When a ransomware attack occurs, a healthcare organization’s focus should be on limiting damage and minimizing recovery time and costs. Find out if you’re ready.
As healthcare organizations increasingly collect and use patient data for a wide array of purposes, cybersecurity is a top priority. With good reason: in 2018 the medical/healthcare industry had the second-highest number of recorded breaches (363), behind only business (571). Although these counts were down from 2017, the number of records involved went up, so cybersecurity remains a continuing concern and a real threat. At LeadingAge Ohio last month, John DiMaggio, CEO of BlueOrange Compliance, offered key insights on “Cyberattack – Are You Ready? An Organizational Ransomware Tabletop Exercise.”
Threat Assessment: Where Are the Breaches?
In 2018, the majority of data breaches in the healthcare industry came from hacking and unauthorized access, followed by employee error (negligence, improper disposal, and lost devices). Too often, DiMaggio observed, people think that they are removed or immune from such issues. They believe, among other things, that their network is secure, their organization (and/or the senior living industry) is too small to be targeted, they’ve been unaffected so far, and/or they have cyber-insurance. Everyone is at risk, however, and the cost of having a false sense of security can be high.
In fact, DiMaggio observed, cyberattacks can result in:
- Downtime/business disruption
- HIPAA violations that result in investigations, fines/penalties, and corrective action plans
- Civil litigation
- Reputation damage
- Individual notification/credit monitoring costs
- Legal expenses
The Trail of the Cyberattack
Just as a professional criminal doesn’t impulsively burglarize your house, DiMaggio noted, professional hackers are increasingly sophisticated and plan the attack in advance. They may start by perusing your website, SEC filings, LinkedIn pages, and Google accounts. They gain initial access through a means such as a phishing email, then maintain that access by creating a back door or a new user account. It takes time to realize you have been hit. In fact, said DiMaggio, an average of 197 days passes before most organizations detect a breach; by the time the problem is detected, a great deal of damage can already have been done.
Ravages of Ransomware
In recent years, ransomware attacks, using a type of malicious software designed to block system access until a sum of money is paid, have made the headlines. DiMaggio highlighted a few stories, including an incident where a ransomware attack cost the city of Baltimore over $18 million.
There are two basic types of ransomware. Crypto ransomware aims to encrypt personal data and files, while locker ransomware is designed to lock the system, preventing victims from using it or accessing data. DiMaggio noted that there is a growing number of ransomware strains, including Apocalypse, Cerber, CryptoWall, TeslaCrypt, Locky, TorrentLocker, and Unlock92. If necessary, he said, the FBI can help identify the specific strain involved if your organization is attacked.
“There are all kinds of ways into your system,” DiMaggio said. The ransomware can enter through network configurations, unpatched software, a malicious website, a phishing email link or attachment, a USB drive, or weak passwords.
The Test of the Tabletop
A tabletop exercise, while not a full test, takes only about two hours and should be done at least annually. It will serve one of two purposes, DiMaggio observed. “It will either prove to your company that you are not prepared for a ransomware attack or that you have a solid plan that will work.”
To start, you should have some type of playbook detailing how you would respond to a ransomware attack and then employ this in the exercise. Several key team members should be involved, including any IT security team members, risk management, appropriate executives, and a recorder to document what happens.
Then you can test a scenario. For instance, between 10:32 and 10:45 am, the help desk gets calls reporting ransomware. Then someone in HR reports opening an email, reportedly from the clinical staff at your new campus two hours away. Neither the help desk nor HR can access any files or get the ransom message to close.
At this point, DiMaggio noted, you have several questions to address, including:
- How much is the ransom?
- Can we completely recover from backup if we don’t pay the ransom?
- How long will it take to recover?
- How much data would we lose?
- Who do we call for help?
- Is this covered by cyber insurance?
You will need to determine, once you receive the ransomware note, what you will do. Will you shut down the system and revert to paper? Will you pay the ransom? Who will be responsible for contacting the cyber insurance company, law enforcement, and legal counsel? What information should they be prepared to provide to each?
A tabletop exercise enables you to walk through these questions, determine if you have answers, and identify and address gaps in planning, preparation, protection, procedures, and communications.
Of course, the emphasis should be on preventing a ransomware attack before it occurs, and the tabletop exercise can help determine whether your preventive measures are sufficient. Toward this end, DiMaggio suggested a few steps:
- Make sure networks are configured correctly.
- Implement a “least privilege” approach to ensure users have the minimum access and rights necessary to do their jobs.
- Limit file shares to only users that require the information.
- Make sure systems are patched (run regular internal and external vulnerability scans).
- Make sure backups are not online or accessible from user accounts.
- Constantly educate your staff.
- Know your backup recovery times and recovery points; your cyber insurance policy and related information; your local FBI/law enforcement contacts; and your legal counsel with cyber expertise.
- Have logs stored and managed, cyber incident/ransomware plans in place and practiced, ransomware identification tools available (to identify the strain), and a detailed playbook.
- Research how to pay a ransom (via bitcoin).
- Perform tabletop exercises.
- Have strong public relations/messaging in place for employees, the public, and other stakeholders.
When a ransomware attack occurs, said DiMaggio, the focus should be on handling the situation in a way that limits damage and minimizes recovery time and costs. Further, HIPAA requires documentation that several activities occurred, including the pre-existing presence of policies and procedures to handle an attack, adequate training on cybersecurity, and testing (such as tabletop exercises).
In responding to an attack, said DiMaggio, start by implementing your plan. Contact law enforcement and communicate with all stakeholders. If you recover from backup, re-enter the data generated or modified since your last backup recovery point. Perform a HIPAA breach risk assessment and check the integrity of the data.
“Hackers are increasingly sophisticated, and these attacks can be very, very scary,” said DiMaggio. The tabletop exercise can help give your organization and teams peace of mind that they are prepared to prevent a ransomware attack and, if one does happen, minimize the damage.