A Ransomware Readiness Checklist: Ways to Amp Up Detection and Response Plans

Ransomware threats and other forms of cybercrime are a top of mind business risk for healthcare and security leaders. While the Covid-19 pandemic drove substantial innovation and improvements in digital healthcare, including rapid adoption of telehealth and virtual visits, escalating cybersecurity threats have driven many healthcare organizations to increase focus and investment in cybersecurity technology, staff and effective operations. 

Recovering from ransomware attacks proves difficult for healthcare  

Take a look at recent data related to cyberattacks. 

• 2022 research from Sophos reporting that 44% of healthcare organizations that suffered an attack in the last year took up to a week to recover from the most significant attack, and 25% took up to one month.  
• Sophos also reported that 94% of the industry members surveyed said "the most significant attack impacted their ability to operate," and 90% of private organizations reported lost business or revenue. 
• According to a report by Chief Healthcare Executive on the biggest health data breaches this year, millions of individuals were impacted. 

Each of these data breaches represent significant financial and operational impact to their respective organizations, and in some cases, especially in the case of ransomware attacks, disruption of important healthcare services to patients. 

When we look at the types of incidents occurring in healthcare organizations, Kroll research indicates that ransomware is the most frequent, followed by email compromise, unauthorized access and compromised websites and web applications.   

Kroll notes that the top initial attack vector during the time period analyzed was exploitation of vulnerabilities in remote services such as remote desktop protocol (RDP) or virtual private network (VPN) services. This underscores the importance of implementing effective security controls to mitigate vulnerabilities in remote services including vulnerability management, secure configuration, and strong authentication including multi-factor authentication.

Tactical ways to mitigate ransomware risks and protect against cyber crime 

Below are questions that can help you evaluate your current state processes, encourage conversations about your investment in cybersecurity technology and uncover possible operational improvements and education needs — all with the goal to reduce the risk of ransomware attacks for your healthcare organization.  

Evaluate threat and vulnerability management processes 

• Do you have an ongoing patch management process? How would you rate its effectiveness?  
• Do you perform vulnerability scans? What actions do you take based on the results of the scans? Take time to prioritize and remediate. 
• How often do you produce or review threat and vulnerability management reports? How would you rate the effectiveness of this reporting? 
• How long does it take to patch or otherwise remediate IT vulnerabilities, especially those that are most critical? Can you make improvements to drive down the time to remediate vulnerabilities?
• Based on analysis of processes and data in this area, are additional IT investments warranted based on the level of risk in the area of threat and vulnerability management? How would improving vulnerability management or patch management technology or services help reduce risks? 

Assess identity and access management 

Have you deployed multi-factor authentication (MFA) for the following: 

• Remote access (including VPN, webmail and any externally accessible systems with access to sensitive data)? 
• Privileged accounts? 
• Internal systems with sensitive data?
  
• Cloud solutions? 

Protect against email and phishing scams 

• Do you have ongoing education efforts focused on identifying and report phishing incidents? 
• Do you follow up with employees who may fail the phishing exercise and perform additional training? 

Understand your risk: supply chain, third parties and managed service providers 

• Have you obtained and assessed the cyber hygiene practices of any third parties with access to your systems and data? Do you have processes or agreements in place to hold them accountable to maintain an adequate security program?  
• Do you have a process that reviews how users access your systems?
• Do you have an audit process that ensures user access is granted based on the least privilege needed?
• Is access revoked for individuals on a timely basis when terminated or when changing job roles?
• Have you performed an audit of third-party access? 

Be ready to respond to an incident 

• How would you rate your ability to monitor for and detect an incident? Do you use detection capabilities such as Network and Endpoint Detection and Response? 
• Have you developed an Incident Response Plan (IRP) and playbooks for common security incidents? 
• Have you trained your IT staff on IRP?   
• Have you scheduled periodic scenario-based exercises to test your incident response plan?
  
• Have you developed a relationship with the FBI? Have you retained an experienced incident response firm should you need help?
  

Have a backup, disaster recovery and business continuity plan  

• Are you following CISA recommendations for offline, encrypted backups? 
• Do your backup and recovery tools follow best practices? Any improvements needed? 
• Have you developed and tested your Disaster Recovery Plan (DRP) and Business Continuity Plan (BRP) using a ransomware scenario?  A ransomware scenario will require activating your DRP, BCP and IRP. 
• How recently have you conduct a penetration test with a ransomware focus? Do you need to schedule additional testing with new or additional team members?  

Call to action: Prepare for cybersecurity 

The current state of cybersecurity in healthcare organizations requires a call to action. As healthcare IT and security leaders, we must not accept or ignore scenarios where our organizations fail to manage known cyber risk.     

As we think about the upcoming year and our priorities, let’s take the time to review our cybersecurity program and compare our practices to the best practice recommendations in these resources. 

• NIST Cybersecurity Framework 
• CISA’s Ransomware Guide  
• Anatomy of a Ransomware Attack: 8 Stages of Operation  
• Mitre Att&ck Framework   

Ways we can help 

CereCore has a well-earned reputation for providing excellent IT services to its growing list of healthcare customers. As you work on improving your cybersecurity program to address the risks discussed above, we stand ready to help in these areas: 

• HIPAA Compliance Assessment 
• Security Framework Maturity Assessment 
• Security Risk Assessment  
• Chief Information Security Officer (CISO) (in a variety of capacities to fit your needs) 
• Cybersecurity application and infrastructure architecture services 
• Tabletop exercises and general education 

Detection and response during early stages of an attack may help you stop the attack or limit attack impact. Together, we can actively prepare for cybersecurity threats.