Ransomware has risen to “worst nightmare” status for many organizations, particularly in the healthcare industry. While it has been lurking for many years, ransomware has recently emerged as one of the most virulent cybersecurity risks, affecting public and private sectors alike. Ransomware attacks have become more focused, sophisticated, costly, and numerous. Threat actors have shifted their tactics and techniques to include the destabilizing combination of encryption (sometimes including backups), data exfiltration, and company-shaming in an attempt, sometimes successful, to extract sizable payments from their victims.
A recent New York Times article, “How Ransomware Puts Your Hospital at Risk,” notes that: “Even before the pandemic, hospitals were an increasingly popular target for ransomware and other types of cyberattacks, because they need to be able to operate constantly, providing patient care 24 hours a day. Any interruption to their networks must be resolved as quickly as possible, making them ideal targets for ransomware, in which attackers promise to restore their systems immediately in exchange for cryptocurrency payments.”
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and HHS recently coauthored a joint cybersecurity advisory, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” which describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with ransomware for financial gain. CISA, FBI, and HHS announced that they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
Facing a ransomware event can be very disruptive and pose significant risks, so organizations must be prepared. That means considering hard questions in advance of any attack, such as whether to endorse a “no pay” policy or to be prepared to pay if necessary. There are no easy answers to the difficult question of whether to pay. Our recent Client Alert, “Ransomware: To Pay or Not to Pay,” discusses how organizations must balance the potential near-term benefit of decrypting data, which is not always guaranteed, against the risk of legal exposure for making a payment to a prohibited person or entity – not to mention the risk of increased targeting by threat actors once a payment has been made. Waiting until “right of boom,” after the attack has already occurred, to assess these issues will only complicate the situation. Organizations should have a plan in place before an attack occurs.
In addition to planning whether and how to pay, organizations should update their incident response plans (IRPs) to address the other unique decision points raised by a ransomware attack. Often such IRP updates take the form of a ransomware addendum. To truly understand how that ransomware plan works in practice, organizations should tabletop realistic ransomware scenarios. As this Cybersecurity Law Report article on “Tips and New Benchmarks for Creating Effective Tabletop Exercises” points out, these exercises ensure company leaders can communicate safely and securely and are able to interact in an organized way to make critical decisions. Companies have been introducing realistic cybercrime scenarios, such as ransomware and ransomed denial of service (RDOS) attacks, into their exercises both to test the ability to respond and to raise awareness within the organization about how to deal with them.
Although there is no foolproof solution yet, preparedness is key. Hospitals should plan and discuss how these attacks will be handled, and what measures they can take to ensure continued operations in the meantime.