Oct 12 2023
Security

Lessons Learned from a Hospital’s Closure Due to Ransomware Attack

Rural healthcare systems already face budgeting and staffing concerns. Cybersecurity is a major area where they need stronger support.
Mike Gregory
by

Mike Gregory is CDW's Healthcare Security Strategist and former Information Security Officer at Community Foundation of Northwest Indiana, Inc. He brings over 36 years’ experience in various information technology services, 16 years in healthcare. He has a great depth of understanding of information security and healthcare operations to drive initiatives in data protection, compliance and risk management, regulatory auditing and mature and privacy security programs.

Matt Sickles
by

Matt Sickles is an executive healthcare strategist at CDW Healthcare with over 30 years of experience in leading-edge information security- and technology-related fields.

Cybersecurity Awareness Month

 

Ransomware attacks have increased in sophistication and intensity, and healthcare organizations are feeling the effects.

One Illinois health system attributed the recent closure of one of its rural hospitals to a 2021 ransomware attack that greatly impacted its already precarious financial outlook.

Cyberattacks are especially harmful to small, rural and independent hospitals that regularly face tight budgets and workforce shortages, including in cybersecurity. “When small and rural organizations can fund a full- or partial-time employee toward cyber, it will generally be at a much lower compensation rate than other industries,” University of Vermont Health Network CISO Nate Couture told Information Security Media Group.

As ransomware attacks continue to make headlines in healthcare, the lessons learned from these events must be shared and spur industrywide action so that organizations can strengthen their defenses.

Click the banner to get the expertise you need to strengthen your ransomware protection.

Ransomware WP Ransomware WP

How Cyberattacks Against Healthcare Are Constantly Evolving

Malicious actors are seeking big paydays, and they now have more ways to receive their ransom, especially with the rise of cryptocurrency. They are motivated by organizations who are willing to pay the ransom and they monitor these organizations with intense scrutiny.

Ransomware is just one style of attack. Another is “low and slow” data exfiltration that a malicious actor can use as a bargaining chip against a healthcare organization. This puts a heavy burden on the organization to obtain proof of what data was obtained and what impact it might have to its system. Now that malicious actors know that some targets are willing to pay upfront, they’re evolving to put more pressure on healthcare organizations.

According to Sophos’s The State of Ransomware in Healthcare 2023 report, the rate of data encryption after a ransomware attack has increased over the past three years. In cases where data was encrypted, 37 percent of organizations said data was also stolen.

“This ‘double dip’ approach by adversaries is becoming more commonplace as they look to increase their ability to monetize attacks. The threat of making stolen data public can be used to extort payments and the data can also be sold,” according to Sophos researchers.

Another concern is the increasing use of artificial intelligence-powered tools, which has been a game changer for cyber protection. While organizations have added some component of AI to their defenses, malicious actors are also using AI to find ways to break through security controls. Check Point Research warns that the maturity of generative AI tools could accelerate the number of cyberattacks.

Ransomware TOC

Related Content:

Explore how to improve your ransomware recovery capability.

Learn why effective ransomware prevention and mitigation require a top-down approach.

Discover the best practices for secure backups in healthcare.

Read more about how vCISOs collaborate to defend against ransomware.

Find out how security partners work with health IT teams to fight ransomware.

Dive deep into insights from a penetration tester on improving healthcare cybersecurity.

 

Rural Healthcare Organizations Need Security Support

Healthcare access is already a challenge for rural communities across the country. The threat of a cyberattack is yet another immense weight for these independent health systems to juggle.

Many rural hospitals do not have effective cybersecurity controls in place. Implementing security controls to protect patient information is expensive, and organizations often incur even greater operating costs to properly maintain them.

Given that a great number of rural health systems are operating on tight margins, they often choose only one control or solution per fiscal year in the hopes that their selection is adequate or that they can go undetected by malicious actors. These tools may not be configured or deployed to their fullest extent. They also may not be holistic and — and may only be used to assuage the C-suite.

Along with budget issues, rural healthcare systems can also struggle with shoring up their security teams with enough personnel. Remote work has opened up access to more talent, but that also means an organization has to have adequate infrastructure to support a decentralized workforce.

A rural healthcare organization may have only one or two people to manage their entire IT system, not just security. That could mean that a generalist is filling a role that requires specialization to prevent the system from falling into the wrong hands.

EXAMINE: How rural healthcare systems can strengthen their resilience.

Are You Ready for Recovery? Why Backups Aren’t Enough

Amid an ever-evolving threat landscape, many healthcare organizations have made investments in more security personnel, modern security tools, backup systems and third-party support. But only a few have validated their entire recovery strategy, such as performing tabletop exercises for incident management or partial failovers.

Healthcare organizations can’t passively assume that their backup solutions are set. They need to be active in managing their backups and ensure that they’ll be able to restore operations correctly. Planning is one thing, but being able to execute is another.

Revisit your backup and recovery strategy, and practice performing a clean recovery, especially if your environment depends on Active Directory. If you don’t have a clean room environment, there are organizations that can help you do a full recovery to a clean environment so that you’re familiar with the experience should the need arise.

Many organizations do not collaborate regularly with their legal team or the incident responders listed under their cyber insurance panel, so they’re caught off guard during a cyber incident. They may also learn that their backup and recovery strategies proved ineffective or incomplete because the necessary tools were not fully deployed, developed or maintained. These actions are under an organization’s control.

READ MORE: How can healthcare organizations grow with smarter backup strategies?

Get familiar with the panel, understand who your incident responder is, and either advocate that your own incident responder be included on that panel or work with the current incident responder. Coordinating these efforts up front makes for a smoother incident response and recovery. The last thing you need is an incident responder arriving at your organization during a time of crisis who doesn’t know anything about your environment.

Next, make sure communication on security expectations and strategies is clear throughout the organization. That means clinical, administrative, IT and other departments are on the same page regarding the organization’s security approach.

Finally, there must be a clear budget established for cybersecurity and the technology program as a whole. That way, you clear metrics and measurements on current costs and potential year-over-year increases. An advantage to laying this out is that there’s an articulate profile on staffing and technology needs for effective security controls.

Here’s a quick checklist to remember:

  • Plan for and implement an effective business continuity plan that accounts for critical technology being offline for four weeks or longer.
  • Plan for and implement an equally rigorous recovery plan (this is not the same as the first point).
  • Partner with an experienced cybersecurity organization well versed in healthcare to help with resources and the planning, selection, implementation and development of security solutions suitable for your environment.

Why Partnerships Are Critical for Stronger Security

The healthcare system is at risk, and individual systems will continue to be at risk so long as the perception and the reality of their security maturity remains low. A more security-mature organization has a clear and articulate vision of how to understand and protect its systems.

Perform a cybersecurity maturity assessment along with a HIPAA assessment to cover security and compliance needs. These assessments should work together to support what’s needed for your security program.

Engaging with an outside partner who can provide a baseline review of your environment can help healthcare organizations to address gaps in their security as they progress in their maturity posture.

A strong partnership can provide much-needed personnel to assist in the planning, championing and implementation of security initiatives, security operations center functions and data protection strategies, such as data leakage protection and cloud security controls.

This article is part of HealthTech’s MonITor blog series.

MonITor_logo_sized.jpg

Getty Images: filo (bubble graphics, icons), bounward (icons); Streamline (icons)

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now