A ransomware attack can have a sudden and serious impact on a healthcare organization. When cybercriminals hold patient data hostage and lock authorized users out of systems, organizations can suffer from severe disruptions to services and experience significant financial losses. Recovering from an attack can be a painfully slow process—especially if an organization doesn’t have a plan.
What is your organization’s plan for recovering from a ransomware attack and getting back to business? Following a few best practices can help you mitigate the damage from an incident and speed the resumption of normal operations.
What is Ransomware Recovery?
Ransomware recovery is the process of returning to normal operations after an attack. It involves regaining access to the sensitive data targeted in the attack, and resuming use of critical systems and applications.
Importance of having a recovery plan
A recovery plan can help your organization minimize service disruptions and speed resolution. You can avoid the chaos that can ensue when an attack occurs and ensure that team members can work quickly and efficiently to address the damage caused by attackers.
Potential consequences of a ransomware attack
For providers, insurers, and other healthcare organizations, a ransomware attack can be devastating. The attack can force hospitals to halt critical services and require insurers to stop processing claims. The financial impact is often felt immediately: An organization might have to pay a hefty ransom while simultaneously losing revenue from service disruptions. It will then need to pay for data recovery, forensic investigations, and vulnerability remediation. Later, an organization could face regulatory fines and the costs of litigation brought by patients.
Attacks can also put patient health at risk. If individuals are unable to communicate with providers, fill prescriptions, have procedures, or receive emergency care, they could suffer serious health effects.
Preparedness and Prevention
Improving preparedness and prevention can ultimately aid with recovery. Strengthening cybersecurity, backing up data, and educating employees can help avert large-scale attacks and enable organizations to recuperate from incidents faster.
Implementing strong cybersecurity measures
There are several cybersecurity measures that can help contain the potential damage from an attack. For example, deploying antivirus and email security capabilities on endpoint devices can help prevent phishing emails from reaching employees and setting a ransomware attack into motion. Multi-factor authentication (MFA) and role-based access management can help ensure that attackers and ransomware cannot burrow deep into networks even if attackers manage to steal login credentials. And firewalls can help identify and block malicious traffic.
Creating a comprehensive backup strategy
Backing up data is one of the most important measures for reducing the damage of a ransomware attack and accelerating recovery. If your organization has a complete, up-to-date, and immutable (unchangeable) copy of patient data that cannot be reached by attackers, you can reduce the need to pay a ransom.
Educating employees on ransomware threats
Educating employees can reduce the likelihood of large attacks. Phishing is often the first step in launching an attack: Attackers hope to acquire usernames and passwords for apps and systems so they can impersonate employees and then implant ransomware within an organization’s IT environment. Employees should learn how to identify phishing attempts, and how to avoid suspicious links and downloads. At the same time, they should understand the importance of using strong, unique passwords and adhering to company security policies.
Detecting Ransomware Incidents
The recovery process can begin the moment a ransomware attack is detected. But what are the signs of an attack?
Common signs of a ransomware attack
Individual employees with malware-infected desktops, laptops, or mobile devices might experience slow performance, unexpected software crashes, operating system freezes, or reduced storage space. They might notice that their usual web browser has a new toolbar or URLs are redirecting to odd pages.
As an attack begins, IT and security teams could see a spike in spam and phishing emails across the organization. Administrators might also observe numerous attempts to access network resources, network scanning, the presence of known hacker tools, scrambled file names or contents, attempts to disable access directories and domain controllers, and increased backup activity (since a backup solution might try to backup newly modified files).
Monitoring tools
Employing the right monitoring tools can help IT and security teams identify patterns that indicate an attack. Antivirus and anti-malware tools can spot infections on endpoints. Networking monitoring tools could identify a range of abnormal behaviors—such as excessive login attempts or the relabeling of file names with new suffixes. Network monitoring tools might see not only odd incoming traffic but also odd outgoing traffic, which might indicate the ransomware is contacting an external command-and-control server.
Whether operating in on-premises or cloud environments, some organizations will benefit from outsourcing 24/7 monitoring to partners. Outside organizations can draw from threat-hunting intelligence and apply automated, continuous monitoring solutions.
Importance of early detection
The sooner you can detect ransomware, the better chance you have of containing its spread and controlling its destructive force. If you can detect ransomware in an employee’s laptop, for example, before it reaches the corporate network, you can avoid the large-scale damage it will cause when it locks users out of critical systems.
Initial Response and Assessment
Your ransomware response plan should be put into action immediately when you detect—or even suspect—a ransomware infection.
Isolating infected systems
The first step in a ransomware response plan should be to isolate infected systems to prevent further spread of the malicious software. Sever the network connections and, if necessary, shut the systems down. Depending on how early you detect the ransomware, you might need to isolate anything from a single laptop used by a remote worker to numerous servers in your IT environment.
Determining the scope of the attack
As soon as possible, you will need to determine how deeply attackers have infiltrated your environment. Is the infection limited to endpoints? Has it reached critical systems or sensitive patient data? Is it restricted to a particular on-premises or cloud environment? Has it affected your data backups? Understanding the scope will help you start your recovery work.
Gathering evidence and documentation
At each step of your response, gather any evidence and documentation that could be useful in catching attackers and preventing future attacks. Try to determine the source and pathway of the attack, the number of infected devices, the variant used, the number of files affected, and the systems targeted. Collect the ransom note, messages from attackers, and any files that could be used as signatures that identify the attackers.
Recovery Strategies
As you determine what has happened, you can start the recovery process. Your goals are to resume normal operations as quickly—and safely—as possible.
Restoring data from backups
If you have a clean, complete copy of the data encrypted by attackers, you can start restoring that data to clean, unaffected systems. In the best case, you would have installed redundant systems already as part of your business continuity strategy. You could then failover from primary systems to secondary systems with little to no disruption.
Exploring paying the ransom
At some point early in the attack, you’ll need to decide whether or not to pay the ransom. There are good reasons to refuse: First, the ransom will be expensive. Second, paying the ransom will encourage further criminal behavior. And third, paying does not guarantee that attackers will give you the decryption key. Of course, if you have a complete backup of data, you have another good reason to refuse payment.
Still, paying the ransom is often the fastest way to get back to business. Given the severity of business disruptions and patient harm that can be caused by attacks, it’s not surprising that many healthcare organizations do wind up paying.
Utilizing decryption tools and techniques
Whether you refuse payment or attackers fail to give you the decryption key, you might need to decrypt the data that attackers have held hostage. Fortunately, there are several decryption tools and keys readily available to help you regain access to data. Still, you might encounter a ransomware strain for which there is not a decryptor readily available. In that case, consider working with an outside expert.
Working with Ransomware Recovery Services
Healthcare organizations have been forced to invest more time and internal resources on cybersecurity. But working with outside experts is often the most effective and efficient way to accelerate recovery from a ransomware attack.
Benefits of professional assistance
By working with numerous clients, cybersecurity experts and managed service providers often have accumulated deep experience in identifying ransomware and eradicating it from IT environments. They are aware of the latest attack techniques and newest ransomware variants. And they can apply best practices for recovering your data and restoring your systems. In many cases, these professionals can help you move on from a ransomware attack faster than you could on your own while also helping to address lingering vulnerabilities.
Choosing the right recovery service
If at all possible, try to find external partners before an attack occurs, so you have the time to thoroughly evaluate the fit with your organization. Depending on your specific needs, you might want to find a partner that has: a local presence, round-the-clock support, experience with your types of systems and environment, and transparent pricing. Finding a partner with healthcare expertise could help streamline the process of notifying the relevant authorities, contacting patients, and closing security gaps in line with healthcare regulations.
Collaboration and communication
A successful relationship with external security businesses or managed service providers requires clear roles and responsibilities, and effective communication. From the moment a ransomware attack occurs, you need to know who is responsible for each key function. You might decide to turn over all responsibility for detecting attacks, isolating systems, conducting analyses, and recovering data to your partner. Or you could share responsibilities.
Best Practices for Ransomware Recovery
Most of the best practices for ransomware recovery are activities that you should undertake before an attack occurs. These practices will help reduce the impact of attacks and enable you to streamline recovery.
Identify critical systems and data
Which of your systems and data are most likely to be targeted? Identify mission-critical applications—such as patient scheduling applications, electronic health record systems, or systems that transmit insurance claims. These are systems that, if compromised, could bring your day-to-day operations to a grinding halt.
Similarly, identify all of your sensitive data—not only patient data but also employee data, financial information, and any intellectual property. Pinpoint all the areas where that data might reside. And implement a strategy for regularly backing it up to a secure location.
Establish clear roles and responsibilities
Just as you should set clear roles and responsibilities with an outside partner, you should do the same with your in-house team. In the event of an attack, which team members will be responsible for disinfecting systems? Which will handle data recovery? Who will work with communications teams to notify patients? When people know their roles and responsibilities, you can avoid confusion and speed up necessary tasks.
Maintain up-to-date backups
Backing up data is crucial to minimizing the damage from ransomware attacks. But to experience the full benefits of your backup strategy, the data must be up to date. You need to ensure that you are backing up data very regularly, if not continuously. Restoring data that is a day or week old will leave you in a vulnerable position: You will still be under pressure to decrypt the data that attackers are holding hostage.
Implement strong access controls
Controlling access to your apps and data should be a high priority. Using MFA can prevent attackers from accessing your network even if they successfully steal login credentials.
Implementing role-based access controls in conjunction with a policy of least privilege can help ensure that their incursion into your network will be limited: If attackers steal a user’s credentials, they would only be able to infiltrate the systems accessible by that particular user.
Test and update the recovery plan regularly
How sure are you that your recovery plan will work when it’s needed? Test the plan regularly. For example, make sure your procedures for recovering data and failing over to redundant systems work as they should. Adjust your procedures over time to accommodate changes in technologies and teams.
Consider cyber insurance
As you add new security capabilities, you might also consider cyber insurance as a way to address the high costs related to ransomware attacks. Policies could help you cover costs ranging from ransom payments and data restoration to regulatory fines and legal settlements.
Enhance cybersecurity awareness
The importance of cybersecurity awareness and education cannot be understated. In addition to knowing particular best practices, all employees should understand why these practices are necessary. After all, the survival of their company depends on all employees collaborating on preventing attacks and keeping data secure.
Post-Recovery Activities
Even after the smoke has cleared from a ransomware attack, there is more to be done. Your organization should be prepared to conduct a more thorough investigation of what happened and start working to prevent future recurrences.
Conduct a thorough forensic analysis
The forensic analysis begins during an attack: Your team needs to determine how you were attacked, which endpoints were infected, what data was encrypted, and so on. Once you’ve restored data and resumed operations, you can go deeper, identifying the vulnerabilities that enabled the attack to occur. Evaluate not only systems and security capabilities but also processes and policies.
Address vulnerabilities and patching systems
By understanding the root causes and progression of the attack, you can start to address gaps. That work might include patching applications and updating operating systems, if, for example, attackers were able to exploit recent software vulnerabilities. You might also need to step up enforcement of existing policies, such as the use of MFA. And you might have to modify existing strategies. If your data backups were corrupted during the attack, for instance, you might need to ensure that future data backups are stored in offline environments.
Review and updating the recovery plan
If you had a recovery plan in place before the attack, assess how well it worked. Were you able to resume operations within your target recovery time? Were you able to refuse the ransom payment? Did you avoid significant disruptions that affected patients or customers? Start modifying the recovery plan right away—the next attack might occur sooner than you think.
Preventing Future Ransomware Attacks
A recent attack does not reduce the odds of a future one. Even as you strengthen security and close gaps, cybercriminals are devising new ways around your defenses. Your work to prevent future attacks should begin the moment the last one is resolved.
Regularly update software and systems
Keeping software and systems updated is a relatively simple and effective means of preventing future attacks. Remember that your software and operating system vendors are continuously monitoring threats and working to address vulnerabilities in their products. Take advantage of their work to protect your environment.
Implement advanced security capabilities
In some cases, you will need to implement more advanced security capabilities. For example, to address vulnerabilities, you might need to use new antivirus software, MFA capabilities, web application firewalls (WAFs), network monitoring tools, or threat intelligence services.
Some organizations might benefit from more dramatic change. Adopting a Zero Trust security model, in which no person or device is trusted by default, can help. You can establish policies that prevent attackers from moving freely within your environment even if they get past initial entry barriers.
Forge new partnerships
As you explore ways to prevent future incidents, it might be a good time to forge new partnerships with cybersecurity experts and managed service providers. Working with outside experts—especially organizations with healthcare-specific experience—can help ensure you are investing your time and resources on the most important areas.
How Cloudticity Can Help
Cloudticity has been helping healthcare organizations stay secure on the public cloud (AWS, Azure, and GCP) since 2011 and we've never had a breach. With our team of cloud experts, advanced technology platform, and proven processes Cloudticity cloud managed services can help you strengthen and simplify cybersecurity.
Ready to strengthen your ransomware prevention strategy? Work with a team that combines deep cybersecurity skills and healthcare-industry expertise. Contact the experts at Cloudticity for a free consultation today.