In our previous blog post, we looked at some of the effects of ransomware attacks. Because of the nature of healthcare, ransomware does not just destroy files; it can halt vital patient care services. Requirements for reporting ePHI breaches and leaks are also more stringent than in many other industries. Healthcare organizations, especially smaller ones, often have limited budgets for the security controls that protect patient data and services. Added to this is the leverage an attacker can wield, knowing that healthcare is critical and that victims are under pressure to get those services running again quickly.
How can organizations better protect themselves?
Protecting Ourselves From the Damage of Ransomware
We all have a favorite quote about plans. Mike Tyson said, “Everyone has a plan until they get punched in the mouth.” J.R.R. Tolkien wrote, “It does not do to leave a live dragon out of your calculations, if you live near him.” Or how about Peter Drucker – “Unless commitment is made, there are only promises and hopes; but no plans.”
Your organization’s response to a disaster is of paramount importance. Whether you keep your Business Continuity Plan (BCP), Incident Response Plan (IRP), and Disaster Recovery Plan (DRP) in one large document or in separate documents is secondary. What matters is that you consider the risks and threats your business faces (e.g., building fire, ransomware) and write down what you will do about them.
Below is a sample roadmap for SMB healthcare organizations (more a checklist than a roadmap, since the items are not necessarily in order):
- Hire or upskill current staff
- Inventory all of your technical assets (servers, workstations, other devices that hold data or provide services)
- Deploy antimalware across that inventory, and patch and update as many items as possible
- Close every port that does not need to be open (e.g., TCP and UDP port 3389, Remote Desktop, is often negligently left exposed to the internet)
- Determine where the “crown jewels,” or ePHI and other confidential data, are and protect them accordingly.
- Cover your org with P&P (policies and procedures)
- Your level of involvement in policymaking will differ. If you have no direct influence, review the existing policies for gaps you can suggest filling (e.g., do they cover clean/secure desk and locking workstations, i.e. workstation use and workstation security, and physical safeguards for wherever ePHI is stored? The HIPAA Security Rule requires all of these).
- One of the most important P&Ps to complete first is your Incident Response Plan. Businesses face many incident types beyond cyberattacks, so the plan covers much more than ransomware; it is essentially your 911 plan for every damaging event.
- Go through this list (link below) to ensure that you’re covered for HIPAA’s Security requirements, which include Administrative, Physical, and Technical safeguards:
- Get familiar with the HIPAA Privacy Rule. ITEGRITI has two great blogs on understanding and achieving HIPAA compliance, which are a great place to start.
- Perform a Gap Analysis to find out how to get from where you are to where you need to be.
- The “Security Risk Assessment Tool” at healthit.gov is a GREAT tool. Download and install it, then work through the pages.
  - Yes, it’s quite lengthy, so be ready to spend a good bit of time on it.
  - Be honest and open during the assessment
  - Work with your colleagues
  - Share your findings with management
- Institute corporate security awareness training
- Not all ransomware gets in because someone in your company clicked on something they shouldn’t. Plenty of ransomware (e.g., SamSam) happily exploits technical weaknesses such as unpatched internet-facing servers and exposed remote-access services. But clicking on a bad email or pop-up remains a major factor.
- If you’re already strapped for money (meaning you have little or no training budget), Cofense offers free modules:
- https://cofense.com/cbfree/
- They require an LMS, either in-house or hosted. If you need a free on-prem LMS, this link lists some options:
For smaller organizations there are plenty of resources, but using them requires self-directed learning. Remember: ransomware protection is also about upskilling your staff!
This process may seem daunting, but remember that patients, doctors, and staff are all depending upon a healthcare organization to protect their own data, especially ePHI.
Other Resources for Defense
One way to limit ransomware attacks is MDBR. Malicious Domain Blocking and Reporting (MDBR) is a protective DNS service provided by CIS and Akamai at no cost to hospitals, both public and private. Participating hospitals point their DNS resolution at Akamai’s resolvers, and every lookup is checked against a list of known malicious domains; matching requests are blocked and reported back to the organization. More information here: https://www.cisecurity.org/hospitals/
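To make the blocking-and-reporting idea concrete, here is an added Python example (it is not CIS or Akamai code and does not describe MDBR’s internals) that replays a constructed resolver log against a constructed blocklist. The domain names, client addresses, and the choice to answer blocked lookups with NXDOMAIN are all assumptions made for the illustration. The one subtlety worth seeing in code is the matching rule: a listed domain must cover all of its subdomains, but a naive string-suffix test would also flag unrelated names that merely end in the same characters.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed blocklist. Assumption for this example: entries are registered
# (apex) domains, and every subdomain of an entry is treated as malicious too.
MALICIOUS_DOMAINS = frozenset({
    "evil-invoice.example",
    "payload-cdn.test",
})

# Constructed resolver log, one query per line: timestamp client qname qtype.
# Not real traffic; invented to exercise the matching rules below.
QUERY_LOG = """\
2024-03-01T09:12:01Z 10.20.0.15 mail.hospital.example A
2024-03-01T09:12:04Z 10.20.0.15 tracking.evil-invoice.example A
2024-03-01T09:12:05Z 10.20.0.15 Evil-Invoice.Example. AAAA
2024-03-01T09:13:17Z 10.20.0.44 notevil-invoice.example A
2024-03-01T09:14:02Z 10.20.0.44 a.b.payload-cdn.test TXT
2024-03-01T09:15:00Z 10.20.1.9 portal.hospital.example A
"""


def normalize_qname(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def blocked_parent(qname: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry that covers qname, or None.

    Walks up the label chain (a.b.c -> b.c -> c) so subdomains of a listed
    domain match, while a plain string-suffix test would wrongly flag
    'notevil-invoice.example' as a hit for 'evil-invoice.example'.
    """
    labels = normalize_qname(qname).split(".")
    blocked = set(blocklist)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def answer_query(qname: str, blocklist: Iterable[str]) -> str:
    """What the protective resolver hands back: a refusal for listed names
    (modeled here as NXDOMAIN, an assumption about the service) and a normal
    resolution otherwise (modeled as the token 'RESOLVE'; no real lookup)."""
    return "NXDOMAIN" if blocked_parent(qname, blocklist) else "RESOLVE"


def process_log(log_text: str, blocklist: Iterable[str]) -> Dict[str, object]:
    """Replay a query log through the blocklist and build the 'reporting' half:
    which clients asked for which blocked names, so the responder can find
    the host that needs attention."""
    blocked_events: List[Dict[str, str]] = []
    allowed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        hit = blocked_parent(qname, blocklist)
        if hit is None:
            allowed += 1
            continue
        blocked_events.append({
            "time": ts,
            "client": client,
            "qname": normalize_qname(qname),
            "qtype": qtype,
            "matched": hit,
            "answer": answer_query(qname, blocklist),
        })
    by_client = Counter(ev["client"] for ev in blocked_events)
    return {"blocked": blocked_events, "allowed": allowed, "by_client": dict(by_client)}


if __name__ == "__main__":
    report = process_log(QUERY_LOG, MALICIOUS_DOMAINS)
    for ev in report["blocked"]:
        print(f"{ev['time']} {ev['client']} asked for {ev['qname']} "
              f"-> {ev['answer']} (matched {ev['matched']})")
    print("clients to investigate:", report["by_client"])
```

Two practical caveats follow from this model. A protective resolver only sees lookups that actually reach it, so endpoints must not be able to bypass it with hard-coded resolvers or DNS-over-HTTPS; block outbound port 53 to anything other than the approved resolvers. And the report, not the block, is where the value for a small team lies: a workstation that keeps asking for listed names is the one to isolate and examine, because the block stopped one connection, not the infection behind it.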
A great resource for tabletop exercises is Tabletop Scenarios (@badthingsdaily on Twitter).
Responding to Ransomware Attacks
What does a company do when ransomware hits?
Report it to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/
Also, you can use this site (created by CISA) to report ransomware: https://www.cisa.gov/stopransomware
This page presents a link to a PDF that has great vendor-neutral advice for both preventing and responding to ransomware: https://www.cisa.gov/stopransomware/ransomware-guide
Every company is different, so there is no all-purpose plan. Numerous mindmaps and workflows give response overviews, from a few points to lengthy directions. Here is a simple sample list:
After validating that it was a real attack:
- Gather the Team
- Determine the Scope
- Analyze the Incident
- Contain the Attack
- Investigate the Details
- Eradicate the Threat
- Notify law enforcement (see the reporting links above) and start assessing any breach-notification obligations
- Recover the data, in order of preference:
  - Restore the files from backups (preferred)
  - Decrypt the data (if a working decryptor exists)
  - Accept the loss
  - Pay the ransom (least preferred)
    - If this option is chosen, plan to permanently lose an average of about a third of your files anyway; criminals do not reliably deliver working decryption.
    - If you pay, it will likely happen again: the gang now knows it has a paying victim.
- Post-Incident Actions
  - Document Lessons Learned
There’s not a true linear approach here. Many of these actions should take place at the same time or in quick succession.
There is always help available, though sometimes it takes some digging. While an organization will have talented people on staff, it is always helpful to work with a trusted advisor who can cover the various (especially missing or deficient) areas of information security: compliance expertise, risk management, or even managed services such as a vCISO. You can find out how healthcare organizations benefit from a vCISO in my recent article.
Stay Safe!