The Rise of Ransomware: How Healthcare Organizations Can Prepare and Respond

During the past several years, ransomware has evolved from an opportunistic attack to a targeted threat, with health care being among its favored victims. This especially virulent style of encryption for extortion has implications in a health care organization that run the gamut from patient safety to continuity of operations. As someone deeply entrenched in the information security field, I’ve seen firsthand how these attacks can devastate organizations. The good news is that with the right strategies, healthcare providers can defend against ransomware and respond effectively if an attack occurs.

Why Healthcare is in the Crosshairs

There is a set of reasons why ransomware finds more fertile ground in healthcare organizations. First and foremost, patient data is one of the most valued types of information on the black market. EHRs offer a bounty of sensitive data, including medical history, insurance information and Social Security numbers, among others.

• Operational Disruption: The attack of ransomware can lead to delay of surgeries, stoppage of diagnostic procedures, and even loss of lives.

• Legacy Systems: Many organizations still rely on outdated technology, making them easy targets for exploitation.

• Resource Constraints: Limited IT budgets and staffing gaps foster vulnerabilities and allow them to stick around longer than they should in a mature, well-staffed program.

These factors create pressure to pay ransoms quickly, often without considering the consequences.

Lessons from Notable Incidents

To put this ransomware problem into perspective, let's take a closer look at some high-profile ransomware cases in recent years. The 2017 "WannaCry" incident crippled the UK's National Health Service, forcing hospitals to cancel thousands of appointments and divert emergency cases. This attack revealed major vulnerabilities, including unpatched systems, poor response planning, and terrible to non-existent backup & recovery plans.

In 2020, the "Ryuk" ransomware group executed a coordinated attack on several U.S. hospitals in unison. Events like these caused major outages and significant delays in patient care, emphasizing how one single strain of ransomware from only one of the many malicious groups could have a significant impact. In another incident, a ransomware attack resulted in service disruption and exposed sensitive patient information to the public at Eskenazi Health.

• Key Takeaway: Reactive strategies will not work. Attackers are getting smart; hence, the need for proactive strategies and planning.

Building a Stronger Defense

In my view, the best defense against ransomware calls for a layered approach integrating technology, policies, and people. Here at Sentinel InfoSec, we help healthcare organizations build those layers through services designed to find vulnerabilities before they can be exploited.

Strengthen Technological Defenses

The technological aspects are indeed the backbone of any cybersecurity strategy. The most critical of these areas are:
Advanced endpoint protection tools, which have the capabilities of detecting and blocking ransomware attacks before they begin to proliferate.

Network segmentation, a practice which restricts the lateral movement of ransomware across systems. For example, isolation of medical devices from user or administrative networks helps to protect critical devices if a compromise occurs, which most often stems from a lower level high-traffic user network with many users. The fewer systems these segments have access to, the less ransomware can spread if an incident occurs.
Patch management procedures, which ensure systems are kept up to date with the latest patches and upgrades. Oftentimes, the reason a piece of software is updated by the vendor is to fix vulnerabilities that may have been uncovered, or to establish a short-term workaround until a full fix can be developed. Having a robust and all-encompassing patch management plan (alongside a detailed and current system & software inventory) is a critical practice, and should be properly built and maintained.

• How Sentinel Helps: Sentinel's penetration testing services identify these weaknesses-providing actionable recommendations to effectively prioritize and address vulnerabilities.

Train Your Workforce

One of the most overlooked areas in cybersecurity is employee awareness training. Most ransomware attacks begin as phishing emails-seemingly innocuous messages that trick employees into clicking malicious links or downloading infected attachments. Regular awareness training can empower staff to recognize these threats and act with caution, and reporting suspicious messages.

• How Sentinel Helps: We run tabletop exercises on ransomware attacks, starting from the beginning of the breach to the (hopefully) full system recovery, giving staff hands-on experience in managing incidents, identifying gaps in your response plan, and reinforcing best practices.

Prepare for the Worst

No organization is fully safe from ransomware, no matter the quality of the defenses. That's why it's necessary to have an incident response plan that explains precisely what a company would do when it falls under attack: which systems need to be isolated, stakeholders informed, and involvement of cybersecurity specialists who should perform a forensic investigation.

Other key elements in ransomware preparedness include data backups. Backups should be frequent, secure, and stored in a ransomware-non-accessible location. Immutable backups, which cannot be modified or deleted, are especially valuable. Regularly test your backups to ensure they can be restored quickly and effectively in an emergency.

• How Sentinel Helps: We work with organizations to develop and test disaster recovery and backup strategies that ensure data restoration is quick and sure.

The Ethics of Paying a Ransom

One of the toughest decisions an organization has to make when under ransomware attack is whether to pay or not. Paying may seem like the fastest way out, but it is not devoid of ethical and practical issues. Paying the ransom, in fact, does not guarantee that the attacker will keep his promise and decrypt the data. On the other hand, it incites further attacks on your organization and others.

Having been a consultant who has guided clients in making this decision, I always support the consideration of every alternative before the payment option. With a properly developed information security program, including a strong incident response, disaster recovery, and backup plan, a ransom should never have to be paid, as the organization will be resilient against even a skilled ransomware group.

• Key Consideration: Paying the ransom may also lead to regulatory scrutiny and reputational damage. Organizations must weigh short-term gains against long-term consequences.

Recovery and Beyond

Recovery after a ransomware attack is often as tasking as the attack itself: systems have to be restored, trust rebuilt, and all sorts of compliance requirements met-and all these may take weeks, if not months. And that's where a good, clearly laid-out disaster recovery plan comes into its own. The quicker you get back to normal, the less lasting damage your organization will take.

Recovery from a ransomware attack is best done by preventing the next one. That post-incident review was needed to understand where defenses were weak and fix those weaknesses. Sentinel InfoSec fortifies this with continuous penetration testing, policy development, and risk management so that organizations stay resilient against newly emerging threats.

• Continuous Improvement: This area comes with regular audits, updated training programs, and furthering strategies that will keep them ahead of the attackers.

Call to Action

Ransomware is more than an IT problem; it's a patient safety issue. It's high time for healthcare organizations to wake up and truly value the important role cybersecurity plays in quality care. We have the opportunity to turn the tide on ransomware if we are proactive, create a culture of security, and invest in appropriate technologies and training.

At Sentinel InfoSec, we specialize in helping healthcare organizations develop comprehensive strategies to defend against ransomware and other cyber threats. From penetration testing and policy development to risk assessments and incident simulation exercises, our team is committed to equipping your organization with the tools and knowledge needed to stay secure. Take your systems to the next level in cybersecurity, ensuring patients are kept out of harm's way. I'd love to start the conversation; let's create, together, a safer and more resilient healthcare ecosystem.