Blog October 3, 2019

What if it Happens Again?

Could Your Business Afford a Second Ransomware Attack?

There’s an old saying that lightning never strikes the same place twice. Experts say that isn’t true, and some places (like tall buildings) are natural lightning rods. Nevertheless, we continue to use this old adage to reassure ourselves that whatever bad (or good) happens to us, it can’t possibly happen again.

But, that’s not the case when it comes to ransomware. In fact, the healthcare industry seems to be a natural ransomware lightning rod. Cybersecurity Ventures predicts ransomware attacks on healthcare providers will quadruple between 2017 and 2020. Judging from the number of examples reported in the news, the industry is well on its way to hitting that ominous target.

For example, in April of this year, the Park DuValle Community Health Center in Louisville, KY suffered a ransomware attack. They managed to rebuild their systems from scratch using backups, but they were down for three weeks.

Then, just two months later, they suffered a second ransomware attack. This time, they decided to pay the ransom, claiming that they were unable to rebuild their systems. Speculating here, but it’s possible that they still hadn’t fully recovered from the first attack. And who could blame them for not wanting to go through another rebuild if paying the $70,000 ransom could get them back online faster? (Infosecurity Magazine estimated that almost a quarter (23%) of healthcare organizations remit some form of payment to the attackers.)

5 Additional Lessons from the Latest Attacks on Healthcare

The lessons we can learn from examples like this go deeper than assuming that our first ransomware attack will be our last. Here are just a few:

1/ Healthcare organizations are a target. Ransomware criminals are targeting the types of organizations most likely to pay out of desperation. In healthcare, there may actually be lives on the line. Just a few days ago, Campbell County Health in Gillette, Wyoming reported a ransomware attack had disabled critical systems. According to the hospital’s spokespersons, all systems were affected, and only the maternity department, emergency, and walk-in clinics remained open. Patients who need greater care were being transferred to other facilities.

2/ The total cost of being unprepared is worse than the ransom. The health center paid the $70,000 ransom, but as reported in the HIPAA Journal, so far, the attack has cost the organization over $1 million. While the authorities need to focus on catching these criminals, putting your focus on the cost of the ransom can distract you from the real issue.

3/ Backups aren’t enough. It’s great that the health center had backups they could restore, but a lot of businesses couldn’t survive three weeks of downtime and an unknown amount of data loss. According to one study, in 75% of ransomware incidents the backups were encrypted as well. Cloud-based disaster recovery can dramatically speed recovery without breaking the bank, and in some cases it provides additional protections.

4/ Encryption is vital. In 2016, HHS issued guidelines making it clear that ransomware is considered a reportable incident even if no data has been exposed. While data theft isn’t always the primary intent of a ransomware attack, it is sometimes a secondary objective. In addition, unencrypted data is always considered exposed when unauthorized individuals, in this case the ransomware attackers, take possession or control of the information in an impermissible way.

Data can be encrypted in hyperscale cloud environments like AWS and Azure, but misconfigurations are common. In a recent analysis, McAfee found that 99% of misconfigurations go unnoticed – a substantial issue in healthcare because each of these constitutes a potential HIPAA violation. Finally, if you’re leveraging cloud-based resources, be sure to encrypt data in transit as well, especially during your migration to the cloud.

For full details on HIPAA/HITECH guidelines on reporting ransomware, download the HHS fact sheet.
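To make the "backups aren’t enough" and "encryption is vital" lessons concrete, here is an added example (it is not from the original post or from any vendor tool) that audits S3-style bucket settings for default encryption at rest, a policy that denies non-TLS access, and immutable (Object Lock) backups. It runs offline against constructed sample settings shaped like the AWS GetBucketEncryption, GetBucketPolicy and GetObjectLockConfiguration responses; the bucket names and values are assumptions.

```python
import json


def has_default_encryption(enc_cfg):
    """True if a default server-side encryption rule (SSE-S3 or SSE-KMS) is configured."""
    rules = (enc_cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    return bool(algos & {"AES256", "aws:kms"})

def enforces_tls(policy_json):
    """True if a Deny statement rejects requests made without TLS (aws:SecureTransport false)."""
    for stmt in json.loads(policy_json or "{}").get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def has_compliance_lock(lock_cfg):
    """True if Object Lock is on with COMPLIANCE retention, so backups cannot be overwritten or deleted."""
    cfg = (lock_cfg or {}).get("ObjectLockConfiguration", {})
    mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    return cfg.get("ObjectLockEnabled") == "Enabled" and mode == "COMPLIANCE"

def audit_bucket(name, enc_cfg, policy_json, lock_cfg, is_backup=False):
    """Return a list of findings for one bucket; an empty list means it passes all checks."""
    findings = []
    if not has_default_encryption(enc_cfg):
        findings.append(f"{name}: no default encryption at rest")
    if not enforces_tls(policy_json):
        findings.append(f"{name}: policy does not deny non-TLS access (data in transit unprotected)")
    if is_backup and not has_compliance_lock(lock_cfg):
        findings.append(f"{name}: backup bucket lacks COMPLIANCE-mode Object Lock (attacker can encrypt or delete backups)")
    return findings

# Constructed sample settings (assumed names/values), shaped like the AWS API responses
TLS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::good-backups", "arn:aws:s3:::good-backups/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
GOOD = dict(enc_cfg={"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
            policy_json=TLS_POLICY, lock_cfg={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}})
# GOVERNANCE retention can be bypassed by a sufficiently privileged principal, so it is flagged
BAD = dict(enc_cfg=None, policy_json=None, lock_cfg={"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}})

if __name__ == "__main__":
    for bucket, cfg in (("good-backups", GOOD), ("bad-backups", BAD)):
        print("\n".join(audit_bucket(bucket, is_backup=True, **cfg)) or f"{bucket}: OK")
```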

5/ You need an incident-response plan. Once your systems are attacked by ransomware, the clock starts ticking. A well-thought-out incident-response (IR) plan can help you address the issue faster. One key component of the IR plan is nullifying the immediate threat and then determining the threat vector, e.g., malicious emails, so you can strengthen those defenses.

The Best Defense is a Good Offense

A ransomware attack can leave an organization floundering like a wounded animal. Systems are a mess, and everyone is focused on getting back online as quickly as possible. While the company tries to heal its wounds after the first attack, another attacker (or the same one) can slip past the lowered defenses. Creating an IR plan is essential, but it’s far better to prevent the attack from happening in the first place. Contact us for a complimentary session with one of our IT security advisors to discuss strengthening your ransomware defenses.
