BY LANDON WOODROOF
Information security expert Mark Fulford said there is no “silver bullet” to protect 100 percent from cyberattacks like the large-scale ransomware one that spread across the globe last Friday.
There are, however, concrete steps companies can take to keep their data out of harm’s way.
Fulford works in the Information Security division of the professional services firm LBMC, which is headquartered in Brentwood. Clients hire Fulford and others in his 50-person division to audit their security systems.
“They will hire us to penetrate their systems to perform phishing to identify vulnerabilities and report on those vulnerabilities so they can use their internal resources to shore things up,” Fulford said. Phishing is the term used for the sending of fraudulent emails designed to trick people into turning over things like credit card numbers or passwords.
The majority of information security work Fulford does is for healthcare providers.
Hospitals in the United Kingdom were hit particularly hard by last week’s WannaCry ransomware attack, which locked computer files and demanded a $300 Bitcoin payment to unlock them.
An article from The Guardian detailed how the attack left some doctors unable to access patient records or perform x-rays, delaying potentially life-saving medical intervention.
Healthcare companies are especially enticing targets for cyber criminals for a couple of reasons, Fulford said, mainly due to the regulatory history of the healthcare industry and the type of information hospitals and other similar facilities handle.
Brentwood, of course, is a healthcare hub, with major hospital systems such as Community Health Systems and LifePoint Health based here
Fulford said security regulations for the healthcare industry are a relatively new phenomenon, which has left places like hospitals playing catchup.
“As compared to other industries, it’s really only fairly recently that there’s been significant regulatory activity around security and healthcare,” he said. “When you combine that with the fact that we’ve had rapid adoption of electronic medical records and new technologies that leverage the data in those types of systems to provide care it really sets up healthcare to be a prime target for these types of attacks.”
In addition, health care facilities have uniquely high-value information stored in their systems.
“You literally have life safety issues if you don’t have access to that data,” Fulford said. “You have weak security and high value data, which makes it more likely that an organization will pay a ransom.”
The plethora of different access points for ransomware at hospitals also presents a challenge. As Fulford explained, it’s not just desktop computers that can become infected. Many biomedical devices found in hospitals are in effect computers.
“Even a hospital that’s doing a relatively good job internally, if their vendors are not doing a good job with some of these biomedical devices, then the compromise can make its way into those devices as well, which can be pretty devastating,” Fulford said.
Even a single security breach can be devastating because of the nature of the malware attacks. They are what is called “wormable” which means that once it gets onto one device in a certain network it can move across the network, infecting even file servers and hosts that store data.
Fulford said ransomware attacks have been increasing in recent years mainly because they are so successful. The WannaCry one had infected over 300,000 computers in at least 150 countries by the start of this week.
“There are a large number of companies that are not prepared with good backup and they have few options but to pay the ransom,” he said. Once that happens, the people who propagated the attack can use that money to develop malware that is harder to counter.
“We’re seeing more and more unfortunately because they’re doing it more and more because it’s effective and profitable,” Fulford said.
Indeed, NBC News reported Thursdsay that some companies are “stockpiling” bitcoins so that they will be able to quickly regain access to their files in the event of a ransomware attack.
As for what companies can do to defend themselves, LBMC Information Security has prepared a Ransom Preparation Checklist with steps for protecting data.
One item on the list calls for vigilance toward known security flaws in computer software. WannaCry, for instance, exploited a known vulnerability in Microsoft products for which there was a fix, or patch, readily available.
“If people had been diligent in applying those patches those machines would not have been susceptible to this attack,” Fulford said.
Companies can also make regular backups of their data to protect themselves.
“A data backup is a quick way to recover from a ransomware incident,” the checklist reads. “Performing regular backups ensures that a current backup of your data will be ready at a moment’s notice.”
Whatever challenges may await security experts like Fulford in the future, as criminals innovate new ways to assail computer networks, the reality of the digital world in which we live is unlikely to change.
“The horse is out of the barn in terms of our medical records being digitized,” Fulford said. “It’ll just be up to organizations in the private and the public sector to come up with ways to continually enhance our security and ensure the privacy that everybody wants.”