So you've been hit with a ransomware attack. What now?

With criminals taking advantage of the COVID-19 crisis, security experts show how health systems can respond to a cyber crisis at the same time.
By Kat Jercich
01:14 PM
Security team in server room

The COVID-19 crisis has represented an enormous opportunity for cybercriminals. 

Rapid IT deployments, newly launched telehealth programs, sophisticated and fear-based phishing techniques, untested platforms and employees shifting to a work-from-home model have combined to make healthcare systems especially juicy targets for bad actors.

Most recently, Universal Health Services, a Pennsylvania-based system operating about 400 facilities, was hit with a massive cyberattack. The security incident, which NBC news referred to as "potentially [the] largest in U.S. history," has led to a multi-day offline IT network across UHS facilities throughout the country.

Although the company did not elaborate on the nature of the attack, sources told NBC that it "looks and smells like ransomware," which security experts predicted in May would continue to be an issue in years to come

Of course, there are a number of ways health systems can protect themselves against ransomware attacks

But what should hospitals and other companies do if cybercriminals do hold their data hostage?

"The most important thing organizations can do is ensure employees are well positioned to recognize a ransomware attack, know what to do, and act quickly," said Anthony Chadd, senior vice president of security business development at Neustar. "There should be a cyber crisis response plan in place that all employees have been trained on.

"Think of it like CPR for the network," Chadd advised. "When employees know what to do and can act quickly, it can buy IT and security administrators enough time to avert a major catastrophe."

The first move for an employee, said Chadd, is to record details of the ransom note, which may contain important information for security teams, before disconnecting their machine from the network entirely.

That disconnection is key, security experts told Healthcare IT News, as it may prevent early-stage ransomware from finding backups and from spreading to the rest of the network. However, if possible, only disconnect from the network, rather than shut down the machine. Security teams may need the data to conduct a forensic analysis.

Next, they said, find the source. Many bad actors use malicious emails, malspam and social engineering to make their way into the network, while some rely on exploiting vulnerabilities on Internet-facing devices. 

If a system has privileged access management in place, they can defend against such access abuse, especially in combination with zero trust, said Torsten George, cybersecurity evangelist at Centrify.

In addition to enabling an organization to isolate its network infrastructure from compromised remote access laptops and workstations, zero trust and privileged access management can allow a system to zone off access and enforce multifactor authentication, vault shared local accounts and apply the concept of latest privilege to control admin user access.

"Without the ability to install files or at least elevate privilege when installation is necessary, ransomware cannot spread undeterred through a network," George said.

"If you have backups, secure them and immediately take them offline until you are able to confirm the depth and scope of the compromise," advised Neal Dennis, threat intelligence specialist at Cyware.

And depending on the scale of the compromise, experts suggest contacting federal or state law enforcement. 

Experts differed as to whether organizations should consider paying the ransom. "Absent appropriate backups to restore data from, many healthcare industries find themselves, unfortunately, having to pay in order to reopen their facilities in a timely fashion," said Dennis. 

However, doing so is almost never advised. In some cases, especially with critical research data that could help in the COVID-19 fight, an argument might be made. UC San Francisco made headlines this summer, for instance, after paying hackers $1.14 million to decrypt data that was "important to some of the academic work we pursue as a university serving the public good," according to officials.

But in most cases, cybersecurity experts – along with the U.S. Department of Health and Human Services, the FBI and other enforcement officials – say it's not a good idea.

"There are documented incidents where large corporations pay and were compromised again days later by the same threat actors, or were further extorted for more money, because they knew that their victims would pay," said Dennis. "Additionally, there is no 100% guarantee you will receive the recovery key nor be able to decrypt all your files should the threat actors divulge one," said Dennis.

At the same time, acknowledged Chadd, "While paying the ransom only exacerbates the challenge and incentivizes further ransomware attacks, in the healthcare industry a ransomware attack could be a matter of life and death. If patients’ lives are hanging in the balance, it may not be in anyone’s best interests to play hardball with the attackers."

Such concerns have merit: In what has been said to be the first fatality linked to a ransomware attack, a German woman died earlier this month after an attack necessitated a move between hospitals.

"You could always try to appeal to the threat actor's desires to not be tied to any accidental deaths caused by their actions," suggested Dennis.

Of course, experts noted, prevention and preparation will enable the best response to ransomware. "Modern response efforts should consist of appropriate backup storage procedures, planning for a when, not if, you were to get compromised," said Dennis.

"Healthcare organizations can best protect themselves from ransomware attacks by maintaining active defenses against an infection. Organizations can deploy email content filtering to look for emails that attempt to trick an employee in to visiting a malicious website or opening an infected email attachment – common vectors for deploying malware and ransomware," said Robert Capps, vice president of marketplace innovation at NuData Security.

Chadd advised companies to use recursive domain name servers, which can prevent ransomware attacks by blocking the request to activate them. "The best thing healthcare organizations can do is take the proper steps in advance to prioritize cybersecurity hygiene, ensure network security best practices [are] followed to the letter and prepare themselves for scenarios like this," said Chadd. 

"While there is no way to totally prevent the threat of ransomware, organizations can stop ransomware attempts from impacting their business by implementing a multilayered security approach to thwart future threats," he continued.

"This includes having a thorough, planned approach to software patch updates and fixes, carrying out frequent vulnerability and penetration testing, as well as ensuring regular updates to data backup systems are made," said Chadd.

"Once these basics are in place, enterprises should also implement reliable distributed denial of service network protection, along with phishing prevention."


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.

More regional news

(Photo courtesy ChristianaCare)

Pain management therapy demonstration, Airrosti low-code EHR

Pain management therapy demonstration at Airrosti. (Credit: Airrosti)

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.