- Healthcare ransomware has quickly become one of the top cybersecurity concerns for both covered entities and business associates. Without proper training and a thorough backup plan, organizations could find themselves in trouble should an attack take place.
Ransomware has changed quite a bit in the last several years, and has especially inundated the healthcare industry as of late, according to Robert Anderson, former executive assistant director of the FBI.
Anderson currently runs the global information security practice at Navigant, and said that the company has been working with numerous types of healthcare organizations to help them prepare for potential ransomware attacks.
“Ransomware attacks two or three years ago, coming out of different countries weren’t attacks against people or 10,000 computers at once,” Anderson explained. “It would be on a very individual level, trying to unlock a computer to get the information.”
Non-traditional ransomware attacks are becoming more common the country now, he added.
“They take their time to hack into a healthcare institute or hospital and then they move around that environment laterally, up and down and all through it to gather credentials so they can get into more and more of the IT infrastructure,” Anderson stated.
When cyber criminals launch an attack now, they could potentially lock up a hospital’s entire infrastructure, rather than just locking up one or two computers, he pointed out. If there is a hospital system, the entire chain of hospitals could possibly be affected by an attack.
“In the healthcare industry, that in some ways can be very critical to their daily operations,” Anderson noted. “People can’t get dialysis, people can’t get surgeries. And then the financial side from a business aspect is very devastating.”
Focusing on employee education, proactive planning
There are two key areas that healthcare organizations need to prioritize, Anderson argued. Covered entities need to have employees at all levels thoroughly educated on ransomware and how they need to react should an incident happen. There must also be a proactive plan in place for what should occur in the wake of a ransomware attack.
“The heads of the hospitals and the boards need to be educated on the different types of threats that face them in today’s IT and cyber environment,” said Anderson “Most hospitals concentrate on being a hospital and taking care of people. But I think that in today’s world, if you’re running one of those institutions, you need to be very educated into exactly what the threats could be and have a proactive plan of what’s going to happen if you do get attacked.”
Not all healthcare systems that are attacked have a plan in place, but when paired with regular training, organizations will have taken two very important steps forward.
Outdated IT architectures can also be particularly harmful, he added. A failure to put in necessary patches to protect those systems makes it easier for cyber criminals to get in.
In terms of paying the requested ransom, Anderson said that it depends and he can see both sides of the argument.
“When I was in the FBI, I absolutely would not have recommended anyone to pay ransom,” Anderson insisted, adding that this was especially the case if organizations are not familiar with the groups behind the attack.
In the private sector though, Anderson explained that companies do not always have their data backed up, which makes it more critical to potentially pay the ransom.
“What I’ve seen since I’ve been in the private sector is most companies tend to pay the ransom and try to get their data back,” he stated. “I don’t think most people understand that just because you pay the ransom, it doesn’t mean you’re going to get your data back.”
He added that if the information is returned, it could be one day, one week, or even longer. There is often the false impression that once the money is paid, the data will be returned within the house. However, that is not how it works, he said.
End-user training was also highlighted as a key area for healthcare organizations to cover in a recent HealthITSecurity.com article by Bill Kleyman. If users are clicking on malicious links or bringing in unsecured devices, the organization may have a culture and IT issue, he explained.
“Training your users is critical to ensure they know security best practices as it applies to them,” Kleyman wrote. “Finally, have a good end-point management policy and ensure you lock down peripherals, USB ports, and even how users interact with shares on the network.”
He also added that a response is necessary, and healthcare organizations need to have a recovery plan in place. Working with local and federal authorities is essential. Entities should try to rebuild their data, check their backups, and work toward data recovery.
However, Kleyman advised against paying the ransom demand.
“Submitting to ransom demands absolutely bolsters the attackers and they will definitely go after more targets,” he wrote. “The only way to stop ransomware is to have preventive measures in place to completely mitigate the impacts of the attack.”