With all the focus on the confidentiality of protected health information (PHI) in healthcare, it’s easy to forget about the looming threat of ransomware. CISA identifies healthcare as a critical infrastructure and it’s easy to see why; this sector cares for people through crisis and joy, and needs to operate 24/7 to care for everyone. A malicious actor can target this sector to achieve financial or political goals. In the future, these attacks could lead to patient harm, injury or even death as the sector continues to rely and expand its footprint in technology to support patient care operations.
In most healthcare organizations there are a multitude of threat vectors that can be exploited, it’s just a matter of finding the weakest link. Often the weakest link is people, and most healthcare systems have lots of employees. An organization can have state of the art security technologies but can still fall victim to a ransomware attack. It may only take one person to click on something to set off a chain of catastrophic events. Training staff is therefore vital to prevent these attacks from being successful. But even training is no guarantee that a healthcare system will not grind to a halt because of a ransomware attack.
As the world pivoted to a more remote workforce due to the COVID-19 pandemic, ransomware increased exponentially. Between 2018 and 2019 alone, there was a 37% increase in reported ransomware. A prime example of the far-reaching impacts of ransomware is the United Health Services (UHS) attack in September 2020.
Healthcare systems need to hope for the best and prepare for the worst. Ransomware events are essentially virtual hostage crises. They are negotiations between the hackers and the healthcare system leadership, so it is best to have plans in place that are battle tested and well communicated. Having conversations at all levels and across all departments before ransomware impacts your organization is crucial to continue your operations as smoothly and quickly as possible. You’ve probably heard the common refrain IT security professionals say - it’s not a matter of if, but when you’ll be hit by ransomware.
In other cases, the hacker may have political goals, or be state-sponsored, which means the healthcare organization has little latitude. These are the cases that healthcare organizations should be most concerned about, as there is much slimmer margin for negotiation. Having a plan in place and decision makers identified to determine (and have already made decisions) regarding how much of a ransom they would be willing to pay, to avoid split-second decisions and waste precious moments in a crisis. It’s also critical to have informed decisions made before the organization is in crisis mode, because they can have regulatory and legal consequences. As of October 2020, the U.S. Department of Treasury Office of Foreign Assets (OFAC) issued an advisory to all companies that may consider paying ransomware attackers, that they may face potential sanctions for paying the ransom. An evaluation needs to be made by leadership and legal counsel in your organization so a risk-based decision can be made. Paying the ransom in an attack could not only result in lost revenue but also government sanctions. It will be much easier to discuss this while you’re not in the midst of the crisis. The board will also be an invaluable ally to determine who has the authority to pull the plug on the organization’s IT function and when or at what point should that decision be made. In many cases it may be too late, but if you are able to detect the attack early, and have clearly defined the authority and ability, you can potentially avert a catastrophic failure.
However, in most cases, the hacker’s goal is financial. The hacker will often know how many resources it may take an organization to become fully operational and will undercut their ransom to just below the cost of becoming fully operational again. Therefore, it is vitally important to not only test disaster recovery and continuity plans, but to understand how quickly these plans can be enacted, with how many resources you need, and the costs associated with systems being down. Equipped with these numbers, you can explain the threat to leadership and the board along with the respective risks in terms they can better consume. This can perhaps drive more investment in disaster recovery and business continuity plans, as well as preventative technologies, staff and processes. Engagement outside of IT is also critical. Merely testing whether systems can be restored only scrapes the surface. It’s important to include stakeholders from facilities, clinical, public safety, and many others, so that they can understand their role in continuing operations or recovering assets and systems.
A proactive and holistic approach to ransomware and cybersecurity will help healthcare organizations immensely in the long run. A devastating ransomware attack can impact every single person in your organization, but with decisions outlined in advance and having staff well trained in your plans and strategies, you may be able to avoid the most devastating of impacts to your organization and your community members’ health.