If ransomware is not a topic of conversation around any healthcare organization’s boardroom table, directors and senior executives may be exposing the organization (and themselves) to considerable risk. Here’s a guide to ransomware trends for 2022 and steps healthcare leaders can take to help protect their organizations.
Ransomware trends in 2022
The risk of a ransomware attack in 2022 is substantial, with gangs specializing in targeting the healthcare sector. Last year saw dozens of ransomware attacks on hospitals and healthcare institutions for a total of 1,203 individual sites affected. This year, ransomware groups are targeting mid-sized victims to reduce government scrutiny, so no healthcare system should consider itself too small to worry.
While the incident rate is down over 2020, disturbing new trends are expected to increase in 2022. Ransomware attacks are on the rise against business associates that, in turn, affect healthcare organizations. And ransomware attackers are diversifying their approaches to extorting money after they’ve encrypted victim networks. They threaten to (1) release sensitive information that was stolen prior to encryption, (2) disrupt internet access or (3) inform partners, stakeholders and suppliers about the incident — demanding ransom at each step.
Ransomware attacks can cost tens if not hundreds of millions of dollars, even if no ransom is paid. Network resources including EHRs, scheduling systems, and email can be offline for days or weeks. Care can be compromised, exposing the organization to legal action. Revenue is lost when surgery procedures or other healthcare visits can’t occur, and reputational consequences may be significant.
Mitigating ransomware risk
Directors and senior executives are used to reviewing financial, legal, and operational risks and assessing mitigations. IT security may be viewed as a cost center that’s always after a bigger budget. In reality, adequately funded and effectively run IT security operations mitigate the risk of ransomware attacks and data breaches.
Part of the protective effort is having enough budget to keep up with the basics of patching and user education. However, there are another reason Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) ask for additional security funding. Ransomware gangs and cybercriminals change tactics frequently, requiring ever stronger defenses and new security measures like Zero Trust Networks and Multi-Factor Authentication.
Mitigating risk starts with understanding the current environment. Healthcare leaders don’t have to become cybersecurity expert to gain a core understanding of an organization’s security posture and level of ransomware risk. Cybersecurity is everyone’s responsibility, from the front lines of healthcare delivery to the boardroom. Here are five questions to ask a CISO or CIO to get started with assessing protections and mitigations that are in place.
1. Who is responsible for your organization’s cybersecurity? Is it all handled in-house?
There is no right or wrong answer to this question. Some organizations handle cybersecurity completely in-house. Others, particularly smaller IT operations, supplement their in-house resources with managed security services. Find out if the responsible parties are taking both strategic and tactical approaches to layered security and if standards from bodies such as the International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST) are being met as well as rules and regulations affecting your operations, such as HIPAA for data privacy and PCI DSS for credit card payments.
2. How are endpoints protected, including devices used by employees working remotely and contractors?
When it comes to preventing ransomware attacks, there are no silver bullets. But there is power in understanding how endpoints — PCs, laptops, tablets, and mobile devices — are protected. Ransomware is most frequently introduced via endpoints, and through them gaining access to your network and systems.
Today’s cyberattacks can be multi-pronged, and the firewalls and anti-virus software that offered protection yesterday are no longer adequate. Make sure any and all endpoints, both on- and off-premises (for example contractors or employees working from home), are properly protected.
Good answers to this question should touch on solutions that use advanced technologies like AI or machine learning to constantly scan for and detect anomalies in user behavior. These technologies automatically stop apparent attacks and pass filtered, critical indicators of threats up the “security stack.”
3. Does your organization have detection and response capabilities to rapidly shut down ransomware, data breaches, and other cyber threats? How are alerts managed and by whom? Do you have a 24/7 Security Operations Center (SOC) staffed by cybersecurity experts to handle your alerts?
Hackers use lateral movement to infiltrate an organization’s network. Find out what tools the security operations team uses to monitor infrastructure and stop threats before the damage is done. Best practices will include some form of detection and response that looks at all the security alerts coming in (and there are thousands of them), then filters and analyzes that data using AI and machine learning technologies. The challenge is to identify the real threats and issue alerts.
4. What is the recovery plan for your facility in the event of a ransomware attack?
Assume a successful ransomware attack. Now, what do you do? Do you pay up? How is your data protected? What will your staff and patients experience? How long will operations be disrupted? One of the most noteworthy attacks in 2021 was a ransomware attack on San Diego-based Scripps Health, which resulted in system outages for nearly a month and $112.7 million in costs. Can your healthcare operations survive that?
The IT security team should have a ransomware response plan in place that documents specific actions to be taken and assigns responsibilities to specific team members. The first steps should include identifying the malware, stopping its spread across the network and systems, and removing it from infected devices. Only then should the plan move to the recovery phase.
Having a rock-solid data backup and recovery plan that includes immutable backups is at the heart of any ransomware recovery plan. Any health care organization should be able to restore a very recent, clean version of its data in minutes, protecting against having to pay a ransom to get the data back.
5. Does IT security have an anti-phishing training program for all the people in the organization? Does the program include drills and test emails to help them recognize phishing?
Employee anti-phishing training and simulated phishing tests are an increasingly important security layer that any healthcare organization should have in place. Phishing is how hackers target human vulnerabilities. Some phishing attacks are laughably crude, but others are very sophisticated. The goal of training is to help employees recognize phishing emails and prevent malware attacks by not clicking on those malicious links or opening suspicious attachments.
Act now to understand your organization’s ransomware risk
Addressing these critical questions with IT leadership could very well protect an organization from paying up in the long run and exposing patients’ personal and health information to theft. Cybercriminals pay well for that information when ransomware attackers put it up for sale on the dark web. The resulting loss of reputation and trust in the organization may be the highest price paid.
Security maturity is a journey, and your organization may have some or all of these capabilities in place. To properly secure the sensitive and valuable information entrusted to any organization, healthcare leaders must identify any weak points. For a deeper dive into what ransomware protection requires, consult these mitigation guidelines from the multi-national Cybersecurity & Infrastructure Security Agency.
Get started by working with IT leadership to conduct a vulnerability or risk assessment of your organization’s IT infrastructure, ideally conducted by a neutral third party. When it’s completed, the findings should clearly illustrate the risk level so the Board of Directors or senior executives can understand the level of investment required for cybersecurity risk mitigation.
About Aaron Biehl
Aaron Biehl, the SVP for Meriplex, has been in the technology industry for over 25 years helping healthcare organizations and banks develop a solid foundation for their IT and security. Aaron is passionate about exploring innovative options and solutions for companies and enjoys helping businesses utilize new methods to grow and prosper.