Healthcare: Essential Defenses for Combating RansomwareMove Infrastructure to the Cloud and Hone Incident Response Plans, Experts Say
To avoid having to even consider paying a ransom, experts have long urged all organizations to put better defenses in place, and the healthcare sector is no exception.
To put that another way: Despite the number of successful attacks doubling in the past four years, healthcare systems can be protected from ransomware attacks. Bill Siegel, co-founder and CEO of ransomware incident response firm Coveware, says an ideal strategy is to move from on-premises servers and backups to the cloud. Doing so outsources availability, uptime and security to the SaaS vendor and also facilitates better backup and recovery if something does happen.
"It's just a question of resources," Siegel says, adding that there's no "easy button" to make it happen quickly. But one big benefit of moving to the cloud is that it makes restoration a faster and less error-prone process.
"If you get attacked, you don't have to worry about a 16-petabyte data store, recovery process or decryption process," he says. "You may have some disruption, but your EHR data will still be accessible. And the difference here is time, right? There are certain facilities within a healthcare organization - think the NICU, oncology, radiology - where a lack of EHR data can lead to not-great patient outcomes in less than 24 hours because you have very complex treatments that are necessary."
While you may have a perfectly viable backup for your EHR, Siegel says you may face patient care issues in the five or six days it takes to restore. "If you're migrating to the SaaS application for your EHR, worst-case scenario is people get little laptops and hot spots. They can still log in and try and piece together treatment for a critically ill individual," he says.
From a defensive standpoint, Siegel says organizations can employ a long list of tactics. Leading up to ransomware, the biggest weakness he sees is a cultural issue, centered on failing to take the risk seriously and make appropriate investments to prevent such incidents. "These are the times we live in, and it's just the cost of doing business," he says. "You have to make these investments."
Ransomware attackers gain remote access to a victim's network and typically linger, studying the network and gaining greater access, before deploying crypto-locking malware. Thus, it's imperative to spot those activities before files start getting encrypted.
"Most groups now will also want to steal large amounts of data before they launch the ransomware, and then they'll actually plan out how they're going to deploy the ransomware to all of your servers, all of your machines or whichever ones they choose," says Peter Mackenzie, director of incident response at Sophos. "That's not something that happens instantly. That can take days or weeks of preparation."
Based on incidents Sophos has investigated this year, more than 80% exhibited classic, "noisy" signs of ransomware attack - and that an attacker's average dwell time, before unleashing ransomware, was about 11 days, he says. In this race around the clock, many organizations are opting to work with managed detection and response firms to detected threat actors sooner.
If Attacks Get Through
Even the most well-prepared organization can fall victim. But what happens next is up to them.
"The most important thing is to be prepared, have a plan and have an incident response plan - whether you're a small, rural, 15-bed hospital or whether you're a major regional system with thousands of beds," says Greg Garcia, executive director of the Health Care and Public Health Sector Coordinating Council.
Incident response plans shouldn't just be for the IT department, but rather to coordinate the entire organization's response and ensure continuity. For example, Garcia says, one "gotcha" organizations face when the get hit by ransomware is: "How do we move to a paper-based system, particularly when … all of the medical students graduating these days have never written a paper prescription? It's now entirely electronic. What do you do when that goes down?" Devoting time to practicing this sort of fallback in advance can have a direct impact on continuity in the event of a system outage, he adds.
Sophos' Mackenzie says an excellent defensive strategy for all organizations is to run tabletop exercises to simulate how an organization should respond and who inside the organization should be involved for a range of scenarios such as a ransomware attack. Then apply these exercises to refine their incident response plans.
"I absolutely love anyone doing tabletop exercises," he says, adding that it can be done either in person or via Zoom. "Ask questions like: What would happen if all our servers got encrypted today, and we had to rebuild everything? How long would it take to get this department new laptops?"
While it's not a healthcare example, he says the attack on Colonial Pipeline in May 2021 offers multiple lessons, not least because the organization opted to pay a bitcoin ransom worth $5 million for a decryptor.
"They made the decision to do that, I think within the first day, and it wasn't because they didn't have backups," Mackenzie says. "It was because they hadn't considered an attack of this scale, where the backups are all stored in one physical location, but the machines that they would need to recover were across distances of hundreds of miles, and it's going to take them weeks or longer to actually restore those backups."
Another best practice: Ensure hard copies of the incident response plans are always kept at the ready, because if systems get crypto-locked, digital copies of the plan are likely to be inaccessible.
Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.