Security is a difficult thing to pitch. To summon Bastiat from beyond the grave, the costs of implementing security are seen but the costs of not implementing security are unseen. Making the pitch even more difficult is the fact that most people think, “It’ll never happen to me.” But a breach can happen to anybody and the associated costs are often tremendous:
Hollywood Presbyterian Medical Center, the Los Angeles hospital held hostage by crypto-ransomware, has opted to pay a ransom of 40 bitcoins—the equivalent of $17,000—to the group that locked down access to the hospital’s electronic medical records system and other computer systems. The decision came 10 days after the hospital lost access to patient records.
$17,000 is already a decent chunk of change, and 10 days of downtime for a hospital's record system is a far more serious expense than the ransom itself. This disaster could have been greatly mitigated with proper security practices. First of all, based on what we know so far about the breach, e-mail should never have been accessible on a computer with direct access to a mission-critical system:
Stefanek did not say how the malware was introduced into the hospital’s EMR system. But the leading suspect, according to sources familiar with the investigation, is a phishing attack—likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.
E-mail is the source of a lot of malware, and phishing attacks, especially targeted ones, have become surprisingly effective. Knowing this, mission-critical systems should be isolated from likely malware vectors (although I would argue those systems shouldn't be connected to the Internet at all). Mission-critical data should also be available redundantly, so that if one system goes down another can be brought into service immediately while the down one is repaired. Frequent backups should also be part of any security plan so that when something like this happens the machine can be quickly restored. Two caveats apply to backups in a ransomware scenario: a backup that the infected machine can write to will simply be encrypted along with everything else, so at least one copy must be offline or otherwise unreachable from the production network, and a backup that has never been restored is only a hope, not a plan, so restores should be rehearsed and the restored data checked against a known-good record.
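The backup-and-restore drill described above, as an added example that is not part of the original post and not the hospital's or any vendor's tooling. It creates a small constructed "record store", archives it with a manifest of SHA-256 hashes taken at backup time, overwrites the live copy to stand in for the ransomware (no real cipher, just junk bytes and a rename), restores from the archive and then proves the restore is complete by comparing every file against the manifest. The directory names and sample records are assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "EMR" data; stands in for a real record store.
SAMPLE_RECORDS = {
    "patients/0001.json": '{"id": 1, "name": "A. Example", "allergies": ["penicillin"]}',
    "patients/0002.json": '{"id": 2, "name": "B. Example", "allergies": []}',
    "schedule/2016-02.csv": "date,room,patient\n2016-02-05,3,1\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_RECORDS.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, vault: Path) -> tuple[Path, dict[str, str]]:
    """Archive every file under src into vault and return the archive path
    plus the manifest taken at backup time. The manifest is the reference a
    later restore is checked against."""
    vault.mkdir(parents=True, exist_ok=True)
    archive = vault / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    return archive, manifest(src)


def simulate_ransomware(root: Path) -> None:
    """Stand-in for the attack: overwrite each file with random bytes and
    rename it. No real encryption; this only models loss of the live data."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def restore_backup(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Reject absolute paths, "..", links and device nodes on extract.
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)  # older Python: no extraction filter available


def verify_restore(restored: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare a tree against the backup-time manifest. Reports files that are
    missing or whose content changed, and files the manifest never listed."""
    actual = manifest(restored)
    return {
        "missing_or_changed": sorted(k for k, v in expected.items() if actual.get(k) != v),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


def run_drill() -> dict[str, int]:
    """Backup -> simulated attack -> restore -> verify, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, vault, restore_to = base / "emr", base / "vault", base / "restore"
        write_sample_tree(live)
        archive, expected = make_backup(live, vault)
        simulate_ransomware(live)
        after_attack = verify_restore(live, expected)
        restore_backup(archive, restore_to)
        after_restore = verify_restore(restore_to, expected)
        return {
            "files": len(expected),
            "missing_or_changed_after_attack": len(after_attack["missing_or_changed"]),
            "unexpected_after_attack": len(after_attack["unexpected"]),
            "missing_or_changed_after_restore": len(after_restore["missing_or_changed"]),
            "unexpected_after_restore": len(after_restore["unexpected"]),
        }


if __name__ == "__main__":
    for k, v in run_drill().items():
        print(f"{k}: {v}")
```

In this drill the "vault" is just another directory on the same machine, which is exactly what real ransomware would encrypt next; the point of the manifest is that it lets you prove a restore from an offline or immutable copy actually reproduced every record, rather than assuming it did.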
If you’re in a position that oversees budgeting, give serious consideration to the unseen consequences of not providing funds for security, and realize that an attack can happen to your organization.