As we reach the end of the year, it’s good to reflect on the past year and develop plans for the next. For healthcare information technology and security leaders, this year has turned out to be all too similar to 2020 with the continued impact of the COVID-19 pandemic and the rise in ransomware threats and other forms of cybercrime.
Recovering from ransomware attacks proves difficult for healthcare
According to The Institute for Security and Technology (IST), the average downtime due to ransomware attacks is 21 days and the average time to fully recover is 287 days. Healthcare is especially impacted by a constant barrage of ransomware attacks. The IST regularly updates its Ransomware Task Force Report on Combatting Ransomware, which provides “a strategic framework for a systemic, global approach to mitigating the ransomware problem.” The report states:
Ransomware is not just financial extortion; it is a crime that transcends business, government, academic, and geographic boundaries. It has disproportionately impacted the healthcare industry during the COVID pandemic, and has shut down schools, hospitals, police stations, city governments, and U.S. military facilities. It is also a crime that funnels both private funds and tax dollars toward global criminal organizations. The proceeds stolen from victims may be financing illicit activities ranging from human trafficking to the development and proliferation of weapons of mass destruction.
As we look back on the year, on May 20, 2021, the FBI released a Flash Report with the warning: “Conti Ransomware Attacks Impact Healthcare and First Responder Networks.” The report read:
The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.
These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.
A week earlier, the BBC reported that the Irish health system had suffered a Conti ransomware attack and had shut down its IT systems for protection; Ireland’s Health Minister Stephen Donnelly said it was having “a severe impact on [the] health and social care services.”
Four months later, reports continued to reveal the far-reaching effects of ransomware attacks such as these. On September 5, the BBC reported that the Irish health system was still recovering from the Conti attack; the lingering effects are consistent with the findings in the Ransomware Task Force Report on Combatting Ransomware.
Survey results affirm the impact of ransomware on healthcare
Close to 600 information technology and IT security professionals associated with healthcare delivery organizations participated in the September 2021 study conducted by the Ponemon Institute (sponsored by Censinet). The findings documented in The Impact of Ransomware on Healthcare During COVID-19 and Beyond affirmed the impact that ransomware has on healthcare organizations and patient care: 43% of respondents reported that their organization had experienced a ransomware attack.
When the survey asked those who had experienced a ransomware attack about the impact it had on patient care, the results indicated:
First steps: Raise awareness about the risk of ransomware
A final warning from the survey findings: 61% of the respondents were not confident they could mitigate the risk of ransomware.
If given a survey today, how confident are you that your healthcare organization would be able to adequately mitigate the risk of ransomware? How educated is your organization around the threat of ransomware and cybersecurity attacks?
One of the first steps to mitigating the risk of ransomware attacks is to raise awareness with your leadership teams and boards around the risk your organization faces, and determine if the level of risk justifies additional investment in cybersecurity technology and services.
7 cybersecurity safeguards to mitigate ransomware risks
Where should you begin when evaluating ransomware risks? Below are seven key areas to address first — my short list of cybersecurity safeguards that will help reduce ransomware risks:
1. Threat and Vulnerability Management
Once you have evaluated your organization’s current capability in this area, consider whether this level of risk justifies a higher spend on your threat and vulnerability management program. Determine whether improved vulnerability management or patch management technology or services would help reduce risks.
2. Identity and Access Management
3. Email Protection and Phishing Simulation
4. Supply Chain Risk Management (Third Parties and Managed Service Providers)
5. Monitoring and Incident Response
6. Backup and Recovery
7. Disaster Recovery and Business Continuity
The time is now to evaluate your cybersecurity program
I’m convinced that we can do better. The current state of cybersecurity in healthcare organizations needs to be a call to action. As IT and security leaders, we should not accept a situation where our organizations face such a high risk. Although many of us are not confident that we can adequately defend our organizations, we must actively prepare for these known cybersecurity threats.
As we think about the next year and our priorities, let’s take the time to review our cybersecurity program and compare our practices to the best practice recommendations in the NIST Cybersecurity Framework, CISA’s Ransomware Guide and other cybersecurity best practice guides available. I’m convinced that if we assess and improve our security programs in these areas we can reduce risk.
CISO, Advisory Services, CereCore