Ransomware: Is There a Technology Solution to Protect Healthcare Data?

The year 2021 has been a tough year for data centers, as the curve of ransomware attacks looks more and more exponential. In June 2021, one of the most prestigious healthcare institutions in the United States, Scripps Health, revealed the details of a ransomware attack it had sustained the month before.

Technology to counteract and mitigate the effects of ransomware attacks is in a never-ending arms race with cyber-criminals who launch ever-more sophisticated attacks, recently impacting American’s energy infrastructure (the Colonial Pipeline attack in May 2021) and a variety of other vital online services (the Solar Winds attack in December 2020).

In an effort to understand this technological arms race, and how healthcare companies can protect themselves in 2021, I interviewed Jim McGann, vice president of marketing and development at Index Engines, a provider of anti-ransomware technology. The interview was conducted on June 2, 2021.

A Data Integrity Approach in Healthcare and Beyond

MedicalTechnologySchools: I’m curious to know if there is a technology that can tip the balance of power back towards the defenders, away from the attackers. And it sounds like you’ve been doing a lot of thinking about that.

Jim McGann: It’s a big business right now. And there’s been a rise of ransomware as a service industry. You can execute an attack on someone like Scripps or a healthcare organization with zero knowledge. You can call a company that will do all the dirty work for you, and they’ll split the ransom with you as well.

Supposedly, some of these recent attacks were done as ransomware-as-a-service organizations. They’re all located in Russia, North Korea, and China. There are really no repercussions to these people. They’re also proected from that because they’re not really doing the attack themselves. They’re providing a service to others that are executing the attack.

I was watching an interview recently where, after one of the attacks that occurred, the representative from the federal government says, “You don’t realize this happens every day of the week, to almost every company, because it’s just so easy to execute these attacks.”

And a lot of organizations like health organizations have embraced the internet and these open networks to communicate with partners and suppliers and satellite organizations. Those are not as secure. Trying to secure and protect the environment is absolutely critical. But with organizations using the internet and connecting to partners, and collaborators, and so on, that becomes a challenge.

It’s really about constantly checking the integrity of the data. Because what we’re seeing in organizations is that these attackers get in there, and there’s a notion of dwell time. The dwell time is the time that they get in there, and they’re sitting inside your network before they start executing an attack.

And their dwell time is getting much longer. They’re looking for sensitive content, for patient records and medical records, and things that they could hold hostage and ransom and threaten the organization. And if someone like Scripps or a healthcare organization has thousands and thousands of sensitive patient records, extracted from their data environment, and is threatened with a ransom, the organization really doesn’t have a choice: either pay this or we’re going to publish this information.

And you have HIPAA and the California Data Privacy Act—[publishing sensitive data] really could cost organizations significant fines. Organizations have spent a lot of money on these real-time security solutions, which are critical, but we know they’re not 100 percent effective.

So let’s constantly monitor the data integrity and understand when they start to execute an attack, be able to recover the data, and stop it very quickly. It’s kind of a last line of defense, saying they’re already in there, but when they start encrypting or corrupting records or files, know that they’re doing that, and be able to recover by replacing it with a good version that’s a protected environment.

MedicalTechnologySchools: It sounds like intrusion detection technology that I’ve written about in the past. But knowing you have an intruder, and acting on that, are two different things. How do you then stop the intruder from doing further damage now that they’re in?

Jim McGann: A lot of the attacks can happen over a long period of time. You want to minimize the time of that attack, minimize the time that they are corrupting, stealing data, and so on.

The other piece is to really understand what they’re going after. There are cybercriminals that can go in and change passwords to critical systems, can destroy backup copies of data, and so on.

What we have the ability to do is to search this data to see if they’ve planted any of those files in there. The real-time security solutions are looking at signature-based files to see if they’re there. They’re already doing that.

When [cyber-criminals] fail is when they start to execute and their fingerprints are all over the data, and they start touching the data. That’s what we’re focused on: looking at the data integrity and seeing if there’s unusual behavior going on and stopping it very, very quickly, versus having it go on for days or weeks.

I don’t know how long Scripps was down, but it seems like they were down for a very long time. Someone like Colonial Pipeline was down for 12 days before they started bringing their environment back up and running. And it wreaked havoc on the East Coast gas stations.

Getting a business operational as quickly as possible to avoid that interruption—but then also looking and seeing what files were touched and what they actually got access to—is important as well. Keeping them out is getting next to impossible. It’s trying to minimize the damage of what they’re doing.

Information Technology Turns to Air-Gap Backups for Protection

MedicalTechnologySchools: I wrote about a cybersecurity company last year that was touting air-gapped backups, so the backup copy isn’t actually on the same network that the intruders are. That sounded interesting. Is that a viable defense against ransomware?

Jim McGann: Very much so. If you think of your home, and you have valuable documents, insurance policies, jewelry, things that are very important to you, and if you feel like you live in a neighborhood that’s not safe, where you feel like someone will come in and steal it, a lot of people put that in a safety deposit box at a bank. It’s out of the house; it’s isolated; it’s protected.

It’s the same concept in air-gapping: to take your critical data assets, your network infrastructure, your critical files, critical databases that run your business, and put it in an air-gapped, isolated vault, so the cybercriminals don’t even know that it’s there. It’s really hiding off the network and securing it.

We have a partnership with Dell Technologies to provide this cyber-recovery vault, and what our product, CyberSense, does is check the integrity of the data. Does it look like the data has been touched and modified by cybercriminals? And if not, then your customer has confidence that they could recover very easily.

If [the data has been modified], that’s when you have an alert. Immediately, you would say, “Hey, it looks like there’s some corruption going on, and they’re starting to attack the data. All hands on deck! Let’s go and shut this down.” The beauty of that is, as you make it more difficult for cybercriminals to successfully execute these attacks, they’re going to move on to somebody else.

There are other people that have fewer types of protection. The air-gap or the isolated vault is a very solid solution. It’s really creating a reliable, secure environment to protect your critical data assets. We were partnered, as I mentioned, with Dell on that. It’s doing very well.

With Solar Winds, which was an attack that happened in December, they were in the federal government since March of last year and detected in December. So what were they doing? What did they see? What did they get? Still, nobody knows the answer to that. But you know they were there for a long time.

MedicalTechnologySchools: The story I wrote about air-gap technology was about a hospital in Indiana: Rush Memorial. When they got the federal cybersecurity warning last October about protecting backups, that’s when they brought in this technology. If it’s that good, why would people not be rushing to buy something equivalent to that and putting it in place now?

Jim McGann: Well, the strange thing is, we talk to a lot of customers, and they drag their feet, do their research, and they make slow decisions, and then something like Scripps happens, or something like Solar Winds or Colonial Pipeline, and they get fast-tracked.

Because of Covid and because of work from home, these projects just are slower than they normally are.

The Role of the Dell Cyber Recovery Vault

MedicalTechnologySchools: What role does Dell play? Are they a distribution channel? Are they a technology partner? Help me understand that.

Jim McGann: They have a product called their Cyber Recovery Vault. It’s exactly as you say. It’s an air-gapped, isolated vault. It’s a piece of hardware and software that basically grabs your critical data assets off of your production network and pulls them into an isolated vault. It then shuts it and air-gaps it off the network. It does a bunch of other things like applies retention locks, locking the data down so nobody can get access to it.

And our partnership with [Dell] is our CyberSense product. Once the data is isolated, the vault scans it to check the integrity and to make sure that it hasn’t been corrupted because the fingerprints of what the cybercriminals do are pretty similar: data corruption, data encryption, etc. They change extensions, so we use machine learning and analytics to basically process it and come up with a red light/green light. If it’s a green light, the data looks okay and we’re confident to recover it—or with the red light, it looks like there are signs of corruption, so you need to start a recovery process.

MedicalTechnologySchools: What assurance does this give a customer?

Jim McGann: Our product is tested on a continual basis against all the common trojans, malware, and ransomware that exist. Based on our tests, we have a 99.5 percent level of confidence that the data will have integrity.

We also analyze the analytics from different customers to look for unusual behavior. We’re sharing that knowledge to be able to help find these types of corruption as early as possible.

No one is going to guarantee 100 percent because that’s just not possible. So far, we have had customers that have had attacks and have recovered successfully. We do know that it works.

MedicalTechnologySchools: Have you had any customers where the recovery was not 100 percent?

Jim McGann: Not that I am aware of, no. The challenge that people like Scripps and others have is when your network infrastructure gets destroyed. Rebuilding that from scratch [is difficult].

The second thing they’re putting in there are databases, like Epic Cache, Oracle, or SAP databases that run their business. Checking the integrity of those, and being able to put those into production with confidence—all that can happen within hours or a short number of days versus weeks and months. That gets a business operational. If you have a confident copy that’s been integrity-checked and you’ve got a clean backup of that, rebuilding the business is much, much faster.

Cloud Considerations in Protecting Healthcare Data

MedicalTechnologySchools: What about cloud architectures and hybrid architectures?

Jim McGann: Our product can run in the cloud and scan data sources in the cloud to be able to check the integrity there. There are a lot of hybrid architectures, where you could have a local cloud in your data center that’s managed by people like Dell, Amazon, or Google to keep it secure.

And maybe some companies need to get out of that business of running an IT data shop and let professionals do it. People like Dell announced this whole Apex-managed cloud service for customers. Maybe that’s the future, but we have the capability to run in the cloud and check the integrity of that data as well.

It’s heading more to a distributed or some type of hybrid architecture, which includes cloud and on-prem. It’s just hard for customers to change that dramatically.

And most of the cyberattacks that we’re seeing are happening on-premise, so maybe that is going to push people to rethink the cloud and is going to drive cloud activity.

MedicalTechnologySchools: Do you see any drawbacks of going to a cloud data center?

Jim McGann: There are a lot of different models in the cloud, where you’re on different shared servers and so on. As long as you have dedicated and secure servers and are comfortable with that level of security, I don’t think there’s really a downside to it anymore.

We had a customer that got attacked: a school system in California. And when they paid the ransom, they are added to a high-value target list. And then in the meantime, since the first attack, they put in our product and got attacked again. They had backups that were clean and recovered very quickly, without paying the ransom. They haven’t been touched since.

If you build a resiliency strategy, whether it be on-prem or in the cloud, that makes it hard for them to do their job, to attack you, and get ransom out of you, [cyber-criminals] are going to move on to somebody else.

I talk to a lot of local hospitals or local school systems that don’t have IT budgets to really protect against these terrorists. The cloud is a better solution for them than trying to build something on-premise.

Ransomware File Corruption Explained

MedicalTechnologySchools: How does your company detect file corruption?

Jim McGann: We do a full content analysis of the file. We open up every file and database and look inside and see what’s happening. Because we know that cyber-criminals could do a very light-touch type corruption. They could append “.lol” or “.encrypted” to a file name. They can encrypt the file and things like that.

But what we’re seeing now is that they’re hiding their tracks and they’re going inside, embedding encrypted content inside a PDF, encrypting a page of a database, or using valid file extensions. They do not want you to have access to your data. They want it to make as difficult as possible for you to use your data because that’s the way they can extract as much money from you.

We’re seeing customers that have had a very light-touch basic metadata scanning. Cyber-criminals get in the data center and see that they’re using those tools and go deeper.

In terms of data resiliency—and that’s our claim to fame—you need to be able to open it up and inspect inside the file and look to see if it’s intact. So, for example, you could read the header of a Word document or a PDF. The header will tell you what the true file type is. Is this a “.doc” type extension? Is it a valid [file extension] or not? And it’ll tell you the structure of the file as well. Is this structure intact, or is there some strange behavior going on in here?

By reading the header and doing content analytics, they can’t hide from that. They can’t hide and do any other type of corruption that wouldn’t be undetected there.

MedicalTechnologySchools: You’re going to catch things that start small and take a little while to work.

Jim McGann: If you were the person responsible at Scripps for data protection, for backup and disaster recovery, and you came in on Monday morning to that disaster, your challenge is: how do I rebuild? Where’s my good data? And so on.

CyberSense would say that the Tuesday backup, for example, has corruption and you have a problem. You’re in crisis and recovery mode from that point on. And what CyberSense will tell you: here are your last good backups. Get them into production as soon as possible.

But what happened at Scripps and other companies, I’m suspecting, is that they came in and they said, everything’s shut down and locked. We need to rebuild the networks and buy the last good backups, but we don’t want to restore them into production. We need to create a cleanroom. Because if they’re bad, we don’t want to put them in production.

So, create a cleanroom. Set that up: new servers—clean servers—get them installed and set up and running. Start restoring what we think are the good backups. It’s a guessing game. Check to see if they’re good. If they are good, then move them into production.

CyberSense eliminates that process. [It says] these are your five last good backups that need to be recovered for the corrupt data—just replace what’s in production and get back going again. It’s the idea that you know when it happens within the backup cycle, and they can start small.

Coordination Between Security Vendors

MedicalTechnologySchools: We already have too many security products. When there’s a common threat, I don’t always see those vendors rallying together.

Jim McGann: That’s where the cloud is interesting. The cloud creates an elastic ecosystem of these partners that can work together. And you could really apply their resources, either independently or together in some way to your data environment.

I know of some companies that are more in early stages or think tank mode, where they’re taking all the MD5 signature-based scanning tools, 20 or 30 of them, aggregating them together, and then adding some of their own security stuff, and doing that as a single scan.

There are vendors that are taking some of that stuff and pulling it together because those signatures are published. But in the cloud, you’ve got the big guys out there. And Amazon AWS does a lot of that. They have a lot of security tools that they put up that you can deploy or not.

That’s the future: not having 75 security applications, but a robust cloud environment or robust security platform that’s going to apply all that stuff.

The Future of the War on Ransomware

MedicalTechnologySchools: Where do you see the future for this? Is there any cause for believing that we will somehow bend the curve of ransomware?

Jim McGann: It’s a combination of technology and some of the other political and financial stuff that’s going on. It can’t be just one thing. It’s a bunch of bad actors that are funded by governments. You’re seeing terrorist organizations using it now. We’re not even catching up. They’re so far ahead of us in terms of what they’re doing.

I know organizations that have published their security strategy and made their customers feel secure. The next week, they were attacked and shut down. Some companies suffer from that long-term. Technology solves a lot of problems, but it’s a combination of technology, with a lot of political and financial pressure onto these organizations, that’s going to stop it. It can’t be just one thing.

MedicalTechnologySchools: Do we have to have something even more outrageous than Colonial Pipeline? Now we have the slaughterhouses, with meatpacker JBS. When do we get to a point where people say enough is enough?

Jim McGann: When it starts impacting everyday citizens, and you’re lining up for gas, it becomes personal. There are many attacks that have happened that you haven’t even heard about. They just keep it on under the covers.

I’ve seen attacks in plastic surgeons’ offices, where they’re threatening to publish plastic surgery records, and that’s embarrassing. No one’s going to go back to that doctor. When it becomes very personal for people, and when it increases your gas prices, or if on the Fourth of July, no one can buy hamburgers, then people just start screaming about this stuff.

My biggest fear, honestly, is infrastructure. And if they start shutting down the electrical grid and the water systems, that scares me. I don’t think that your water company or your electrical system has the cyber-resiliency that they should.

Scott Mace
Scott Mace

Scott Mace has been writing about technology for 40 years, and about technology's role in healthcare for the past 20 years. He served as a senior editor at InfoWorld in the 1980s and 1990s, and as technology editor for HealthLeaders Media from 2012 to 2017.

He studied medical writing at UC San Diego Extension and won a Neal Award for his healthcare journalism work in 2015. (Twitter: @scottmace)