Prevent and Treat Ransomware Attacks on Healthcare Systems
Healthcare enterprises manage incredible amounts of sensitive data about their employees, patients, processes and medical devices. At the same time, information technology (IT) is not at the core of what they do – caring for patients is. This makes healthcare providers, hospital systems and other medical facilities especially vulnerable to cyberattacks.
During the pandemic, that susceptibility became more pronounced as bad actors took advantage of the heightened stress and demand on the healthcare industry. In October 2020 the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint alert warning of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” It’s critical for hospital and healthcare leaders to understand the threat and to know how to prepare for and respond to potential attacks.
- Healthcare companies are the focus of heightened cybercriminal activity.
- Be aware of the common types of intrusions or breaches.
- Educate employees about risks and how to keep systems secure.
- Have a plan and backup systems in place in case of a ransomware attack.
Understanding the Risk to Your Health System
The IT environment in healthcare companies, hospital systems, and large practices or specialized facilities is getting more complicated, and complexity leads to potential vulnerability. Large healthcare providers may be managing multiple systems for patient care and administration, a plethora of network-enabled devices with proprietary software, and hundreds of employees. In addition, the pandemic has created new issues – including managing remote workers on the administration side and more significant communication needs on the patient side.
Ransomware is malware that criminal groups deploy after compromising a system or network: it encrypts files so users can no longer access them, and the attackers demand payment, usually in cryptocurrency, to unlock them. The encryption is usually the last step of the intrusion. The initial breach occurs days, weeks or even months beforehand, giving the attackers time to move through the network and see what they can reach. Common initial access vectors are a phishing email carrying a malicious link or attachment, and a login through an exposed remote desktop service.
“During COVID-19, cybercriminals see an opportunity to maximize their payoff because hospitals have critical care they need to provide,” said Pete Wheeler, Senior Vice President, Head of Healthcare and Insurance Payments, KeyBank. “They believe there’s a high likelihood that facilities will pay the ransomware.”
Why are Healthcare Companies Being Targeted?
Healthcare companies have unique characteristics that make them attractive to organized cybercriminals, according to cybersecurity consultants TrustedSec.
- Value of the actual organization: If a hospital has to close or divert patients because its system is locked down, it has life and safety repercussions.
- Type of data: For many people, personal health records are the most private data they have, and healthcare firms are heavily regulated to protect patients’ privacy.
- System complexity: Due to mergers and acquisitions in the healthcare space, systems have also had to merge tech networks and processes creating complexity and potential security lapses.
- Critical medical devices that run on legacy operating systems: Those operating systems may no longer receive security patches, or the device may depend on custom software that cannot be updated, leaving known vulnerabilities open.
- Disparate work groups: Specialty areas or providers within a healthcare network or hospital system have freedom to purchase equipment or software outside of the usual processes and that IT may not support.
- The growth of telehealth: The use of telehealth, which was accelerated by the pandemic and will continue to grow, adds additional access vectors that need to be secured.
The combination of these factors may make a hospital or healthcare organization both more susceptible to breaches and more likely to pay the ransom to regain file access – a boon for cybercriminals.
Preparation is Prevention
Key’s experts agreed: Preventing an attack starts with having a plan. To begin, educate your employees on protocols such as how to identify suspicious links, set up multifactor authentication, create stronger passwords, and how to select software and vet it for security. Advise them not to give user information, passwords, or financial data over the phone or on unsecured sites.
Make sure you have an updated inventory of the data and devices on your network. Identify legacy equipment, and if it can’t be updated or replaced, put compensating controls around it.
“Be proactive rather than reactive. Ask: What are our gaps? What does our defense in depth look like?” said Alex Hamerstone, practice lead, Governance, Risk, Compliance, TrustedSec. “Develop a shared mindset from executives to engineers that we’re working toward a common goal to identify internal gaps and external threats as we put in more robust security measures.”
Establish a layered approach to security. Since email is a typical initial entry point for ransomware, add controls at that layer: spam and attachment filtering, third-party monitoring, and disabling Office macros in documents that arrive from outside the organization. Conduct phishing tests so employees see for themselves how breaches begin. Make sure every device on the network has up-to-date security patches.
Add network segmentation. Isolate your essential systems and data, which makes it harder for hackers to get to key data if you’re impacted by malware. Create special controls around and back up healthcare critical functions, as well as valuable administrative side functions such as human resources/payroll, accounts receivable and payable, and vendor management.
Secure the banking environment. Limit the number of employees who can access online banking systems and establish permissions and checks, such as requiring dual approval on outgoing ACH (automated clearinghouse) or wire payments.
Track behavior and conduct mock incidents. Know what systems and users are supposed to be doing and when, and record those normal patterns so that an internal tech support team or a third-party monitoring company can recognize anomalies such as logins at unusual hours, from unexpected locations, or after a burst of failed attempts. Make cyber incidents part of your business continuity and disaster recovery planning, and rehearse the ransomware scenario rather than waiting for the real one.
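The kind of baseline check the paragraph above describes, applied to the two entry points the article names (remote desktop logins and account misuse), can be expressed as a small detection script. The following is an added example, not code from the article or from KeyBank or TrustedSec; the log line format (timestamp, Windows logon event ID, logon type, user, host, source IP), the internal address ranges, the per-account working-hours baselines, and the sample log itself are all constructed for illustration. It flags successful RDP logons from outside the internal networks, logons outside an account's expected hours, accounts with no baseline at all, and a success that follows a burst of failures from the same source.

```python
"""Baseline-and-anomaly checks over a constructed sample of logon events.

Added example, not code from the article or from KeyBank/TrustedSec.
The log format (timestamp, Windows event ID, logon type, user, host, source IP)
and the per-user working-hours baselines are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

SUCCESS_LOGON = 4624          # Windows: an account was successfully logged on
FAILED_LOGON = 4625           # Windows: an account failed to log on
RDP_LOGON_TYPE = 10           # Windows logon type 10 = RemoteInteractive (RDP)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed

# Assumed baselines: the hours during which each account is expected to be active.
BASELINE_HOURS = {
    "nurse.jdoe": (time(6, 0), time(20, 0)),
    "billing.asmith": (time(7, 0), time(18, 0)),
    "svc-backup": (time(0, 0), time(23, 59, 59)),
}

# Constructed sample log. 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """\
2020-10-28T07:12:03 4624 type=2 user=nurse.jdoe host=WS-ICU-04 src=10.20.1.15
2020-10-28T08:05:41 4624 type=10 user=billing.asmith host=FIN-01 src=10.20.3.9
2020-10-28T02:47:10 4624 type=10 user=billing.asmith host=FIN-01 src=203.0.113.7
2020-10-28T03:10:55 4625 type=10 user=administrator host=DC-01 src=203.0.113.7
2020-10-28T03:11:02 4625 type=10 user=administrator host=DC-01 src=203.0.113.7
2020-10-28T03:11:09 4625 type=10 user=administrator host=DC-01 src=203.0.113.7
2020-10-28T03:11:15 4625 type=10 user=administrator host=DC-01 src=203.0.113.7
2020-10-28T03:11:21 4625 type=10 user=administrator host=DC-01 src=203.0.113.7
2020-10-28T03:11:40 4624 type=10 user=administrator host=DC-01 src=203.0.113.7
2020-10-28T23:30:00 4624 type=5 user=svc-backup host=BKP-01 src=10.20.9.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) type=(?P<ltype>\d+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+)$"
)


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    host: str
    src: str


def parse_log(text):
    """Parse the assumed line format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LogonEvent(datetime.fromisoformat(m["ts"]), int(m["event"]),
                                     int(m["ltype"]), m["user"], m["host"], m["src"]))
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_anomalies(events, failure_threshold=5, window=timedelta(minutes=10)):
    """Return (kind, user, src, timestamp) findings for logons that break the baseline."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logons
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == FAILED_LOGON:
            failures[(ev.user, ev.src)].append(ev.ts)
            continue
        if ev.event_id != SUCCESS_LOGON:
            continue
        stamp = ev.ts.isoformat()
        # RDP straight from the internet: a common ransomware entry point.
        if ev.logon_type == RDP_LOGON_TYPE and not is_internal(ev.src):
            findings.append(("rdp_from_external", ev.user, ev.src, stamp))
        # Accounts with no recorded baseline, or active outside their expected hours.
        hours = BASELINE_HOURS.get(ev.user)
        if hours is None:
            findings.append(("no_baseline_for_account", ev.user, ev.src, stamp))
        elif not (hours[0] <= ev.ts.time() <= hours[1]):
            findings.append(("off_hours_logon", ev.user, ev.src, stamp))
        # A success right after a burst of failures from the same source: password guessing.
        recent = [t for t in failures[(ev.user, ev.src)] if ev.ts - t <= window]
        if len(recent) >= failure_threshold:
            findings.append(("success_after_failures", ev.user, ev.src, stamp))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed sample the script reports five findings: the billing account's off-hours RDP session from an external address (two findings), and the administrator's external RDP logon, which has no baseline and lands right after five failed attempts (three findings). The nurse's daytime console logon and the backup service account's overnight batch logon match their baselines and produce nothing, which is the point of recording normal patterns first: without them every night-time logon looks suspicious.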
What to Do in Case of a Breach
Despite your enterprise’s best efforts, your company may experience a ransomware attack – hackers are organized networks of criminals that are well-resourced and sophisticated. Wheeler recommends reaching out to the local FBI field office or IC3.gov early. While law enforcement can’t mitigate an attack, they may provide useful context about ransomware attacks that have been identified before you bring in a remediation company.
When a remediation company is brought in, Justin Vaicaro, senior incident response consultant, TrustedSec, says they’ll see what backups are available and triage and investigate the incident while getting necessary systems running. Recommendations for affected companies are:
- Don't power down impacted systems: volatile memory holds forensic evidence that is lost on shutdown. Disconnect them from the network instead to contain the spread.
- Understand the notification requirements if you carry cyber insurance. Reporting too late can lead to reduced payments.
- Activate your internal and external communications plan. Understand the notification requirements if health record or financial data (including employee, patient or vendor) is exposed.
- Contact your financial institution to make them aware of the situation and determine next steps.
Conclusion: Responding to the Ransomware Threat
With cybercriminals increasingly targeting healthcare providers and hospitals, now is the time to make sure your systems have the right prevention measures in place. Ensure you’re tracking alerts from government entities, technology vendors and the Health Information Sharing and Analysis Center. Keep employees informed of threats and add security layers.
KeyBank is committed to helping you protect your business and your treasury management system from ransomware attacks. For more insights into cybersecurity and fraud, visit Key.com/cybersecurity.