Getting Proactive about the Ransomware Threat


Throughout this past fall, international criminal organizations asserted their dominance over the healthcare sector through ransomware. By the end of November, more than a dozen health systems were driven into EHR downtime by ransomware attacks.

The pandemic’s financial impact, along with the cost of a record-setting number of successful cyberattacks, has damaged the healthcare industry like never before. This trend is unlikely to change soon, and if the industry wants to stop being victimized, we need to lean into these challenges and get more proactive in addressing them.

Addressing the ransomware threat will require additional investment in cyber risk management at a time when many organizations are making tough budget decisions. It is often difficult for healthcare leaders to understand cyber risk and weigh these investments appropriately against others that will have a more immediate positive impact on the bottom line. Cybersecurity professionals need to do a better job of explaining the likelihood and impact of cyber events so that healthcare leaders can make better-informed decisions.

To do this, we need to understand the actual risk to our organizations. Understanding risk means understanding the scope of our IT systems, the reasonably anticipated threats to those systems, the vulnerabilities that exist within them, and the safeguards already in place to protect them. We also need to understand the likelihood of a breach of each of our systems and the business impact to our organization if one were to occur. With this information, we can properly inform the leadership team of the existing risk, the investment needed to reduce that risk, and where to apply it.

When considering how to invest in reducing the risk of a successful ransomware attack, organizations need to consider safeguards to:

  • Reduce the risk of an initial infection
  • Catch the infection before the ransomware deploys
  • Successfully recover from an attack with minimal downtime

There is no silver bullet or single solution that will address each of these needs effectively. Instead, what is needed is a combination of administrative, technical, and physical controls implemented correctly, operating as intended, and monitored to ensure continued effectiveness.

For example, when considering safeguards that will prevent initial infection, an excellent place to start is workforce training and, in particular, phishing awareness programs and education on best practices for password management. People are often the weakest link, and all it takes is one person to click the wrong link or download the wrong file inadvertently and the attackers are in our network.

Also, organizations should complete an inventory of their Internet-facing services, ensuring they are necessary and shutting down those that are not. If attackers don’t get in through phishing, they will likely gain access through a vulnerable publicly available service. Shutting down unnecessary services reduces the attack surface and, in so doing, reduces the risk.

Early in the evolution of ransomware, attackers would deploy the ransomware almost immediately upon infection. Organizations that had adequate backup procedures in place were then often able to quickly restore their systems. The attackers learned from this and now linger, allowing the infection to spread to the backups. Usually, there are 3-5 days between infection and deployment. During this golden window, an organization with good network monitoring capabilities may identify signs of an infection, initiate threat hunting, and begin remediation activity before the ransomware deploys and the damage is done.

Network segmentation can make it difficult for an attacker to move laterally through an organization’s IT infrastructure. Using segmentation, engineers divide the network into smaller sections, each with its own access and security controls. In this way, network engineers can limit or even stop data flow between segments. If an attacker gains access, these restrictions make it difficult for them to breach other segments and gain access to the resources on those segments.

As mentioned above, attackers are getting more sophisticated in their ability to infect system backups. Best practice calls for following the 3-2-1 rule: three copies of the data, on two different media types, with one copy offsite and preferably offline. When designing the backup, consider the use of immutable storage that can’t be changed or deleted.
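The 3-2-1 check described above, carried out as an added example (not Clearwater's tooling): a small Python checker that evaluates a backup plan against the rule, flags a missing offline or immutable copy as a recommendation rather than a hard failure, and compares a constructed weak plan with a hardened one. The `BackupCopy` fields and both plans are assumptions made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of the data (production data itself is not counted). Hypothetical schema."""
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # held at a different physical site or region
    offline: bool     # air-gapped / unreachable from the production network
    immutable: bool   # write-once or retention-locked: cannot be altered or deleted


def check_3_2_1(copies):
    """Evaluate a backup plan against the 3-2-1 rule plus the immutability advice.

    Returns a dict with hard 'failures' (rule not met), 'recommendations'
    (preferred but optional properties), and an overall 'compliant' flag.
    """
    failures, recommendations = [], []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies; the rule requires three")
    media = {c.media for c in copies}
    if len(media) < 2:
        failures.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'}); two are required")
    if not any(c.offsite for c in copies):
        failures.append("no offsite copy; an attacker who lingers can reach every copy")
    if not any(c.offsite and c.offline for c in copies):
        recommendations.append("no offsite copy is offline; offline keeps it out of reach during the dwell window")
    if not any(c.immutable for c in copies):
        recommendations.append("no immutable copy; consider object lock or WORM storage")
    return {"compliant": not failures, "failures": failures, "recommendations": recommendations}


# Constructed sample plans (not real environments).
WEAK_PLAN = [
    BackupCopy("nightly NAS snapshot", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("weekly replica to DR server", "disk", offsite=False, offline=False, immutable=False),
]
HARDENED_PLAN = [
    BackupCopy("nightly NAS snapshot", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("cloud copy with object lock", "object-storage", offsite=True, offline=False, immutable=True),
    BackupCopy("monthly tape, vaulted offsite", "tape", offsite=True, offline=True, immutable=False),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        result = check_3_2_1(plan)
        print(f"{label}: compliant={result['compliant']}")
        for line in result["failures"] + result["recommendations"]:
            print("  -", line)
```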

These are only some of the safeguards an organization may put in place to minimize its ransomware risk. Implementing each of them comes with its own cost and complexity, and balancing that cost and complexity against the corresponding risk reduction is generally not a trivial task. Nevertheless, this is the type of thinking and conversation healthcare organizations need to have now, before they too become a victim.

Clearwater has experts who can assist with risk analysis, threat hunting, and business continuity planning if needs arise in these areas. Reach out to us with your questions and concerns at info@clearwatercompliance.com.
