3 Ways to Avoid Repeat Healthcare Ransomware Attacks

November 08, 2022 - Healthcare ransomware attacks can result in EHR downtime, data encryption, ambulance diversions, and other disruptions. With patient safety on the line, it is imperative that healthcare organizations work quickly to get systems up and running and resume critical operations in the aftermath of an attack.

However, even with a comprehensive incident response plan, organizations may be prone to overlooking key considerations during the rapid response and recovery process that could make them vulnerable to future attacks.

Additionally, 2022 research from Cybereason suggested that organizations that pay the ransom are more likely to be victimized again. More than 65 percent of surveyed cybersecurity professionals from multiple sectors (including healthcare) whose organizations paid the ransom were hit again in less than a month for a higher ransom.  

Although it is impossible to eliminate risk, organizations can decrease their chances of becoming repeat healthcare ransomware attack victims by remediating properly the first time around, ensuring that they have a thorough vulnerability management process, and learning from fellow healthcare organizations.

Ensuring Proper Remediation

In an August 2022 report, Sophos researchers observed an uptick in the number of organizations (in a variety of sectors) that were attacked multiple times within a few hours, days, weeks, or months. Sophos attributed most of these instances to a failure to address exploitable vulnerabilities, and a failure to address misconfigurations left behind by earlier threat actors. 

“If you get hit, make sure you fully remediate,” Erick Galinkin, principal researcher at Rapid7, said in an interview with HealthITSecurity.

“Getting back to working order is all well and good, but if you are already having downtime because of a successful attack, adding a couple of minutes or hours to that downtime to make sure it doesn't happen again is a worthwhile investment.”

Galinkin compared the scenario to the experience of visiting the emergency department at a hospital. After leaving the hospital, doctors would likely advise you to follow up with your primary care physician and take steps to ensure that you stay healthy.

Although a follow-up visit may seem tedious, preventive measures and regular check-ups are crucial to avoiding another trip to the emergency department.

The HHS 405(d) Program and Task Group recommends that organizations “restore data from offline, encrypted backups based on prioritization of critical services” when recovering from ransomware.

In addition, the task group recommends that organizations issue password resets for impacted systems and users, follow technical guidance from MS-ISAC and the Cybersecurity and Infrastructure Security Agency (CISA), and work with key stakeholders to clean and rebuild systems. It is also crucial that organizations “take care not to reinfect clean systems during recovery,” the 405(d) guidance states.

Locking Down Vulnerability, Patch Management Processes

Regular patching and vulnerability management are key preventive measures that organizations must take to mitigate cyberattack risks and make it harder for threat actors to succeed. In the aftermath of a ransomware attack, organizations may want to revisit their vulnerability management processes to ensure that they are keeping an eye on all potential attack vectors.

Threat actors have been known to repeatedly leverage unpatched cybersecurity vulnerabilities. In one instance, Sophos observed both the Conti and Karma ransomware groups targeting the same Canadian healthcare organization within a matter of hours. Both groups exploited an unpatched Microsoft Exchange Server and used ProxyShell to gain access.

“With these ransomware groups, there is a ton of overlap in their techniques – the way that they move laterally, the way that they gain initial access, the way that they escalate privileges. There's an overlap in their tactics, techniques, and procedures,” Galinkin noted.

“If you can mitigate one threat actor group, a lot of that will have a larger blast radius.”

Having a thorough and reliable vulnerability management program is critical to avoiding ransomware. Vulnerability management is a broad area that captures the process of identifying, addressing, and remediating a security risk.

Patch management is a major component of an organization’s overall vulnerability management strategy. Patch management focuses more narrowly on fixing bugs and addressing software issues, while vulnerability management refers to the process of identifying, prioritizing, and remediating any type of security risk.

The HHS 405(d) Program and Task Group has targeted guidance for small, medium, and healthcare large organizations when it comes to implementing patching.

For example, for large organizations, the task group recommends creating a routine process for patching medical devices, developing metrics to monitor patch status, and using centralized systems to automatically discover and determine which software updates should be implemented.

“Each patch modifies a software application, rendering it more difficult for hackers to maintain programs that are aligned with the most current version of that software application,” the guidance states.

Learning From the Healthcare Community

“Looking at case studies can give you a real guidebook for how ransomware can happen to you and how to stop it from happening,” Galinkin noted.

HHS 405(d) specifically recommends that all organizations document lessons learned from a ransomware attack and bake those lessons into future policies and response plans accordingly.

In some cases, organizations may publish post-incident reviews to share with the healthcare community. These case studies can be especially helpful for organizations looking to learn more about response and recovery efforts from organizations that have already been through similar events.

For example, the Ireland Health Service Executive (HSE) issued a detailed post-incident review after a May 2021 ransomware attack executed by the notorious Conti ransomware group. In this case, the HSE had no specific function or owner for cybersecurity within their organization and lost crucial time during their ransomware response due to an apparent lack of preparedness.

The case study underscored the importance of a comprehensive incident response plan and the need for strong cybersecurity governance and leadership.

“It is really important to tell those stories and encourage information sharing,” Galinkin said. “The more transparency we have, the more effective organizations can be at knowing what the exact threats are and how they can take action to prevent it.”