Jan 06 2022

What to Know About Ransomware Crisis Planning

In the event that a ransomware attack hits a healthcare organization, leaders need to have a defined strategy already prepared.

Healthcare providers continue to find themselves in ransomware’s crosshairs.

An analysis of ransomware attacks during the first half of 2021 found that more attacks occurred during the first half of that year than during all of 2020, according to software company Cognyte. That’s an alarming statistic alone, but it’s even more disturbing to learn that 70 of those attacks targeted the healthcare industry.

Building a strong cybersecurity program can help protect organizations against ransomware, but no controls are foolproof. The risk remains that an attack will slip through even the best-designed defenses and bring a healthcare provider to its digital knees.

Organizations must take steps today to prepare for a ransomware crisis, including considerations for payment and partnering with an incident response firm. 

Click the banner below to dig deeper into security and incident response with planning guidance from CDW.

Develop a Payment Strategy in Case of a Ransomware Attack

The primary question facing any hospital experiencing a ransomware attack is whether they should pay the ransom. This is an extremely difficult decision, and it’s best to think it through before an incident occurs, rather than in the heat of the moment. 

On one hand, paying the ransom offers the possibility of a quick and easy resolution of the emergency. On the other, ransom payments present legal, ethical and operational issues that organizations must consider.

As hospitals wrestle with the question, they should seek legal guidance to ensure that they don’t run afoul of any laws or regulations. For example, the U.S. Treasury’s Office of Foreign Asset Control recently published guidance declaring that some ransomware payments may violate federal law. Navigating these regulations can be quite tricky, and legal expertise is definitely required.

READ MORE: Learn how to create a strong security culture at your healthcare organization.

From an ethical perspective, paying a ransom rewards wrongdoing and encourages future attacks. Healthcare administrators must weigh this generalized concern against the very real and imminent risk to patient safety during a ransomware attack.

Finally, there’s no guarantee that the attacker will deliver the decryption key required to end the attack after receiving the ransom payment. Most attackers do deliver the key, but organizations considering any payment should research the past habits of their attacker to the extent possible. Consulting threat intelligence reports may provide valuable insight.

Engage an Incident Response Firm

Ransomware attacks may be technically sophisticated, and organizations that quickly engage subject matter experts will likely experience better outcomes. These experts can provide information about similar attacks against other organizations, identify whether attempting to reverse the infection is feasible, and guide the hospital through the incident response process. The hospital and IT team may be experiencing their first ransomware incident, but these subject matter experts handle them every day.

It’s important to build a relationship with an incident response vendor before an attack occurs. Negotiating an agreement, completing the paperwork and arranging payment is time-consuming and will slow the deployment of expert assistance. Many incident response firms are willing to enter no-cost or low-cost retainers that get that paperwork out of the way before an incident occurs and then guarantee a rapid response when activated.

READ MORE: Find out why layered security is essential to incident response planning.

Purchase Cybersecurity Insurance to Protect Your Organization

Cybersecurity insurance policies were once exotic options used by only a handful of organizations. Now, they’re a common element of every large organization’s cybersecurity risk management strategy.

These policies primarily insure against the financial impact of ransomware and other cybersecurity threats, but they also provide access to expertise in incident response.  

Once a policy is purchased, the insurance carrier’s interests are aligned with those of the hospital. Neither organization wants the hospital to experience a disruptive and costly cybersecurity incident, and both want to act as quickly as possible to contain the damage. For this reason, cybersecurity insurance providers may dispatch technical experts to help minimize the damage caused by any ransomware attack. In fact, having an incident response team on retainer may be a requirement of coverage for a cybersecurity insurance policy.

RELATED: Discover why partnerships are important to healthcare security.

Insurance carriers recognize the significant financial risk posed by cybersecurity attacks and they aren’t willing to just issue policies without conducting their own due diligence. Hospitals considering purchasing a policy should expect the carrier to conduct a cybersecurity assessment prior to issuing the policy. It’s likely they will identify deficiencies and require that the organization remediate any serious issues before granting coverage.

Source: cognyte.com, “Ransomware Attack Statistics 2021 – Growth & Analysis,” Aug. 8, 2021

Develop an Incident Response Communication Strategy

Ransomware attacks may be commonplace, but they’re also of great public interest, particularly when they occur at a high-profile organization like a hospital. Once the media catches wind of an incident, reporters will begin calling any number they can find and attempt to interview employees as they enter and exit the hospital. It’s imperative to get everyone on the same page from a communication perspective and control the flow of information to the media.

In addition to managing these public relations concerns, the hospital may find itself under legal and regulatory obligation to disclose the incident to government authorities and affected individuals. This is another area where consultation with legal counsel is imperative. Attorneys can help the hospital navigate the disclosure requirements imposed by the HIPAA/HITECH Breach Notification Rule and any state laws that may apply.

Ransomware poses a significant threat to hospitals and other healthcare organizations, but the threat is not insurmountable. Providers should bring together their leadership, legal counsel, cybersecurity and IT teams before an incident takes place to develop a clear action plan that will guide future response efforts.

Michael Austin/Theispot

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.