The U.S. Department of Justice announced on July 19 that it recently recovered two ransom payments totaling approximately $500,000 made by U.S. healthcare organizations in response to Maui ransomware attacks. The FBI and CISA highly discourage healthcare organizations from paying ransoms, as doing so doesn’t guarantee that files and records will be recovered.
However, there are several steps healthcare organizations can take to mitigate the impact of an attack and protect patient data and critical infrastructure.
Mitigation Tactics to Protect Healthcare Data from Maui Ransomware
According to the joint advisory from the FBI and CISA, healthcare organizations should:
- Deploy public key infrastructure and digital certificates to authenticate connections with their network, Internet of Medical Things (IoMT) devices and the EHR to limit malicious actors’ access to data
- Use standard user accounts rather than administrative accounts on internal systems because administrative accounts allow for overarching system privileges and don’t ensure least privilege
- Turn off network device management interfaces for WANs; when enabled, they should be secured with strong passwords and encryption
- Secure personally identifiable information and patient health information when collected and then encrypt the data, both at rest and in transit; PII and PHI should only be stored on internal systems protected by firewalls, and extensive backups should be made
- Secure the collection, storage and processing practices for PII and PHI in compliance with HIPAA to avoid introducing malware
- Implement and enforce multilayer network segmentation with the most critical communications and data resting on the most secure and reliable layer
- Use monitoring tools to observe whether IoMT devices are behaving erratically due to a compromise
- Create and regularly review internal policies that regulate the collection, storage, access and monitoring of patient data
In addition to updating software, using strong passwords and training staff, healthcare organizations also can prepare for ransomware threats by maintaining offline data backups; regularly testing backup and restoration capabilities; ensuring all backup data is encrypted and immutable, and encompasses the organization’s data infrastructure; and creating, maintaining and exercising a basic cyber incident response and communication plan that includes response procedures for a ransomware incident.