By now it should come as no surprise to anyone in the industry that healthcare is the juiciest target for hackers attacking with ransomware. In a nutshell, healthcare has the most valuable data and has not fully deployed protections as robust as those in other industries.
Steve Winterfeld, advisory chief information security officer at security and content delivery network vendor Akamai, makes it his job to study ransomware in great detail. As a result of his research, he has assembled a list of dos and don’ts for healthcare provider organizations fighting ransomware.
Healthcare IT News sat down with Winterfeld, who believes using the cyber-kill-chain model to disrupt ransomware attacks is the best way to stop them, to discuss his dos and don’ts for the benefit of provider CISOs and CIOs and other health IT and cybersecurity leaders.
Q. You’ve created this list of dos and don’ts for organizations dealing with ransomware. The first element of your list is DON’T just pay the ransom, but DO have a policy on paying in place beforehand. Please elaborate on why this is important to healthcare provider organizations.
A. If you find your company is impacted by ransomware, it is important to first understand all the implications and options. First you need to understand the real-time impacts to operations. Next you need to determine any regulatory agencies and cyber insurance (if you have this) requirements.
Then you need to work with the broader company crisis team to include public relations and legal to get their perspective. Finally, you need to understand your options to restore operations. This could be rebuilding systems and/or restoring data.
When thinking about ransomware today, it often is more than just encryption of systems. There could be a second phase of extortion around exposing stolen data. So as you make your incident response plan you should include treating the ransomware as a data breach until you can prove it was not. Typically the cybercriminal will let you know if they have stolen data, but you will need to confirm what was taken.
Patient safety always is the driving concern, so the time to work through these issues is before the crisis. You should establish if you will pay. If you are willing to pay, you need to determine if you want to use a third party to broker the payment. Finally, you should establish roles and responsibilities to use the decryption keys. If you are not willing to pay, then the focus is on business continuity and recovery.
Q. Next up is, DO security exercises with employees as part of a larger program. What are a couple examples of such security exercises and how do they help?
A. There are two key aspects of an incident response plan for ransomware – response and recovery.
Response is focused on detecting and stopping the ransomware before it has an enterprise-wide impact. This would include your security operations center (SOC) or other team in charge of monitoring the network.
You should have an exercise focused on making sure they have processes to stop the spread of malware, coordinate crisis response across all lines of business and notify leadership. This can be a tabletop drill or can include technical validation through use of a red team using carefully controlled attacks. One strong method to establish the exercise framework is using the cyber kill chain.
Recovery is determining what it would take to recover systems that were encrypted. If just the data was encrypted, and you have good backups then the impact would be minimal. The problem is many companies have not actually done an exercise to restore and use the backups.
There often are issues discovered that could prevent either a timely or full restoration. It is critical to conduct an optional exercise to have a clear understanding of the level of effort, time to complete rebuilding of the systems/data and how much data would be lost – time between backups.
There are a number of other parts to a comprehensive cyber resiliency or incident response plan, but these are the two areas that need to be validated with an exercise first. Once you are sure these are understood by leadership so they have solid expectations and processes in place for the IT/infosec teams’ work, then you can move to data breach exercises, as many ransomware attacks are stealing data as well.
Q. And finally, you’ve said DON’T be reactive to the criminal. DO have backup plans in place. Please talk about this aspect and why it’s key for CISOs and CIOs.
A. We touched on this above, but really the key here is to have clear roles and responsibilities defined before any cyber incident. Many companies have a top-level crisis management plan. The CIO will have a business continuity and disaster recovery plan (BCDRP) and the CISO will have an incident response plan.
A ransomware attack will call all of these into action, so they need to be integrated. Loss of operational capabilities due to ransomware will require the business and IT teams to implement the BCDRP while the infosec team will be containing the malware and determining if it is OK to start rebuilding systems and restoring data. In a high-stress environment, this will require close teamwork and trust.
Another area to consider is when a critical vendor is hit with ransomware. You will need to do everything we have talked about, but through governance based on what authorities you have in your contract and the relationship you have with your vendor.
Now is the time to work with your vendor management and legal teams to modify your process/playbook for an external incident. This should include identifying which vendors are critical, mapping the notification and audit rights for each, and where appropriate have a discussion/exercise with them to understand roles and who to contact in case of a crisis.
With lives on the line for providers and critical functions for other healthcare companies, the rise of ransomware attacks requires rapid response, which only comes from careful preparation and integration of both your processes and technical cyber-defensive controls.
The question is not if you will be hit, but how well you will mitigate the impact. The old saying, “Preparation prevents poor performance,” is still true.