As we reach the end of the year, it’s good to reflect on the past year and develop plans for the next. For healthcare information technology and security leaders, this year has turned out to be all too similar to 2020 with the continued impact of the COVID-19 pandemic and the rise in ransomware threats and other forms of cybercrime.
Recovering from ransomware attacks proves difficult for healthcare
According to The Institute for Security and Technology (IST), the average downtime due to ransomware attacks is 21 days and the average time to fully recover is 287 days. Healthcare is especially impacted by a constant barrage of ransomware attacks. The IST regularly updates its Ransomware Task Force Report on Combatting Ransomware, which provides “a strategic framework for a systemic, global approach to mitigating the ransomware problem.” The report states:
Ransomware is not just financial extortion; it is a crime that transcends business, government, academic, and geographic boundaries. It has disproportionately impacted the healthcare industry during the COVID pandemic, and has shut down schools, hospitals, police stations, city governments, and U.S. military facilities. It is also a crime that funnels both private funds and tax dollars toward global criminal organizations. The proceeds stolen from victims may be financing illicit activities ranging from human trafficking to the development and proliferation of weapons of mass destruction.
As we look back on the year, on May 20, 2021 the FBI released a Flash Report with the warning: “Conti Ransomware Attacks Impact Healthcare and First Responder Networks.” The report read:
The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.
These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.
A week earlier, the BBC reported the Irish health system had suffered a Conti ransomware attack, they shut down their IT systems for protection, and Ireland’s Health Minister Stephen Donnelly said it was having “a severe impact on [the] health and social care services.”
Four months later, reports continued to reveal the far-reaching effects of ransomware attacks such as these. On September 5 the BBC reported the Irish health system was still recovering from the Conti attack and the lingering effects are consistent with the findings in the Ransomware Task Force Report on Combatting Ransomware.
Survey results affirm the impact of ransomware on healthcare
Close to 600 information technology and IT security professionals associated with healthcare delivery organizations participated in the September 2021 study conducted by the Ponemon institute (sponsored by Censinet). The findings documented in The Impact of Ransomware on Healthcare During COVID-19 and Beyond affirmed the impact that ransomware has on healthcare organizations and patient care, because 43% of respondents had experienced a ransomware attack with their organization.
When the survey asked those who had experienced a ransomware attack about the impact it had on patient care, they results indicated:
- 71% reported longer length of stay
- 70% reported delays in procedures and tests have resulted in poor outcomes
- 65% reported increase in patients transferred or diverted to other facilities
- 36% reported increase in complications from medical procedures
- 22% reported increase in mortality rate
First steps: Raise awareness about the risk of ransomware
A final warning from the survey findings: 61% of the respondents were not confident they could mitigate the risk of ransomware.
If given a survey today, how confident are you that your healthcare organization would be able to adequately mitigate the risk of ransomware? How educated is your organization around the threat of ransomware and cybersecurity attacks?
One of the first steps to mitigating the risk of ransomware attacks is to raise awareness with your leadership teams and boards around the risk your organization faces, and determine if the level of risk justifies additional investment in cybersecurity technology and services.
7 cybersecurity safeguards to mitigate ransomware risks
Where should you begin when evaluating ransomware risks? Below are seven key areas to address first — my short list of cybersecurity safeguards that will help reduce ransomware risks:
1. Threat and Vulnerability Management
- Establish effective patch management processes.
- Perform vulnerability scans, review results, prioritize, and remediate.
- Produce reports to measure and manage the effectiveness of overall threat and vulnerability management.
Once you have evaluated your organization’s current ability in this area, consider if this level of risk justifies a higher spend on your threat and vulnerability management program. Determine if improved vulnerability management or patch management technology or services would help reduce risks.
2. Identity and Access Management
- Deploy multi-factor authentication (MFA) for all remote access including VPN, webmail and any externally accessible systems with access to sensitive data.
- Protect privileged accounts with MFA.
- Protect internal systems with sensitive data with MFA.
3. Email Protection and Phishing Simulation
- Implement phishing training including guidance on how to identify and report phishing incidents.
- Conduct educational phishing exercises with training for those who fail the exercise.
- See the CISA Ransomware Guide for additional recommendations.
4. Supply Chain Risk Management (Third Parties and Managed Service Providers)
- Identify and assess the cyber hygiene practices of your third parties with access to your systems and data. Hold them accountable to maintain an adequate security program.
- Review how they access your systems and ensure access levels are least privilege and access is revoked for individuals who no longer need it. Audit third party access.
5. Monitoring and Incident Response
- Implement effective detection capabilities including Network and Endpoint Detection and Response (XDR)
- Develop effective monitoring and response capabilities.
- Develop an Incident Response Plan (IRP) and playbooks for common security incidents.
- Use the Mitre Att&ck framework to understand attack tactics and techniques. If you can detect and respond to the early stages of an attack, you may be able to stop the attack before it reaches its greatest level of impact.
- Develop a relationship with the FBI and retain an experienced incident response firm.
6. Backup and Recovery
- Follow CISA recommendations for offline, encrypted backups.
- Consider improving backup and recovery tools if they do not follow best practices.
- See the CISA Ransomware Guide for additional recommendations.
7. Disaster Recovery and Business Continuity
- Develop and test your Disaster Recovery Plan (DRP) and Business Continuity Plan (BRP) using a ransomware scenario. A ransomware scenario will require activating your DRP, BCP and IRP. Test your coordination between the three plans.
- Conduct a penetration test with a ransomware focus.
The time is now to evaluate your cybersecurity program
I’m convinced that we can do better. The current state of cybersecurity in healthcare organizations needs to be a call to action. As IT and security leaders, we should not accept a situation where our organizations face such a high risk. Although many of us are not confident that we can adequately defend our organizations, we must actively prepare for these known cybersecurity threats.
As we think about the next year and our priorities, let’s take the time to review our cybersecurity program and compare our practices to the best practice recommendations in the NIST Cybersecurity Framework, CISA’s Ransomware Guide and other cybersecurity best practice guides available. I’m convinced that if we assess and improve our security programs in these areas we can reduce risk.
