Dos and Don’ts of Managing Ransomware Risk in Healthcare
Right now, no one in the industry should be surprised that healthcare is the juiciest target for hackers attacking with ransomware. In short, healthcare holds the most valuable data and has not yet deployed protections as robust as those in other industries.
Steve Winterfeld, advisory director of information security at network security and content delivery provider Akamai, is on a mission to study ransomware in detail. As a result of his research, he came up with a list of dos and don’ts for healthcare provider organizations fighting ransomware.
IT health news sat down with Winterfeld, who believes that using the cyber-kill-chain model to disrupt ransomware attacks is the best way to stop them, to discuss his dos and don’ts for the benefit of CISOs and CIOs, vendors, and other leaders in healthcare IT and cybersecurity.
Q. You’ve created this list of dos and don’ts for organizations dealing with ransomware. The first item on your list is to NOT just pay the ransom, but to have a payment policy in place up front. Please explain why this is important for healthcare provider organizations.
A. If you find that your business is affected by ransomware, it is important to understand all the implications and options first. You must first understand the real-time impacts on operations. Next, you need to determine the regulatory and cyber insurance requirements (if you have one).
Then you need to work with the larger corporate crisis team, including public relations and legal, to get their perspective. Finally, you need to understand your options for restoring operations. This may involve rebuilding systems and/or restoring data.
When you think of ransomware today, it’s often more than just encrypting systems. There could be a second phase of extortion around the exposure of the stolen data. So, when making your incident response plan, you should include treating the ransomware as a data breach until you can prove it wasn’t. Usually, the cybercriminal will let you know if they have stolen data, but you will need to confirm what was taken.
Patient safety is always the number one concern, which is why it is time to address these issues before the crisis hits. You have to determine if you are going to pay. If you are ready to pay, you need to determine if you want to use a third party to make the payment. Finally, you need to establish the roles and responsibilities for using the decryption keys. If you’re not prepared to pay, the focus is on business continuity and resumption.
Q. Next, DO safety drills with employees as part of a larger program. What are some examples of such safety drills and how are they useful?
A. There are two key aspects to a ransomware incident response plan: response and recovery.
The response focuses on detecting and stopping ransomware before it has an enterprise-wide impact. This would include your Security Operations Center (SOC) or other team responsible for monitoring the network.
You should have an exercise to make sure they have processes in place to stop the spread of malware, coordinate crisis response across all lines of business, and brief management. This can be a tabletop exercise or can include technical validation through the use of a red team using carefully controlled attacks. An effective method of setting the framework for the exercise is to use the cyber kill chain.
Recovery is determining what it would take to recover the systems that have been encrypted. If only the data was encrypted and you had good backups, the impact would be minimal. The problem is, many companies haven’t exercised to restore and use backups.
Often there are issues discovered that could prevent a fast or full restore. It is essential to complete an optional exercise to fully understand the level of effort, the time required to complete the system/data rebuild, and the amount of data that would be lost – the time between backups.
A comprehensive cyber resilience or incident response plan has a number of other parts, but these are the two areas that must first be validated through an exercise. Once you are sure these are understood by management, so that they have solid expectations and processes in place for the work of the IT/infosec teams, you can move on to data breach drills, as many ransomware attacks also steal data.
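The recovery exercise described in this answer (can the backup actually be restored intact, how long does it take, and how much data would be lost given the time between backups) can be scripted so it runs on a schedule rather than only during a tabletop. The following is an added example, not code from the interview or from Akamai: it builds a constructed sample "production" tree and a deliberately damaged backup of it, restores the backup, checks every file against the hash manifest recorded at backup time, and compares the backup's age to a hypothetical recovery point objective (`rpo_seconds`). All file names, timestamps and the 24-hour RPO are assumptions made for the example.

```python
"""Backup restore drill: verify that a backup restores intact and report
the RPO exposure (age of the backup = data that a restore would lose)."""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of_file(full)
    return out


@dataclass
class DrillReport:
    restored_ok: bool          # every expected file present with matching hash
    missing: list              # files the backup job never captured
    corrupted: list            # files whose restored content differs from the manifest
    restore_seconds: float     # wall-clock time of the restore step
    data_loss_seconds: float   # age of the backup at drill time (RPO exposure)
    rpo_met: bool


def restore_drill(backup_dir, restore_dir, expected_manifest, backup_taken_at,
                  rpo_seconds, now=None):
    """Restore backup_dir into restore_dir, verify against the manifest recorded
    when the backup was taken, and compare the backup's age to the RPO."""
    now = time.time() if now is None else now
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    elapsed = time.monotonic() - start
    restored = manifest(restore_dir)
    missing = sorted(p for p in expected_manifest if p not in restored)
    corrupted = sorted(p for p in expected_manifest
                       if p in restored and restored[p] != expected_manifest[p])
    loss = now - backup_taken_at
    ok = not missing and not corrupted
    return DrillReport(ok, missing, corrupted, elapsed, loss, loss <= rpo_seconds)


def build_sample_environment():
    """Constructed sample: a small 'production' tree, a backup of it, then one
    backup file silently corrupted and one left out by an incomplete backup job."""
    base = tempfile.mkdtemp(prefix="drill_")
    prod = os.path.join(base, "prod")
    backup = os.path.join(base, "backup")
    os.makedirs(os.path.join(prod, "records"))
    for name, body in [("records/patient_001.txt", b"constructed sample record A\n"),
                       ("records/patient_002.txt", b"constructed sample record B\n"),
                       ("schedule.csv", b"date,room\n2024-01-01,3\n")]:
        with open(os.path.join(prod, name), "wb") as f:
            f.write(body)
    expected = manifest(prod)          # manifest captured at backup time
    shutil.copytree(prod, backup)
    with open(os.path.join(backup, "schedule.csv"), "ab") as f:
        f.write(b"garbage\n")          # simulated silent media corruption
    os.remove(os.path.join(backup, "records/patient_002.txt"))  # incomplete job
    return base, backup, expected


def run_sample_drill():
    """Run the drill on the constructed sample; backup is 36 h old against a 24 h RPO."""
    base, backup, expected = build_sample_environment()
    taken_at = 1_700_000_000           # constructed backup timestamp (epoch seconds)
    now = taken_at + 36 * 3600         # drill takes place 36 hours later
    report = restore_drill(backup, os.path.join(base, "restore"), expected,
                           taken_at, rpo_seconds=24 * 3600, now=now)
    shutil.rmtree(base, ignore_errors=True)
    return report


if __name__ == "__main__":
    r = run_sample_drill()
    print(f"restore ok: {r.restored_ok}; missing={r.missing}; corrupted={r.corrupted}")
    print(f"restore took {r.restore_seconds:.3f}s; backup age "
          f"{r.data_loss_seconds / 3600:.0f}h; RPO met: {r.rpo_met}")
```

The sample drill fails on purpose: it reports one missing file, one corrupted file, and an RPO breach, which is exactly the kind of finding the answer says companies only discover when they finally exercise a restore. In a real drill the manifest would be written by the backup job itself, and the restore target would be an isolated system, never the production host.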
Q. And finally, you said NOT to react criminally. Have backup plans in place. Please talk about this aspect and why it is essential for CISOs and CIOs.
A. We covered this point above, but the key here is to have clear roles and responsibilities defined before any IT incident. Many companies have a high-level crisis management plan. The CIO will have a business continuity and disaster recovery plan (BCDRP) and the CISO will have an incident response plan.
A ransomware attack will put all of these into action, so they need to be integrated. The loss of operational capacity due to the ransomware will force the business and IT teams to implement BCDRP while the infosec team will contain the malware and determine if it is acceptable to start rebuilding systems and restoring data. In a very stressful environment, this will require close teamwork and trust.
Another area to consider is when a critical vendor is affected by ransomware. You will have to do everything we talked about, but through governance based on the powers you have in your contract and the relationship you have with your supplier.
Now is the time to work with your supplier management and legal teams to change your process/playbook in the event of an external incident. This should include identifying critical vendors, mapping notification and audit rights for each and, if applicable, a discussion/exercise with them to understand roles and who to contact in a crisis.
With lives on the line for vendors and critical functions for other healthcare companies, the increase in ransomware attacks requires a rapid response, which only comes from careful preparation and integration of your teams, cyber defense processes and technical controls.
The question is not whether you will be affected, but how much you will mitigate the impact. The old adage “Preparation prevents poor performance” still holds true.