Ransomware attacks against healthcare systems surged by 94% in 2021. Meanwhile, a recent survey of medical professionals found that more than half (57%) of healthcare organizations were targeted by ransomware at least once in the past three years. Some even had to halt operations entirely, leaving medical professionals and patients alike at acute risk for deteriorating privacy, financial wellness and health. Simply put, ransomware poses a significant risk to critical wellness facilities’ short- and long-term operations.
Numerous trends have contributed to the recent rise in ransomware, including new threats like ransomware as a service gig economy and bad actors like the Hive syndicate. Healthcare providers must focus on implementing protective ransomware strategies to combat these risk vectors as soon as possible. Doing so is critical to safeguarding vital data like patient records and preventing system outages.
Luckily, building a solid campaign against ransomware is not impossible.
Unpacking the threat ransomware poses to healthcare
To begin the ransomware protection process, providers should review the threat landscape and assess their vulnerabilities. No two healthcare facilities are the same, just as no two ransomware attacks are the same. As such, strategies for prevention and response will vary widely. However, there are common threats that providers can proactively address.
One recent and “exceptionally aggressive” example of ransomware comes via the Hive Group, a group of hackers that often target the healthcare industry, according to the Department of Health and Human Services (HHS). Hive and its contemporaries employ highly sophisticated ransomware. In many recent cases, Hive has stolen valuable data and a facility’s immutable backups to up the ante for a ransom payment. Hence, 3-2-1 backup plans for data — in which a client creates a primary backup alongside two copies of data — are now at risk.
Even more concerning are modern ransomware actors like Hive who frequently encrypt data during a breach, rendering critical systems temporarily unusable. In 2021, 61% of attacks on the healthcare industry resulted in encryption, a process by which data becomes unreadable to a host organization. Encryption is an incredibly dangerous tactic that can result in extended service delays and, in worst-case scenarios, total data loss.
The Hive syndicate has claimed responsibility for numerous large-scale healthcare attacks, including the CommonSpirit breach of October 2022. CommonSpirit Health, the merger between Dignity Health and Catholic Health Initiatives (CHI), exemplifies the danger of vast data systems in the context of a ransomware breach. When the disparate organizations merged, so did their data, exposing numerous vulnerabilities to the joint network. As a result, several CHI facilities faced weeks-long outages and data loss, and healthcare services and patients suffered.
Even organizations without mergers or acquisitions on the radar should consider the CommonSpirit Health breach as a cautionary tale. Healthcare professionals are expanding their reliance on big data, further connecting their internal networks in the process. These developments contribute to elevated levels of service for patients, including personalized medication offerings and telehealth visits. But as big data expands — especially without the proper protections in place — the risk of breach follows.
The key is to remain vigilant by activating a balanced ransomware strategy.
How to craft a balanced response and prevention strategy
Given the steep rise in data capabilities and ransomware sophistication, it may seem daunting to begin forming a defense blueprint. Providers who proactively seek information about ransomware protection can make more informed decisions about their system’s defense plan.
Nearly half (46%) of business leaders focus their cyber defense efforts on restorative as opposed to preventative measures, according to industry research. In this vein, many healthcare organizations opt to adopt a cyber insurance policy that covers the financial burden of ransomware. Although cyber insurance may be a necessary failsafe, it’s not enough in most cases. After all, losses associated with ransomware breaches go far beyond economic implications.
Instead, healthcare providers must consider a holistic response strategy that minimizes the time between breach and resolution (or “downtime”). A particularly robust data recovery method relies on protected backups, especially mission-critical data and systems. Backups should ideally remain off-site to avoid damage during a breach. The most robust data protection method is encryption, which reduces the likelihood that attackers will be able to process data, even in the event of a breach. System administrators can reboot critical operations and minimize downtime when data is copied, encrypted and stored off-site.
But what constitutes mission-critical data? In larger organizations juggling vast data needs, valuable data is not always intuitive. It may be wise to contract a managed services provider (MSP) who can map out a restoration strategy based on the institutional knowledge of threats in the industry. The value of working with an MSP can also extend to disaster recovery and prevention. For example, Ransomware Protection as a Service (RPaaS) vendors can vet an enterprise, monitor the network for disruptions and quickly address breaches with complete remediation recommendations within hours or even minutes.
Whether ransomware protection is orchestrated by a vendor or internal team, healthcare providers must also consider preventative ransomware measures. Detection and protection strategies ensure that most attacks end unsuccessfully. At its most basic, prevention should involve multi-factor authentication (MFA) protocols that protect employees and patients from accidentally exposing the organization to a breach. MFA requires system participants to verify their identity in various ways, decreasing the likelihood of a vulnerability. System firewalls should also be tough and frequently updated, with administrators or third-party partners running penetration tests as often as possible.
Stay calm, but act fast
Should a healthcare organization pay for cyber insurance? Should they prioritize a preventative or restorative ransomware strategy? And is it best to rely on the expertise of an MSP or internal cybersecurity team? The questions associated with protecting healthcare systems may be overwhelming and the consequences of an attack significant.
But ransomware protection is an entirely attainable goal. A holistic, proactive approach to cyber defense and a full understanding of which data constitutes mission-critical will provide ample protection when an attack eventually occurs. The only incorrect course of action is to delay protections. Ransomware is evolving, so healthcare protections must naturally grow in kind — sooner rather than later.
About the Author
Allen Jenkins is the Chief Information Security Officer and VP of Cybersecurity Consulting at InterVision, a leading IT strategic service provider and Premier Consulting Partner in the Amazon Web Services (AWS) Partner Network (APN).