Three Essential Defenses for Combating Ransomware

The number of successful ransomware attacks has doubled in the last 4 years. But there are concrete steps a healthcare organization can take to avoid costly — and potentially deadly — downtime and better protect themselves against an attack.

1. Move from on-premises servers and backups to the cloud.

Doing so outsources availability, uptime, and security to the SaaS vendor and also facilitates better backup and recovery if something does happen. It’s just a question of resources. There’s no “easy button” to make it happen quickly. But one big benefit of moving to the cloud is that it makes restoration a faster and less error-prone process.

If you’re attacked, you don’t have to worry about a 16-petabyte data store, recovery process or decryption process. There will be some disruption, but EHR data will still be accessible. The difference is time. There are certain facilities within a healthcare organization — think the NICU, oncology, radiology — where a lack of EHR data can lead to not-great patient outcomes in less than 24 hours because you have very complex treatments that are necessary.

2. Work with a managed detection and response firm.

Ransomware attackers gain remote access to a victim’s network and typically linger, studying the network and gaining greater access, before deploying crypto-locking malware. Thus, it’s imperative to spot those activities before files start getting encrypted. Most groups now will also want to steal large amounts of data before they launch the ransomware, and then they’ll actually plan out how they’re going to deploy the ransomware

In a study earlier this year, more than 80% of ransomware incidents exhibited classic, “noisy” signs of an attack. An attacker’s average dwell time — before unleashing ransomware — was about 11 days. Working with a detection and response firm can allow your organization to use that time to prevent ransomware and a larger overall breach.

3. Have an incident response plan…in hardcopy

Even the most well-prepared organization can fall victim to ransomware. But what happens next matters. Whether you’re a small, rural, 15-bed hospital or you’re a major regional system with thousands of beds.

Incident response plans shouldn’t just be for the IT department, but rather to coordinate the entire organization’s response and ensure continuity. Answering questions like: “How do we move to a paper-based system? Especially when all of the medical students graduating these days have never written a paper prescription? What would happen if all our servers got encrypted today, and we had to rebuild everything? How long would it take to get a department new laptops?”

Running tabletop exercises to simulate how an organization should respond and who inside the organization should be involved for a range of scenarios such as a ransomware attack. Then apply these exercises to refine their incident response plans.

Devoting time to practicing this sort of fallback in advance can have a direct impact on continuity in the event of a system outage. It should go without saying that this plan needs to be accessible via hardcopy because, in a ransomware incident, all of your digital assets may be inaccessible.

If you have questions about ransomware, IT security, and healthcare implications, call ITPAC today.