Thousands of organizations are attacked with ransomware every year—and healthcare organizations continue to be among the top targets. Given the potential for severe operational disruptions and substantial financial losses from an attack, all healthcare organizations should be prepared. In addition to implementing preventive measures, they should develop plans for responding to incidents and minimizing damage. Robust plans can help organizations avoid service interruptions, reduce financial losses, and possibly help save lives.
Ransomware is malicious software that encrypts data and prevents authorized users from accessing that data. Attackers demand a sizable ransom in exchange for providing the decryption key. In recent years, some attackers have compounded their threats. They might threaten to steal—and sell—sensitive data, or attack partner organizations, unless victims pay up.
Many ransomware attacks begin with a phishing scheme. Attackers trick individuals into clicking on a link, and then entering login credentials into a fake website. The attackers can use those credentials to access the enterprise network. In other cases, attackers hack into the network or run a script that downloads ransomware onto individuals’ computers without their knowledge.
However they access the network, attackers often release ransomware that can spread on its own. It moves laterally across a network, reaching critical systems, encrypting data, and locking out users.
Since ransomware first appeared decades ago, attackers have introduced a variety of types and strains. The two types most commonly experienced by businesses are crypto ransomware and locker ransomware.
Crypto ransomware encrypts data, preventing users from accessing it without the decryption key. Locker ransomware locks users out of a system, though it typically leaves files and folders unharmed. Users might see a lock screen that displays a ransom note, sometimes accompanied by a countdown clock.
A successful ransomware attack can have disastrous consequences for healthcare organizations and individuals. For healthcare organizations that cannot access data or systems, an attack can bring critical services to a halt. Providers might need to cancel appointments and procedures; insurers might have to stop processing claims.
The financial costs can amount to millions of dollars. If an organization decides to pay the ransom, that is just the first cost. The organization must then spend money to conduct investigations, recover data and restore systems, and implement additional security measures. It could face regulatory fines, lose revenues, and be subject to lawsuits from patients harmed by the event.
Individuals, meanwhile, could suffer serious health consequences. They might be unable to fill prescriptions, communicate with providers, have procedures, or receive emergency care.
How should your organization prepare for ransomware attacks? Your first steps should be finding security gaps and building an incident response plan.
Before you start investing in new cybersecurity solutions, you need to understand your risks and vulnerabilities. You should inventory your data and systems, and identify which assets are likely targets for attackers. You should also scrutinize your existing security architecture and policies: Are there potential openings for network intrusions? If attackers were to steal a user’s credentials, what systems could they access? Evaluate your employees’ understanding of security best practices: Are you confident that users can identify phishing attempts?
Your risk and vulnerability assessment could be part of an established program, such as HITRUST certification. You could work with an external assessor to determine which controls you need to implement both to comply with key regulations, such as HIPAA, and to strengthen your security.
Developing an incident response plan is critical. In the event of an attack, you need to act fast to reduce the damage. As soon as an infection is detected, you must isolate affected systems to prevent the ransomware from spreading. You also have to contact law enforcement, begin your forensic investigation, and (if possible) restore systems and data.
You might not be able to stop attackers from targeting your organization. But you can implement measures that help prevent ransomware from infecting systems. In many cases, a multi-layered “defense-in-depth” strategy, which uses multiple security products and practices, is the best approach for preventing ransomware attacks.
To protect from network intrusion attacks, you need to secure internet-facing systems and networks. Internet-facing systems might include any web applications or cloud services, such as patient portals or mobile applications. Firewalls and intrusion detection systems can help monitor network traffic and block out known threats.
Attackers often gain access to networks with stolen credentials. Preventing that access requires strong access controls and credential management. Usernames and passwords are not enough. Multi-factor authentication (MFA) can help thwart attackers by requiring users to provide additional means of authentication, such as the use of a USB key or facial recognition.
Establishing role-based access policies along with a principle of least privilege can also help. Even if attackers steal a user’s credentials, they would only be able to infiltrate the limited number of systems accessible by that particular user.
Implementing a Zero Trust security model can add another layer of protection. With Zero Trust, no user or device is trusted by default—even those operating within a network perimeter. Zero Trust access controls can restrict access to specific resources and use contextual information to determine if any access should be allowed.
Attackers sometimes spread “precursor” malware before triggering the ransomware that encrypts files. This precursor malware might conduct reconnaissance for attackers, identifying vulnerabilities or charting pathways for infection. The idea is that this malware will make it easier for attackers to later deploy the ransomware across the network.
Antivirus and anti-malware software can help identify precursor malware and stop it from executing. Meanwhile, firewalls can block malware from entering networks, and network monitoring tools can help identify malware communications with command-and-control servers.
Advanced threat detection tools analyze network traffic to identify and respond to a variety of advanced threats. While some security solutions can block only known threats, advanced threat detection tools are designed to uncover and stop new types of threats—like new strains of ransomware. They can also spot advanced persistent threats—slow-moving attacks, often launched by state-sponsored criminals, in which attackers establish a long-term presence in the network before executing ransomware or another type of malware.
Updating applications and operating systems should be a key part of your multi-layered defense strategy. Software vendors are continuously monitoring threat activity and attempting to identify—and fix—vulnerabilities in their products. Installing updates and patches promptly and completely across your systems can help prevent ransomware and other malware from infecting your environment.
Employee education should be a central part of your ransomware prevention plan. Employees should learn how to identify phishing emails and what to do when they spot them. They should also understand the importance of following all security policies, including the use of unique, strong passwords and adherence to MFA processes.
Regularly backing up sensitive data is vital for mitigating the possible damage from ransomware attacks. If your organization can maintain a complete, up-to-date copy of data in a secure system, you might be able to refuse attackers’ ransom demands. In the event of an attack, you could restore data to clean, uninfected systems and minimize disruptions.
How should you respond when a ransomware attack happens? Your first priorities are detecting the ransomware and determining what has been compromised so you can reduce the potential damage.
The earlier you can detect ransomware, the better. The first signs of an attack might be an increase in spam or phishing emails across the organization. IT or security teams might also see more unauthorized attempts to access network resources, atypical network traffic patterns, modifications to file names, attempts to disable access to directories and domain controllers, and even increased data backup activity, if backup systems try to back up newly encrypted files.
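One way to turn the "modifications to file names" signal above into a check, as an added example that is not part of the original article: it flags a host that renames many files to a single new extension within a short window. The event format, host names, thresholds, and the `.lckd` extension are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed file-audit events: (timestamp, host, old_path, new_path)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # ws-17: 40 renames in 20 seconds, all gaining the same new extension
    for i in range(40):
        events.append((t0 + timedelta(seconds=i * 0.5), "ws-17",
                       f"/share/charts/p{i}.pdf", f"/share/charts/p{i}.pdf.lckd"))
    # ws-02: a user tidying up, 5 renames over 8 minutes, extension unchanged
    for i in range(5):
        events.append((t0 + timedelta(minutes=2 * i), "ws-02",
                       f"/home/a/draft{i}.docx", f"/home/a/final{i}.docx"))
    return sorted(events)

def ext(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def rename_bursts(events, window=timedelta(seconds=60), threshold=25, share=0.8):
    """Return {host: extension} for hosts that, inside `window`, made at least
    `threshold` extension-changing renames with one new extension accounting
    for at least `share` of them. Events must be sorted by timestamp."""
    recent = defaultdict(deque)          # host -> (timestamp, new extension)
    alerts = {}
    for ts, host, old, new in events:
        if ext(old) == ext(new):
            continue                     # ordinary rename, extension preserved
        q = recent[host]
        q.append((ts, ext(new)))
        while ts - q[0][0] > window:     # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            counts = defaultdict(int)
            for _, e in q:
                counts[e] += 1
            top, n = max(counts.items(), key=lambda kv: kv[1])
            if n / len(q) >= share:      # renames converge on one extension
                alerts[host] = top
    return alerts

if __name__ == "__main__":
    for host, extension in rename_bursts(sample_events()).items():
        print(f"ALERT {host}: burst of renames to .{extension}")
```

The threshold and window need tuning against normal activity on your file servers; bulk conversions and backup agents can produce legitimate bursts.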
If you suspect an attack is happening, you should start analyzing the type of ransomware and assessing its progress right away. By identifying the strain, you can anticipate how it will spread and learn what you need to do to remove it. Pinpointing infected systems will enable you to isolate them from the rest of the network and understand whether customers and patients were affected. You should also determine whether data backups have been modified in the attack—if your backups remain unharmed, you might have more options for dealing with ransom demands.
If your organization is attacked by ransomware, you’ll need to notify law enforcement and regulatory authorities. Organizations subject to HIPAA rules that experience a breach of patient data must report the incident to the U.S. Department of Health and Human Services (HHS).
You’ll also need to notify any customers or patients whose data was exposed. You might need to provide credit monitoring and identity protection services to those people for a time after the event.
To contain the infection, isolation is key. Disconnect any infected systems from the network and power them down if necessary.
You can then start to eradicate the ransomware from those systems. Plan on removing not only the ransomware but also any modified files and registry entries. You might be able to employ anti-malware tools or use specialized malware removal tools. If manual removal is necessary, partnering with an outside security expert might be the best and fastest way to ensure complete removal of the ransomware.
When attacks occur, every minute counts. The sooner you can start the recovery process, the sooner you can resume normal operations.
If you have a secure, complete backup of data, you can start restoring that data to clean systems. Better yet, if you have redundant systems in place, you might be able to fail over to those systems with minimal downtime. You would then have more time to determine whether you need to pay the ransom, and more time to thoroughly disinfect the systems affected by the attack.
The analysis work you begin when ransomware is first detected should continue after systems are back online. Understanding the causes and process of the attack will help you develop a strategy for closing security gaps. For example, you might determine that the attack started when a single employee was tricked into clicking on a link within an email. If so, you might decide you need to improve employee education and implement software that prevents users from accessing spoofed websites. Whatever plan you develop, your remediation process should start quickly: Cybercriminals might prepare another attack when they know you are still recovering from the last one.
Your post-incident analysis will determine what additional security measures are necessary for preventing future attacks. In many cases, organizations will need to not only deploy new tools but also modify policies and step up education. For example, you might need to implement MFA to ensure that a stolen password won’t enable an attacker to access the network. Establishing least-privilege access policies can help stop malware from spreading far even if an attacker is able to impersonate an employee. And educating employees about how to alert IT and security teams about suspicious emails and texts could help shut down future attacks quickly.
If your organization is attacked, should you pay the ransom? Many law enforcement agencies and governments discourage organizations from paying, but there is currently no ban on ransom payments in the United States. Ultimately, your organization will need to weigh the pros and cons for your particular situation.
There are multiple reasons to refuse payment. First, the ransom might amount to millions of dollars. Second, paying the ransom will encourage more cybercriminals to launch attacks. And third, even if you do pay, attackers might still withhold the decryption key, sell your data, and attack your partners.
On the other hand, many healthcare organizations will be under tremendous pressure to resume normal operations and regain access to data. As a result, healthcare organizations often do pay—in fact, they pay more frequently than businesses in other industries.
Having an alternate means of restoring data will likely play a key role in your ransom payment decision. If you have a complete, clean backup of data and can start using that data quickly, there might be very little reason to give in to ransom demands. You can wipe infected systems without having to worry about regaining access to encrypted data.
Preventing, responding to, and recovering from attacks can be large-scale undertakings. Though healthcare organizations are increasingly committing budget and resources to those efforts, many will find that collaborating with external security experts and managed service providers offers the most effective and efficient means of addressing ransomware threats. Whether you have an on-premises, cloud, or hybrid IT environment, partners can help you protect your data, your systems, and your business from damaging attacks.
Third-party security teams and managed service providers have deep expertise in defending against all types of cybersecurity threats. They can help your organization assess risks, identify gaps, select the right security tools, implement best practices, and build comprehensive incident response plans. Managed service providers can also relieve your staff of the need to install, configure, manage, and maintain the security systems and services required for defending against attacks.
As with any partnership, a successful relationship with external security teams and managed service providers requires clear roles and responsibilities, and effective communication. At the moment when a ransomware attack occurs, you need to know who is going to do what. Will you turn over all responsibility for detecting attacks, isolating systems, conducting analyses, and recovering data to your partner? Or will you divide and conquer?
Assessing risks and addressing vulnerabilities should not be one-time events. By working with an external partner, you can establish a cadence for conducting regular security audits and assessments. You can continue to be well protected even as threats evolve and your company changes.
As long as cybercriminals believe they can extract large ransoms, they will continue to launch attacks aimed at holding data hostage. Healthcare organizations must stay vigilant and work to continuously enhance their defenses against these threats.
Regularly review and update your security protocols and stay informed about the latest ransomware threats and trends. An external partner can help. Security experts and managed service providers can use their accumulated client experience and threat intelligence to help you prepare for shifting tactics.