If systems are encrypted and backups cannot be restored, organizations will need to decide whether to pay a ransom. Cyber insurance providers can help with this decision, Weiss says.
“Unfortunately, I think it comes down to a business decision at that point, if you’re left with no choice, and it comes down to the fact that we need to get these systems back up and running because we’ve got patient lives at stake,” he says. “Ultimately, there may be a reason to pay a ransom and get things back up and running.”
If organizations can restore complete backups on their own, then paying a ransom is unnecessary, Weiss says.
When backups are not being taken, or are incomplete, healthcare organizations face a business decision about whether to pay the ransom to restore systems. They should weigh the business cost, such as how long a restore from backup will take and when the last backup was taken, he says.
The key goal during a cyberattack is to “stop the bleeding,” Morris says. However, unplugging essential services is often an overreaction during this time, he adds.
“If you’re a mature IT ops and cybersecurity organization, it rarely goes to that level where you’re unplugging everything,” Morris says. “You don’t cut off an entire arm just because the fingernail got smashed.”
Stone also warns against powering systems off, because a running system is what preserves the evidence needed to investigate after an attack.
“What we should never recommend is turning the power off to a system, because once you do that, you lose almost all if not all of the forensic capability,” he explains. “So, let a system run, isolate them to the extent you can. Use virtual networking rules, physically pull cables, but try not to turn them off.”
When people panic and turn off all systems during an attack, “that’s not resiliency,” Morris says, “because you’re not operating at all at that point.”
Cyber Resilience After a Cyberattack
Stone warns that restoring from backup is too slow to be the primary means of recovery after an attack. He recommends a strategy of “tiered resiliency.” The first two tiers consist of snapshots, which can be restored quickly; the second snapshot tier also serves forensic review. The third tier is conventional backup, according to Stone. “That backup tier is for long-term data retention and data compliance and possibly the recovery of an application that you can be without for a very long period of time.”
“I’d recommend three to seven days of our Safe Mode snapshots on the primary arrays,” he says. “From there, you put a middle tier of lower cost storage in place. You copy those snapshots off the primary tier, and you keep them as long as you can afford, preferably six to 12 months, because you will use those for forensic purposes down the road.”
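To make the tiering policy concrete, here is an added example (not code from the article or from any storage vendor it quotes) of a retention planner that applies the three tiers described above: short-lived snapshots on the primary array, copies on a cheaper middle tier kept for months for forensic use, and expiry only once a copy exists elsewhere. The tier names, the 7-day and 365-day windows (the upper ends of the ranges quoted), the `hold` flag and the sample snapshot list are assumptions for illustration.

```python
"""Added example: a retention planner for tiered snapshots.

Not from the article or any product it mentions; tier names, windows and
the sample data are assumptions for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PRIMARY_RETENTION = timedelta(days=7)    # upper end of the "three to seven days" quoted
MIDDLE_RETENTION = timedelta(days=365)   # upper end of the "six to 12 months" quoted


def plan_retention(snapshots: Dict[str, dict], now: datetime) -> List[Tuple[str, str]]:
    """Decide one maintenance action per snapshot.

    snapshots maps an id to {"taken": datetime, "tiers": set of tier names,
    "hold": bool}. "hold" marks a snapshot under investigation; it is never
    expired from any tier. Two invariants:
      * a snapshot is copied off the primary array as soon as it exists, so
        the forensic copy does not depend on the array that was attacked;
      * no tier drops the last remaining copy of a snapshot that is still
        inside the middle-tier window (copy first, expire on a later run).
    """
    actions: List[Tuple[str, str]] = []
    for sid, meta in sorted(snapshots.items()):
        age = now - meta["taken"]
        tiers = meta["tiers"]
        held = meta.get("hold", False)
        if "primary" in tiers and "middle" not in tiers:
            # Off-array copy comes first; the primary copy is expired on the
            # next run, once the middle-tier copy is verified present.
            actions.append((sid, "copy-to-middle"))
        elif "primary" in tiers and age > PRIMARY_RETENTION and not held:
            actions.append((sid, "expire-primary"))
        elif "middle" in tiers and age > MIDDLE_RETENTION and not held:
            # Anything needed beyond this window belongs to the backup tier.
            actions.append((sid, "expire-middle"))
        else:
            actions.append((sid, "keep"))
    return actions


# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 1)
SAMPLE = {
    "s1": {"taken": NOW - timedelta(days=1), "tiers": {"primary"}},
    "s2": {"taken": NOW - timedelta(days=10), "tiers": {"primary", "middle"}},
    "s3": {"taken": NOW - timedelta(days=10), "tiers": {"primary"}},        # last copy: copy, don't expire
    "s4": {"taken": NOW - timedelta(days=400), "tiers": {"middle"}},
    "s5": {"taken": NOW - timedelta(days=400), "tiers": {"middle"}, "hold": True},
    "s6": {"taken": NOW - timedelta(days=3), "tiers": {"primary", "middle"}},
}

if __name__ == "__main__":
    for sid, action in plan_retention(SAMPLE, NOW):
        print(sid, action)
```

The point of the `s3` case is the one most often got wrong in practice: an aged-out primary snapshot that was never copied is still the only forensic copy, so the planner orders a copy rather than an expiry.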
Stone says that organizations should also review patch management, vulnerability scanning and identity management. Many breaches occur through stolen credentials and unpatched vulnerabilities, Morris notes.
As far as identity management, Stone recommends that organizations vault credentials. “You have to go and check out admin credentials, use them for a period of time, and then they get checked back in and those credentials get rotated,” Stone says.
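The check-out, check-in and rotation cycle Stone describes is easier to reason about in code. The following is an added example, not from the article or from any privileged-access product: a minimal in-memory credential vault in which an admin credential is only ever handed out under a time-limited lease, and is rotated when it is checked back in or when the lease lapses without a check-in. The class and method names, the lease length and the injectable clock are assumptions for illustration; a real deployment would use a PAM product or secrets manager with hardware-backed storage, and the rotation step would also set the new password on the target system.

```python
"""Added example: privileged-credential vault with leases and rotation.

Not from the article or any vendor it quotes. In production the rotation
step also changes the password on the target system (directory, database,
hypervisor); here the vault stands in for both sides.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class VaultEntry:
    secret: str
    lease_holder: Optional[str] = None   # who currently holds the credential
    lease_expires: float = 0.0           # epoch seconds; meaningless when no holder


class CredentialVault:
    """Admin credentials are never handed out permanently."""

    def __init__(self, lease_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.lease_seconds = lease_seconds
        self.clock = clock                        # injectable for testing
        self._entries: Dict[str, VaultEntry] = {}
        self.audit: List[Tuple[float, str, str, str]] = []  # (time, event, account, actor)

    def _log(self, event: str, account: str, actor: str) -> None:
        self.audit.append((self.clock(), event, account, actor))

    def _rotate(self, account: str, reason: str) -> None:
        # The value that left the vault is now useless, whoever copied it.
        self._entries[account].secret = secrets.token_urlsafe(24)
        self._log("rotate", account, reason)

    def register(self, account: str) -> None:
        self._entries[account] = VaultEntry(secret=secrets.token_urlsafe(24))
        self._log("register", account, "vault")

    def checkout(self, account: str, actor: str) -> str:
        """Grant a lease; refuse if someone else holds an unexpired one."""
        entry = self._entries[account]
        now = self.clock()
        if entry.lease_holder is not None:
            if now < entry.lease_expires:
                raise PermissionError(f"{account} is checked out by {entry.lease_holder}")
            # Lease ran out with no check-in: treat the old value as exposed.
            self._rotate(account, "lease-expired")
        entry.lease_holder = actor
        entry.lease_expires = now + self.lease_seconds
        self._log("checkout", account, actor)
        return entry.secret

    def checkin(self, account: str, actor: str) -> None:
        """Release the lease and rotate, so the returned value is dead."""
        entry = self._entries[account]
        if entry.lease_holder != actor:
            raise PermissionError(f"{actor} does not hold the lease on {account}")
        entry.lease_holder = None
        entry.lease_expires = 0.0
        self._rotate(account, actor)
        self._log("checkin", account, actor)

    def sweep_expired(self) -> List[str]:
        """Background job: rotate every credential whose lease has lapsed."""
        now = self.clock()
        rotated = []
        for account, entry in self._entries.items():
            if entry.lease_holder is not None and now >= entry.lease_expires:
                entry.lease_holder = None
                entry.lease_expires = 0.0
                self._rotate(account, "sweep")
                rotated.append(account)
        return rotated

    def is_current(self, account: str, secret: str) -> bool:
        """What the target system would answer at login time."""
        return secrets.compare_digest(self._entries[account].secret, secret)


if __name__ == "__main__":
    vault = CredentialVault(lease_seconds=900)
    vault.register("domain-admin")
    pw = vault.checkout("domain-admin", "oncall-engineer")
    vault.checkin("domain-admin", "oncall-engineer")
    print("old password still works:", vault.is_current("domain-admin", pw))  # False
```

The two properties worth checking in any real vault are visible here: a credential that was checked out cannot be reused after check-in, and a lease that is never returned (the operator's laptop was the one that got compromised) is rotated by the sweeper rather than left valid indefinitely.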
The time following an attack is useful to figure out what happened. However, avoid finger pointing during this time, Morris advises.
“After a cyberattack is when you’re going to learn the most about your tools, people and processes,” Morris says. “You want to take advantage of that time, because there's no time like that as far as opportunities.”