Throughout this past fall, international criminal organizations asserted their dominance over the healthcare sector through ransomware. By the end of November, more than a dozen health systems were driven into EHR downtime by ransomware attacks.
The pandemic’s financial impact, along with the cost of a record-setting number of successful cyberattacks, has damaged the healthcare industry like never before. This trend is unlikely to change soon, and if the industry wants to stop being victimized, we need to lean into these challenges and get more proactive in addressing them.
Addressing the ransomware threat will require additional investment in cyber risk management at a time when many organizations are making tough budget decisions. It is often difficult for healthcare leaders to understand cyber risk and weigh these investments appropriately against others that will have a more immediate positive impact on the bottom line. Cybersecurity professionals need to do a better job of explaining the likelihood and impact of cyber events so that healthcare leaders can make better-informed decisions.
To do this, we need to understand the actual risk to our organizations. Risk includes understanding our IT systems’ scope, the reasonably anticipated threats to those systems, the vulnerabilities that exist within them, and the existing safeguards in place to protect them. We also need to understand the likelihood of a breach to each of our systems and the business impact to our organization if that were to occur. With this information, we can properly inform the leadership team on the existing risk, the investment needed to reduce that risk, and where to apply it.
When considering how to invest in reducing the risk of a successful ransomware attack, organizations need to consider safeguards to:
- Reduce the risk of an initial infection
- Catch the infection before the ransomware deploys
- Successfully recover from an attack with minimal downtime
There is no silver bullet or single solution that will address each of these needs effectively. Instead, what is needed is a combination of administrative, technical, and physical controls implemented correctly, operating as intended, and monitored to ensure continued effectiveness.
For example, when considering safeguards that will prevent initial infection, an excellent place to start is workforce training and, in particular, phishing awareness programs and education on best practices for password management. People are often the weakest link, and all it takes is one person inadvertently clicking the wrong link or downloading the wrong file, and the attackers are in our network.
Also, organizations should complete an inventory of their Internet-facing services, ensuring they are necessary and shutting down those that are not. If attackers don’t get in through phishing, they will likely gain access through a vulnerable publicly available service. Shutting down unnecessary services reduces the attack surface and, in so doing, reduces the risk.
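The inventory review described above can be made repeatable. The script below is an added example, not Clearwater's tooling: it takes a constructed list of externally listening services (the kind of data a perimeter scan or cloud security-group export produces), compares it with an approved baseline, and flags what should be shut down, justified, or assigned an owner. The hostnames, ports and ownership values are constructed for illustration.

```python
"""Audit a constructed inventory of Internet-facing services against an
approved baseline and flag services to shut down or review.
Added example; every record below is constructed, not observed data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ExposedService:
    host: str
    port: int
    protocol: str
    service: str
    owner: str  # "" when nobody has claimed responsibility for the service

# Constructed sample of externally reachable listeners.
INVENTORY = [
    ExposedService("portal.example-health.test", 443, "tcp", "https", "patient-portal"),
    ExposedService("mail.example-health.test", 443, "tcp", "https", ""),
    ExposedService("legacy-db.example-health.test", 1433, "tcp", "mssql", ""),
    ExposedService("vpn.example-health.test", 443, "tcp", "https", "network"),
    ExposedService("files.example-health.test", 3389, "tcp", "rdp", "imaging"),
    ExposedService("files.example-health.test", 445, "tcp", "smb", "imaging"),
    ExposedService("test-api.example-health.test", 8080, "tcp", "http", ""),
]

# (host, port, protocol) tuples the business has explicitly approved for exposure.
APPROVED = {
    ("portal.example-health.test", 443, "tcp"),
    ("mail.example-health.test", 443, "tcp"),
    ("vpn.example-health.test", 443, "tcp"),
}

# Service types that should not be Internet-facing regardless of approval
# (assumed policy for this example; tune to the organization's own standard).
NEVER_EXPOSE = {"smb", "rdp", "mssql"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def audit_exposure(inventory, approved, never_expose=NEVER_EXPOSE):
    """Return (severity, service, reason) findings, highest severity first.

    Rules, in priority order:
      high   - a service type that should never be exposed is listening
      medium - the listener is not in the approved baseline
      low    - approved, but nobody owns it (nobody will notice when it breaks)
    """
    findings = []
    for svc in inventory:
        key = (svc.host, svc.port, svc.protocol)
        if svc.service in never_expose:
            findings.append(("high", svc, "high-risk service exposed; shut down or move behind VPN"))
        elif key not in approved:
            findings.append(("medium", svc, "not in approved baseline; justify or shut down"))
        elif not svc.owner:
            findings.append(("low", svc, "approved but unowned; assign an owner"))
    # Stable sort keeps inventory order within each severity level.
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings

def shutdown_candidates(findings):
    """Hosts and ports that reduce attack surface immediately if closed."""
    return [(f[1].host, f[1].port) for f in findings if f[0] in ("high", "medium")]

if __name__ == "__main__":
    for sev, svc, reason in audit_exposure(INVENTORY, APPROVED):
        print(f"[{sev:6}] {svc.host}:{svc.port}/{svc.protocol} ({svc.service}) - {reason}")
```

Running the audit on a schedule and diffing the findings against the previous run turns a one-time inventory into continuous attack-surface monitoring; a new medium or high finding is a change someone should have requested.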
Early in the evolution of ransomware, attackers would deploy the ransomware almost immediately upon infection. Organizations that had adequate backup procedures in place were then often able to quickly restore their systems. The attackers learned from this and now linger, allowing the infection to spread to the backups. Usually, there are 3-5 days between infection and deployment. During this golden window, an organization with good network monitoring capabilities may identify signs of an infection, initiate threat hunting, and begin remediation activity before the ransomware deploys and the damage is done.
Network segmentation can make it difficult for an attacker to move laterally through an organization’s IT infrastructure. Using segmentation, engineers divide the network into smaller sections, each with its own access and security controls. In this way, network engineers can limit or even stop data flow between segments. If an attacker gains access, these restrictions make it difficult for them to breach other segments and gain access to the resources on those segments.
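Segmentation only helps if the inter-segment restrictions are enforced and watched. The following added example (not from the original article) models a handful of network segments as address ranges, defines the inter-segment flows the business actually needs, and scans constructed flow-log lines for cross-segment traffic the policy does not permit, which is the kind of signal a network-monitoring team would review during the window between infection and deployment. The segment ranges, port numbers and log format are all assumptions made for the example.

```python
"""Detect cross-segment traffic that violates an assumed segmentation policy.
Added example; segments, ports and log lines are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Assumed segment layout for the example.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "clinical-apps": ipaddress.ip_network("10.20.0.0/16"),
    "backup": ipaddress.ip_network("10.30.0.0/24"),
    "medical-devices": ipaddress.ip_network("10.40.0.0/16"),
}

# Permitted (source segment, destination segment, destination port) flows.
# Anything between segments not listed here is a policy violation.
ALLOWED_FLOWS = {
    ("workstations", "clinical-apps", 443),     # users reach the EHR front end
    ("clinical-apps", "backup", 10000),         # assumed backup-agent port
    ("clinical-apps", "medical-devices", 2575), # HL7 over MLLP
}

# Assumed flow-log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")

def segment_of(ip):
    """Name of the segment containing ip, or 'unknown' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def find_violations(lines, allowed=ALLOWED_FLOWS):
    """Return cross-segment flows not covered by the allowed set."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than failing the whole run
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == dst_seg:
            continue  # intra-segment traffic is out of scope for this check
        if (src_seg, dst_seg, flow["port"]) not in allowed:
            violations.append((flow["ts"], flow["src"], src_seg, flow["dst"], dst_seg, flow["port"]))
    return violations

def noisiest_sources(violations):
    """Source IPs ranked by number of violating flows; a single host touching
    several segments is worth a closer look."""
    return Counter(v[1] for v in violations).most_common()

# Constructed sample log: one workstation reaching into backup and device segments.
SAMPLE_LOG = [
    "2020-11-12T03:14:07Z 10.10.5.23 -> 10.20.1.4:443 tcp",
    "2020-11-12T03:14:09Z 10.10.5.23 -> 10.10.5.40:445 tcp",
    "2020-11-12T03:15:02Z 10.10.5.23 -> 10.30.0.5:445 tcp",
    "2020-11-12T03:15:03Z 10.10.5.23 -> 10.40.2.9:3389 tcp",
    "2020-11-12T03:16:00Z 10.20.1.4 -> 10.30.0.5:10000 tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("VIOLATION", v)
    print(noisiest_sources(find_violations(SAMPLE_LOG)))
```

Whether the segmentation is enforced by a firewall, VLAN ACLs or a cloud security group, the same allowed-flow table can drive both the enforcement rules and this monitoring check, so a gap between the two becomes visible.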
As mentioned above, attackers are getting more sophisticated in their abilities to infect system backups. Best practice calls for following the 3-2-1 rule. This rule represents three copies, across two different media types, with one copy offsite and preferably offline. When designing the backup, consider the use of immutable storage that can’t be changed or deleted.
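The 3-2-1 rule is easy to state and easy to drift away from as storage is added and retired. The added example below (not the article's or Clearwater's code) describes each copy of a dataset by media type, location and protection, then checks a plan against the rule and reports the gaps; it counts the live production data as one of the three copies, which is an assumption about how the rule is commonly applied, and treats immutable storage as satisfying the "preferably offline" goal alongside a genuinely offline copy. The two plans compared are constructed.

```python
"""Check a backup plan against the 3-2-1 rule (three copies, two media
types, one offsite and preferably offline or immutable).
Added example; the plans below are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str       # e.g. "disk", "tape", "object-storage"
    offsite: bool    # stored at a different physical site or region
    offline: bool    # air-gapped / not reachable from the production network
    immutable: bool  # write-once or object-lock protection against deletion

RULES = {
    "three_copies": "fewer than three copies of the data exist",
    "two_media": "all copies share one media type",
    "one_offsite": "no copy is stored offsite",
    "one_offline_or_immutable": "no copy is offline or immutable, so ransomware "
                                "that reaches the backups can encrypt or delete them all",
}

def check_321(copies):
    """Return a dict mapping each rule name to True (met) or False (not met).

    Assumption: the production copy is included in `copies` and counts
    toward the three, as the rule is commonly applied."""
    media_types = {c.media for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_offline_or_immutable": any(c.offline or c.immutable for c in copies),
    }

def gaps(copies):
    """Human-readable explanation of each rule the plan fails."""
    return [RULES[name] for name, ok in check_321(copies).items() if not ok]

def compliant(copies):
    return not gaps(copies)

# Constructed plan A: everything lives on disk, replicated live to a DR site.
# Three copies and one offsite, but one media type and nothing offline/immutable.
PLAN_A = [
    BackupCopy("production SAN", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("nightly SAN snapshot", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("DR-site replica", "disk", offsite=True, offline=False, immutable=False),
]

# Constructed plan B: adds object-locked cloud storage and offsite tape.
PLAN_B = [
    BackupCopy("production SAN", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("backup appliance", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("object storage (object lock)", "object-storage", offsite=True, offline=False, immutable=True),
    BackupCopy("weekly tape, vaulted", "tape", offsite=True, offline=True, immutable=False),
]

if __name__ == "__main__":
    for name, plan in (("Plan A", PLAN_A), ("Plan B", PLAN_B)):
        print(name, "OK" if compliant(plan) else "GAPS: " + "; ".join(gaps(plan)))
```

Plan A illustrates the failure mode the article warns about: an attacker who lingers for several days and reaches the storage network can encrypt the snapshot and the replica along with production. Plan B is what the rule is meant to produce, and the immutable object-storage copy is the one that survives a credentialed deletion attempt.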
These are only examples of some of the safeguards an organization may put in place to minimize its ransomware risk. Implementation of each of these safeguards comes with its own costs and complexity. Balancing that cost and complexity against the corresponding risk reduction is generally not a trivial task. Nevertheless, this is the type of thinking and conversation healthcare organizations need to have now, before they too become a victim.
Clearwater has experts who can assist with risk analysis, threat hunting, and business continuity planning if needs arise in these areas. Reach out to us with your questions and concerns at info@clearwatercompliance.com.