IT Focus Area: healthcare
October 14, 2021
The Anatomy of a Ransom Attack: 7 Steps to Prepare and Protect
The average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021. The average ransom paid after an attack is now $170,404, but only 8% of organizations managed to get back all their data after paying a ransom, with 29% getting back no more than half of it.*
Healthcare systems are frenetically trying to outpace malicious actors, but the complexity of healthcare environments gives attackers a leg up.
With patient care in the crossfire of these attacks, the industry has hit a tipping point that can only be described as tumultuous at best.
Healthcare systems are perfect ransomware targets
Healthcare organizations are easy targets for ransomware attacks because they cannot afford to lose access to patient records, and while the primary goal of avoiding downtime is critical, the expense of modernizing environments to have comprehensive security controls is prohibitive.
While healthcare organizations always have a traditional business continuity and disaster recovery plan in place, these plans frequently neglect the critical details needed to address the endpoint, network and server components that are routinely the target of ransomware attacks.
Recent incidents at United States-based healthcare systems have shown that, from the initial attack (specifically the compelling event that takes an advanced persistent attack and turns it into a set of destructive actions), electronic health systems may be unavailable for more than thirty days.
While official studies are still underway to evaluate the correlation between ransomware attacks on health systems and their direct impacts on patient care, a survey conducted by Ponemon Research of nearly 600 healthcare providers indicates a significant increase in mortality rates and poor patient outcomes. Metrics for ransomware-related mortality and morbidity substantiate the risk to the systems that govern continuity of care for patients.
Recent attacks against healthcare systems show that complete disruption of care is a trending outcome. The systems that are consistently targeted as the primary mechanisms for disrupting clinical care operations are backup systems, directory services, and network transports.
7 Steps to prepare and protect your organization
The best protection against ransomware is to prepare for the worst-case scenario: major disruption across the full scope of your IT infrastructure.
Here are seven steps you can take to help plan for and respond to ransomware attacks:
1. Perform a business impact analysis to predict the consequences of ransomware disruption and gather information to develop recovery strategies.
2. Create multiple backups to restore critical systems if the criminals destroy your files—as this sometimes occurs even after the ransom is paid—and ensure one set of backups is offline and inaccessible from your organization’s network.
3. Contact your financial institution if you are impacted by ransomware or any malware so they can be on high alert for any anomalous activity.
4. Contact law enforcement, including the FBI’s Internet Crime Complaint Center.
5. Provide training and education for employees on how to identify and respond to suspicious emails and conduct phishing exercises.
6. Contact your financial institution before attempting to pay a ransom to determine whether the financial institution can facilitate the ransom payment.
7. Consider purchasing a cyber insurance policy—designed to mitigate risk exposure—that covers ransomware.
Stop an attack in its tracks
Working with a technology partner can help your organization promote a continuity-of-care model with a strong plan of action in the event of a ransomware attack. Being ready for an event through prepared incident response mechanisms is the only way to ensure successful prevention and recovery should a cyberattack occur. Ensuring a robust set of protections that limit the impact when an event strikes your environment is the best practice.
*Sophos, “The State of Ransomware 2021 Report”, https://secure2.sophos.com/en-us/content/state-of-ransomware.aspx.