5 minutes with Jeff Horne – Top healthcare cybersecurity challenges and mitigation strategies

By Maria Henriquez
January 22, 2021

As healthcare organizations continue to respond to the pandemic, cybercriminals have continued to persist in their attacks on providers, health plans and business associates – compromising sensitive patient data while impacting the delivery of care to patients.

Here, Jeff Horne, Chief Security Officer (CSO) at Ordr, discusses the top cybersecurity challenges for healthcare organizations, as well as mitigation strategies.


Security magazine: What is your title and background?

Horne: I joined Ordr, provider of security for enterprise IoT and unmanaged devices, as their CSO at the beginning of this year. At Ordr, I’m responsible for the security direction both within Ordr products and internal security. I’m also a member of Black Hat’s Review Board, which I’ve been on for more than five years now. I started my career in the security space as a Vulnerability Researcher at Internet Security Systems - working on vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware.

Before joining Ordr, I was the VP of Information Security for Optiv and was responsible for all security operations, governance risk and compliance, endpoint, internal incident response, physical security, and employee security awareness groups. I also had the pleasure of working for SpaceX as Senior Director of Information Security, where I focused on the overall security strategy of SpaceX and managed the information security, compliance (ITAR), security operations, and physical security groups. Even further back, I was the VP of R&D and Chief Architect for Accuvant LABS for almost five years and Director of Threat Research at Webroot Software for almost six years.


Security magazine: What are the biggest cyber risks that the healthcare industry faces?

Horne: The global pandemic has accelerated the healthcare industry as a target for cyberattacks and this will continue to proliferate. The supply chains for PPE, the COVID-19 vaccine, or even companies that produce standard medical equipment are at particular risk for attack.

Right now, healthcare organizations are dealing with the second wave of COVID-19. We’re seeing hospital beds at 90% capacity, there are heightened worries about ransomware, and there is reduced IT and medical support because staff is getting sick.

On top of these newer vulnerabilities, healthcare has been a sector that’s been plagued with these issues for years. Medical devices, like all other computer systems, are vulnerable to security breaches. In fact, Ordr’s researchers found that nearly 20% of medical devices run on Windows operating systems that are Windows 7 or older. When we look at medical devices, this is a much greater issue since they are usually more difficult to patch -- or patches are not made available by manufacturers.


Security magazine: What are some of the latest ransomware/malware trends and threat groups that are targeting healthcare?

Horne: Recently, there have been high-profile cases of ransomware and researchers warn of a seven-fold increase in attacks, compared to 2019 alone. Hospitals are already a very lucrative target, and the pandemic provides a significant opportunity for threat actors looking to target healthcare providers. In addition, there has been a mass influx of connected devices deployed in facilities without the proper purview of IT and Security teams, leading to an incomplete asset inventory and clear visibility of how/where devices are communicating.

The three most common ransomware campaigns that are targeting healthcare organizations are Zeppelin, Ryuk, and Sodinokibi:

  • Zeppelin is believed to be operated by a Russian cyber group; however, very little is known about the operators. The ransomware code is based on a purchasable ransomware variant known as VegaLocker. Zeppelin either starts as a spam or phishing email with an infected document that downloads and installs malware onto the healthcare organization’s system, or the operators attempt to exploit vulnerable RDP, Apache Tomcat, and Oracle WebLogic servers available on the internet, and once connected to the infected system, operators can execute their attack.
  • Ryuk, or Conti, is also known to be operated by a Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes, which was possibly created by a North Korean hacking group. Ryuk also starts as a spam or phishing email, but when the infected document is opened, it drops a Trojan downloader or bot that includes several tools for remote access, privilege escalation, and lateral movement. Once bad actors are in the health organization’s system, they quickly grant themselves privileges and turn off any anti-virus, logging, and detection systems that would detect their movement before distributing their ransomware and then reaching out to organization members via an anonymous email notifying them that their system and data have been taken for ransom.
  • Sodinokibi, or Sodin or REvil, is believed to be created and operated most likely by the same Russian group behind the popular GandCrab ransomware. Sodinokibi is somewhat similar to the other operators as there are several methods -- including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords -- to gain access to systems. Once inside the network, operators drop various exploit and privilege escalation kits to laterally move throughout and compromise the network. Lastly, all system backup files are deleted and recovery mode is disabled to prevent restoring via local backup before the ransomware is deployed.


Security magazine: How do you go about detecting and responding to ransomware attacks?

Horne: The best thing you can do to respond to a ransomware attack is to take proactive, mitigating actions. Work with trained security experts to assess your vulnerabilities, close security gaps, train employees, and put a written incident plan in place specific to your organization. Of course, having a robust backup strategy that can be quickly recovered from once a ransomware attack occurs is the best way to mitigate the risk of damage, downtime, and having to pay the ransom. There are many antivirus and backup tools out there that can prevent or limit the damage of a ransomware or other malware attack.

However, in the case a ransomware attack happens:

  • Isolate infected machines quickly to stop the spread of ransomware to protect systems with important information and reduce the number of infected machines.
  • Research free decryption programs and determine which variant of ransomware has hit your network; you may learn that the keys to decrypt your data are easily available.
  • If important data is still encrypted, determine whether you should (or if it’s legal to) pay the ransom by following the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments by the U.S. Department of the Treasury, and then ask yourself: How valuable is your lost data and can you do without it? Do you have that data backed up and archived? Can you recover from backups quickly? Does losing the data affected by the ransomware put the life of your business at risk?

Ransomware as a service is one of the more insidious attacks that can be unleashed by malicious actors. It usually enters an organization through phishing attacks or vulnerable systems deployed on a network’s perimeter. Once the ransomware operators gain a foothold, the operators spread throughout the network using common exploits or open shares, moving laterally from machine to machine and encrypting important data. Then, once the important data is encrypted, the attackers display a message to pay a ransom, or else the data will be lost forever; that is followed by instructions for transferring money to the attackers via usually untraceable cryptocurrency.

In most ransomware cases, the requested ransom amount increases over time in an attempt to lure companies to act fast and pay a lower ransom payment. A leading institution of medical research was recently targeted by the Netwalker ransomware and paid $1.14M to recover its data.


Security magazine: What are some of the top mitigations for healthcare IT/cybersecurity teams?

Horne: By some estimates, there are nearly 650 million IoT and IoMT devices operating in the healthcare industry right now, and 82% of healthcare organizations using IoT/IoMT devices have had those devices attacked. With that in mind, the first question CISOs need to answer is “How confident are you in your asset inventory and does it accurately represent what is connected to your network this very second?”

Another challenge organizations face in securing their networks is the sheer scale: from connected medical and consumer devices like glucometers to local automated machines like parking lot gates, it’s difficult to have visibility into all the devices that could connect to a health organization’s network. Organizations must understand what is connected to their network at a deep level (i.e. device type, software being run, etc.) and in real time. A patching strategy needs to be created and executed on devices whose vulnerabilities can be mitigated by patching. For machines that remain vulnerable, organizations should segment any vulnerable systems on their network and regulate traffic among devices so that if a breach happens, threat actors cannot use those devices as a pivot point to access and compromise other devices on the infrastructure.

Additional solutions to mitigate organizational risks and increase efficiency include:

  1. Computer maintenance management systems (CMMS);
  2. Vulnerability management solutions to inform an overall risk posture and enable vulnerability identification in networks with sensitive devices that cannot withstand active scans and security operations center (SOC); and
  3. IT service management (ITSM) tools.
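As an added example (not part of the interview, and not Ordr's product or code), the Python script below carries out the two checks Horne describes in his last answer: it reconciles what is actually observed on the network against the asset inventory (flagging devices the inventory does not know about, devices that have gone missing, and devices whose address changed), and it sorts the known devices into "patch" where the vendor supports patching and "segment" where the device runs a legacy Windows release (Windows 7 or older, the threshold from Ordr's 20% figure) that cannot be patched. The device records, the legacy-Windows pattern list and the `vendor_patch_available` flag are constructed assumptions for this example; in practice the two inputs would come from a CMMS export and a passive discovery feed.

```python
"""Reconcile observed devices against an asset inventory and decide
patch vs. segment for each known device.

Added example; all device records below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Windows releases at or below Windows 7 (assumed list for this example).
# Anything matching is treated as "vulnerable and probably unpatchable
# unless the vendor still ships fixes".
LEGACY_WINDOWS_PATTERNS = [
    r"windows\s+xp", r"windows\s+vista", r"windows\s+7\b",
    r"windows\s+server\s+2003", r"windows\s+server\s+2008",
    r"windows\s+embedded\s+standard\s+7", r"windows\s+embedded\s+(posready\s+)?2009",
]


def is_legacy_windows(os_name: str) -> bool:
    """True for Windows 7 and older, including the embedded variants
    commonly found on medical devices (case-insensitive match)."""
    name = os_name.strip().lower()
    return any(re.search(p, name) for p in LEGACY_WINDOWS_PATTERNS)


@dataclass(frozen=True)
class Device:
    mac: str                      # stable identifier; IPs move with DHCP
    ip: str
    device_type: str
    os_name: str
    vendor_patch_available: bool  # does the manufacturer ship fixes at all?


def classify(device: Device) -> str:
    """Patch where the vendor supports it; segment what cannot be patched."""
    if not is_legacy_windows(device.os_name):
        return "ok"
    return "patch" if device.vendor_patch_available else "segment"


def reconcile(inventory: Iterable[Device], observed: Iterable[Device]) -> Dict[str, List[str]]:
    """Compare the CMMS view (inventory) with what is on the wire (observed).
    Returns MAC lists per bucket; unknown devices are left for triage rather
    than classified, since their OS fingerprint is not yet verified."""
    inv = {d.mac.lower(): d for d in inventory}
    seen = {d.mac.lower(): d for d in observed}
    report: Dict[str, List[str]] = {
        "unknown": [], "not_seen": [], "ip_changed": [],
        "ok": [], "patch": [], "segment": [],
    }
    for mac, dev in sorted(seen.items()):
        if mac not in inv:
            report["unknown"].append(mac)        # on the network, not in the CMMS
            continue
        if inv[mac].ip != dev.ip:
            report["ip_changed"].append(mac)     # record is stale; update it
        report[classify(dev)].append(mac)        # classify on observed facts
    report["not_seen"] = sorted(m for m in inv if m not in seen)
    return report


# Constructed sample data: what the CMMS says is on the clinical VLAN ...
INVENTORY = [
    Device("00:11:22:33:44:01", "10.20.0.11", "infusion pump", "Windows Embedded Standard 7", False),
    Device("00:11:22:33:44:02", "10.20.0.12", "nurse workstation", "Windows 10", True),
    Device("00:11:22:33:44:03", "10.20.0.13", "PACS server", "Windows Server 2008 R2", True),
    Device("00:11:22:33:44:04", "10.20.0.14", "MRI console", "Windows 7 SP1", False),
]
# ... and what passive discovery actually saw in the last scan.
OBSERVED = [
    Device("00:11:22:33:44:01", "10.20.0.11", "infusion pump", "Windows Embedded Standard 7", False),
    Device("00:11:22:33:44:02", "10.20.0.22", "nurse workstation", "Windows 10", True),
    Device("00:11:22:33:44:03", "10.20.0.13", "PACS server", "Windows Server 2008 R2", True),
    Device("00:11:22:33:44:99", "10.20.0.77", "unknown", "Windows XP", False),
]


def run_report() -> Dict[str, List[str]]:
    return reconcile(INVENTORY, OBSERVED)


if __name__ == "__main__":
    for bucket, macs in run_report().items():
        print(f"{bucket:>10}: {', '.join(macs) or '-'}")
```

The "unknown" and "not_seen" buckets answer Horne's asset-inventory question directly: a device the CMMS has never heard of, or a device that silently vanished, is exactly what a scan-only view misses. The "segment" bucket is the input to the traffic rules he recommends for devices that will never receive a patch.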
Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
