Working toward a cross-functional solution to protect against the ransomware threat.
The key operational challenge with a ransomware attack at a hospital is that system downtime is basically a guarantee. Whether the ransomware itself cripples one or more applications or IT brings down the network as a response measure, the organization is left dealing with unplanned downtime that is likely to last from several hours to several days or more. At best, IT and Information Security will need several hours to gather basic forensics, determine when malware entered the network, and restore from backups predating the attack. As a result, preparing for a ransomware attack is an increasingly important part of the overall preparedness picture for hospitals and health systems. Doing so effectively requires a cross-functional approach to preparedness, with collaboration between Information Security, IT Disaster Recovery, and Business Continuity. The Emergency Preparedness or HICS program is also a contributor, since ransomware attacks can impact all aspects of a hospital's operations.
Here’s how the responsibilities of each function break down:
Emergency Preparedness / HICS:
- Provide overall guidance and direction during disruptive incidents.
- Address patient-care implications, ensuring that patients are not adversely impacted during a ransomware event.
- Coordinate between different response stakeholders and executive management, including partner hospitals, suppliers, technology vendors, etc.
- Ensure that the organization delivers timely communications to internal and external stakeholders.
Information Security:
- Proactively implement controls to reduce the likelihood of an attack, including training and awareness for hospital employees.
- Manage the operational-level response to the incident, leveraging the organization’s Security Incident Response procedures.
- Liaise with law enforcement and external security partners/firms as needed.
Business Continuity:
- Proactively work with hospital departments to develop and test downtime procedures, ensuring that patient-facing and time-sensitive activities can continue during a ransomware attack.
- Participate in the response effort, providing input on how affected resources impact hospital operations; ensure that the organization prioritizes patient care and other time-sensitive functions throughout the incident.
IT Disaster Recovery:
- Partner with Information Security to proactively implement backup and recovery capabilities that specifically address the ransomware threat.
- Support response efforts, ensuring that forensics are captured and systems/data are restored without reintroducing malware.
- In advance of an attack, collaborate with the business and business continuity stakeholders to identify and implement alternate (isolated) systems and data that can be used during an attack to sustain critical operations.
The question of whether hospitals will face a ransomware attack, or some other cyber-attack, is irrelevant at this point. If we look just at ransomware, attacks increased over 90% [1] in 2017, costing organizations billions of dollars. For example, here are three widely publicized ransomware attacks on hospitals:
1. Hollywood Presbyterian Medical Center [2]: A cyber-attack took place in February of 2016. The attacker used ransomware called Locky to shut down the medical center’s network. Medical records, network communication, x-rays, and medical tests were unavailable. The hospital system was asked to pay the equivalent of $17,000 in bitcoins. The hospital obliged, and 10 days later the hospital’s systems were fully restored. However, before the systems were running normally, staff moved patients to various nearby hospitals, documented procedures and visits manually, and were able to function at close-to-normal speed and effectiveness without major impacts to the organization and its patients.
2. MedStar [3]: MedStar, a large not-for-profit healthcare organization, was affected by a ransomware attack in March of 2016. This $6 billion organization was asked to pay the equivalent of $19,000 in bitcoins. The hospital did not pay the ransom and said that operations were running safely throughout the disruption. However, during this disruption several nurses within the MedStar system disclosed that operations were not running at normal levels. A number of patients reported delays and cancellations in appointments and surgeries. The hospital’s director of emergency preparedness, following the event, warned that hospitals need to prepare to utilize “pen and paper” effectively, along with being able to explain the impacts of a disruption to a patient at the time of an event. He also emphasized that disruptions can happen to any hospital and that it is crucial to be prepared.
3. WannaCry [4]: Another well-known example of ransomware is WannaCry. The WannaCry virus attacked over 200,000 systems in May 2017, costing companies billions of dollars. Nearly 50 United Kingdom-based hospital locations were impacted, leading to large downtimes and several weeks of restoration before normal procedures could resume. Additionally, Bayer Imaging systems were targeted at two United States-based hospitals.
These cases illustrate the need for an effective strategy to address the threat through cross-functional planning. Hospitals and health systems need to implement controls now to ensure they are prepared for unplanned downtime due to a cyber-attack. From our experience across hospitals, the best way to address this threat is using a cross-functional approach that proactively seeks to reduce the likelihood of downtime while also putting a coordinated response strategy in place and building robust downtime procedures.
Avalution takes a strategic, pragmatic, and holistic approach to Information Security, IT Disaster Recovery, and Business Continuity. We welcome the opportunity to connect and discuss how we can help protect your organization from a cyber threat using a cross-functional approach.
[3] https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html?utm_term=.616fa277ee42 and https://www.bizjournals.com/washington/news/2016/07/06/medstar-official-on-ransomware-attack-we-chose-by.html