The Rising Stakes of Ransomware During the Global Pandemic

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The steady drumbeat of ransomware and related breaches and outages in healthcare persists despite our industry’s need to grapple with yet another surge in the global pandemic.

Healthcare CISOs and leaders are also reeling from the recent revelation of a patient death directly attributable to ransomware. Healthcare organizations are moving swiftly to deploy capabilities to predict, detect, contain, and respond to these attacks; and the stakes have never been higher.

Join us as we celebrate 50 episodes of The CyberPHIx in this special interview with Stoddard Manikin. Stoddard is the Director of Information Security for Children's Healthcare of Atlanta (CHOA) and has over 18 years of progressive experience in the information technology, security and privacy field. Highlights of the discussion include:

  • Attack trends and escalating impacts to patient safety from ransomware attacks
  • Ransomware's evolution and availability as a SaaS solution for malicious actors
  • Risks and supply chain impacts to health systems when Business Associates get infected with ransomware
  • The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC)'s decision to begin fining healthcare organizations that pay the ransom
  • HIPAA implications for ransomware attack response approaches
  • Ransomware incident response approaches including during a pandemic with a remote workforce
  • Evolving prediction, detection, and prevention strategies
A Message from Brian Selfridge: Celebrating 50 Episodes of The CyberPHIx

I am honored to share this engaging interview with Stoddard Manikin, which we are releasing as our 50th episode of The CyberPHIx. I want to thank our listeners and the amazing guests we've had over the past few years on the show. We appreciate the time that these industry leaders have taken out of their busy schedules to share their insights and knowledge with the community.

We also appreciate your willingness to tune in and stay up to speed on the many challenges and solutions facing health care, security and privacy programs. I have learned a great deal through these sessions, and I hope you have, too. I look forward to sharing many more interviews in the years to come and look forward to working collaboratively with each of you to keep our healthcare organizations and information safe.



Brian Selfridge: [00:00:19] Hello and welcome to CyberPHIx, this is Brian Selfridge, your host of your leading podcast for information security, privacy and governance, specifically for the health care industry. I'd like to welcome my guests. Stoddard Manakin serves as Director Information Security and leads the security program for Children's Healthcare of Atlanta. I would also like to take a brief moment to mention that this is our 50th episode of the CyberPHIx. I want to thank our listeners and the amazing guests we've had over the past few years on the show. We appreciate the time that these industry leaders have taken out of their busy schedules to share their insights and knowledge with the community. We also appreciate your willingness to tune in and stay up to speed on the many challenges and solutions facing health care, security and privacy programs. So now let's get on to another great conversation with yet another amazing guest, Stoddard Manikin.

Brian Selfridge: [00:01:09] I'd like to welcome my guests, Stoddard Manikin. Stoddard is the Director Information Security and leads the security program for Children's Healthcare of Atlanta. Stoddard has over 18 years of progressive experience in the information technology, security and privacy field and has a number of leadership roles with prominent organizations. Over the years. Prior to Children's Healthcare of Atlanta, Stoddard led Fishnet's, identity and access management practice and also spent a number of years as a senior manager for Ernst and Young, specializing in business continuity services. Stoddard has a long list of accomplishments inside and outside of health care, and I'm very excited to have the opportunity to speak with him today on the CyberPHIx. Specifically, we'll try to make some sense of the surge of ransomware attacks and their escalating impacts on health care entities during the pandemic. Stoddard, thank you so much for joining us today and really appreciate you taking the time to be on the CyberPHIx.

Stoddard Manikin: [00:01:58] Thank you, Brian. I am delighted to be here. I can't wait to hear us on the big screen, so to speak, called the Internet. And I appreciate you inviting me.

Brian Selfridge: [00:02:08] Absolutely. So we're talking about the rising stakes of ransomware. And I think if we mention the stakes in particular, it's hard to avoid the recent news story where there was actually a patient death directly attributable to a ransomware event in Germany. So I'm not sure if that's hit your radar, but if it has, I wonder if you could give our listeners a quick sort of summary maybe of what happened there so we can dive in and dissect this a little bit and see what we can learn from it.

Stoddard Manikin: [00:02:36] Absolutely, Brian. And this was truly just a terrible story. And it's what a number of security professionals have been concerned about related to cybersecurity and health care for many years. And unfortunately, the University of Dusseldorf in Germany was the victim of a ransomware attack in September. Their hospital system was more of a bystander in this situation where the university was the primary target. But because they share systems and network connectivity, the hospital was impacted. And as a result, they had to shut down a number of their medical services and go to diversion.

Stoddard Manikin: [00:03:13] And there was an ambulance in coming with a patient who had a significant condition. And unfortunately, that patient passed away because they could not get treatment in time due to the ransomware.

Brian Selfridge: [00:03:24] So this is a terrible case. I know we've we've been worried about this for years. Right. The potential patient safety impacts of not only ransomware, but other security threats. This this really hits home for those of us I know that have been trying to avoid these outcomes that are there almost seem inevitable. Now, what I read about this story sort of interested me was that they actually ended up paying the ransom and getting the decryption keys pretty early, relatively early in the cycle. And they had trouble rolling it out so they couldn't get the deployment of the ransom key out quickly. It's not like you just you literally turn the key and all the systems are back online. Do you think it was worth paying the ransom in this case? Should they have waited a little bit longer? Do you think any patient deaths would have been impacted one way or the other? They had one. Could it have been more? I realize it's hypothetical, but any other ways this could have played out if they had acted differently?

Stoddard Manikin: [00:04:16] I think it's a fair question to ask. Every time this type of situation arises. My general practices, I prefer not to second guess the decisions of other organizations and professionals, especially when I am not in any way involved in the decision making process. I don't know all the details beyond what was publicly relayed. However, I'm sure that they really struggled with that decision and made the best choice possible that that would impact the patient the least. That said, I think that we all have to figure out what is the right way to handle these situations when they arise as much as possible in advance so that we can think it through instead of in the moment when we might not be thinking quite as clearly. And we can make informed decisions or at least a framework for how we will make decisions so that it takes a little bit of the edge off when we're actually in the scenario.

Brian Selfridge: [00:05:06] What are some of those aspects of sort of a game plan that you would recommend thinking about ahead of time? So if you were in Dusseldorf six months ago and responsible for the security program, what are some things you would have liked to have in front of you or have done in advance before entering into that situation?

Stoddard Manikin: [00:05:25] I would have liked to have had my incident response plan from somewhere completely defined. And whether that's sitting in a binder or on a shared drive somewhere, it's totally up to each individual. But I would recommend both, because if if your drive is impacted by the ransomware event, then you're not going to be able to get to it. For our team. We keep those types of documents on local PCs for people who go home at night so that we have access to it, regardless of whether you're connected to the network or not and so forth. I would want to have our communication plan documented to know who and when we would do notifications, when we would bring in broader teams outside of city to go through vacations potential. Law enforcement and so forth, and even to have on speed dial or crisis communications firm, possibly law enforcement, legal advice and that sort of thing.

Brian Selfridge: [00:06:18] So we're going to focus on ransomware predominantly in this discussion. So don't worry, I'm not going to move too far off of it. But we've been worried about for the last several years, it seems like the the patient safety discussion has been really centered around medical device security and things that are a little more, I don't wanna say tangible, but have been the front of mind for the last five, 10 years. Now it seems like ransomware is becoming perhaps one of our primary patient safety issues versus just a regulatory thing. But do you think this should cause us to maybe prioritize our our programs and focusing more on ransomware versus medical devices? Or maybe those are our top number one. And number two, what what are your thoughts on the is there any shift in prioritization of your thinking based on these these patient safety type stories?

Stoddard Manikin: [00:07:07] I do think that now is the time where we need to reconsider sort of the controls based, compliance based approach to security that health care typically has taken and moved much more towards a threat and risk based security approach. So from that perspective, I'm absolutely worried about medical devices from a patient safety issue. But typically a single medical device being compromised will impact one or a few patients, whereas a ransomware incident can affect all of your patients in one way or another. So I think that as an industry, we have historically focused on being compliant here in the US. We're focused on things like HIPAA. And what we really need to be focused on is what is the risk to the patient. We've always been mostly worried, too, about disclosure of data and the fact that hackers would steal data and post it or expose it online and that sort of thing, and then we'd have to report it as a breach and go through that whole legal compliance government rigmarole. Patients can recover from a data breach in those cases. They cannot recover if they are killed due to a safety event created by either a bad medical device or a ransomware event. And I think that needs to be the number one focus as we run our security programs to say, of course, we're worried about patient data confidentiality.

Stoddard Manikin: [00:08:35] But at the end of the day, the most important thing is to do no harm. And we have got to make sure that we're enabling our caregivers to take care of patients in the best way possible. And that means that they need the availability of systems that are otherwise compromised due to ransomware.

Brian Selfridge: [00:08:51] So apart from this single instance of the patient's fatality, unfortunately, in Germany, let's talk about the sort of more global trends of ransomware, particularly around health care. Are these the attacks and the attack methods and the attackers any different in the way in which they go about attacking? Are they they targeting health care more or less than last year? Are they doing things differently? Have you seen any changes or is it more of the same types of approaches that they've been taking year over year here?

Stoddard Manikin: [00:09:21] Yeah, I think in in one major respect, ransomware has not changed, and that is that the infection vector is still very similar and it's primarily coming through phishing messages to modify it slightly, to be more Covid related and so forth. But in general and users are the weakest link and they are the easiest way for bad actors to compromise the healthcare system. And so we have to continue to train those users to help be on that front line and recognize that security is everyone's responsibility. Now, ransomware also has evolved where it is now available as a service for hire. You do not have to be an advanced threat actor who writes your own malware and finds vulnerabilities to exploit. You can literally rent these services on the dark web. You can pay a subscription fee and it's completely commodity's. That is a game changer because it's enabling less sophisticated hacking groups to still deploy the most sophisticated tools and to hold us all hostage through digital extortion. Another one is that there is a higher sense of urgency with some of the targets because they might be involved in research into Covid. Maybe they're working on a vaccine.

Stoddard Manikin: [00:10:40] Maybe they are doing some other type of therapeutic research and waiting a week while you figure out whether you can recover from backups might not be an option because of the lives that you could save by saving that week. So there is that additional sense of urgency. There is another way that ransomware has evolved. And this is perhaps the most odious aspect is that there's really a dual threat to it. So it used to be that they would lock your computers up and they wouldn't give you access to your stuff until you pay the ransom or got a decryption key some other way. But now they're not only blocking your access to the data, they're also saying, go ahead, decrypt it. But if you do and don't pay the ransom, we're going to disclose the data online and do a data dump. Whether that's for profit due to sales or just embarrassment, it's not always clear. But that dual threat is a totally new factor to consider. And I think organizations really need to weigh those consequences as they make their decisions on how to handle it.

Brian Selfridge: [00:11:39] Has our ability, meaning health care providers, in this case, our ability to respond to ransomware attacks evolved in any way and maybe maybe devolved, I don't know. But with the pandemic and Covid and the remote workforce, does that change our ability in any meaningful way to be able to respond effectively from what you've seen?

Stoddard Manikin: [00:11:59] I think we have a lot of people who are working from home, but clearly in a healthcare setting, you have plenty of people who don't work from home. So in terms of responding to ransomware, I don't see a huge difference. And unless you have a system that needs to be physically turned off to protect it from spread, that could be an impact. But I think the bigger situation here with all the work from home distributed workforce is the expanded attack surface. Because if you say you have a VPN that allows access into your corporate network and at the same time lets you have access to the general Internet, that PC is at risk significantly more so than if it were on your home, on your work network. And so I think that there are more ways into your device, your end point for the hackers to come in. And and that's the bigger concern I've got, is that there are more ways to get infected and not so much about how a response might be impact.

Brian Selfridge: [00:12:56] How about the recovery itself, I know we don't like to think about if many of our systems are locked up, home user workstations, are we just we going to be shipping new laptops out to folks, for example, or PC towers if if they get locked up on the end user perspective with the remote workforce or or is there some deployable way to resolve ransomware with a remote workforce that might be easier, different than if they were in the building down the hallway? I don't know if we even thought about this that far. I mean, just just curious if you've sort of played out any of those scenarios.

Stoddard Manikin: [00:13:31] I don't know of very many organizations that once they decrypted ransomware infected PC, they keep using it as is. I wouldn't trust it because you never know what else might remain on that workstation after the fact. So the general approach is eventually to do the new campaign for you're completely reimaging the system if you even continue to use it. So I do think that particularly with end users, you're going to be shipping them out a reimage laptop or having them come in just to get reimaged any time they're impacted by ransomware. And that's assuming that you can even recover the PC in a lot of cases, the amount of time it takes and effort it takes to recover a PC, even if you have the decryption key, as you said earlier, is significantly manual. And so you've got to determine which ones are really worth trying to recover versus which ones you just roll over and start again. And so I think that's going to be part of the problem and part of the situation to deal with when you're recovering from an event.

Brian Selfridge: [00:14:29] You and I had traded emails previously about a ransomware attack on Samaritan health care in New York that left their systems down, or at least a significant portion of their systems down for over two months, as far as the media reported. Any way it might have been longer, more extensive? I don't know. Is this typical or is this an anomaly? Do you think we can expect to see longer outages like that from these ransomware attacks? And why would that be if we see folks like Samaritan just out for months at a time?

Stoddard Manikin: [00:14:58] Yeah, and my heart goes out to Samaritan as a victim of this thing, because I'm sure that they worked as hard as they could to recover from that incident. It sounds like it was a really rough one. And I bet just like all of us, they were prioritizing which systems that were going to focus on recovering. And they left a lot of lower priority systems until later. I don't know how much of the news reporting is accurate or not, but I can't imagine that my organization wouldn't be in a similar boat with some of our less used, less critical apps. We've got limited resources. We want to make sure that we're getting the most important patient facing or provider facing applications up and running. First, make sure that they've got accurate up to date data and that the systems are available. And that takes a long time to do. If you think about how long those I.T. departments have been running in all these different organizations, it's at least a decade or more. Think of how much effort went into building and rolling out all these systems in 10 plus years and then try and recover it in less than a month. I mean, in some cases you're rolling it out from scratch. That just can't be done that much quicker unless you have just a super duper top tier recovery plan. And even then there's going to be hiccups along the way. So I do think we're going to continue to see extended outages due to ransomware. And I also think we've got to pack in a little bit more planning and prevention than we do and into the incident response. So just like in healthcare, where we've got these different epidemics and just different pervasive diseases that affect our population, we've got to focus not just on treating it once the symptoms appear, but the prevention aspect, because a little bit of investment in prevention will save you a ton of money and how you have to respond.

Brian Selfridge: [00:16:48] So we've been talking quite a bit about these scenarios where the healthcare provider themselves get the ransomware attack and have to respond and get new machines online and nuke and replace or I'm not using the terminology correctly, but something along those lines, the nuke and pave; nuking is the important part. But what, what do you think of these attacks like we saw in 2017 with the one WannaCry attack, for example, that impacted business associates and vendors servicing healthcare entities in this case, just to catch our listeners up, I know you're familiar with this one, but Nuance, the transcription company had a malware ransomware attack and then they had VPNs with several health care providers and that ransomware jumped over the VPN infected systems and the provider side and caused issues that way. So how do you recommend organizations handle and prioritize ransomware risks that are introduced by potentially by third parties in addition to worrying about their own networks and teams and people?

Stoddard Manikin: [00:17:50] And that's a great example to bring up, Brian, because that incident with the nuanced transcription service impacted so many of us in health care, I remember that time because even our CIO ran out to the local office supply store and bought all of their personal recorders just so we had something to do. Transcription with I think part of it comes down to your supply chain. And if you only have one vendor for critical service like transcription, then you need to be prepared for some type of outage because it may not just come from a cybersecurity event, it can come from anything. And and that's where it may be more effective to have a dual vendor strategy or at least a backup plan so that you can move this to somebody else should you need to. Now, that said, third party risk is one of the major areas of concern from a cybersecurity perspective. In health care, it's probably double what it is in other industries because we have so many systems that are on premise and supported by vendors who are offering us so many times. I find these things where the vendors say, oh, we need Always-On, VPNs, or we have shared accounts because we have twenty five different people and we don't know which one is going to be on call to address your issue.

Stoddard Manikin: [00:19:05] The third party vendors are the ones who are more likely to have compromised accounts. We've seen this outside of healthcare too, such as the big target hack several years ago. So I think that we in health care need to limit the access that our third parties have, and we need to have standardization of that access. Just a couple of years ago, we still had vendors using consumer grade solutions like LogMeIn or go to my PC to remotely administer systems with ePHI on the web trying to protect the health information. And that's just not OK. So we have moved towards a model where we have a standard that says here are the three ways you can remotely connect into us in order preference, choose one or we're not going to be doing business together. And that allows us to, through that standardization to make sure that we vetted each of the solutions and that we have enough people to actually monitor those approaches to make sure if anything odd is going on, we are more likely to notice it.

Brian Selfridge: [00:20:06] I'm going to switch gears a little bit here, because we're talking about the very real and important operational patient safety impact to from ransomware events, and that's creating some major social and global issues for us as a society. When that happens, historically, the regulators are close to follow and try to help in the ways that they can to to stem the negative aspects of these these ransomware attacks.

Brian Selfridge: [00:20:33] I want to talk about the regulatory stuff, in particular the announcements very recently this month from the US Treasury Department's Office of Foreign Assets Control or OFAC. I never remember that, but they warned that they may start to issue fines for organizations that facilitate payment to ransomware attackers.

Brian Selfridge: [00:20:57] So, you know, we've been working with clients ourselves through on the Meditology side, through ransomware incidents and tabletop exercises. And very often the decision is made to pay the ransom like we saw with Germany in that in that case and many others in the interest of protecting patient safety and operations. So what do you think about OFAC's move to start issuing fines for health care entities, any entities that that pay the ransomware and and which are just sort of gut reaction to that?

Stoddard Manikin: [00:21:27] I understand the intent because we know that a lot of ransomware payments go back to organized crime and in some cases may even finance terrorism and extremism. And we certainly don't want that. At the same time, I'm not really clear on how that agency would even determine jurisdiction. So if I understand correctly, I believe that they are focused on international type of payments. And with the ransomware event, you don't necessarily know who you're paying if you do pay a ransom. So that'll be interesting how they determine whether someone is actually liable for violating any rules that they might publish.

Stoddard Manikin: [00:22:04] But that said, I think that if if government as a monolith wants to require that we not do something or face fines, then government as a monolith should also provide more resources to help prevent it from happening to us. In a lot of cases, ransomware is an international problem. In many cases, it's even financed by state actors and foreign governments. The healthcare organization like mine or many others out there, we don't have a private army, we have a private security force that should be supplementing what is already provided by our country, by our local jurisdictions and so forth. And we can't all be in this arms race where everybody has their own private security army to defend against all these other groups coming against us. There needs to be some more centralized support and help to eliminate the threat and defend against it. If they want to convince us that we shouldn't ever pay a ransom and possibly find for doing so.

Brian Selfridge: [00:23:08] Now, I'm sure in the war room, when you're going through an incident like ransomware, you've prioritized patient safety operations and you're doing all that risk based approach that you mentioned. And then the topic of regulatory compliance comes up. How do you reconcile this sort of competing, these competing requirements, particularly on the regulatory side? So you've got HIPAA and similar regulations that say don't release the data, protect patient privacy and security information. And on one side, you've got OFAC and others now saying, well, you've got to you can't pay the ransom. And you mentioned earlier that the ransomware people are saying, well, if you don't pay, we're going to release all the data. Right. So now you've got you don't have an OFAC problem anymore, you have a HIPAA problem, and the potential of getting fined and hit from multiple angles. So is how do you reconcile that in the war room with potentially with the ransomware event to you? What type of decisions are you making to try to do the least damage from a regulatory compliance perspective, I guess?

Stoddard Manikin: [00:24:09] Well, in the US, we've got the HIPAA Security Rule and HIPAA Privacy Rule. And one of the key phrases in that in that statute is what's reasonable and appropriate. And when you have a cybersecurity incident, you have got to take reasonable and appropriate steps to address it. Any organization can be compliant without being secure, and we can't confuse those two things. There is no regulation out there that if you comply with it, you will be one hundred percent secure. That includes the credit card standards for PCI, includes HIPAA for health care and many other industries.

Stoddard Manikin: [00:24:43] So we as security professionals need to take that balanced approach of saying, yes, we want to be compliant, of course, but we're not doing a security program as a box checking exercise. If we have leadership that says show me we're compliant and that's all we're going to invest in, that's not the right approach. And I think that very few boardrooms take that perspective anymore, given how high the incidence of ransomware is. So I think we've got to take that balanced approach and make sure that we're secure and compliant at the same time. And if we have to choose one over the other, I would probably to secure in most cases and document why we chose not to be compliant so that we can justify it and prove that we don't have willful negligence.

Brian Selfridge: [00:25:27] Is there any way you think that regulations could be tailored, improved, modified, changed to be more helpful? And I'm not implying that they're not helpful, but but be better at supporting healthcare delivery organizations in these types of situations. And I know that's a tough ask because the regulations are complicated. But I don't know if you have a perspective on know if you sat down at the table with the hip designers and see what kind of recommendations or asks you might have for them.

Stoddard Manikin: [00:25:58] I think it's a very fair question. And generally what I've seen across multiple industries is that the HIPAA Security Rule is the least specific and the least prescriptive of most of the industry regulations. It leaves a lot of things up to the the Covered entity as to how they choose to meet the requirements, which is good from a flexibility perspective. But it also leaves a lot of uncertainty as to whether what you're doing is going to meet that bar or not when you're assessed either in a routine audit or after a breach. So I would suggest that the things that are typically the most helpful coming out of government for health care in the last five years or less. So the specific regulations and tweaks and more so the guidance documentation or they say, hey, related to encryption, here are the ways you can achieve it related to transmission. Here are the ways you can do it securely and give us that kind of information so that we understand how the regulating agency might interpret the laws that aren't as clear. And that'll help us make good decisions as we're trying to meet the spirit of the law versus just the letter of the law, ticking the boxes, moving on.

Brian Selfridge: [00:27:13] So we talked a little bit earlier about briefly about incident response and prevention and things we can do to to keep these attacks from happening, because everything we've been talking about so far has been really about responding and adjusting. I think appropriately so, because of the likelihood that most health care organizations are going to experience a ransomware attack at one time or another. But I suppose that shouldn't stop us from trying to prevent them as best we can. What are some recommendations or strategies you would have for organizations to build processes, strategies, policies to to better prevent the likelihood and impact of a ransomware event?

Stoddard Manikin: [00:27:49] Yeah, this this one is a dear one to my heart because we've been, quote unquote, "shifting left" for years as our security program matures. And by that I mean in the attack kill chain so to speak, you try and get further and further to where the first foothold begins by that bad actor and block them there. And then as each successive measure may not succeed to block the ransomware infection. Right. Right. And right. Then you get into more escalated response times. So the cycle used to be prevent and then detect and respond. And now we predict and then prevent, detect and respond. So I think that we're at a point where we can use big data to our advantage to predict what might happen. We can do information sharing with organizations like the Health ISAC (H-ISAC) where we share a threat intelligence. If one organization gets a phishing attack, they post it and then we can all put that phishing message into our systems to automatically block as just one example, we've got to do joint defense and information. Security is not a solo sport. It is a team sport. And it can't just be the team that you have hired working at your location. It is all of us in industry.

Stoddard Manikin: [00:29:04] And I think that's one of the big focuses on how we can predict things from a prevention standpoint. I mentioned earlier that every investment you make in prevention saves a heck of a lot more time, effort and money in the detection and response portion of your incident plan. The good things to do in order to prevent are the basic security hygiene tasks, but when I call the basic blocking and tackling from a football analogy, you've got to do good vulnerability management. You've got to scan for vulnerabilities routinely and get patches in place. That ransomware incident that affected the German hospital, I believe they knew about the vulnerability in December of last year. That's over nine months where they could have put that patch in place as a priority and blocked that from ever happening. So basic vulnerability management taking backups so that you can recover when something happens, but not just saying, oh, yeah, we take our snapshots actually testing that recovery plan, put your team in a room and say, OK, you don't have access to primary systems, get the system back up and running in a day, see what they learn. They will learn a lot and it will help them better define their incident response plan for a real event related to that whole tabletop exercises so that you know how you might respond to things.

Stoddard Manikin: [00:30:22] And you can flesh that out not just from a perspective, but the entire organization, including legal and communications. I think network segmentation is also a very beneficial thing, because what we saw recently were another international chain of hospitals was affected. They had to shut down all of their systems globally with good network segmentation. You can isolate where the infection is and the spread of it so that it can't get beyond that localized location without good network segmentation. You're going to be shut down for a while across your entire set of locations, and that's not the best position to be in. And finally, helping your end users with better training around fishing, because, like I said earlier, that is the number one threat vector for introducing ransomware. They have access to your system already. And if you get in through an end user who happens to have administrative access, then the game is basically over anyway. So I think that those are the key things for prevention, the vulnerability management, the backups, the the tabletop exercises, good network segmentation and fishing training.

Brian Selfridge: [00:31:30] So I want to talk a little bit about budget and resources for that, those type of preventative activities. Now, without speaking for your organization specifically, because I know that that's not where we won't go there. But I know you talk with a lot of your peers in the industry and see what they're up to. Do you do you feel or get the sense that the healthcare systems of the world are getting adequate budget, resources, technologies, whatever it may take to implement those prevention measures? Or do you think we have we could do more to to sort of drum up investment in those areas?

Stoddard Manikin: [00:32:00] I think there's an imbalance. I mean, a national chain of health care hospitals is going to have a larger budget to play with than a small community provider. And that's just the reality of the situation. But I think that that's where you need force multipliers because you can't do it all. You can't be your own private security police force with a single or even just a couple of locations and a team of one or two people. You've got to look for services that you can use beyond just the H-ISAC. You've got to find some some off site security providers. You don't have to spend an arm and a leg to do it either. You can figure out what are the key things I need help looking for and just get that.

Stoddard Manikin: [00:32:42] I also don't think that everything is solved with a new tool in the security space. We have sort of an odd ecosystem because all of these startups are trying to solve one problem and security. And if you keep buying one tool for each problem, you end up with a shed full of tools and there's no way you're going to have the time to use them all. So as an industry, I think we've got to mature. And what we typically do is we wait for the smaller fish to be eaten by the sharks and we try to limit the number of vendor relationships we have and tool sets we have and we ask the vendors to integrate those things.

Stoddard Manikin: [00:33:22] Now, if you've got a significant vulnerability that needs to be addressed, we're not opposed to going out and buying a one off solution or point solution. But in general, we don't want a proliferation of twenty five plus security tools because you're just not going to get the value out of that. I think it's much more important to focus in on the top five and 10 of your security tools and the intelligence that those provide and do correlation. And that also does not necessarily take a huge investment. There's even plenty of open source security tools or very low fee security tools that you can use. So as an example, you can automate Google searches to scan your own organization's website for the word password. And it's amazing that you will find tipsheet being posted by you or your partners that say here's the way that your password will be. It's a format that just shouldn't be a giveaway on the public Internet and that doesn't cost anything to set up that Google alert. So there are creative ways to do it without worrying about budget. And at the same time, we've also got to continue to invest where the risk CyberPHIx.

Brian Selfridge: [00:34:27] I love the the cost-effective solutions because there are a lot of tools and most of them are expensive. One of my favorites is the password filters that you can plug into Active Directory, for example, that just stop you from making stupid passwords like the same way it alerts you if your password is not complex enough. OK, that's easy to do. But if it stops you from making the password of your OrganizationName123$ or something even even more simple than that. That's actually when the more complex ones. But they don't cost much, don't, don't have a lot to implement. But geez, if we did that wouldn't we be in such a better, better place. So are there any other resources now that have to be cost effective? But we talked about HIPAA, we talked about a couple other areas. Where would you point your peers, your colleagues to tap into some of those collective team based resorts as you use it? How do we how do we leverage folks outside of our organization around ransomware, but maybe even more broadly, anywhere you could point us?

Stoddard Manikin: [00:35:25] I think everybody has their own personal preferences, and I don't want to promote any any single platform. But I think that there are places on commercially available tools that have discussion groups that are very beneficial. There are automated alerts that you can configure for news updates and major vulnerability analysis. Even the federal government now has alerts related to medical device advisories. I get one about every day that this medical device has been has been announced that they have this vulnerability. And so now we have a response plan that takes that message. Figures out, do we have that type of medical device in inventory, is it deployed and does it have the corresponding operating system and model number to be vulnerable? And if so, we go address it with the vendor, and if not, we check it off the list and move on. That doesn't cost anything other than some time.

Brian Selfridge: [00:36:21] Fantastic. Well, I wish we could talk for days and days, and we have it in some cases on on these topics. But but out of respect for our listeners, we'll try to wrap things up a bit. So. Well, any closing thoughts you have for the ransomware topic, prevention response, anything else that you'd like to sort of share as some takeaways for for your peers and for the industry more broadly?

Stoddard Manikin: [00:36:45] I don't think ransomware is going away any time soon. It has proven to be highly lucrative for the people who use it. And so we do need to focus on prevention, but also be ready with response plans. So define your plan in advance. Have retainers in place with a good security resource in terms of doing forensic analysis and recovery, have contacts at law enforcement on speed dial and crisis communications, and just be ready because it will happen to all of us at one point or another. It it just varies on how widespread the impact will be. And the wide spread portion of it is really up to each organization as to what preventative controls they have in place.

Brian Selfridge: [00:37:26] Wonderful. Well, thank you so much Stoddard. This has been a fantastic discussion on on ransomware as it as it exists right now, at this moment in 2020, I'm sure it will continue to evolve. So we'll keep tabs with you on how this plays out over time. So I'd like to thank my guests. Stoddard Manakin, Director of Information Security for Children's Healthcare of Atlanta. Stoddard, thank you so much for taking the time for us. Great insights.

Stoddard Manikin: [00:37:46] My pleasure. Brian.

Brian Selfridge: [00:37:52] Again, I would like to thank my guest Stoddard Manakin for sharing his insights on ransomware attacks and protection mechanisms. The impact and importance of information security programs has never been greater as we face these escalating attacks on our critical health care infrastructure. I learned a great deal here from Stoddard on ways to protect ourselves and the patients we serve. And I hope you have some actionable takeaways from the discussion as well. As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about a thought leader you'd like to hear from. Our email address is [email protected], Thanks again for joining us for this episode of the CyberPHIx. We look forward to having you join us for the next episode coming up soon and maybe the next 50 episodes after that. Thanks so much.