Right, they are vulnerable themselves. It doesn't matter the backup platform. There's lots of different attack factors specifically targeting just those platforms. So even if you have the backups, you have to protect those backups.
Speaker 2:I think I posted this is I posted a meme on linkedin moons ago. I'll have to do it again, but you know it's the one with the black guy pointing at his head like this you know waking and oh yeah, that I wrote yeah, yeah, I didn't know he was british I don't think I ever knew the origin.
Speaker 1:I saw I saw a meme of the actual video and everybody's like after all, this time I actually see. This is the first time seeing the video and him talk that's funny.
Speaker 2:Yeah, that's funny. I may have to check it out, but the caption I put on it was you don't have to worry about securing your backups if you don't have backups. That's. That's the genius to it you don't have to worry about you, you do not have to worry about protecting those things. If you just don't take any backups and when someone asks you, do you have backup security, you'd be like I'm good, I'm solid over here okay, so that to that point.
Speaker 1:Uh, you've mentioned myota and and we're not trying to promote myota here, but I think a good question is for those. I mean, I'm not no but yeah yeah, but I guess a good question is is how? What are some steps that you can take to prevent something like this happening?
Speaker 2:so that's so, yes, let let's put this into, you know less biased context. You have to A actually take the backups right, like back to my meme pointing at the head right. Like duh like yeah, it's true.
Speaker 2:You don't have to secure backups if you didn't take them, so you have to actually have them, and the fact that, like 50% of folks are running around without any, it's just wild. So step one, you have to. Step two, you have to really understand where your data is and how it's actually protected. That ties back to the SaaS platform conversation. Your data in a SaaS platform isn't guaranteed to be backed up in any meaningful way that will protect you from ransomware. That is, they're guaranteeing service availability full stop. That shared cloud security model does not account for that period. If you read your Ts's and C's, you will see that Hopefully, you don't have to read them post-attack to get to that.
Speaker 2:Number three you have to secure the backups. You take the backups, now you have to secure them. That requires a whole effort onto itself.
Speaker 2:Traditionally, backups have been the purview of just the IT teams, which is to say not the security teams or not the IT security teams. And so a lot of times I'll talk to security people and they will say things like oh well, that belongs to the infrastructure engineers or the IT infrastructure engineers or the IT guys, and it's like, yeah, but that's the last stop saloon, though. If that thing gets breached, you're paying 22 million for a bonfire. And so there's still this gap between the security professionals understanding their role in protecting that last mile, the backups. And so, again, the non-biased answer is you have to protect those backups. The thing is that's becoming so much harder because it's literal target number one, because it's leverage. It's the first thing they target Before they lock up all the operational data, before they lock up all the daily operational data, they go find the backups, because once I put a lock on that, you can't just tell me to pound sand and go away, because I know I have a backup.
Speaker 1:Once that happens happens, you're gonna pay me 22 million easy, easy 22 million okay okay, it's maddening, it's confusing, and everybody that has their patient data in some kind of where form we all do it is crazy that that isn't the most protected data. Like you know what I mean. Like how is the health care industry not the most protected data? Like you know what I mean, like how is the healthcare industry not the most secured? It's probably one of the worst. I would say Probably One of Allegedly, I agree.
Speaker 2:I agree, like I'm just thinking through some real world, you know, not calling any names or even giving any hints towards, but I will agree. I've seen some things in healthcare that are astonishing. I've seen some things that have made me literally avoid some of the larger providers, like that provider. I won't go with them for any services whatsoever because I know they don't even have a basic vulnerability testing program. I've seen some of those things up close. Some of our audience members have probably witnessed and been privy to similar. So, but for those of you that haven't, you know that this the sky isn't falling. I want to be clear about that. The sky isn't falling, but yeah there's a lot of work.
Speaker 1:There's a lot of work to be done I don't know, man, we're coming up on time, though I don't know. My mom always said that we're living in hell in a handbasket. I'll tell you what the world kind of looks like, but I mean we know it's not falling it's not falling, but uh, yeah, yeah, we'll see. It'll be fun to monitor this as it continues. But, gabe, thanks man, great episode this week. Uh, anyone has anything, shoot it our way, we'll see you guys next week. Next week, see y'all.