
Ransomware Guide: Strategies to Safeguard Data

Written by Josh Ray | Aug 27, 2024 4:20:04 PM


For healthcare organizations, ransomware is one of the most serious cybersecurity threats. An attack can severely disrupt operations, forcing providers to cancel procedures and insurers to halt claim processing. Organizations might have to pay millions of dollars in ransom while also covering the costs of IT remediation, regulatory fines, and lawsuits. Patients, meanwhile, could feel immediate and long-term health repercussions if they are unable to receive care or fill prescriptions. 

How can your organization reduce the likelihood of ransomware attacks and mitigate damage from incidents? A comprehensive ransomware strategy is critical. You need plans to prevent attacks, identify infections, and respond rapidly if attacks occur.  

What is Ransomware?

Ransomware is malicious software, or “malware,” that encrypts data or locks authorized users out of critical systems. Attackers demand a ransom in exchange for providing the decryption key or restoring system access. In recent years, some attackers have compounded their threats. They might threaten to steal—and sell—sensitive data, or attack partner organizations, unless victims pay large sums.

Types of ransomware

Since this type of attack first appeared more than 30 years ago, cybercriminals have developed numerous variants of ransomware. At a high level, the two types most commonly experienced by healthcare organizations are crypto ransomware and locker ransomware.

Crypto ransomware encrypts data, preventing users from accessing it without the decryption key. Locker ransomware locks users out of a system, though it typically leaves files and folders unharmed. Users might see a lock screen that displays a ransom note, sometimes accompanied by a countdown clock.

Common attack vectors and targets

Most ransomware attacks begin with phishing. Attackers try to trick individuals into clicking on a link within an email or text, and then entering login credentials on a fake website. The attackers can use those credentials to access the enterprise network. Alternatively, users might receive an email attachment that is ransomware disguised as a legitimate file. 

Attackers have also been known to launch network intrusions, run scripts that download ransomware onto individual systems without users’ knowledge, and exploit vulnerabilities in software or operating systems. In each case, the goal is to gain access to the enterprise network and infect systems with ransomware.

Attackers often target healthcare organizations because they have valuable patient data and mission-critical applications that make them sensitive to operational disruptions. Attackers know that these organizations will be eager to resolve ransomware events quickly, potentially by paying large ransoms.

Ransomware Prevention Strategies

You cannot control whether attackers target your organization. But you can implement some key ransomware prevention solutions that reduce the odds of a successful attack.

Regular data backups

Backing up critical data should be an essential component of any ransomware prevention strategy. If you can maintain a complete, up-to-date, and unchangeable copy of your data, you might be able to refuse attackers’ demands for ransom. In the event of an attack, you could restore the backed-up data to clean systems and resume operations.

Endpoint protection

Because ransomware often enters networks through endpoints, implementing endpoint protection can be effective. Anti-virus and antimalware tools, for example, can identify and block malware, and also prevent user behaviors that could put endpoints at risk. For example, these tools might stop employees from installing unsecured software or visiting unknown websites. 

Employee training and awareness programs

Employee training and awareness is also vital in preventing attackers from gaining access to enterprise networks. Employees should learn how to recognize phishing attempts and identify early signs of malware infection. They should know who to contact when they spot anything suspicious.

They should also learn best practices for setting robust, unique passwords, using multi-factor authentication (MFA) tools, and protecting devices from theft. Instilling these best practices in employees as part of a culture of security can play a central role in reducing risks.

Signs of a Ransomware Infection

Despite your best efforts at prevention, your organization might still be attacked. What are the first signs of ransomware infection? 

Odd system behavior

When individual computers are infected, users might experience slow system performance, software crashes, operating system freezes, or rapidly decreasing storage space. They might also notice that their usual web browser has a new toolbar or that URLs are redirecting to odd pages. And they might have trouble logging into cloud-based apps.

At the network level, IT or security teams might initially see a spike in phishing emails across the company or numerous attempts to access network resources. Once infection has occurred, they might observe attempts to disable directory services or domain controllers. Data backup activity could also increase rapidly if the backup system tries to back up newly encrypted files.

Encrypted files with strange extensions

If ransomware successfully encrypts files, users could notice that file names have strange new extensions. They might be unable to open or use those files. In some cases, they might even be unable to find them at all if attackers have moved them.
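The file-level signs described in this section (unfamiliar extensions, content that no longer opens because it is ciphertext, and many files rewritten within minutes) can be checked mechanically. The following is an added example for this article, not a Cloudticity tool: it scans a directory for files whose extension is not on an allow-list and whose leading bytes have near-random Shannon entropy, then checks whether the hits were modified in a burst. The extension list, entropy threshold, window and burst count are assumptions to tune per environment, and the sample share it scans is constructed inside the script.

```python
"""Heuristic scan for the file-level signs of ransomware: unfamiliar extensions,
content that looks encrypted, and many such files rewritten within minutes.
Constructed example for this article, not a Cloudticity tool; the extension
list and thresholds are assumptions to tune per environment."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally present on the hypothetical clinic's file share (assumed).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
ENTROPY_THRESHOLD = 7.5     # bits per byte; assumed cut-off (text sits near 4-5, random near 8)
BURST_WINDOW_SECONDS = 300  # assumed: five minutes
BURST_COUNT = 5             # assumed: this many suspicious files in one window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random, 0.0 means one repeated byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def suspicious_files(root: Path, sample_bytes: int = 4096) -> list[Path]:
    """Files whose extension is unfamiliar AND whose leading bytes look encrypted.
    Compressed archives with unusual extensions also score high, so treat hits as
    leads to triage, not verdicts."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() in KNOWN_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            hits.append(path)
    return hits


def modification_burst(paths: list[Path], window: float = BURST_WINDOW_SECONDS,
                       count: int = BURST_COUNT) -> bool:
    """True when at least `count` of the files were modified inside one `window`-second
    span, the mass-rewrite pattern that separates encryption from a user renaming a file."""
    times = sorted(p.stat().st_mtime for p in paths)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= count:
            return True
    return False


def build_sample_share(root: Path) -> None:
    """Constructed sample: two ordinary text files plus six charts overwritten with
    random bytes and given a double extension, mimicking a post-encryption share."""
    (root / "readme.txt").write_text("Patient intake checklist - revision 3\n" * 20)
    (root / "notes.md").write_text("Unfamiliar extension but plain text, so not flagged.\n" * 20)
    for i in range(6):
        (root / f"chart_{i}.docx.locked").write_bytes(os.urandom(4096))


def demo() -> dict:
    """Build the sample share in a temp dir, scan it, and report what the scan found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        hits = suspicious_files(root)
        return {"suspicious": sorted(p.name for p in hits), "burst": modification_burst(hits)}


if __name__ == "__main__":
    print(demo())
```

Requiring both an unfamiliar extension and high entropy keeps ordinary renamed documents out of the results; the burst check is what turns a handful of odd files into an incident signal worth paging on.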

Locked screens or restricted access

If attackers are using locker ransomware, users might encounter locked screens upon startup. Or they might find that their passwords for enterprise or cloud-based apps no longer work. If attackers are using crypto ransomware, users could similarly have difficulty accessing data or operating applications that process this data. 

Ransom notes demanding payment 

A ransom note is an obvious sign of a ransomware attack. When attackers use locker ransomware, they might display a note as soon as a user logs into an individual system. With crypto ransomware, administrators might discover notes among files within an infected system. Otherwise, attackers might send emails or text messages notifying victims of the attack and providing ransom payment instructions.

Immediate Steps After a Ransomware Attack

Is your organization prepared for an attack? Having an incident response plan in place beforehand can help you take action quickly and minimize damage.

Disconnect from the network and internet

Your first step should be to isolate infected systems so you can prevent the further spread of the malicious software. Disconnect any infected computers, mobile devices, servers, or storage systems from the network, shutting them down if necessary. Make sure that those systems are disconnected from not only your internal network but also the internet—that way ransomware cannot communicate with an external command-and-control server.

Assess the extent of the infection  

As part of your effort to isolate systems, you should also determine the extent of the infection. Is it limited to endpoints? Has the ransomware reached critical systems or sensitive patient data? Is it restricted to a particular on-premises or cloud environment? Has it affected your data backups? Understanding the scope will dictate some of your next steps. 

Identify the type of ransomware

Identify the type of ransomware that has infected your systems as early as possible. First, determine whether this is an encryptor or a locker. Then attempt to determine the particular variant—there are several free tools that can help. Pinpointing the variant will help you understand how the ransomware spreads and what you need to do to remove it.

To Pay or Not to Pay the Ransom

At some point early in the attack, you’ll need to decide whether or not to pay the ransom. It’s not an easy decision. But weighing some of the pros and cons ahead of time can at least streamline the decision-making process. 

Pros and cons of paying the ransom

There are several good reasons to refuse payment. First, paying the ransom will be expensive. In addition, paying does not guarantee that attackers will give you the decryption key or help you regain access to systems. You might also be able to refuse if you have a complete, uninfected backup of data.

Still, paying the ransom often seems to be the fastest way to get back to business. Given the severity of business disruptions and patient harm that can be caused by attacks, it’s not surprising that many healthcare organizations do wind up paying.

Legal and ethical considerations

Many governments and law enforcement agencies discourage the payment of ransoms. The International Counter Ransomware Initiative—which includes members from 48 countries, the European Union, and Interpol—released a joint policy statement saying that governments should not pay ransomware extortion demands. The United States signed the statement. The statement does not exclude companies from paying, however, and the U.S. federal government has not banned companies from paying.

Healthcare organizations do have a legal responsibility to protect sensitive data. If attackers steal and sell patient data, for example, a healthcare organization would be subject to regulatory fines and could also face lawsuits. 

Beyond legal responsibilities, there are also ethical considerations as you decide whether or not to pay. Paying the ransom rewards criminal behavior. Furthermore, as long as there are organizations that are willing to pay, there will be plenty of criminals eager to launch attacks. 

Removing File Encryption Ransomware

Whether or not you pay the ransom, you will need a plan for removing the ransomware from your systems. 

Decryption tools and resources

There are several decryption tools and keys available to help you regain access to your data—and some of them are free. Nevertheless, you might encounter a strain for which there is no decryptor readily available.

If you are unable to find an effective decryption tool, or are unsure about how to use one, consider working with an outside security expert to assist with the decryption process. Such specialists can help you restore access to files rapidly while sparing your teams from having to learn every step of the decryption process.

Data recovery methods

If you have a clean, complete, and up-to-date copy of the data encrypted by attackers, you can start restoring that data to clean, uninfected systems. Organizations that have redundant systems already in place can speed up the process. They can fail over from the primary, infected systems to the secondary systems with little to no disruption.
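Both the backup guidance earlier in this article and the recovery step here rest on the same question: is the copy you are about to restore actually clean, complete, and unchanged? The following is an added example for this article, not a Cloudticity tool: at backup time it records a SHA-256 hash for every file and signs the record with an HMAC key that is assumed to be stored away from the backup share; before a restore it recomputes the hashes and reports modified, missing, and unexpected files, and refuses to trust a manifest whose signature does not verify. The key and the sample files are constructed inside the script.

```python
"""Backup integrity check to run before a restore: every recorded file present,
every hash unchanged, and the manifest itself authenticated with an HMAC key
kept away from the backup share. Added example for this article, not a
Cloudticity tool; the key and files below are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, excluding the manifest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def sign(entries: dict, key: bytes) -> str:
    """HMAC over a canonical JSON form of the entries."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_manifest(backup_root: Path, key: bytes) -> None:
    """Record the tree's hashes and sign the record at backup time."""
    entries = hash_tree(backup_root)
    doc = {"entries": entries, "hmac": sign(entries, key)}
    (backup_root / MANIFEST_NAME).write_text(json.dumps(doc))


def verify_backup(backup_root: Path, key: bytes) -> dict:
    """Compare the tree with the manifest. manifest_ok False means the manifest was
    altered or signed with a different key, so none of its entries can be trusted."""
    doc = json.loads((backup_root / MANIFEST_NAME).read_text())
    recorded, actual = doc["entries"], hash_tree(backup_root)
    return {
        "manifest_ok": hmac.compare_digest(sign(recorded, key), doc["hmac"]),
        "modified": sorted(n for n in recorded if n in actual and actual[n] != recorded[n]),
        "missing": sorted(n for n in recorded if n not in actual),
        "unexpected": sorted(n for n in actual if n not in recorded),
    }


def demo() -> dict:
    """Take a clean backup, verify it, then simulate an attacker who reached the share
    (one file encrypted in place, one removed, one renamed copy added) and verify again."""
    key = b"constructed-demo-key-store-this-off-the-backup-share"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("claims.csv", "patients.csv", "schedule.csv"):
            (root / name).write_text(f"constructed sample record,{name}\n")
        write_manifest(root, key)
        clean = verify_backup(root, key)
        (root / "claims.csv").write_bytes(os.urandom(64))      # overwritten with ciphertext
        (root / "patients.csv").unlink()                         # removed
        (root / "patients.csv.locked").write_bytes(os.urandom(64))
        tampered = verify_backup(root, key)
        wrong_key = verify_backup(root, b"some-other-key")["manifest_ok"]
        return {"clean": clean, "tampered": tampered, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the HMAC key off the backup share is the point of the signature: an attacker who can rewrite files on the share could also rewrite an unsigned manifest to match, and the check would pass. Immutable storage adds a second, independent layer, but verification before restore is still what tells you which copy to use.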

Removing Screen-Locking Ransomware

In many cases, screen-locking and locker ransomware variants do not modify files. But they can make it difficult to regain access to those files. 

Safe mode and system restore options

If possible, restart an infected computer in safe mode, which allows only essential, trusted software to run. Once in safe mode, you might be able to remove the ransomware with an antivirus or anti-malware tool.

You can also use a system restore process if available with the operating system. This process returns the computer to its last-known uncompromised state. Alternatively, you might be able to reboot the computer from an external drive and repair any damage to the operating system.

Specialized removal tools

If you are unable to remove the ransomware, and would rather not reinstall the operating system, you can try specialized removal tools or services. There are some free tools that might be able to remove the malware even if your existing security software cannot. 

Next Steps for the Ransomware Response Plan 

After isolating systems, determining the scope of the attack, removing ransomware, and restoring data, there is still more to do. 

Communication and reporting protocols

You will need to report the incident to law enforcement soon after you detect the ransomware. Working with state or federal agencies could help catch the attackers—and even potentially enable you to claw back some of the ransom. In addition, healthcare organizations that are subject to HIPAA rules and experience a breach of patient data must report the incident to the U.S. Department of Health and Human Services (HHS). 

Your organization will also need to notify customers or patients whose data might have been exposed. Then you’ll need to offer identity protection services to those individuals for a time after the event.  

Forensic analysis and lessons learned

The work of forensic analysis should begin even before you’re able to resume normal operations. You should conduct a root-cause analysis to determine how you were attacked, which endpoints were infected, what data was encrypted, whether backups were altered, which customers or patients were affected, and whether any partners were also infected. By understanding the causes and process of the attack, you can start to identify broad lessons learned and develop a strategy for closing any gaps. 

Preventing the Next Attack

By understanding the root causes and progression of the attack, you can start to address issues that might leave you vulnerable to another attack.

Enhancing capabilities

You might need to enhance your cybersecurity capabilities, adding ransomware solutions that can help you defend against new variants or tactics. If you have not already implemented MFA capabilities, that can be a good place to start. Requiring users to authenticate in more than one way, at least in higher-risk situations, can prevent attackers from accessing the network even when they have stolen usernames and passwords. Installing the latest antivirus and anti-malware software on all user systems can help identify attacks early, before they spread to the enterprise network. And using firewalls, intrusion detection systems, and behavior analytics tools can help you identify and block a wide range of threats.
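To make concrete why MFA blunts stolen credentials, here is an added example for this article (not Cloudticity code) of a login that succeeds only when a salted password hash matches and a time-based one-time code (TOTP, RFC 6238) is valid for the current 30-second step. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 test-vector secret, so the codes the script computes can be checked against the published vectors.

```python
"""Why a second factor blunts stolen credentials: login succeeds only if the
password hash matches AND a time-based one-time code (RFC 6238 TOTP) is valid
for the current 30-second step. Added example for this article, not Cloudticity
code; the user record is constructed and the TOTP secret is the RFC 6238
test-vector secret."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked record does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """HOTP(secret, floor(unix_time / 30)) with HMAC-SHA1 and dynamic truncation."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock skew.
    A production verifier must also refuse to accept the same code twice."""
    return any(
        hmac.compare_digest(totp(secret, max(0, unix_time + k * TOTP_STEP)).encode(), code.encode())
        for k in range(-window, window + 1)
    )


# Constructed user record; salt, hash and TOTP secret would live in the identity store.
_SALT = b"constructed-salt-0001"
USER = {
    "username": "nurse.jane",
    "salt": _SALT,
    "password_hash": hash_password("Correct-Horse-Battery", _SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated and both must pass."""
    if username != USER["username"]:
        return False
    password_ok = hmac.compare_digest(hash_password(password, USER["salt"]), USER["password_hash"])
    code_ok = verify_totp(USER["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; use int(time.time()) in practice
    print(login("nurse.jane", "Correct-Horse-Battery", totp(USER["totp_secret"], now), now))
    print(login("nurse.jane", "Correct-Horse-Battery", "000000", now))
```

A phished password gets an attacker through the first check and no further, because the second factor depends on a secret that never left the authenticator. The skew window is deliberately narrow, and replay protection (remembering the last accepted step per user) is the one piece a real deployment must add on top of this.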

Strengthening processes

Many organizations will also need to modify or strengthen processes. Rethinking disaster recovery and business continuity strategies, for example, can be helpful for streamlining the return to normal business operations after an attack. As part of those strategies, consider implementing a more robust data backup process and ensuring that backed-up data is immutable (unchangeable) so you have more options when faced with ransom demands. At a granular level, establishing role-based access policies can limit the spread of attacks even if cybercriminals access part of the network by stealing employee credentials.

Improving employee education

If employees were the inadvertent vector for a previous attack, you might need to revisit your education and training process. Many organizations need to raise awareness about the prevalence of phishing attempts and help employees better identify suspicious emails and texts. Providing best practices about everything from choosing strong passwords to adhering to security policies can help you address multiple types of threats.

Strengthening Defenses Through Collaboration

You are not alone in facing the threat of ransomware. Sharing information and partnering with other organizations can help everyone reduce the damage from these attacks.

Sharing information 

Participating in cybersecurity forums and communities can help you stay informed of emerging threats and enable you to discover best practices from other organizations. Sharing information about tools, practices, and incidents you have experienced can be beneficial for all organizations.

Partnering with outside experts

Many healthcare organizations benefit from partnering with external security experts or managed service providers. These third parties can help you assess risks, implement preventive measures, undertake continuous threat monitoring, devise response strategies, and recover from attacks. Working with outside experts—especially organizations with healthcare-specific experience—can help ensure you are investing your time and resources in the most important areas. 

Ready to strengthen your ransomware prevention strategy? Work with a team that combines deep cybersecurity skills and healthcare-industry expertise. Contact the experts at Cloudticity for a free consultation today.