Jul 29 2021

How Security Training Can Combat the Threat of Ransomware

Preparedness, security tools and a recovery plan are key to helping healthcare organizations overcome cybersecurity attacks.

In 2020, the healthcare industry was the target of 20 percent of data security incidents identified in a recent BakerHostetler report. The rise in ransomware attacks on healthcare organizations specifically led the Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services to issue a joint cybersecurity advisory in October of that year describing “the tactics, techniques and procedures used by cybercriminals against targets in the Healthcare and Public Health Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.”

Cybercrime is more organized than ever before, with Ransomware as a Service offerings on the market enabling bad actors to use existing ransomware toolkits to carry out attacks. Ransomware also is becoming more sophisticated. In the past year, ransomware attacks have relied less on human involvement, as many of the propagation techniques have been automated. For example, some ransomware toolkits have capabilities that make them more wormlike, allowing them to spread.

Many health systems and individual clinics are aware of this threat. However, as they adapt their tactics to protect against ransomware, cybercriminals also are changing their approaches to take advantage of new vulnerabilities. CDW has new guidance on how healthcare organizations can bolster their defenses against ransomware and how to respond to an attack.

What Makes Healthcare Vulnerable to Ransomware Attacks?

Patient data is valuable. It’s more difficult to change personally identifiable information than it is to change a credit card number. This makes healthcare systems prime targets for attackers, who could sell the information or use it to commit fraud. Because of the sensitive nature of patient data and the risk to patients if critical infrastructure is impacted, healthcare organizations may be more willing to pay the ransom.

Many vulnerabilities are created through human error or end users’ lack of security awareness or education. End users are the last line of defense. Great security tools and methods can be implemented, but if a threat makes it past those defenses and into an end user’s email, it comes down to them not clicking a link or opening an attachment.

Legacy tools represent another common vulnerability in that they don’t provide proper visibility or control to monitor against sophisticated ransomware attacks.


New Guidance on How to Respond to a Ransomware Attack

If a healthcare organization functions under the mindset that it will always be at risk of a ransomware attack, then it will be better off in the long run. The first step to defending against an attack is to be prepared with an incident response plan. Security education and training for all staff is an important foundation for preparedness and prevention.

Having the right prevention and detection tools in place, such as strong email security platforms, managed detection and response tools, and multifactor authentication (especially with remote access), can go a long way toward preventing attacks and damage.

Many healthcare organizations don’t have the staff or expertise to provide the level of service needed. In that case, they can benefit from having a partner that offers a managed service around incident response, including monitoring and increased visibility. When choosing a partner, healthcare organizations should seek out 24/7 coverage, since bad actors aren’t always going to attack a hospital’s IT systems at 2 p.m. on a Tuesday. An attack could come at midnight on Christmas Eve.

CDW is one such incident response partner that offers incident response retainer contracts at no cost, as well as paid retainers to guarantee service-level agreements. CDW also offers an incident response preparedness workshop.


Healthcare organizations should have an incident response partner, someone on retainer and a playbook with instructions on what to do in the event of an attack. The plan would likely involve reaching out to the incident response partner so it can figure out what’s happened, conduct any forensic work needed and get systems back online.

The final piece to incident response is having a recovery plan and backups that are readily available. Data should reside in three places: where it’s created, in a backup location and in another backup location offsite.

In the event of an attack, an incident response partner would take an infected system offline to airgap it from the rest of an organization’s network to prevent ransomware propagation or damage. A partner can help a healthcare provider through the entire recovery process.

After systems are back online, an organization should hold a session with key stakeholders, IT leadership and the incident response partner to go over lessons learned. While cybersecurity incidents are unfortunate, they can provide useful information to identify areas of weakness in the IT environment. Knowing this information can lead to changes in an organization’s cybersecurity priority list to create a stronger security process in the long run.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.

