What Makes Healthcare Vulnerable to Ransomware Attacks?
Patient data is valuable. It’s more difficult to change personally identifiable information than it is to change a credit card number. This makes healthcare systems prime targets for attackers, who could sell the information or use it to commit fraud. Because of the sensitive nature of patient data and the risk to patients if critical infrastructure is impacted, healthcare organizations may be more willing to pay the ransom.
Many vulnerabilities are created through human error or end users’ lack of security awareness or education. End users are the last line of defense. Great security tools and methods can be implemented, but if a threat makes it past those defenses and into an end user’s email, it comes down to that user not clicking a link or opening an attachment.
Legacy tools are another common vulnerability: they don’t provide the visibility or control needed to monitor for sophisticated ransomware attacks.
New Guidance on How to Respond to a Ransomware Attack
If a healthcare organization functions under the mindset that it will always be at risk of a ransomware attack, then it will be better off in the long run. The first step to defending against an attack is to be prepared with an incident response plan. Security education and training for all staff is an important foundation for preparedness and prevention.
Having the right prevention and detection tools in place, such as strong email security platforms, managed detection and response tools, and multifactor authentication (especially for remote access), can go a long way toward preventing attacks and damage.
Many healthcare organizations don’t have the staff or expertise to provide the level of service needed. In that case, they can benefit from having a partner that offers a managed service around incident response, including monitoring and increased visibility. When choosing a partner, healthcare organizations should seek out 24/7 coverage, since bad actors aren’t always going to attack a hospital’s IT systems at 2 p.m. on a Tuesday. An attack could come at midnight on Christmas Eve.
CDW is one such incident response partner that offers incident response retainer contracts at no cost, as well as paid retainers to guarantee service-level agreements. CDW also offers an incident response preparedness workshop.
Healthcare organizations should have an incident response partner on retainer and a playbook with instructions on what to do in the event of an attack. The plan would likely involve reaching out to the incident response partner so it can figure out what has happened, conduct any forensic work needed and get systems back online.
The final piece to incident response is having a recovery plan and backups that are readily available. Data should reside in three places: where it’s created, in a backup location and in another backup location offsite.
In the event of an attack, an incident response partner would take an infected system offline to airgap it from the rest of an organization’s network to prevent ransomware propagation or damage. A partner can help a healthcare provider through the entire recovery process.
After systems are back online, an organization should hold a session with key stakeholders, IT leadership and the incident response partner to go over lessons learned. While cybersecurity incidents are unfortunate, they can provide useful information to identify areas of weakness in the IT environment. Knowing this information can lead to changes in an organization’s cybersecurity priority list to create a stronger security process in the long run.