Ransomware Attacking Hospitals in the US

December 18, 2023

Introduction

A recent cyberattack affected hospitals in multiple states, diverting ambulances from emergency rooms. The attack was caused by ransomware, a type of malware that encrypts files and makes costly demands. These hospitals in Texas, Oklahoma, New Jersey, and New Mexico had to divert patients to other medical providers in surrounding areas while they initiated processes to operate in a limited capacity, due to IT services being unavailable from the attack.

Ransomware has long been a problem as business has evolved to more technologically driven processes. The healthcare industry is no different. Because of this, it is also susceptible to targeted attacks. At one time it was common for ransomware groups to declare health services off limits, sometimes even providing unlock keys for healthcare entities impacting by ransomware attacks. However, in lieu of recent news and statistics, it seems that social moral seems to have fallen by the wayside.

A recent study by The Journal of the American Medical Association indicated that a trend upwards for ransomware attacks on healthcare entities is present. From 2016 to 2021, 374 healthcare entities were impacted by ransomware attacks. Of those, roughly 44% of them caused considerable disruption to critical business functions of healthcare, such as electronic record and payment systems. As seen in the most recent cyberattack, these disruptions slow healthcare providers to a pace that is not sustainable, and patients must be diverted to other providers in the area for timely care.

So, ransomware is a problem and one that will always present risk to not only healthcare industries, but most others. When preparing ourselves, business, and customers for ransomware, there are four key things, all important, to focus on:

Prevention

The first thing you can do to prepare is implement mechanisms to prevent these attacks, but the catch is, there is no solution or process that is 100 percent effective at prevention. If that was the case, there would be no need for this article. However, there are core concepts that can reduce the likelihood of an attack occurring, albeit, not removing the possibility entirely. The first thing to do is to implement a security awareness training program that incorporates common threats to your industry. This program should target all employees at the company and occur in an ongoing manner. In addition to this training, conducting testing exercises on a regular basis provides a means of identifying areas of strength and weakness, and provides input into the material used for training. Statistically speaking, humans are our biggest weaknesses and the number one avenue for ransomware attacks is through them. So, the biggest preventative focus should be them. There are many more preventative measures to research and implement, but this is always the most effective, and probably, cheapest.

Detection

As with most things, it is hard to fix or deal with things that you do not know are happening. The same holds true for ransomware. It is equally, if not more, important to invest resources in proper detection mechanisms. In the standard incident response process, the first step is detection, and without that step, you cannot proceed to any others. From a network and system perspective, you should implement solutions and processes to monitor and review critical system logs to detect anomalies. This could be done through manual processes where personnel are responsible for reviewing all logs or through automated solutions, such as a System Information and Event Manager (SIEM) that collects and correlates events from various systems to present potential issues. It is also important to document the roles and responsibilities of employees with regard to incident detection, e.g. what a typical incident looks like, when to alert, and who to alert. Detailing this information and detection-related responsibilities in your incident response plan formalizes these processes.

Response

At this stage in our security protocol, we’ve implemented robust measures to both prevent and detect potential attacks. However, the next critical phase is effectively responding to incidents when they occur. It’s imperative that employees are thoroughly trained and equipped with clear, structured processes to initiate the company’s response to any security incident. This response should ideally involve personnel who are specifically trained in incident response, possessing the skills and knowledge necessary to swiftly and efficiently contain the incident. The primary objective here is to limit the damage to assets and infrastructure by minimizing the impact of the breach. By doing so, you can ensure a rapid recovery, which is the last critical function we will detail.

Recovery

The last critical function to focus on is recovering from an incident or event. Without detailed and tested recovery procedures, it may be difficult to resume business operations during and after an event. At the core of recovery efforts is backups and that is what we will focus on here. It is vital that backups are configured for all core functions of the business. The most common approach to backing up critical systems and data is performing full backups weekly and incremental backups daily. This provides a reasonable amount of data loss that may not be damaging to the business, but that varies from business to business. It is also important to test your backups at least monthly to ensure that they are functioning correctly. With virtualization solutions being more accessible, a simulated environment to perform test restores on would suffice. Lastly, for backups, they should be securely stored to prevent tampering and be out-of-band from the business network, because the last thing you want to occur when an incident is present is your backups being affected as well.

Conclusion

There are many more processes, solutions, plans, and implementations that you could do, prevention, detection, response, and recovery are core functions to establishing mechanisms to not only defend but respond and recovery from incidents, such as ransomware. Here are resources to help you:

NIST - Ransomware Risk Management: https://csrc.nist.gov/pubs/ir/8374/final
CISA – Cyber Security Evaluation Tool (CSET): https://www.cisa.gov/downloading-and-installing-cset
NIST – 800-61R2 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

Kevin Ivy, Director of Security Services

With over 19 years of experience in IT and Information Security, Kevin has been a great asset to TraceSecurity as an Information Security Analyst, Security Solutions Engineer, and now Director of Security Services. His areas of expertise include Systems Administration, IT Risk Management, Information Security Management, IT Auditing, Penetration Testing, and Network Engineering. He has performed all of our services, including risk assessments, IT audits, penetration tests, and more. As Director, he manages a team of 40+ Information Security Analysts in the development and execution of TraceSecurity services. Kevin holds his CISSP, CISM, and CRISC certifications. Additionally, he holds an associate degree in information technology from ITI Technical College.