Healthcare organizations are among the most frequent targets of ransomware attacks. Cybercriminals know that providers, insurers, and other healthcare organizations have sensitive patient data and mission-critical systems—and these organizations will feel tremendous pressure to minimize interruptions and regain access to data, even if that means paying a large ransom.
There is little your organization can do to prevent being targeted by attackers. But you can implement a wide range of measures to help thwart attacks, mitigate damage, and resume normal operations. Building a robust ransomware resiliency plan starts with understanding what ransomware is and how it can harm you.
Ransomware has existed for decades. But the ability to use untraceable cryptocurrency for ransom payments has led to a rise in attacks, especially attacks on large enterprises. Today cybercriminals can hold sensitive data hostage, demand millions of dollars in ransom, and potentially get away with the crime.
For healthcare organizations, ransomware attacks can be financially disastrous. Beyond the cost of the ransom, they could lose revenue from interrupted services, need to pay large sums to conduct investigations and restore systems, be forced to pay regulatory fines, and be subjected to lawsuits from patients or customers.
Individuals suffer as well. During an attack, they might be unable to communicate with providers, fill prescriptions, have necessary procedures, or receive emergency care.
Most ransomware attacks follow a common pattern: Attackers gain access to an enterprise network and install the malicious software. That ransomware might then self-propagate through the organization’s IT network. Ultimately it encrypts sensitive data. Attackers then demand ransom in exchange for providing the decryption key. They also might threaten to steal—and sell—data or attack partner organizations unless the ransom is paid.
Organizations are most frequently attacked with one of two types of ransomware. Crypto ransomware encrypts data, preventing users from accessing it without the decryption key. Locker ransomware locks users out of a system, though it typically leaves files and folders unharmed. Users might see a lock screen that displays a ransom note, sometimes accompanied by a countdown clock.
Ransomware attacks often begin with phishing. Attackers trick users into clicking on links within emails or text messages. Users are taken to spoofed websites where they are asked to enter login credentials. Attackers then steal those credentials and use them to access the enterprise network.
Alternatively, attackers could launch network intrusions or use “drive-by downloads” to implant ransomware on computers. Drive-by downloads occur when individuals inadvertently download malicious software. They might believe they are downloading a legitimate application, or they might visit a compromised website that executes a download script without the user even knowing it is happening.
Is your organization at risk of becoming a ransomware victim? Assessing your vulnerabilities is a key first step in developing a ransomware resilience strategy.
How might cybercriminals gain access to your corporate network? Would they be able to log in using stolen employee credentials? Once attackers access one area, can they access everything? Do you regularly back up data—and could backups be modified by someone with the right access privileges? Find your environment’s weaknesses before attackers do. You should scrutinize every possible avenue for entering your environment and doing damage.
What areas of your IT environment are at the greatest risk? What are your most valuable assets? Any databases, repositories, or apps that store patient or customer information are likely targets—they contain the data that attackers are most eager to hold hostage. Critical systems that support daily operations are also potential targets, since attackers know that you will be under pressure to restore access to those systems. Your data backups could be at risk as well: If attackers can encrypt both primary data stores and copies, they have better leverage for demanding ransom.
Many organizations will benefit from working with outside security experts to conduct a ransomware risk or resilience assessment. You can work methodically through your environment to find all potential vulnerabilities. You can also evaluate your plans for responding to and recovering from an attack. Partnering with an outside firm can help ensure that you are prepared for the latest tactics and ransomware strains.
This assessment could be part of an established program, such as HITRUST certification. You could work with an external assessor to determine which controls you need both to comply with key regulations, such as HIPAA, and to improve security.
As you start to develop your plans for ransomware defense and resilience, consider organizing your strategy around three key elements: people, processes, and technology.
Because ransomware attacks often begin with phishing or another type of social engineering tactic, your people should be a primary focus of your defense. Many organizations need to raise awareness about the prevalence of phishing attempts and help employees better identify suspicious emails and texts. Moreover, providing best practices about everything from choosing strong passwords to adhering to security policies can help you address multiple types of threats.
Strengthening your security policies and procedures can further help prevent attacks from reaching fruition. For example, you could implement role-based access policies and the principle of least privilege. With these policies, employees can access only the resources that they need for their job. Consequently, you will limit the spread of an attack even if cybercriminals steal employee credentials.
Many organizations also need to augment their current security capabilities. Legacy solutions might be insufficient to combat the latest threats. You might need to implement multi-factor authentication (MFA) to address the vulnerabilities of employing only usernames and passwords. Installing the latest antivirus and anti-malware software on all user systems can help identify attacks early, before they spread to the enterprise network. And using firewalls and intrusion detection systems can help monitor network traffic and block out known threats.
In addition to bolstering defenses, you should develop plans for responding to attacks and returning to normal operations.
Having an incident response plan in place is crucial. In the event of an attack, you need to act fast to reduce damage. From the moment of detection, you should isolate infected systems to prevent the spread of ransomware. You can then start conducting a forensic analysis, work to restore data access, notify law enforcement and regulatory agencies, and contact patients or customers who might be affected.
Beyond educating employees about identifying ransomware and adopting best practices, you should train them on what to do when they receive phishing emails—or when they believe their computer is infected. For example, they should know which teams to contact and when to shut down their systems to prevent the spread of malware.
To improve your ransomware resilience, you should have plans in place to mitigate the impact of an attack.
If you have a complete, up-to-date backup of your data, you might be able to refuse ransom demands. You could restore the backed-up data to clean systems and resume operations quickly. You would then have the time to thoroughly wipe infected systems.
Robust access controls will help prevent initial access by unauthorized individuals. Just as important, those controls can stop attackers and ransomware from moving laterally across systems if they have already infiltrated the network. You could stop an attack before it reaches critical systems and encrypts your most sensitive data.
At the same time, you can make data encryption work for you—and against cybercriminals. Encrypting your data and your backups can help ensure that information will not fall into the wrong hands. Even if your data is stolen, attackers might be unable to decrypt it and use it to commit further crimes. Of course, encrypting your data before attackers get to it will not stop a ransomware attack, but it can reduce the attack’s damage.
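As an added example (not code from the original article or from Cloudticity), a minimal backup-integrity check along the lines of the backup and encryption measures above: a SHA-256 manifest of each backup file is recorded and kept apart from the backup set, and a later verification flags files that went missing or changed, with an entropy heuristic marking changed files that look as if they were encrypted. File names, sample contents, and the entropy threshold are constructed for the demonstration.

```python
"""Backup integrity manifest: detect backup copies that were altered or
encrypted after they were written. Added example; not Cloudticity's code."""
import hashlib, math, os, tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data approaches 8.0

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def build_manifest(backup_dir: Path) -> dict:
    """SHA-256 per file. Keep this manifest on separate, write-once storage."""
    return {str(p.relative_to(backup_dir)): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Hash mismatch is the primary signal; entropy hints that a changed file was encrypted."""
    current = build_manifest(backup_dir)
    report = {"missing": [], "modified": [], "likely_encrypted": [],
              "added": sorted(set(current) - set(manifest))}
    for name, digest in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != digest:
            report["modified"].append(name)
            if shannon_entropy((backup_dir / name).read_bytes()[:65536]) > ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(name)
    return report

def demo() -> tuple:
    """Constructed sample: two plaintext records; then one is overwritten with
    random bytes, standing in for a backup copy that ransomware encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "patients.csv").write_text("id,name\n1,Test Patient\n" * 50)
        (backup / "notes.txt").write_text("Routine follow-up scheduled.\n" * 20)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)
        (backup / "patients.csv").write_bytes(os.urandom(4096))
        tampered = verify_backup(backup, manifest)
    return clean, tampered
```

Backups that are already encrypted at rest will always show high entropy, so for them only the hash comparison is meaningful; the manifest itself must live where the same credentials that write backups cannot alter it.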
Ransomware attacks continue to evolve. Attackers are adopting new techniques and developing new strains to evade defenses. Your goal is to remain one step ahead.
Learning about new threats before you face them can mean the difference between a successful defense and multi-million-dollar losses. But staying up to date on ransomware trends can drain internal resources. In many cases, organizations benefit from partnering with outside security experts and managed service providers to do that work for them. Partner organizations can use threat intelligence services and draw from extensive client experiences to help keep you well informed.
As threats change, so must your ransomware resilience plan. You should conduct regular reviews, making sure you identify any new vulnerabilities. Periodically, you might need to update employee education, revise processes, or implement new capabilities to address emerging threats.
Periodic risk assessments and vulnerability testing can help ensure that you are prepared for whatever lies ahead. Conducting these assessments and tests as part of a program, such as HITRUST certification, can help you not only strengthen security but also earn a badge that reassures your partners and customers.
Preparing for ransomware attacks does not have to be a solo effort. Across the healthcare industry and beyond, organizations can benefit from collaborating and sharing information.
Take advantage of industry best practices when developing your policies and strategies for combating ransomware. There’s no reason to reinvent the wheel when many organizations have already learned important lessons from previous attacks.
You can also draw from the latest threat intelligence as you optimize your strategies. Many cybersecurity companies offer threat intelligence services that can provide insights on the latest ransomware strains and fast-changing techniques. Some security tools—such as anti-malware software, firewalls, and security information and event management (SIEM) systems—use threat intelligence to find and block new types of attacks.
There are numerous communities in healthcare and cybersecurity designed for sharing information. Your organization should consider participating in online and in-person forums, where you can share your experiences and learn how other organizations are building their resilience strategies.
The rise in ransomware and other types of attacks has forced healthcare organizations to spend more time and money on cybersecurity. But you do not need to pull in-house resources away from your core business. Establishing partnerships with cybersecurity experts and managed service providers can help you tap into rich expertise, experience, and tools while enabling your staff to focus on more strategic goals.
For healthcare organizations, regulatory compliance and legal considerations should always be an essential component of ransomware resilience planning. As you implement new tools and processes, you must be aware of how changes will affect your compliance posture.
You know how vital HIPAA compliance is to your healthcare organization. But you must also understand all other relevant laws and regulations pertaining to data privacy and security. For example, if you are planning to implement a new data backup strategy that involves using cloud services or geographically distant data centers, you need to be aware of data sovereignty and data localization laws that might apply to your organization.
In your preparation for ransomware attacks, you might be focused on preventing access to systems and stopping malware from executing. But remember that ransomware attacks can do more harm than encrypting your data and temporarily locking you out.
You need to implement measures to protect that data from theft or loss: Attackers might never provide a decryption key, and they might in fact steal and sell the data. Having adequate data protection and backup tools in place enables you to retain irreplaceable data. Moreover, implementing data privacy measures—such as encrypting data—can help ensure that patient or customer information is not accessible to criminals even if it is stolen.
Any attack or data breach can make you liable for regulatory fines and potential lawsuits. Consider adopting cyber insurance as a way to cover some of these costs. But also be sure to have a plan in place for how to alert regulatory agencies and then how to reach fair settlements with the government and any harmed individuals. Working with outside cybersecurity or legal teams can be the most efficient way to develop strategies and ultimately address the legal and regulatory consequences of attacks.
Ready to start building your plan for ransomware mitigation? Cloudticity can help. Contact us today for a free consultation.