Healthcare organizations should plan ahead for a cyberattack instead of trying to react to one when it occurs, BOK Financial’s top information security officer said.
The New York Times recently reported that hundreds of American hospitals are under fire from Russian hackers.
These cyberattacks, commonly known as ransomware, are a modern-day version of digital extortion. The perpetrators typically evade cybersecurity tools by blending in with legitimate network traffic.
Paul Tucker, BOK Financial’s chief information security officer, cited a ransomware called Ryuk as one of the most prominent security threats for all industries, especially healthcare.
The attacks are becoming increasingly sophisticated and highly targeted, advancing from merely encrypting an organization’s data to exfiltrating, or copying, transferring or retrieving, that data. A scary proposition for any business, U.S. healthcare providers are particularly vulnerable today as coronavirus cases continue to escalate across the country.
“We are advising our clients to take proactive, rather than reactive, steps,” Tucker said. To plan ahead, he offered these tips for before, during and after an attack:
Before a ransomware attack
- Perform a risk assessment of your company’s exposure to a ransomware attack.
- Ensure proper awareness about ransomware and the techniques that are used to trick your employees with phishing attacks.
- Develop a resiliency strategy that prevents ransomware from encrypting your backups. Maintain offline, protected backups of data.
- Segment core areas of the network to protect your high-value assets.
- Develop an incident response plan to minimize the damage.
- Minimize the attack surface. Don’t allow users to have administrative rights on their computers, utilize multi-factor authentication, deploy strong endpoint detection and response capabilities, and change passwords on a frequent basis.
- Patch operating and application systems from vulnerabilities.
- Inspect and protect all incoming and outgoing emails.
- Explore cyber insurance options.
During a ransomware attack
- Initiate your crisis management plan.
- Notify the proper authorities of the extortion attempt, i.e., the local FBI office or the Internet Crime Complaint Center. Note: They will not help with the remediation or extraction of the ransomware.
- Identify the data backups that need to be restored for the encrypted files. Make sure they are not encrypted also.
- Contact a forensics company for assistance.
- Isolate infected systems to save others.
- Check insurance policies.
- Consult legal advisors on the ransomware payment considerations. Law enforcement recommends not paying, as you may not get your files back.
If your organization is a victim of ransomware, you may want to use the Ransomware Response Checklist located in CISA and MS-ISAC's Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.
After a ransomware attack
- Identify if any data privacy issues exist.
- Develop an after-action report of the incident activities.
- Enhance the plans to mitigate gaps around the company’s protections.
- Continue to collect forensic data from the attack.
“While these steps aren’t comprehensive, they will go a long way to securing your company’s and your clients’ data,” added Tucker. “Remember, an ounce of prevention is worth a pound of cure. That is especially true when it comes to cybersecurity.”