Ransomware Preparedness in Healthcare – Are you Doing the Basics?

The following is a guest article by Chad Peterson, Managing Director at NetSPI

As ransomware attacks become more sophisticated, healthcare organizations have become desirable targets because of the valuable data held in medical records and the constant need for service availability. In fact, a recent JAMA Health Forum report indicates that from 2016 to 2021, the annual number of ransomware attacks on the healthcare sector more than doubled.

With the rise in these attacks, healthcare organizations must have an in-depth understanding of their security posture, including how breaches may occur and how to take an offensive approach to defend against them. As such, IT administrators must ensure they are addressing basic security needs. They can achieve this by taking the following three foundational steps.

Implement Standard Security Protocols

The first step for IT leaders to ensure ransomware preparedness is to implement security protocols that help prevent attacks before they occur. This includes checking for vulnerabilities and misconfigurations through vulnerability scanning and continuously patching systems when weaknesses are identified. Penetration testing should also be routinely conducted to proactively identify and verify exploitable vulnerabilities in IT systems. Continuous pentesting, which often takes the form of attack surface management, helps identify and protect assets exposed externally.

Awareness of an organization’s potential entry points is especially critical with the increased usage of connected medical devices and telehealth services. Furthermore, the transition to electronic health records (EHRs) has reinforced the need for tightened identity and access management processes. IT administrators should consistently remove user accounts that are no longer needed, implement multi-factor authentication (MFA), and apply least privilege or role-based access so that only appropriate users can access patient data.

Prepare to Address Breaches If and When They Occur

An organization’s most significant security mistake is failing to respond correctly when a breach occurs. Every organization should have an incident response plan, which includes instructions for communicating with internal and external stakeholders when a breach has occurred and how to respond accordingly. An incident response plan is essential to provide impacted parties with a clear understanding of the protected health information (PHI) and/or electronic protected health information (ePHI) that was compromised, when the incident occurred, and what action is being taken by the organization.

A contingency plan is also necessary so that organizations can efficiently switch to manual processes if a breach occurs for tasks such as patient intake, lab orders, billing, charting, etc. Additionally, this plan should outline, for example, whether to divert patients to another working facility or reschedule appointments. System backups should also be kept offline and up to date so they remain available in the case of a breach. Many ransomware attackers look for and destroy backups if found, so having a gold image (a clone) of systems can shorten the time needed to rebuild them. To ensure the success of these plans, organizations must also test them continuously.

Create a Security Awareness Program

An organization’s security measures can only be truly effective if they are widely understood and enforced. By creating a security awareness program, IT administrators can prioritize continued education and training on the importance of information security and handling patient data.

Security awareness should be implemented as part of an organization’s onboarding and annual training program. Phishing attacks are one of the top ways to access environments, so all staff must have a basic understanding of how to identify and prevent them. For critical areas, periodic testing against phishing campaigns may also be necessary. Additionally, training should include education on the regulatory requirements of managing PHI and ePHI. Broader security training is also necessary, such as how to lock workstations and the importance of protecting both personal and work devices while traveling or in public areas.

With the rise of ransomware attacks across the healthcare sector, IT administrators must ensure there are no gaps in the foundation of their organization’s security program, which often stem from unaddressed basic security needs. Continuously scanning for threats, implementing protocols for when a breach occurs, and creating cybersecurity awareness among staff are fundamental to a successful security program. Failure to implement these best practices will leave organizations more susceptible to future attacks and scrambling to respond.

About Chad Peterson

Chad Peterson is Managing Director at NetSPI. He is responsible for security program strategy, cybersecurity operations, security assessment and audit, and regulatory compliance. In his 25+ years working in cybersecurity, the majority of his career was spent in the healthcare industry, where he held roles such as HIPAA security officer, information security manager, health information technology director, and security auditor for several large health systems. He has his Master’s in Information Security and holds CISSP, CISA, CHC, CRISC, and ITIL-F certifications.
