It seems that a new healthcare ransomware attack is announced every week, which has created concern in the industry.
However, several experts agree that this is not a new threat, and that healthcare is just the latest victim.
Covered entities should make sure they are taking advantage of the latest tools and frameworks when building comprehensive data security measures and preparing for a potential healthcare ransomware attack.
One potential tool that could help organizations is the NIST Cybersecurity Framework.
The NIST Cybersecurity Framework is a great tool for any organization, according to Tenable Strategist Cris Thomas, not just for those in the healthcare industry.
“A lot of organizations think, ‘Oh, we need to get a handle on our security posture.’ It's a really big project,” Thomas said. “There are a lot of aspects and a lot of pieces that you have to pull in together.”
The Framework can be especially beneficial because organizations often do not know where to start when it comes to improving their cybersecurity. They may have no security experts on staff, or employees may not know how to approach a cybersecurity strategy.
Having a list that specifies what needs to be covered and how to apply it to your organization can be helpful.
“That's kind of what the NIST cyber security framework does,” Thomas explained. “It's not geared towards any specific industry. There's other frameworks out there, but they're usually very industry-specific.”
The NIST Framework can help organizations across numerous industries get a handle not only on what their security posture is today, but also on what the next steps should be as they move down the road.
Thomas added that the NIST Framework is all encompassing, and gives organizations a language that’s consistent. This is especially important as lapses in communication can lead to data security issues.
“If you're somebody who's new to security, being able to ‘talk the talk,’ so to speak, will help you a lot when you're talking to vendors and other practitioners to make sure you’re doing the best practices,” he explained.
Another important step forward was OCR creating a crosswalk that maps the HIPAA Security Rule's requirements onto the corresponding areas of the NIST Cybersecurity Framework.
While Thomas admitted that he had not heard about the OCR crosswalk, he said that it sounds like a great idea. Many healthcare organizations are very concerned about staying HIPAA compliant, he added.
HIPAA regulations are not only about security; they deal largely with privacy and portability, Thomas maintained. The NIST Cybersecurity Framework, by contrast, is focused on security, so a document that explains where the two overlap could be very beneficial.
How ransomware is affecting healthcare
Ransomware is definitely not a new threat, according to Thomas. However, there have been recent evolutions, such as Bitcoin being used as the payment method.
Healthcare is a particularly vulnerable industry, which is likely why there have been more cases of ransomware hitting those organizations.
SamSam ransomware, which is what hit MedStar Health earlier this year, is a perfect example.
“It specifically looks for vulnerable JBoss installations, which medical facilities seem to have a large installation of JBoss servers,” Thomas said. “And if they find a vulnerable one, and maybe that's their mode of operation, that’s where they tend to hit.”
Healthcare organizations also tend to have a history of actually paying the ransom, he explained. The people behind ransomware attacks want to be paid, so they will try and pick people or organizations that will be more likely to pay.
Manatt, Phelps & Phillips Partner Jill Thorpe agreed that ransomware is not a new threat, saying that ransomware perpetrators have become more sophisticated. Not only has technology evolved, but the “business models” have also evolved.
“Ransomware using encryption or system lock-outs is just the latest design for this type of malware,” Thorpe explained in an email to HealthITSecurity.com.
While some people were surprised that Hollywood Presbyterian was only held for $17,000 in ransom, it makes sense because the criminals were essentially testing what “pricing” the market will pay with the least resistance.
“They are employing the same behavioral science observations used by online marketers of legitimate businesses to figure out what the market will bear,” she said. “What’s scary is that sophisticated cybercriminals are now leasing out their capabilities to other criminals, using something resembling a ransomware-as-a-service business model. It widens the net of potential cybercriminals that can carry out nefarious attacks.”
Healthcare is definitely a soft target compared to other industries, Thorpe added. Healthcare organizations are likely to have more financial resources to pay a ransom than individuals, and providers as a whole are not as mature in their cybersecurity.
Furthermore, being locked out of critical health information, such as what is stored in EHRs, can have life-threatening consequences. This could be more incentive for an organization to pay a ransom.
Cyber criminals typically ask for modest sums of money when it comes to ransomware, according to Fortinet Vice President and Managing Director of Healthcare Industry Practice Ryan Witt.
“It’s a very quick turnaround from a financial gain standpoint, so it’s been very popular,” Witt said.
He also pointed to the prevalence of Bitcoin as another factor that has changed the cybersecurity landscape. Bitcoin has become a common currency that no nation owns, and it gives criminals a way to receive money faster and to demand larger sums.
Preparing for potential healthcare ransomware attacks
The level of exposure in a healthcare ransomware attack is intense, according to Witt, because patient care depends on the systems that are taken offline.
“It’s one thing if you can’t shop on Amazon for a couple days or if you can’t go to your grocery store for a couple days,” Witt said. “We get inconvenienced, but we could all cope with that. If you are in a critical care situation and you need to get access to your care provider and you can’t, that quickly mushrooms into a very serious event.”
Training is one of the most important tools that a healthcare organization can use to prevent potential ransomware attacks, he explained.
An employee clicking on a link in an email they shouldn’t click on is typically one of the main ways a network is breached, Witt added.
Timely system updates are also critical, ensuring that a healthcare organization is using the latest technological tools to keep information secure.
Thomas stated that ransomware preparation also comes down to prior planning.
“If you wait until you're attacked or infected with ransomware, and then if you expect to recover quickly, that's not going to work,” he said.
In other words, preventive defenses cannot be relied on to keep ransomware out on their own. Organizations need a proper disaster recovery plan in place, along with proper backups. That means not just backing information up, but confirming that the data can actually be restored from those backups.
“The IT people who are on the ground and responding to incidents need to know how to identify ransomware attacks when it first hits, and what steps they should take when they first see that attack,” Thomas said.
Having the necessary recovery tools in place ahead of time, and actually being ready to deploy them will go a long way in minimizing the time needed to reconstitute a network after an attack, Thomas urged.
“If you wait until you're attacked to try to do stuff, and think you're just going to apply security after the fact, then you're going to end up in a bad situation.”
A comprehensive backup plan, with recovery tools, will also help an organization if a ransom demand is in play. An organization would not necessarily have to decrypt the files; it could simply delete the infected files and restore them from backup.
“If you have a proper backup plan in place, and you get infected with ransomware, one possible option, depending on the case and a lot of variables, is that you can just erase it and restore from a backup of an uninfected copy.”
Thomas added, though, that a key factor is knowing what the initial infection vector was, because if an organization simply restores, the attackers could regain entry by the same route and reinfect the network.
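The advice above comes down to a testable claim: a backup only counts if you can restore from it, and the copy you restore must predate the infection. The following restore drill is an added example written for this page, not code from the article or from any of the vendors quoted. It assumes backups are plain directory snapshots and that a SHA-256 manifest was captured at backup time and kept somewhere the backup share cannot reach (a hypothetical `manifest` dict here); the ransom-note name, the `.locked` extension and the sample "EHR" files are all constructed for the demonstration.

```python
"""Backup restore-verification drill (added example; constructed sample data).

Restores a snapshot into a scratch directory and only reports it as
restorable when every file named in the manifest is present, hashes to the
value captured at backup time, and nothing unexpected (ransom notes, renamed
encrypted copies) has appeared in the snapshot since the manifest was taken.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical extensions appended by ransomware; chosen for the demo.
RANSOM_EXTENSIONS = {".locked", ".encrypted"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(snapshot: Path) -> dict:
    """Record a SHA-256 for every file at backup time.

    Store the result away from the backup share (offline media, a separate
    account): if ransomware can rewrite the backup it can rewrite a manifest
    that sits beside it.
    """
    return {
        str(p.relative_to(snapshot)).replace("\\", "/"): sha256_file(p)
        for p in sorted(snapshot.rglob("*"))
        if p.is_file()
    }


def verify_restore(snapshot: Path, manifest: dict, restore_dir: Path) -> dict:
    """Copy `snapshot` into `restore_dir` and check the restored files."""
    problems = []
    restore_dir.mkdir(parents=True, exist_ok=True)
    for rel, expected in manifest.items():
        src = snapshot / rel
        if not src.is_file():
            problems.append(f"missing: {rel}")
            continue
        dst = restore_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:  # hash the restored copy, not the source
            problems.append(f"hash mismatch: {rel}")
    # Anything in the snapshot that the manifest never recorded is suspicious.
    for p in snapshot.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(snapshot)).replace("\\", "/")
        if rel not in manifest:
            tag = "ransom marker" if p.suffix in RANSOM_EXTENSIONS else "unexpected"
            problems.append(f"{tag}: {rel}")
    return {"restorable": not problems, "files": len(manifest), "problems": problems}


def run_drill() -> dict:
    """Run the check against a clean snapshot and one ransomware touched later."""
    root = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    clean = root / "snapshot-clean"
    (clean / "ehr").mkdir(parents=True)
    (clean / "ehr" / "patients.db").write_bytes(b"constructed sample record data")
    (clean / "ehr" / "schedule.csv").write_bytes(b"2016-04-01,room 3,checkup\n")
    manifest = build_manifest(clean)  # captured before any infection

    # Same snapshot, then simulate ransomware reaching the backup share after
    # the manifest was taken: scramble one file, rename it, drop a ransom note.
    tampered = root / "snapshot-tampered"
    shutil.copytree(clean, tampered)
    victim = tampered / "ehr" / "patients.db"
    scrambled = bytes(b ^ 0x5A for b in victim.read_bytes())
    victim.unlink()
    (tampered / "ehr" / "patients.db.locked").write_bytes(scrambled)
    (tampered / "README_DECRYPT.txt").write_text("pay 40 BTC")  # constructed note

    results = {
        "clean": verify_restore(clean, manifest, root / "restore-clean"),
        "tampered": verify_restore(tampered, manifest, root / "restore-tampered"),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, r in run_drill().items():
        state = "restorable" if r["restorable"] else "NOT restorable"
        print(f"{name}: {state} ({r['files']} files) {r['problems']}")
```

The drill deliberately hashes the restored copy rather than the source, so a restore path that silently truncates or fails to copy is caught along with tampering, and it treats any file the manifest never recorded as a problem rather than ignoring it, which is how a ransom note or a renamed `.locked` file in an otherwise "complete" backup gets noticed before someone depends on it.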
The recent healthcare ransomware attacks are hopefully a wakeup call to the industry, Thomas said.
“One of the things that I've run into a lot, and not just in healthcare, is people still have this mentality of, ‘Oh, I'm not a target. No one would ever want to attack me. Why do I have to worry about security? It’s not really that big of a deal.’”
Attacks like this though will hopefully show healthcare organizations that they are a target, and do need to be more proactive in their security posture.
One key thing for healthcare organizations to understand is that a ransomware attack that interferes with a HIPAA covered entity's access to its systems suggests that PHI may have been compromised. Because of this, the organization needs to manage the situation as if PHI had been accessed or disclosed impermissibly.
“The breach notification requirements provide a roadmap for managing these risks: investigate the breach, figure out its root cause, determine what protected health information may have been involved, develop steps to mitigate risks and prevent future breaches,” Thorpe said. “Notification also allows you to bring in law enforcement for support.”
Moreover, providing reasonably transparent communications that don’t interfere with a criminal investigation is the best way of helping patients retain their trust in an organization.
“One of the key challenges for any organization’s information security apparatus is having real-time situational awareness, aggregating their monitoring of emerging threats on a common dashboard, and having the ability to prioritize responses based on the potential impact of cyberattack vulnerabilities on specific systems and operations.”