What Happens After a Ransomware Attack in the Health IT Environment?

By Jessica Davis

June 09, 2021 - When the FBi warned of the active ransomware attack wave against providers in the Fall of 2020, it heightened reporting and highlighted the need for proactive security measures to protect the healthcare environment.

But as healthcare has remained a top target for cybercriminals and as attacks become increasingly more disruptive, many providers are still struggling to understand the threat landscape and just what security measures to prioritize.

In terms of challenges and response needs, it appears providers are at a standstill. Take, for example, the recent ransomware attack against Scripps Health: hackers struck early in the morning on a weekend, when staffing was reduced, and forced the health system into EHR downtime procedures.

Communication was challenged between providers, and some patient appointments were delayed or diverted to nearby hospitals. The attack and response is nearly identical to the ransomware incident against Universal Health Services in September 2020.

In both instances, the attack caused outages at multiple care sites, disrupted business operations, impacted patient appointments, and lasted for approximately four weeks.

The ongoing attacks against health systems in Ireland, New Zealand, and the University of Florida Health demonstrate the need to better understand just what happens after ransomware is deployed -- and how some providers fare better than others.

For Ido Geffen, vice president of customer experience at CyberMDX, all healthcare providers need to plan as if a breach is inevitable, as these attacks can happen at any time, to any entity, And no enterprise is 100 percent impenetrable, regardless of these preemptive measures.

Must-Have Security Policies, Plans, Tech

Since the influx of attacks began in healthcare in 2016 and 2017, it’s become increasingly clear that there is no silver bullet technology to completely protect a healthcare organization. Providers must instead prioritize proactive policies and plans to better defend their networks.

Clearly, the main goal is to avoid being breached altogether. The root of those plans should be to train medical staff in simple, yet crucial, cybersecurity practices, explained Geffen. For example, computers should never be logged in where others can access it.

As the workforce is often the easiest and certainly the biggest entry point for the majority of these attacks, training staff to identify possible breaches and how to avoid elementary mistakes can greatly reduce the likelihood of a breach, he added.

But equally important are running drills to prepare teams on how to execute the response plan in the event of an attack. Geffen stressed that this is the key to proper preparation and best handling ransomware attacks.

“The muscle memory from the drills will help increase the speed of your response significantly and this speed could be the difference between one infected device and a total shutdown,” he explained.

“Hospitals without a comprehensive incident response plan tend to shut everything down in an effort to contain the breach as they have no other plan in place,” he continued. “While that does prevent the spread of the ransomware, it also prevents the medical professionals from accessing the connected medical devices they need to deliver patient care.”

Visibility is also crucial from the policy side, which includes having a full view of all connected devices, including both connected medical devices and IoT. Geffen explained that even the best security tools can protect items hiding from view, and it also means a breach may be discovered too late.

“Cybersecurity is a war of attrition between the defenders and the attackers."

Further, as other security leaders have pressed this year: zero trust is the ideal security model for healthcare providers. It’s the idea that users may only be given access to systems and functions required to do their jobs.

Far too often, staff members are allowed access to databases outside of their job function, such as an accountant having access to the EHR or patient medical records. Those without need for these access points, should be banned from having access.

By moving to a zero trust model, Geffen explained that a provider can create barriers within its network that helps contain possible damage when a system or device is compromised.

The final piece to best practice healthcare security is segmentation, which allows entities to isolate infected devices when a breach occurs.

“If your architecture is not configured in a way that allows for that efficiency it will be much more difficult to contain the breach,” said Geffen. “With the size of medical networks, it’s impossible to monitor every device and access point for hackers.”

“Hackers are growing in their skills, but even the most skilled hack leaves a trace and AI anomaly detection could help identify suspicious activity before they access the rest of the network,” he added.

Providers should instead invest in security solutions designed to automate the identification, assessment, and protection of connected medical and IoT devices, Geffen recommended.

He also recommended the use of an email protection system to better safeguard the workforce from attacks like spear phishing.

An Intruder is Detected: Now What?

As seen in a number of recent breach notifications, often investigations into security incidents find the attackers have been on the network for weeks or months before the ransomware was deployed.

The investigation into the Scripps Health attack found that the hackers exfiltrated troves of data from more than 130,000 patients at least one month before the health system went down from a ransomware infection.

Having those preemptive plans in place can speed up detection and allow for quicker response times. Geffen said his team always recommends providers not only have incident response protocols but that staff is fully trained, which allows them to be ready during a real event.

To accomplish this, the security team must implement organizational response protocols, including educating all workforce members on how and when to contact the IT and security departments when a potential security event occurs.

Although medical professionals aren’t expected to be cybersecurity experts, Geffen stressed that they should, at the very least, be able to identify suspicious activity on the network.

Once an event is detected, providers must execute the initial response stages:

Confirm the breach

Gather evidence

Prepare the breach timeline to understand the timing and location

Identify the ransomware variant

“Once you have this information, you must work to contain the breach ASAP by quarantining the infected devices and systems,” said Geffen. “To do this, security teams must identify the entry point (i.e. phishing) and understand how the impacted devices connect to the network and how the malware can spread laterally.”

“Working fast is critical during these stages as the goal of many ransomware attacks is not the specific device they’ve accessed, but to move laterally within the network to locate more lucrative data,” he added.

Further, isolating the impacted device or workstation could help prevent the occurence of a much larger event. Once the security incident is contained and the potential spread mitigated, the security team should notify management, employees, and relevant authorities of the incident.

The last step is for the IT security team to deploy endpoint and network technologies able to alert the SIEM or SOC team, when any similar, suspected activities are observed, which can help to proactively prevent a future incident, Geffen explained.

Reducing the Attack Impact

For some health systems, system outages caused by a cyberattack or ransomware can last for just a few days, such as the Fall cyberattack against Sky Lakes Medical Center. But in the vast majority of healthcare incidents, two- to four-week outages are much more common.

It begs the critical question: Why does it take some providers so long to bring services back online?

To Geffen, the answer lies in the ability to properly identify that an attack has occurred.

“One of the reasons hospitals experience extended shutdowns is that in the event of an attack, it can take a few days, or longer, to even confirm the organization is under attack, and then longer to investigate the extent of the breach forensically,” he explained.

Once an attack is identified, the challenge then becomes understanding just what systems or devices are affected. Geffen explained that then providers must quarantine the impacted devices, “removing them from the network and blocking access to any known Remote Access Tools (RATs) to prevent communication with command and control servers.”

The trouble is that more often than not, security leaders can’t precisely discern which devices are compromised.

As a result, healthcare organizations instead opt for a complete system shutdown to ensure the attackers can’t use the impacted devices to move laterally across the network to reach other connected systems, he said.

“Don’t be one of the easy targets. Act now."

It’s that uncertainty that lengthens the timeframe of the system outage and further challenges healthcare entities in bringing their systems back online.

“Did you eliminate the threat completely from the devices and your network? Security teams must ensure the threat has been mitigated completely before they can turn systems back on,” said Geffen. “If not, they risk re-exposing their network to the same issue they just encountered.”

“For this reason, security teams often opt to turn the systems on one at a time, testing them for signs of the breach. This is a laborious process and means that certain systems will remain down longer, but also ensures the ransomware is out of the system,” he added.

The Harm in Falling to Act Now

As the critical infrastructure attacks and subsequent widespread system disruptions in recent weeks have proved, no entity is hidden from targeted attacks and even a small breach can have widespread impacts.

The attack on Ireland Health Service Executive fully demonstrates the impact of ongoing outages -- and the need for transparency with patients in the event of an incident.

In spite of these risks and the costs, many providers are still struggling to take those next steps to bolster their security posture.

“The biggest possible impact from failing to protect your healthcare network and medical devices would be the threat to patient safety,” said Geffen. “So far that hasn’t happened directly, but any hack that could alter the function or prevent medical professionals from utilizing their network or devices could have life threatening consequences.”

“The reputation of the hospital and medical network is [also] at stake,” Healthcare has been heavily targeted over the past year given the relatively low security standards in the field. With the amount of connected devices growing rapidly, it’s not an unknown threat.”

As such, those providers who fail to take security seriously will suffer at the hands of hackers, regulators, and negative media attention, particularly in the event of a notable system or data breach, explained Geffen.

Attack prevention is far simpler than recovery, he stressed. An attack forces security teams and workforce members to work against the clock, under enormous pressure. What’s worse, hackers know this and are banking on that pressure to obtain their financial payout.

And as Geffen sees it, many providers are an easy target for hackers.

“Cybersecurity is a war of attrition between the defenders and the attackers. Hackers are largely opportunistic enterprises looking for an easy pay day and don’t want to spend extended amounts of time circumventing complex cybersecurity protocols or executing difficult attacks that may not even succeed,” said Geffen.

“The key message is don’t be one of [the easy targets],” he concluded. “Act now. Hospitals must work quickly to raise their baseline level of cybersecurity. When the time comes, make sure the hackers recognize that yours will not be a simple job and instead move on to an easier target.”

Cybersecurity News