Healthcare Perspectives


Healthcare is cybercriminals’ most targeted sector — here’s what you can do

Nov 13, 2020
By: Tom Wojcinski

Bad cybersecurity can kill people. Bold statement, I know. Sadly it’s become reality when hospitals are hit with ransomware and ERs can’t accept patients.

In the cybersecurity industry, we’ve long used the adjective “devastating” to describe a hack that took a business offline and wiped out their data or required payment of a large ransom. Data loss, ransom payments (hopefully covered by your cybersecurity insurance carrier) and reputational damage caused by getting hacked are nothing compared to the loss of human life.

Ransomware continues to be one of the most prevalent cyber threats, with new attacks occurring daily. In fact, there has been a significant increase in ransomware attacks targeting healthcare providers, and the healthcare sector is the most targeted globally.

Why you need to know the indicators of compromise

A recent alert from the Cybersecurity & Infrastructure Security Agency on the threat facing hospitals and care systems provided detailed analysis of the malware involved in recent attacks. This is a great read, but be warned, it gets technical quickly. The thing I like best about this alert is that it talks about the indicators of compromise (IOCs) that security researchers have identified.

IOCs are instrumental in defending your networks against certain attacks. By understanding key characteristics of malware behavior (which are collectively referred to as IOCs) like runtime locations, naming conventions, and command and control traffic patterns, we can tune our monitoring systems and processes to identify these IOCs and have a shot at responding before the attack gets too bad.
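
The following Python example is added here and is not from the article or the CISA alert; it shows how the three kinds of IOCs named above (runtime locations, naming conventions, and command and control traffic patterns) could be matched against endpoint and network telemetry. The directory list, file-name pattern, thresholds, host names and addresses are all constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed placeholder indicators, NOT real IOCs from any alert.
SUSPECT_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\")  # runtime locations
SUSPECT_NAME = re.compile(r"^[a-z]{12}\.exe$")                 # naming convention
MIN_BEACONS, MAX_JITTER = 5, 0.10                              # C2 traffic pattern

def match_process(path):
    """Return the IOC categories that a process image path matches."""
    p = path.lower()
    hits = []
    if p.startswith(SUSPECT_DIRS):
        hits.append("runtime_location")
    if SUSPECT_NAME.match(p.rsplit("\\", 1)[-1]):
        hits.append("naming_convention")
    return hits

def find_beacons(conns):
    """Flag (src, dst) pairs whose connection gaps vary by <= MAX_JITTER of the mean gap."""
    times = defaultdict(list)
    for ts, src, dst in conns:
        times[(src, dst)].append(ts)
    flagged = []
    for pair, seen in times.items():
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        if len(seen) < MIN_BEACONS or mean(gaps) == 0:
            continue  # too few samples to judge regularity
        if pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            flagged.append(pair)
    return sorted(flagged)

def triage(proc_events, conns):
    """Map each host to the distinct IOC categories it exhibits."""
    score = defaultdict(set)
    for host, path in proc_events:
        score[host].update(match_process(path))
    for src, _dst in find_beacons(conns):
        score[src].add("c2_beaconing")
    return {h: sorted(c) for h, c in score.items() if c}

# Constructed sample telemetry: (host, image path) and (epoch seconds, src, dst).
PROCS = [("ws-rad-07", r"C:\Users\Public\qwertyasdfgh.exe"),
         ("ws-lab-02", r"C:\Windows\System32\svchost.exe")]
CONNS = ([(t, "ws-rad-07", "203.0.113.50:443") for t in (0, 60, 121, 180, 241, 300)] +
         [(t, "ws-lab-02", "198.51.100.9:443") for t in (0, 5, 400, 410, 2000)])
print(triage(PROCS, CONNS))
```

A host that matches several independent categories at once is a stronger lead than any single match, which is why the result groups hits per host.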

Actions you can take to protect your healthcare organization

Understanding IOCs and having the ability to identify and interrupt ransomware attacks is critical, but there’s much we should be doing to secure our organizations and make them more resistant to malware attacks in the first place. We think of two main efforts when talking about increasing resistance to ransomware attacks.

First, you need to train your users to be skeptical of emails and be aware of the ways cybercriminals attack people in efforts to get malware installed on a network.

Second, you need to harden your network to withstand attacks attempting to gain unauthorized access to your network.

That’s easier said than done, as there are many things that need to be accomplished here. At a minimum, that includes multifactor authentication at remote access points and other practices like segmenting networks, patching systems and eliminating vulnerabilities, as well as deploying monitoring technologies that can detect and alert you to ransomware attacks.

Another aspect related to system hardening is credential management. Many healthcare providers leverage biometrics and proximity card readers to speed up the processes of logging in to systems in a clinical environment. These methods don’t replace passwords — they just put an overlay on top of the passwords. You still need to have strong passwords underpinning those cards.

As much as we want them to be, we can’t count on our resistant capabilities to be 100% effective in stopping attacks. A big part of being a resilient organization is expecting that you’ll get attacked, so you have to be prepared. You need to make sure your systems are recoverable and have a plan you know will work when you need to recover from an incident.

The importance of the recovery plan

Ensuring your systems are recoverable is a big part of what we do at Wipfli. This consists of developing a layered backup strategy that isolates and secures backups with offline copies that can’t be reached and encrypted by ransomware.

Another key part of being resilient is preparing and practicing a recovery plan. Documenting a plan is a great start, but you need to practice the plan to ensure it’s effective and make sure people know what to do during an actual attack. You’ll need to think through different scenarios that affect your hospital: What if ransomware impacted OR scheduling or medical imaging, but the full EMR was still operational? What if your EMR was offline? Anticipating these different scenarios in your plan is key to orchestrating an effective recovery.

Unfortunately, ransomware isn’t going away. Cybercriminals are getting more specific and targeted in their attacks. We’re seeing that now in healthcare, and the timing with COVID-19 cases spiking across the country couldn’t be worse. Healthcare providers need to have specific plans to deal with ransomware. These plans need to include both the preventive safeguards that make you more resistant to attack and the recovery processes that let you recover in the event an attack does take root.

To learn how you can become a more resilient organization, contact Wipfli.

Tom Wojcinski, CISA, CRISC