"More than 11% of ransomware attacks are targeted at healthcare”: Aimee Cardwell

The pandemic led to rapid digital transformation in the healthcare sector. But that also increased the sector’s vulnerability to cybercriminals. Hospitals, pharma firms, healthcare companies and insurers have all faced increased attacks, since healthcare data can fetch handsome sums when sold on the dark web. In an interview, Aimee Cardwell, chief information security officer (CISO), UnitedHealth Group, explained how vulnerable the sector is and what it needs to do to prepare. Edited excerpts:

Do you see a major gap in the security posture of companies in India as compared to those in the US?

The difference is not just between the US and India, but also between South America and many other different markets. It is incumbent upon each company that holds data of patients or partners to keep it secure, no matter which market they are in. Sometimes it is safer to have data in pen and paper, but then you are not serving the patients as well. It is complicated, but it is important for us to ensure that we are bringing best practices to protect data in every market we are operating.

How are you fighting the increasing ransomware problem?

More than 11% of ransomware attacks are targeted at healthcare. It depends on where the attack happens. If it happens on an individual's computer, which is often the case, those are not hard to defend. It requires us to filter emails before it comes in. More than 90% of emails that come to our servers get discarded as most of it is malware or ransomware. It reduces the burden on individuals to not click on the wrong link. But that burden on individuals is also important as sometimes that filter may miss some emails. Education is an important aspect of it.

It's also important to watch the system so that we can isolate something that we detect. We want to keep the blast radius as small as possible because lateral movement is one of the things that makes it worse.

Do you think companies should pay the ransom when they fall victim to such attacks?

Most companies do pay the ransom, but most of them don't get their data back. It's like negotiating with terrorists. You can't trust them. Even if you give them the money, most systems will not get restored. Only 60% of them are restored in most instances. 

Many companies are attacked again by the same groups. Companies should think about what would happen if they are caught in that situation and spend money on preventive measures instead of paying the ransom.

How can healthcare companies minimize disruption after a ransomware attack?

The best way is to have backups more frequently. We are talking about backing up (data) on an hourly basis and not months or weeks. The more regularly you are backing up your data, the less likely disruption will be. We used to think, the best way for disaster recovery is to have two nodes- active-active. If one node goes down, you switch over to the other one. The problem is if one of them is hit by ransomware, since they are talking all the time, they both go down. So now, we are thinking about having a second node that is ready but not active. In case of an attack, we isolate the first one to limit the attack and bring up the second one.

Is the need for security pros growing? Are there enough security professionals available?

Unfortunately, there are not enough cybersecurity professionals in the world. There are more than 3.5 million open roles globally right now and it is only projected to grow. It is one of the reasons why our team is global. But if you are running a small hospital, you may not have access to the same talent.

What about IoT devices used in healthcare? We know they can be vulnerable; doesn’t that increase threats?

It is not difficult to secure IoT devices. It is just not done. It is important to know where all the devices are. There are all sorts of software that can look at all the network traffic and which device is sending traffic. We also know that IoT companies are not updating their software, knowing where the devices are can help in preventing something bad from happening. So, if a glucose monitor is suddenly sending something different from what it usually does, it is a red flag and our systems alert us instantly about it.