
Ransomware Mitigation: 3 Ways to Stabilize Your Hospital Network

Rich DeFabritus, Sr. Director, Product Marketing | September 17, 2024

Here’s how to ease that inevitable sinking feeling during a ransomware attack, and how to focus on your incident response.

Managing your hospital’s IT and security infrastructure isn’t an easy job, but it’s unique and presents you with different challenges every day.  As you settle into your office one morning, you review any critical issues, and a few staff members mention the network is slow – much slower than normal.

After some investigating, you realize there is an EMR outage, and your worst nightmare has come true.

You’ve been hit with a ransomware attack.

As reality sets in, you need to make decisions fast. What are you going to do?  Your options are limited, and in the immediate term you take the bold step of shutting down the hospital’s entire network to contain the malware and mitigate any further damage.

For most businesses, a network shutdown is a financial disaster, but for a hospital, it’s not only that. It means both preventative and critical care cannot be delivered to those that need them.

Unfortunately, shutting down the network, fully restoring it, or paying the ransom is how many hospitals must respond to a ransomware attack.  Without a real plan that includes methods to identify, remediate, and mitigate the threat, many hospitals resort to doing whatever the bad actors force them to do.

From a security incident response perspective, it should give you a sinking feeling. There must be a better way…right?


1. Remediation Should Not Be a Deep Ocean: Decide Which Path to Take

In the 24x7x365 environment hospitals function in, network shutdown is more than just revenue shutdown.  Access to critical patient data and life-saving equipment could be impacted, affecting the care and treatment of patients.

In an extended stoppage, hospitals are at risk for reputational damage, fines for non-compliance, and patient lawsuits.

Remediation is equally difficult – do you pay the ransom or attempt to restore IT services?

Paying the ransom is no guarantee of recovery. One study demonstrated that 80% of surveyed hospitals that paid a ransom experienced another attack, with nearly half of them believing the follow-on attack was committed by the original perpetrator.

Restoring IT services likely involves replacing some (or all) of the following, and doing it in days:

  • Web, email, proxy, and database servers
  • Your employees’ laptops and PCs
  • The applications you use

That’s a highly costly option – both in terms of money and time.

It’s been said that a failure to plan is a plan to fail – history shows this to be true.  So, don’t fail to plan.


2. Take a Lesson From Crisis Management

On April 15, 1912, the sinking of the RMS Titanic occurred, resulting in significant human casualties with over 1,500 lives lost.

Having never planned for such a disaster, the captain and crew had no established process to deal with the aftermath.  The ship was equipped with only enough lifeboats to save half of the people on board, even though it could carry enough to save everyone.  As a result, decisions had to be made on the fly, and the lack of lifeboats, inequity in passenger treatment and the tragic loss of life was met with shock and outrage.

In nearly every crisis, time is of the essence – you must react quickly to contain the potential damage, or risk longer-lasting effects.  The pressure of mitigating and resolving the threat leads to situations where people are hesitant to admit mistakes and accept blame, prolonging ultimate resolution of the problem.

A recent wave of cyber attacks against hospitals demonstrates that they are ill prepared to deal with the aftermath of a breach.  The Conti ransomware attacks in Ireland resulted in a complete shutdown of all hospital IT systems and networks to contain the spread, with staff still relying on manual processes to continue operations more than six weeks after the breach; the disruption lasted weeks, with a projected cost of $100 million.

Go deeper. Learn how to master healthcare segmentation with the Director of Cybersecurity at ECU Health and experts from Forescout.


3. Act Now. Don’t Put This Off.

The National Institute of Standards and Technology (NIST) has created a four-step incident response methodology that hospitals can follow.

In other words – this is how you make your incident response plan and how NOT to sink your ship.

Attackers often use ignored, unpatched or end of life assets to infiltrate. See how we demonstrated a proof-of-concept attack (R4IoT) that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT) in this video.

Step #1 Is Preparation

Being prepared ahead of time allows for a quick response to an incident.  Preparing involves having an inventory of all your assets, managed or unmanaged.  This includes connected medical and IoT devices.

This is also the time to prepare a communication plan of who should be contacted when the incident takes place, and roles and responsibilities of each.


Step #2 Is Detection and Analysis

Gather all the information you can about the breach. Determine where there are open ports of entry (RDP or SMB ports, websites, IoT devices) and whether there are worm-able vulnerabilities.

Having a security tool that serves as a single source of truth – oversight of all your devices – is helpful and can help you detect and analyze the incident quicker.


Step #3 Is Containment, Eradication and Recovery

Make sure all public-facing services (e.g., VPN, web servers) and devices have the latest patches installed, and that you have antivirus software installed on all endpoints. Also, inspect east/west network traffic to detect any malicious activity or deviations from your baseline.

Connected medical devices will require specialized tools to protect, as traditional vulnerability scanners will not be able to detect any anomalies on these assets.

Consider quarantining or isolating the compromised assets only, rather than completely shutting down everything. This allows the hospital to remain somewhat operational, while ensuring no further damage can be caused by the breach.
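Steps #1 through #3 above describe one procedure: build an asset inventory, flag the entry points an attacker could use (exposed RDP/SMB, end-of-life or unpatched public-facing devices), and then contain by isolating only the compromised assets while watching east/west traffic on the segments they sit in. The script below is an added example written for this post; it is not Forescout’s code, and the inventory, segment names, and port list are constructed illustrations, not real hospital data.

```python
from dataclasses import dataclass, field

# Step #1: a minimal inventory record. Every field here is a constructed
# assumption; a real inventory would come from a discovery/asset platform.
@dataclass
class Asset:
    name: str
    kind: str                 # "IT", "IoT", "medical", "OT"
    segment: str              # VLAN or network segment the asset lives in
    open_ports: set = field(default_factory=set)
    public_facing: bool = False
    end_of_life: bool = False
    fully_patched: bool = True

# Constructed sample inventory (hypothetical names and values).
INVENTORY = [
    Asset("emr-db-01", "IT", "srv-vlan", {1433, 445}),
    Asset("vpn-gw-01", "IT", "dmz", {443}, public_facing=True, fully_patched=False),
    Asset("rdp-jump-01", "IT", "dmz", {3389}, public_facing=True),
    Asset("infusion-pump-12", "medical", "clinical-vlan", {80}, end_of_life=True),
    Asset("lobby-cam-03", "IoT", "iot-vlan", {80, 554}, end_of_life=True),
    Asset("nurse-ws-07", "IT", "clinical-vlan", {445, 3389}),
    Asset("ct-scanner-01", "medical", "clinical-vlan", {445, 104}),
]

# Ports the post calls out as common, worm-able entry points.
WORMABLE_PORTS = {445: "SMB", 3389: "RDP"}


def exposure_findings(assets):
    """Step #2: list (asset, reason) pairs for likely points of entry."""
    findings = []
    for a in assets:
        for port, proto in WORMABLE_PORTS.items():
            if port in a.open_ports and a.public_facing:
                findings.append((a.name, f"{proto} reachable from outside"))
        if a.end_of_life:
            findings.append((a.name, "end-of-life, unpatchable"))
        elif not a.fully_patched and a.public_facing:
            findings.append((a.name, "public-facing and missing patches"))
    return findings


def containment_plan(assets, compromised):
    """Step #3: quarantine only the compromised assets, keep the rest
    running, and mark same-segment neighbours with worm-able ports open
    for east/west traffic inspection instead of shutting them down."""
    by_name = {a.name: a for a in assets}
    quarantine = sorted(compromised & set(by_name))
    hot_segments = {by_name[n].segment for n in quarantine}
    watch = sorted(
        a.name for a in assets
        if a.name not in compromised
        and a.segment in hot_segments
        and a.open_ports & set(WORMABLE_PORTS)
    )
    keep_running = sorted(a.name for a in assets if a.name not in compromised)
    return {"quarantine": quarantine, "watch_east_west": watch, "keep_running": keep_running}


if __name__ == "__main__":
    for name, reason in exposure_findings(INVENTORY):
        print(f"[exposure] {name}: {reason}")
    # Constructed scenario: a nurse workstation and a lobby camera are confirmed compromised.
    plan = containment_plan(INVENTORY, {"nurse-ws-07", "lobby-cam-03"})
    for key, names in plan.items():
        print(f"[{key}] {', '.join(names)}")
```

The point of `containment_plan` is the decision the post recommends: two compromised devices are isolated, the CT scanner sharing a segment with one of them and exposing SMB goes on the east/west watch list, and the EMR database and VPN gateway stay up so the hospital remains operational.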


Step #4 Is Post-incident Activity

Apply the lessons learned from the incident to improve and close any gaps in your security posture. This is an ongoing process that also involves updating related processes and your communications plan.

In the end, understand that no process is perfect, and you may not be prepared for all incidents.  The evolution of threats is such that we should expect a breach at some point, so keeping your incident response plan up-to-date and relevant requires constant attention.
