Ransomware and Controlled Substance Security

Ransomware and Controlled Substance Security with Gil Vidals, CEO of HIPAA Vault

With ransomware attacks on hospitals increasing, there is a need to learn more about mitigating those attacks. They can have devastating effects on patient safety in addition to the well-being of the facility. We also need to be aware of risks to our controlled substance security. Something you may not initially think about, but exceedingly real. In this podcast, we talk about these issues and provide some suggestions for both mitigating ransomware as well as controlled substance diversion during these vulnerable times.

Transcript:


Terri
Welcome back, everybody. Today’s interview topic is Cybersecurity ransomware and how it affects controlled substance security. My guest is Gil Vidals, and yes, we are related. Gil is the owner of HIPAA Vault, and I will let him describe what his company does because he does it so much better than I do. Welcome, Gil. 


Gil
Yes, Terri, thank you for having me on today. It’s a pleasure. Hipavault, the company that I manage, we focus on securing patient and protected health information, primarily in the cloud. And we do have hospitals that are directly our clients, but we have a lot of healthcare app developers that make an application for the medical community, and then their clients are, in turn, the hospital. So either directly or indirectly, we do have quite a few hospitals as our clients, and we do have physical data centers, but we’ve been migrating a lot of clients into the Google cloud because I feel that’s a very secure footprint. 


Terri
Okay, great. I know I’ve been hearing a lot about ransomware attacks on hospitals in particular, because that’s where my area focus is. But have you seen an increase in ransomware attacks on hospitals in general? 


Gil
Yes, if you go year over year and you go back many years back and look forward, you’ll see that there definitely has been an increase. Now, in 2022, there were about 290 hospitals that were affected. Now, some of those are chains. So if you then multiply by the chains, and the biggest one was Chicago based Common Spirit, rather. And they had over half a million, I think, 600,000 patient records that were compromised. So it’s a pretty large footprint to be able to take that many patient records. 


Terri
Yeah, that’s right. I had forgotten about common spirit. I spent a little bit of time there and still have some contacts. And yes, I do remember having a brief conversation with somebody who was knee deep in all of that and sorting that out. So let’s talk about that. The whole ransomware business, based on the knowledge that I have with Cybersecurity and experience working at facilities, I feel like it’s kind of dependent largely upon the employees and what the employees are doing. Right. So they would send out these test emails, and then if you opened some email or attachment, you’d get this response like, oh, you failed the test, which, okay, it’s a test, but when it’s real, then that could have some real effects. So, in fact, I recently spoke to it was a COO of a hospital, and they were expressing to me that they had gone through some training in their district, but prior to that, they had opened an email and failed the test. 


And this is a COO who’s very aware of what ransomware can do, and yet they failed the test. Right. So how does one go about mitigating that when you have sometimes thousands of employees that some care more than others and some are more diligent than others? Is it dependent upon your people? And if it is, what can a hospital do to mitigate that risk? 


Gil
Yeah, you brought up some good points. Let’s unpack that a little bit. So first of all, hospitals, like any other organization or corporations, have what’s called a hardened perimeter. They’ll buy and spend lots of dollars on firewalls and IoT, Internet of things, monitoring, et cetera. And this perimeter can be hard. But once an attacker a bad actor, we call it in. The industry gets into the middle. The middle is mushy like a marshmallow. The outside is hard, but once you get past the perimeter security, they’re in. And by the way, that’s one of the reasons I like the Google cloud provider, because they assume that the attacker is already in. They make that assumption from day one. In any case, think about it from this point of view. If the bad actor is trying to get into this very hard shell, into the middle where all the patient records are, where it’s soft and they can get in there, then a lot of times they will use social engineering to get in. Why? Because they bypass the hard shell. So social engineering means exactly what you’re talking about. They send an email that the employee at the hospital looks at that email and they open it, and then they click a link and then it affects their computer. 

Now, think about it from this perspective. The employee is already inside. They’re inside the perimeter of that firewall. So the firewall was completely bypassed. Now, fundamentally, Terri, what’s happening is that human beings, we’re very curious people. If you walk into the bathroom to wash your hands at the hospital and you look over and you see a little USB key, you would be curious, as most human beings are, you have a choice to make. You take the USB and you deliver it to the It department, which is the right thing, let them examine it. But many people are like Curious George. They take the USB and they push it into or plug it into their desktop computer. They’re curious, hey, what’s on this thing? The moment they push it in, it triggers the software that’s on there to be installed on their computer. So that’s one way. 

Now, you were talking about email and phishing simulation is very important. It’s like practicing. If you don’t have those regularly every week going out to your employees, then you’re not going to be able to train them. You can’t train them by taking a learning module or by reading a document. And don’t get me wrong, let me back up for a second. Learning modules are good and they’re useful, so I don’t want to go the wrong direction there, but once you’ve taken the learning module, that explains what to do and what not to do. Now you need to practice. Now you need to practice. So you send out the simulation emails and those are very helpful because the employees will get scored. If they click on it’ll push a module out to them saying, hey, you clicked on this link that was in your email and that wasn’t the right move. And it will follow up and explain to them what to do and what not to do. 

And I’d like to go over one more thing that’s happening in social engineering. The old school, kind of old way of doing it was in the parking lot. The bad actors would drop USB keys in the parking lot. So when you walk to your car at the beginning of your shift, or at the end of your shift, you’d pick up this USB, go, what is this? And maybe you take it home and plug it in. But now you could be on a VPN to your hospital. So you’re still in the network, even from home, but that still works in the parking lot one. But now what’s happening is it’s taken the next level. So now you might get a piece of mail delivered to you as a hospital employee. You open it up and what’s in there is a USB from Best Buy or from Fries or some other store that says, hey, congratulations, you are going to get this gift card. You have this gift card, we send it to you and we have a USB plug in the USB and see all the wonderful gifts and discounts that you can achieve by using this gift card. And people want the gift card and they want to see what they’re going to get. So they plug it in and boom. Now the malware is on the computer and there’s no alarms that go off, right? It’s just infected. Maybe if you had a really good malware detection on your system, you might pick it up, but a lot of times it doesn’t pick it up. And that computer, that laptop is now being compromised. 


Terri
So it’s another reason not to do your personal work, personal stuff while at work, right. Put that USB in your home computer. 


Gil
Right? 


Terri
I think is it possible to? Because I feel like I’ve heard that hospitals now are making it to where nobody can use a USB. That’s just not allowed in a hospital. Is that even possible on a computer to block that port? 


Gil
Well, I would say not. I mean, the computers all ship with the USB port. It’s really a lot of awareness. And there’s training, the Phishing training is good. There are laptops that you can get that have been pre configured. So, for example, Chromebooks are really well locked down. And Chromebooks could be a suggestion. If you have remote workers, you could say, hey, our standard, our policy is to just use Chromebooks or even at the hospital. The attack surface for Windows machines is huge. Why? Because most of the world uses Windows machines. So obviously the bad actors, they want to infiltrate the most common platform. That’s Microsoft Windows. So if you had Macintosh computers instead, that’s not as popular. So you’re going to have less of the bad actors on that. And if you go to Chromebooks, then you’re going to even have a little bit less attack surface. So that’s one way to help mitigate this is by not using the most common platform, which is Windows. Now, I know many hospitals are going to use Windows, but it’s something to consider these days. 


Terri
Right? Okay, that makes sense. All right, so what does this have to do with controlled substance security? It’s kind of an indirect thing. When somebody is hit by ransomware, then you turn all of your things off. Right? So you’re back to the old school manual. And I have heard firsthand stories of nursing staff working through all of the issues that come with this. Machines that are off for patient care, pharmacy staff working through all of the issues because literally everything is shut down and offline and you go manual. So clearly, patient safety is the number one thing. But most of us are used to going through our day, and we’re relying on that equipment that we essentially take for granted and processes that are in place, assuming that all systems are a go and life just goes on, and we take all of that for granted. 


But when all of that goes down, because either the ransomware has shut it or the hospital has taken the initiative to literally shut everything down so they can try to minimize and contain the damage, then we are left without all of those processes in place and all of those machines. So first priority, of course, is patient care. And once we can address that and kind of get that back online and let people know, okay, this is what we’re going to do in this case, this is how we modify, this is what we do, then we need to start looking at other things. And this is not ransomware, which I’m sure that Gil can attest to. This is not like a couple of hours of interruption. This is days that goes into weeks. And really, it’s months before you get everything 100%, because everything you did while you were offline needs to be caught up with and when it’s online, put back into place. 


So we’re talking a long time before all of this sorts it out. But get your patient safety issues, of course, in line. But then you need to start thinking about your controlled substance security. That needs to be addressed because think about it, during this time, controlled substance access is literally a free for all. Do you know what or if the meds made it from the pharmacy to the automated dispensing machine when all of your ADMs are offline, do you know if the nurse removing the medication has an order to remove all those medications? Since your ADMs are now on override non profiled, meaning they’re not attached to any actual orders at all, do you know if the nurse charted the medication as given? Since the electronic medical record is not active? So everything is on paper, do you know if things are being wasted? And are they still being wasted with witnesses? 


They got a lot of things going on, right? Are they still witnessing the waste? All of these same questions apply to anesthesia in the or. When they’re accessing and administering. Granted, your elective cases have probably been canceled, but there will be procedures that are not elective and can’t be transferred to another hospital. So essentially, controlled substance access is literally a free for all during these times. So once the dust settles and your immediate patient safety matters are addressed, then you need to start thinking about your controlled substance security. How do we do that? Well, we go old school. We go manual. And for those of you that are about my age, you know what manual means, right? You think back when we had handwritten orders that we had to check the charts for, and we would handwrite the Mars and use that. So that’s what we’re going back to. 


That means going up to the units looking for the patient charts, going through those patient charts, looking to see if there are orders for the meds that have been removed based on your manual printout of things that were taken out of your automated dispensing machine, looking to match that up. What’s the latest order? What did the nurse remove? Do those match? Did the nurse chart on the mar? And then if there waste that needed to be done, confirming that there’s a record of that waste in your manual report and doing the same thing from a pharmacy perspective, the meds that were taken to refill up on the floor, matching those up, it was removed from pharmacy. Did it make it to the floor? And I’ll tell you a little bit of a funny story. So the old schoolers will get this, some of the new ones, well, if you’ve been through a ransomware, you’ll appreciate it too. 


I was helping a facility that had a ransomware attack, and I went on site to help them do some random manual audits. And, boy, it was like bringing back a blast from the past. I had to search for charts, which I hadn’t done in years. And where’s 307? Okay, here it is. You finally find it after ten minutes. You’ve wasted that time, right? And I sit down and I get all situated and I start looking through and who comes along but a physician who has a chart to 307. It’s like, I do. So then you got to give it to the physician so they can do their thing. So now it’s like, okay, great. I guess I’ll go look for the next chart, and then the process starts over again. Then at one point, I was sitting there reading a chart next to another nurse who was about my age as well, and a young nurse comes up to her, and she said, oh, my gosh, can you help me read this? 


I have no idea what this says. It was a physician’s order, which was hard to read, so the old time nurse had no problem. She read it for the young nurse, and then she and I just looked at each other and had a nice laugh, because that used to be exactly what we would have to do day in and day out before physicians started entering their orders. But this is what we need to go back to, and it’s an easier transition for those of us that do remember the old way. Now, can you check every single transaction that has happened during this downtime? Absolutely not. But you need to do your due diligence. You need to pick a random sampling. Make sure you look on all of the types of units and the floors. Make sure you look at day and night shifts, and just do a random sampling. 


And then what do you do if you find something that concerns you? Well, dig a little deeper on that particular transaction. Maybe look at that person’s activity more thoroughly, more comprehensively. Try to catch maybe 100% of their transactions. And then certainly when your systems do come back up, you may want to take a look at that person to dig a little bit deeper. That way when you have more information at your fingertips. But we cannot forget the controlled substance security after we go through an attack like this, because spend a little time thinking about it, and you will realize it is literally a free for all during these ransomware events. So, Gil, you had mentioned that there’s the hard shell and then the marshmallow on the inside, and that’s where they get into that inside piece. Is there anything that facilities can do to prevent the bad actors from even breaching that hard shell? Because it seems to me that’s where you can be a little bit more successful. 


Gil
Yeah, there is. Terri, before I answer that, I wanted to mention something that you had talked about before, which is relevant, and that is that a surveyor could come to a hospital during a shutdown due to ransomware, and you’re still held to the same standard. There’s no exception just because you’re under ransomware attack. Is that right? 


Terri
They can boy, I would hope that they wouldn’t. They would give you a little bit of latitude, but they are definitely going to be present, because they do want to make sure and see what you’re doing from a safety perspective. I honestly don’t know if they I would hope they’d be more focused on the more immediate safety concerns to looking and looking to see what the hospital has come up with for solutions to literally keep their patients safe. I mean, in some cases, things are turned off. You cannot monitor a mom who’s going in to give birth. You have no fetal heart rates and stuff being monitored. Your telemetry units, your machines are down. And so I would hope that a surveyor would be more focused on those types of things and what you’re doing for that. But if you had a bad diversion during one of those times and there was some harm, whether patient or employee, you’d probably still be on the hook, I suspect. 


Gil
Okay, yeah. So back to your question. There’s several things that hospitals can do to help mitigate that access. As we describe it, you have the hard perimeter with firewalls and devices. The middle is where the good stuff is. So one of the things that can be done is to change the protocol, change the philosophy, and that is to go with something called Zero Trust, and that’s a newer it’s not brand new, but it’s a newer way for It staff to think about it. So what the difference is this. The other one is a hard perimeter, and once they get in, they have access to everything. So you try to harden it as hard as you can. It’s like a castle. But the newer way of thinking about it is just assume the bad guy got into the castle he’s already in. So what you do is instead of having all your goodies in one area where they can grab it all, is you divide it up into lots of little pieces. 


So a bad actor might take one little piece of information, and that’s all, and the damage is contained because he doesn’t have access to everything. And that’s called the zero trust model. Zero trust model, you can look it up in Google, and it’s something that the It department would have to review. It’s a newer way of thinking and it’s a newer way of doing things, and I think it’s superior. But the other thing is, in practical terms, it is very important to continue those training modules for the social engineering, and it’s equally important and necessary to practice. So the Phishing simulation is important. Putting a USB, have your It step, put USBs around, see who picks it up, and when they plug it in, it’ll send an alert to them and say, hey, this employee actually plugged it in. So the practice is equally as important as the training module. So you have to do both. Otherwise you’re not going to have your employees really be diligent about it. 


Terri
Right now, that Zero Trust model, is that something I think hospitals, a fair amount of them maybe have their own. I don’t know if it’s technically a data center, but they have their stuff on site that they manage with their team on site versus in the cloud. I would think that more and more maybe are moving to the cloud as the trust for the cloud improves. But can you do that zero trust on site? Or is that more of a cloud based thing, or how does that work? 


Gil
Yeah, the Zero Trust, I’m more familiar with IT in the cloud, and it’s something that hospitals have to consider. If you go back ten years ago, hospitals wouldn’t really consider most hospitals didn’t consider the cloud. 


Terri
Right. 


Gil
But now, in the modern day, the cloud has superior technology for security, and it just makes common sense. Like, Google has employed thousands upon thousands of PhDs in security and so on, and no hospital is going to have that kind of bandwidth to employ that many experts. So the cloud, over time, has just gotten to be a better model. And each hospital has to consider what’s called on prem equipment, where they have all their equipment there, and they have to think about security and failover and everything, or do they want to put as much as they can into the cloud where it’s more secure and they can focus on other things? 


Terri
Right. What’s involved in taking going from on prem to the cloud? Do you have any tips or suggestions, since that’s what HIPAA Vault does? So how does that work? 


Gil
Sure. Well, there are critical systems in the hospital that some would prefer to have leave on prem. So you have to first have a strategy and decide, well, what can we put and what do we want to put in the cloud first? And then work with your It team to have a migration path, a migration plan, and begin the process of building new systems in the cloud and then run it simultaneously. You don’t want to turn one off to the other one’s working. So you have testing stages and so on. It is quite an extensive project. An It CTO would have to get involved and plan that, but it’s something that should be considered, and you should always be evaluating your It strategy. It’s evolving because you’re forced to evolve. The bad actors, they’re evolving, and they’re trying to get a new way. So that means the It professionals, they have to evolve as well. 


Zero trust is an evolution to help mitigate these attackers. And so it really behooves the It professional and the It leaders to really be evaluating on annual basis. 


Terri
It’s not unlike diversion. They’re always finding their way around our mitigation strategies. 


Gil
Sure. 


Terri
Okay. All right, well, thank you very much, Gil, for that information and for sharing that. And yeah, just a reminder that when the dust settles, if you are one of the unfortunate ones that fall prey to that ransomware attack, there are other things that you should be thinking about to secure your controlled substances. Thank you, everyone, for listening. Please hit that subscribe button. And I want to thank our sponsor, whose product line is an active deterrent to diversion. Check out their website, imiweb.com, to get that free trial box of Tamper evident caps for IV solutions that will be running through this month. May. Thank you, Bill. 


Gil
Yeah, thank you for having me, Terri. 

Picture of Terri Vidals
Terri Vidals

Terri has been a pharmacist for over 30 years and is a drug diversion mitigation and monitoring subject matter expert. Her years of experience in various roles within hospital pharmacy have given her real-world insight into risk, compliance, and regulatory requirements, as well as best practices for medication and patient safety.

Subscribe to Drug Diversion Insights with Terri Vidals to learn more about diversion mitigation.

Download White Paper