The healthcare sector has become a deliberate target for malicious intent. Many malware groups have targeted healthcare in recent years, with over a hundred organizations suffering disruption in 2020, according to the CrowdStrike 2021 Global Threat Report.

Most recently, the FBI and U.S. Treasury Department are warning of attacks since the spring of 2021 by North Korean state-sponsored hackers. Specifically, these attackers are using the Maui ransomware to target healthcare and public health organizations across the United States.

The healthcare industry is a business that cannot go out of business, and its people are once again on the front lines.

According to a recent report from Statista, the top three leading causes of ransomware infection are:

  • Spam or phishing emails (54%)
  • Poor user practices or gullibility (27%) 
  • Lack of cybersecurity training (26%)

These three leading causes, as well as the use of weak passwords and even the cultural challenge of lack of funding and executive buy-in, can all be addressed with a focus on user training and awareness.

Healthcare security teams and employees need to understand and monitor the typical steps involved in a ransomware attack, from how the threat targets enterprise networks to when employees should begin incident response protocols.

Healthcare organizations should ensure they have the various playbooks necessary to act should a ransomware attack be detected. Many of these playbooks will span across many (if not all) levels of IT/OT and the organization. A “short list” of examples for playbooks that should be created, distributed to the team, tested, updated and protected are listed below:

Determine the scale of incident response

At what business, treatment disruption, or patient impact level is the ransomware infection? What level does the impact to reach to include executive notification and action? What constitutes a need for public disclosure and notification?

Who to contact in an emergency

At the various levels of impact, what is the list of responders required to mitigate and recover the systems? This definition of crucial people is an essential step, as many organizations define the IT resources but do not account for OT and other support necessary when healthcare systems are breached.

Internal and external communications

Who talks to whom and when in the various levels of incident impact? When should employees flag suspicious activity, and to whom do they report?

Incident response checklist

Have a planned, repeatable response process with a decision-making matrix to ensure options are thought through before an event. It is crucial to think through 80% of the questions that need answers during an event while providing starting point options for the remaining 20% that may arise.

The above playbooks are, by no means, an exhaustive list and should be treated as the “bare minimum.” The more pre-planning for areas of risk, the better.

To lessen the blow of a ransomware attack, it is essential that all organizations follow a few key tips.

  • Always assume your organization can be a victim. Any business or healthcare provider (or supply chain company) can be a target. 
  • One tool or technology won’t help organizations protect against all cyber threats. Security is not technology, and technology is not security. It is a concert between people, processes and technology.
  • Test the backups often, but also keep offline copies. Corruption of the backup is a poison pill for any organization. Don’t be too quick to assume the backup is functional without proper testing.
  • Never apply decryption keys to the only copy of data. Sometimes, the decryption key may not work or further corrupt the target system.
  • Keep paper or offline response plans. Keeping the plans “only online” can mean the plans themselves can be rendered inaccessible.

To protect against ransomware, healthcare organizations should maintain a defense-in-depth security program; consider advanced protection technologies; implement and maintain a comprehensive asset/risk/vulnerability management program and technologies; patch regularly; perform frequent backups of critical data; consider table-top and cyber range exercises; and, above all, educate employees about the risks of social engineering. By following these steps, healthcare security leaders can reduce their facilities’ cyber risk.