Image source: Shutterstock/supimol kumying
The Sophos Group, a British security hard/software company, has reported survey responses from 328 healthcare IT managers in 30 countries. These reveal that 34% experienced a ransomware attack in 2020. Of these, about 40% could stop the attack before data was encrypted, but 34% paid unspecified ransoms to restore only 69% of their data. The average cost to attacked facilities was $1.27 million, representing downtime, staff/device/network costs, and ransom paid.
In a recent seminar, two experts in prevention and mitigation of ransomware attacks provided practical advice to clinical laboratories on how to prevent attacks and what to do if an attack occurs.
Emily Johnson, a Chicago-based healthcare attorney specialising in data breach mitigation, discussed the components of a proactive ransomware data breach mitigation plan for clinical laboratories. Based on the foundation of a comprehensive, written information security program, it should include annual risk assessments, a detailed basic cyber incident response plan, a resiliency plan, and a plan for internal and external communications.
Labs should have confidentiality agreements for employees and vendors, and should conduct due diligence to confirm that people or companies they are doing business with also deploy breach prevention measures.
Ongoing training is essential. In addition to enhancing awareness and knowledge about security risks and to reduce the risk of accidental human error, employees need to know how to identify, report, and respond to a possible security incident.
Labs should regularly perform data privacy reviews and penetration testing. Johnson recommends the use of internal phishing missions, sending emails to employees and any other individuals or vendors who have access to lab’s operations that appear to be coming from a trusted sender, to identify who responds.
Paul Caron, senior director of incident response at Arete, a global cybersecurity consulting company, emphasised the importance of assessing emails to learn the volume of potential spam and phishing. ‘Phishing allows an attacker to distribute a weaponised payload or spoofed website to many recipients. Credentials are compromised or trojans added to establish a foothold within the environment, allowing remote access into the environment and harvesting of legitimate credentials of employees.’
Warning about remote desktops
Remote desktops available to the internet can pose major security concerns. ‘Attackers will use brute force or compromised credentials to log into the specific system that is openly available externally. After gaining access to the system, the threat will compromise further credentials or begin to move laterally throughout the IT environment.’
Endpoint detection and response (EDR) technology can facilitate the process. EDR security systems use behavioural analysis to analyse the activity of unusual behaviour attributed to individual users. They monitor and collect activity from endpoints that could be a threat, analyse this data to identify threat patterns, automatically respond to identify threats to remove or contain them, and immediately notify security personnel.
New guidance released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasises the importance of maintaining offline, current, and encrypted backups of data and regularly testing them. When internet-facing vulnerabilities and misconfigurations are identified, they need to be immediately mitigated.
Article • Cyberattacks and countermeasures
The pandemic has put a spotlight on the increasing role of cyberattacks and weaknesses in healthcare. In healthcare as in other industries, cybercrime does not stop at national borders. With this idea in mind, the US consulate general in Düsseldorf and the US embassy in Vienna recently invited interested parties to their Cybersecurity in Healthcare Briefing.
Recommendations in case of a cyberattack
When a hacking incident occurs, it is critical to identify what data has been exposed and to determine the scope of the attack. Caron recommends the following actions when a security incident is identified:
- Immediately retain digital forensics and incident response specialists, who have expertise on ransomware attacks and can expedite internal assessment.
- Leave all systems on; do not power down or reboot systems. Many ransomware variants do more damage or further encrypt systems upon reboot.
- Disconnect inbound and outbound network activity, network interface cards and internet LAN cables to prevent any connection to the Internet.
- Obtain snapshots or full disk images of critical systems and servers, and potential ‘Patient Zero’ systems to facilitate a forensic team.
- If real-time backups exist, a lab needs to determine if the amount of time to restore via backup is acceptable.
- If negotiations seem necessary to restore operations rapidly, a key element that labs need to consider is whether it would be appropriate to negotiate for specific hacked systems at a lower payment rate.
Caron suggests that demands from the hacker be carefully assessed, and that a plethora of data be acquired to aid in negotiations. He recommends that only an initial partial payment be made to determine if the ransomware attack group can show proof they can restore the encrypted data. Some can destroy more effectively than they can restore. ‘Ransomware attacks tend to occur at the end of a day, the end of a regular workweek, and on holidays. Always be vigilant.’
Attorney Emily Johnson specialises in healthcare industry issues at McDonald Hopkins, a business advisory and advocacy law firm in the USA. She has significant experience with HIPAA privacy act compliance and advising clients on proactive ransomware attack breach prevention.
Paul Caron is a senior director of incident response at Arete, a global cybersecurity consulting company. He assists clients throughout digital forensics and incident response (DIFIR) engagements, most commonly in the form of complex ransomware attacks and business email compromise.