Speaker 1:
Five, four, three, two, [inaudible]-
Speaker 2:
Thanks for tuning into the Pharmacy Podcast Network, the most influential podcast dedicated to the profession of pharmacy, with over 80,000 listeners worldwide. Welcome to the Pharmacy Podcast Network.
Speaker 3:
Compliance is hard, but finding the answers doesn't need to be. Join Jeff Hedges and his staff on the Pharmacy Compliance Guide as they help you and your pharmacy staff navigate through some of the complexities to help you stay stress free and in compliance. The Pharmacy Compliance Guide is a proud member of the Pharmacy Podcast Network.
Becky:
Thanks for joining another episode of the Pharmacy Compliance Guide. We are joined today by the one and only guru of all things compliance, Mr. Jeff Hedges, owner and namesake of RJ Hedges & Associates. And we have a special guest with us today who is certainly an expert on technology security and systems management. We are so thankful for his services and his ability to share some wisdom with you all. Mr. Nick Dorazio is the president of LVTech based here in Western Pennsylvania. Today, these gents are going to be discussing something a lot of people don't want to deal with, or in some cases don't know much about, and that is ransomware. That's right, being held hostage from your own information and your own data. Today, we're going to talk about what ransomware is and how it happens, put some context behind the sheer cost of this type of event happening to your business. We'll go over some terminology and solutions for your business and even how you can prevent this from happening to your system.
Jeff:
Thank you, Becky. Today, we're going to talk about ransomware. Everybody hears about it on the news when a major bank or major government agency has their system hacked, and they have to pay money to get their system unlocked. So we're going to talk about that with the pharmacy and other healthcare providers, as far as what they need to know, how they should set up, who they should talk to, and what they need to teach their staff. Joining me today is Nick Dorazio from a company that we work with very closely called LVTech out of Greensburg, Pennsylvania. A year and a half ago, I was at an Entrepreneurs' Organization, or EO, event with the FBI in Pittsburgh. The Pittsburgh FBI office is one of the top cybersecurity offices within the FBI. We went through a training session about networks and security. There were about 25, 30 people there from my organization. And when we went through all the requirements that they were recommending all the businesses to have, I was the only one that had everything in place that was needed to protect our network, our systems from ransomware, viruses, malicious attacks, anything that happens like that. So that's what Nick does. He does that for me. He does that for a lot of other businesses and healthcare practitioners. So we're going to start off with the basic question: what exactly is ransomware and how does it work?
Nick Dorazio:
Well, basically, what ransomware is, is it's nothing special other than a very targeted type of software, in the realm of malware, whose sole purpose is to encrypt your data so that you, the end user, do not even have access to it. That is basically what it is in its simplest form. The malicious party will demand money in order to give you the keys to unlock your data. The really bad part about that is that there is no guarantee that they will even give you the key. You give them money in hopes that they unlock it for you. Oftentimes what they do is they will research a company ahead of time, and they will determine what amount of money you're able to pay. While it is the same software, I have seen organizations be held ransom for $10,000, and with the exact same software, be held ransom for $2 million. So this is not just a fly-by-night operation. This is a very coordinated global attempt to extort money out of businesses. And the worst part about it is, even if they give you the key, and even if you're able to access your data, there is no guarantee that there isn't some trace of that software left on your system that could hit you again later down the line.
Jeff:
Who actually is at risk for ransomware?
Nick Dorazio:
Jeff, today what we find is that everyone is at risk, whether you're a home user with a single computer and you just have your kids' pictures, or a Fortune 500 company with CEOs' computers that are worth millions upon millions of dollars. Everyone is a target because of the way that this software propagates. There are multiple vectors in which they attack organizations, and I will go over a few of those with you. Number one is poor security measures that are in place. One of the ones that we've seen used most is remote access into the computers. If you're a business where you work from home at night and you remote into your office computers, if that is not secured in the proper way, one of the ways that these malicious agents are able to penetrate your network is through these remote access vectors.
Another potential one is end-user deception. We see this very commonly. You go to a website, a popup comes up, and says, "Your computer's infected. Call this 1-800 number." They claim that they're Microsoft. They claim that they're some other security agency that everybody knows about. When you call them, you actually let them on your computer and do the thing that they say that they're protecting you from. Another one is email attachments. That's very common. That has been happening for a long time. You get an email that looks like it's from somebody that you know, and you open it and you unwittingly download the malware onto your computer. Sometimes it's ransomware. Malicious URLs: very often, what will happen is you'll be searching online for something. You might be looking for the latest Medicare proposals or the newest guidelines that are coming down, and you inadvertently click on a site that looks like it might be a government site, but it is not. You click on a link. You end up downloading malware because you think it's a government site and that it is safe.
Along with that are compromised downloads. Websites can be compromised, too. You actually go to a legitimate website, but the download you're getting from them... Let's say you're downloading a free utility from Microsoft, as an example. If that particular website got compromised, they could have injected malicious code into that program. And even though it's legitimate, you get compromised. It's possible that, let's say, you're at a pharmacy and one of the computers is compromised, or you let someone on your network that has a compromised computer; that can travel across your network and hit all of the computers. So you've necessarily done nothing wrong on your computer, but another one on your network causes you to be attacked.
Jeff:
Yeah, we've seen that here. Our employees are all well trained, but we'll get emails and there'll be a hyperlink. Our staff has been trained that before they click on anything, they look at the URL. If it's not visible, right-click on the URL and look at it. And if it's something that doesn't sound right, especially if the extension at the end has JP for Japan, and a lot of different countries out there, you definitely delete that. When you delete that, you should also contact your IT company so they can look into it and make sure there's nothing there. The reason why I said JP, I just had one come in last week. We see them from Russia, from China, from Korea. We see them from Africa, all over the place. If you don't know that URL, you delete it immediately.
Nick Dorazio:
That's a really good point, Jeff, because a lot of times... I'll take you as an example. Everybody knows who you are. You're not unknown to the world. So what ends up happening is someone will create, let's just say, a Gmail account, 5632RJH@gmail.com. They'll put their name as Jeff Hedges. They'll even send that email to your staff. If they're not paying attention to the sender's email address and just look at Jeff Hedges, they might not realize that it didn't actually come from you. So that's a great impersonation technique that they use. So it's extremely important to be very vigilant on those.
Jeff:
So this is a bit scary for everybody, every business owner. What can I do to prevent ransomware from getting into my system? But I know we've covered a couple items here.
Nick Dorazio:
Well, that's a great question because after you go over all of these scary things in ways that it sounds like, "Oh my gosh, I shouldn't even be on the internet," what can you do? Well, there's a couple of easy things. Number one, absolutely employee education. You should be constantly training your employees to be on the lookout for things like the email that we said and also other things that we listed that they might not realize: "Don't download this. Don't click on that." Simple trainings that can really help the end user, because at the end of the day, your weakest point will be the end users. Another thing that you can use is EDR. EDR stands for Endpoint Detection and Response. Basically, what that is is it's the next generation of antivirus. Antivirus, as we've known it, is no longer viable or a good protection mechanism. This malware and this ransomware is being created by computer AI faster than human beings can come up with the signatures to combat them. So you need an AI-based protection system in order to combat that. That is where EDR comes in. So not all protection software is the same.
Finally, you can do what you refer to as perimeter protection or a firewall. There are active business-class firewalls that can help to stop these attacks at the perimeter before it even reaches your network, before it reaches your computer. Those top three things will give you the biggest bang for your buck in helping protect yourself.
Jeff:
Okay, so who do I talk to?
Nick Dorazio:
Well, you should talk to a security expert, not just simply an IT person. There are a lot of people that say that they do IT, and they might be able to fix your computer, replace the hard drive, things of that nature, but do they really know about cybersecurity? So if you have an IT company, an MSP that's working on your computers, have a candid conversation with them. Ask them, "Do you do cybersecurity? What types of measures do you put in place on my network in order to protect myself?" And if they are unable to do that, you should seek out a cybersecurity expert in order to check your network.
Jeff:
So this affects every business, but if you're working with a Fortune 500 company, they're going to look at it one way. But if it's a small company with only three or four employees, how do you scale this between the two? You don't have the money to put into that kind of security that a Fortune 500 company would.
Nick Dorazio:
Absolutely. Fortune 500 companies have millions upon millions of dollars dedicated simply to cybersecurity. Their IT budgets are enormous, but if you're a small three, four-person business, what do you do to protect yourself? That's where MSPs come in. That would be the old school IT vendors, the people like me, where most of my customers are not necessarily large enough to have their own dedicated IT staff that they pay $500,000 for a year, but they outsource their IT and their security to someone like us, and we do this for them. So even for those small businesses that have three or four computers, your MSPs are able to go in there and give you high-level service for a fraction of the price because they're scaling that across all of their customers.
Jeff:
Well, what happens if I do get hit with ransomware? Do I pay it? Do I contact the police? Do I contact the FBI, or do I have to just go out and buy a whole new system and start from scratch?
Nick Dorazio:
Well, the very first thing I would do is shut everything down. First and foremost, shut your computers down because the best thing you can do is to prevent anything further from being worse. The FBI actually officially recommends against paying that ransomware. They don't want you to pay that. Oftentimes, these funds go to nefarious dealings around the world. So it will go to fund terrorism, oppressive governments, more ransomware projects. It funds the development of newer ransomware. So from the standpoint globally, you should not pay the ransom. You should report it to the FBI. On fbi.gov, there's actually a website dedicated to that, where you can fill out a form. They give you numbers for local field offices to call them and make a report. They will investigate where they can, and they take it from there.
They can find where the same people are targeting multiple businesses, correlate that together, and try to go after these people. Oftentimes, they're in other countries, but they do everything that they can. Here is where most businesses sit themselves. You have a ransom. If you don't have a proper backup, if you don't have all of those things in place so that you do not have access to your data, you have a decision to make. You either pay the ransom and stay in business, hopefully, or you don't and risk the chance of not having a business. So while the FBI recommends against paying the ransom, they don't explicitly tell you not to because every business has to make that decision. And it is a costly one if you get ransomware, absolutely costly, because to your point, you don't have to go buy a new system, but effectively you end up doing that. The only safe way to ensure that you have no remnants on your system is to pay the ransom, in some cases, recover your data, and then wipe out everything you have and start it over from scratch. You can keep the hardware, but you have to redo all the software.
Jeff:
Okay, Nick, let's take my company, for example, with all our equipment and tablets and everything we have. How's the EDR system working for our company, and have we ever been attacked?
Nick Dorazio:
Jeff, so far, in 2021, your company has survived four separate ransomware attacks that EDR has stopped.
Jeff:
Really? I had no idea.
Nick Dorazio:
That is great because you don't want to know about it. We knew about it, and we did what we needed to do on our end, but the fact that you didn't know means that it was doing its job. As a matter of fact, by virtue of the fact that it stopped four attacks in this year alone, it has paid for itself. The cost for the EDR, just the EDR, has been paid for for 10 years, at least, by my estimation.
Jeff:
If it didn't work, how much would it have cost me if it would've gotten into my system?
Nick Dorazio:
When it comes to your system and ransomware, you have to look at all of your endpoints. So we're talking about servers, computers, laptops, routers, printers, wireless access points, tablets, phones, all of that. If you had a ransomware event in your network, all of that would have to be addressed. It would cost you anywhere between, on the low side, $50,000 to $60,000 to remediate that. And that's because you have a backup in place, assuming we could just recover your servers without rebuilding them. So I would figure about $1,000 per device. Again, that's phone, tablet, router, anything on your network, $1,000 a device to recover.
Jeff:
So how much time would this take?
Nick Dorazio:
For a company your size, I would need to dedicate two or three technicians around the clock to getting you back up and running as quickly as possible. I estimate that it would take about a week before you were fully operational.
Jeff:
So for me, personally, and for our company, that would be devastating, but what about a pharmacy or other healthcare provider? They could be down for a week?
Nick Dorazio:
It's possible they could be down longer. If they didn't have their primary server system or their databases backed up in a way that ransomware did not penetrate that, you could be down for a month, two months just recovering your data points. It would be absolutely devastating to a small business to the point where most of them would go out of business.
Jeff:
Okay. What about my cyber insurance policy?
Nick Dorazio:
So for cyber insurance, most of them are starting to require EDR. So you even have to have the EDR package to even be able to have the privilege of buying it, but there are still some out there that don't require it. If you happen to have one of those and you didn't have EDR and you are attacked, there is a chance, and a good chance, if you have the right cyber insurance policy, which you need to consult your insurance expert agent on all of this so that you can find that out... But if they would pay for it, they should pay for that. But there are other costs involved in that, too, such as all of the HIPAA notifications and things that I know that you know much more about than me that are required for a breach of this magnitude.
Jeff:
Well, thinking about my clients, if they have the standard policy, which is normally around $100,000 for cyber insurance, is that going to be enough for them?
Nick Dorazio:
Well, if you have all of the available options, assuming it will pay for you and pay for everything that it's supposed to pay for, in your case, if that was your size, it may not be enough, because that number that I quoted you was just my time to get you back up and running. All other expenses incurred by an event, whether it's employee wages that you have to pay that are lost, notifications, credit fixing of the people that you affected: the costs are extremely difficult to tabulate because it totally depends on what information has been breached. So it is entirely possible that even for a company that size $100,000 is not enough.
Jeff:
So what steps should they take today to prevent this from happening to them tomorrow?
Nick Dorazio:
There are absolutely preventative measures that, while sometimes they might seem like they cost a little bit, primarily because they might not be paying for them at all, a ransomware event will cost you 10 times, sometimes 100 times the cost of the preventative measures. I always tell my customers, "You have to view it as another insurance policy." You pay for insurance and you hope you never have to use it. That's what these preventative measures are. So step one is what I was talking about before, the EDR. There are different vendors. You may have heard, one of the most popular ones in the news is CrowdStrike. There's Cylance. There's SentinelOne. Anyone that is that AI-based, newer-style endpoint protection, read antivirus, you have to have one of those in place, properly configured. Backup is essential, not just backing up onto a hard drive attached to your computer, but you need an onsite and an offsite backup solution that is segregated from your network.
And what I mean by that is if your network is compromised, so that your backup does not become compromised, you should be discussing that with your IT professional, with your MSP. Ask them, "Do I have an offsite backup that's protected against ransomware?" Because, at the end of the day, if all the preventative measures fail, as long as you have your data, you don't have to pay the ransom. Education. You should be educating your employees on some kind of recurring basis, and depending on your turnover, should it be once a year, twice a year, four times a year? That needs to be decided by you. But the more education your employees have, the less chance they have of actually compromising your system to even have to activate the preventative measures. If you can stop it before it starts, you're in a way better position. And finally, that perimeter protection, having an active firewall. If you have the proper firewall on the outside, even if your employee clicks on something bad, if it can stop it before it even gets to their computer, you're ahead of the game.
Jeff:
So, Nick, thank you for this information. It's very, very time sensitive, very important. We hope that everybody will look at this podcast, listen to all the advice that we've received today, and that we can go through it. It has helped me out in a number of cases where we get something that we're not sure of. We call Nick and LVTech. They look at it, they can identify it, and they tell us whether it's safe or not. Now, the next thing we're going to be talking about, on the next podcast, is HIPAA breaches. If you get hit by ransomware, your data's not available or it's been downloaded, now we're talking about a breach. HIPAA breaches are very important to file, go through a process, because if you don't report them or if you don't report them correctly, the Office for Civil Rights can come back and give you a pretty hefty fine, corrective action plans. So that'll be our next podcast. We'll have it released here soon. And, Nick, I really want to thank you, one, for being here today, and two, making sure my network and my systems are all safe.
Speaker 3:
Thanks for listening to another episode of the Pharmacy Compliance Guide, sponsored by RJ Hedges & Associates. Be sure to search the entire library of podcasts, helping you stay informed on the latest pharmacy compliance issues, by visiting pharmacycomplianceguide.com.