The Vicious Feedback Cycle of Ransomware and Insurance

Cyber insurance is motivating the black hats to pursue more ransomware attacks. Much like piracy in the Gulf, knowing there is insurance, and requesting a fraction of the insured worth means it is in the best BUSINESS interest of insurance companies to pay the ransoms, which creates a terrible cycle of destruction and costs. The pirates/criminal know the money is there, all they have to do is write the ransomware.

As is the norm in such cases (like piracy) it will require a government to step in and enforce a contractual policy through force. The government must mandate non-payment, which insurers will lobby against. If payment cannot be made, the government will be required to intervene to protect the business assets of the insured and insurance company or a black market will develop to pay the criminals.

If the government doesn’t want the insurers to pay the criminals then the government will need to have an actor (military etc) take action to discourage releasing ransomware. This will not stop the use of ransomware, only decrease the frequency and increase the intensity, just like piracy.

Unfortunately, this will not increase demand for highly qualified cyber security and risk personnel, who can help prevent successful attacks, it will merely increase the size of the insurance market. Consumers, as always, are a secondary consideration, and critical mass affect assets such as health records will be the biggest target, as in any terrorist style criminal activity. Criminal know they need to pick big targets if you want a big payday.

HIPAA security officers need to prepare for this impending increase in risk more than any other industry, because you’ve got the most to lose.

Unauthorized Data Transmission by Hospital Applications

As reported in Network World and from our own observations, there is a bit of trouble with unauthorized outbound information transmission from a variety of systems and software on business networks, including healthcare. Healthcare Providers are particularly susceptible to this, because they have more systems per installation than any other form of business.  Most of the problems are covered in the article link above, so we’ll focus on the two that aren’t, and then talk about what we can do to help.

As discussed in the article :

  • Security devices and systems transmitting configuration data and other information without consent or notice.
  • OT devices like MRI machines and other systems, misconfigured or with their own security problems.
  • Desktop operating systems like Windows 10, which is obnoxiously chatty with high risk components being transmitted.
  • Rogue devices brought in by employees with good intentions, which unfortunately are not secure and transmit all sorts of good data.

Then there’s these:

  • Applications, misconfigured or configured with malignant intentions in an unauthorized fashion by companies with poor practices or ethics.
  • Good intentioned or bad intentioned users, transmitting all sorts of company data.

Email leaks are bad enough, but when systems and authorized users are transmitting data without our knowledge, it’s a serious blind spot. YOu can implement some form of data loss prevention, which should catch the leaks over common channels, but what about the systems and applications that are authorized and more difficult to find?

For these unauthorized data transmissions by personnel, you need manual review and monitoring. To catch data theft by systems personnel, you need to capture their activities and then validate them during or after the fact for bad activities.  We’ve observed major players in the electronic medical records business transmitting large amounts of patient data back to their company systems without authorization.  That needs to be squashed when it happens, so implement a process to make sure it doesn’t happen to your company.

For unauthorized transmissions by systems, you also need monitoring, but because it’s part of the overall activities, you can’t just watch when it’s happening, because you don’t know when it’s happening.  For this, you need to capture and analyze traffic and build up a knowledge of what is normal so you can spot anomalies.  It’s usually easy to profile an application and then locate any strange activity.

If you want some reassurance that your processes are catching everything, or you don’t have the resources to manage the verification process improvement on your own, please call us.  Finding needles in haystacks is kind of our thing.  We’ll be glad to help you figure out your needs and then map out business process improvements to cover them.

We’re the best at finding evidence of bad actors on your network.  Call now 610-810-1727 or email us at sales@ .

Congratulations

to the big man himself for passing the HCISSP exam on the first try! Liticode considers the HCISSP a necessary standard for working on HIPAA and hospital security and litigation consulting. No cert is too much of a reach for our valued clients.

Identification Identity Crisis

Should organizations require and validate a government issued form of identification before granting network access? It’s easy enough to do. Costs a bit for the comparison books and an hour of training, but it will catch the majority of bad identification.  Of course, what to do with it after you’ve caught it…

But how much bad identification, as opposed to high quality forgeries, is seen in any business? No data.

More importantly, as has been pointed out by some bright people in the industry, the secretary is not a security guard, and the security guard is not a security professional.  Some small percentage of false identification is going to result in violence.  Better the guard than the HR representative.

Regardless of whom, outside of the government, nobody without a Treasury department background is going to catch the good forgeries.  So we can at best reduce a risk, but not eliminate it.

Given the possibility of violent confrontations, would a business be better served by a validation after the fact? It depends on the business, but in general, giving network access to the bad guys for any amount of time is a bad idea.

How do you test effectiveness when the mere act of copying a form of identification can be a Federal crime?

It makes perfect sense, wanting to identify persons with access to the network, but the process does not make perfect sense.  In the meantime, businesses will go on accepting fake identification and getting taken by fake ID holders.