Basic recommendations to defend against ransomware
A ransomware attack can be cause any organisation to feel powerless. In the case of Healthcare, a successful cybercrime operation can result not only in thousands or millions of pounds in ransom demands but also the loss of human lives. All public and private healthcare organisations, from research labs to small clinics to large hospitals, are lucrative targets for cybercriminals. The value of human life over systems and money paid in ransom puts upper management and technical administration teams under pressure to ensure necessary controls and technologies exist and are being implemented correctly. While there can be no guarantee of ‘absolute security’, nonetheless there are several things to keep in mind to minimise the impact of an incident, should it occur.
- Conduct comprehensive and rigorous end-user awareness training on phishing and social engineering techniques. Not every member of the organisation will have the technical background to understand the implications of a malicious email, but everybody should understand that they are sharing a common cyber risk.
- Maintain regular backups of your files and configurations from a verified ‘safe’ state and ensure the backups are stored offline. It is crucial to ensure the integrity of these backups otherwise the threat will not be properly eradicated.
- Leverage centralised log systems, such as a Security Information and Event Management (SIEM) system, to increase log retention and availability during an incident analysis.
- Identify assets that store sensitive organisational and patient data and implement strong access controls along with proper network segmentation. The latter proves to be a challenge as the introduction of IoT medical devices forces network administrators to reconfigure firewalls and zones with strict policies, thus limiting their interconnecting functionality.
- Implement strict identity policies regarding internet facing and remote services by using multi-factor authentication (MFA) for all remote access that’s internet accessible
Best practice guide for Healthcare C-Level & Middle Management
Cybersecurity should start being regarded as a shared responsibility between all individuals of the organisation, regardless of roles, responsibilities or technical background. It is important that middle management communicates to upper management the risks of handling sensitive patient data or adopting new IoT devices, to address the risk factors and propose mitigation strategies. At the same time, C-level management should aim for a concrete cybersecurity plan inside the organisation with emphasis not only on prevention but also response:
- Implement an incident report process with a transparent policy. It is important to engage all individuals to share responsibility of keeping the organisation safe without fear of repercussions. An effective process can lead to fast incident detection and analysis without spreading to the entire facility networks.
- Develop a thorough Incident Response plan with well-defined roles and responsibilities giving emphasis on the interoperability of departments to effectively contain and recover from an incident. Based on the impact analysis of critical medical devices and patient storage databases, prioritise the restoration of your assets in case of a ransomware attack.
- It is important to understand threat actors are likely to pose a threat to healthcare organisations by reviewing or conducting cyber threat intelligence. Equally important is the establishment of information sharing channels between other stakeholders of healthcare by sharing Indicators of Compromise (IoCs) of cyber attacks faced. It is very likely that these will help others strengthen their cyber security posture to effectively defend against the same threat.
- Regularly publish internal communications to educate employees on ransomware and security awareness and remind them the incident report process.