Heath Renfrow is widely regarded as one of the world’s leading cyber security experts. He has more than two decades of experience as a high-level information security specialist, much of it as a chief information security officer (CISO) in the United States Department of Defense, where he addressed some of the nation’s most significant cyber challenges. In 2017 he was named Global CISO of the Year by EC-Council, the largest cyber-training organization in the world.
Health officials said they have to figure out COVID-19 statistics by hand because of the attack.
The threat is real, says Heath Renfrow, chief information security officer at Conversant Group. Healthcare organizations generally aren’t where they need to be when it comes to cybersecurity.
Many hospitals use disaster plans created for other crises, like technical failures and storms, that don't capture the scope of cyberattacks.
If the MD Health Department had truly been alerted to the intrusion when it occurred, then their systems should not have been encrypted. I would guess that they were taken offline after the successful encryption of most of their systems and that the encryption stage had already completed what it needed to complete.
I would be curious if outside breach counsel has been engaged for this incident, and what the ultimate results of the Data Forensics Incident Response will show (how the threat actors gained access, what sensitive data they could have touched, and if data was exfiltrated). Health and Human Services Office of Civil Rights will most likely have to be notified of potential Health Insurance Portability and Accountability Act (HIPAA) violations, and possibly notifications sent to the victims of the potential exposure of their personal health information.