US Healthcare at risk: Strengthening resiliency against ransomware attacks

The healthcare sector faces a rapidly increasing range of cybersecurity threats, with ransomware attacks emerging as one of the most significant. A combination of valuable patient data, interconnected medical devices, and small IT/cybersecurity operations staff, which spreads resources thin, can make healthcare organizations prime targets for threat actors. As healthcare operations become increasingly digitized, ranging from electronic health records (EHR) to telemedicine platforms and networked medical devices, the attack surface of hospitals grows more complex, further heightening their vulnerability to attacks.

The following sections provide an overview of the current cybersecurity landscape in healthcare, highlighting the industry's status as a major target, the growing frequency of ransomware attacks, and the severe financial and patient care consequences these threats are imposing.

A video discussion led by Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft, further explores these critical issues, offering insights from experts on threat actors, recovery strategies, and healthcare vulnerabilities.

Figure: Ransomware's ripple: disruptions at unaffected hospitals. Increases include emergency medical services (EMS) arrivals, 35.2%; patient volume, 15.1%; waiting room time, 47.6%; stroke code activations, 74.6%; confirmed strokes, 113.6%; cardiac arrest cases, 81%. Out-of-hospital cardiac arrests with favorable neurological outcomes decreased by 88.75%.

The American healthcare sector presents an attractive target for financially motivated cybercriminals due to its broad attack surface, legacy systems, and inconsistent security protocols. The combination of healthcare's reliance on digital technologies, its sensitive data, and the resource constraints many organizations face, often due to razor-thin margins, can limit their ability to invest fully in cybersecurity, making them especially vulnerable. Additionally, healthcare organizations prioritize patient care at all costs, which can lead to a willingness to pay ransoms to avoid disruptions.

Figure: 2024 healthcare sector ransomware payments: 53% of organizations paid ransoms, with an average payment of $4.4 million (based on a survey of 402 healthcare organizations).

Healthcare organizations also transmit vast amounts of data. According to data from the Office of the National Coordinator for Health IT, more than 88% of hospitals report electronically sending and obtaining patient health information, and more than 60% report integrating that information into their electronic health records (EHRs).[15]

A cybercriminal's attack process typically follows a two-step approach: gaining initial access to the network, often through phishing or exploiting vulnerabilities, followed by the deployment of ransomware to encrypt critical systems and data. The evolution of these tactics, including the use of legitimate tools and the proliferation of ransomware as a service (RaaS), has made attacks more accessible and frequent.

Campaigns directed at healthcare organizations frequently use highly specific lures. Mott highlights, for example, how threat actors craft emails with healthcare-specific jargon, such as references to autopsy reports, to increase their credibility and successfully deceive healthcare professionals.

Mott also notes that attackers are becoming increasingly sophisticated in their methods, often using real names, legitimate services, and tools commonly used in IT departments (e.g., remote management tools) to evade detection. These tactics make it challenging for security systems to differentiate between malicious and legitimate activity.

Microsoft Threat Intelligence data also shows that attackers often exploit known vulnerabilities in an organization's software or systems that were identified in the past. These Common Vulnerabilities and Exposures (CVEs) are well documented and have patches or fixes available; attackers often target these older vulnerabilities because they know that many organizations have not yet addressed these weaknesses.[18]

After gaining initial access, attackers often conduct network reconnaissance, which can be identified by indicators such as unusual scanning activity. These actions help threat actors map out the network, identify critical systems, and prepare for the next phase of the attack: the deployment of ransomware.

Mott further elaborates on how RaaS operates, stating: "These platforms often include a comprehensive suite of tools, including encryption software, payment processing, and even customer service for negotiating ransom payments. This turnkey approach enables a wider range of threat actors to execute ransomware campaigns, leading to an uptick in the number and severity of attacks."

Additionally, Mott highlights the coordinated nature of these attacks, emphasizing that "Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours. They target essential infrastructure such as patient records, diagnostic systems, and even billing operations to maximize the impact and pressure on healthcare organizations to pay the ransom."

In the face of increasingly sophisticated ransomware attacks, healthcare organizations must adopt a multifaceted approach to cybersecurity. They must be prepared to withstand, respond to, and recover from cyber incidents while maintaining the continuity of patient care.

The following guidance provides a comprehensive framework to enhance resilience, ensure swift recovery, foster a security-first workforce, and promote collaboration across the healthcare sector.

Effective governance in healthcare cybersecurity is essential for preparing for and responding to ransomware attacks. Dameff and Tully from the UC San Diego Center for Healthcare Cybersecurity recommend establishing a robust governance framework with clear roles, regular training, and cross-disciplinary collaboration. This helps healthcare organizations enhance their resilience against ransomware attacks and ensure the continuity of patient care even in the face of significant disruptions. A key aspect of this framework involves breaking down silos between clinical staff, IT security teams, and emergency management professionals to develop cohesive incident response plans. This cross-department collaboration is vital for maintaining patient safety and care quality when technology systems are compromised.

Dameff and Tully also highlight the necessity of having a dedicated governance body or council that regularly meets to review and update incident response plans. They recommend empowering these governance bodies to test response plans through realistic simulations and drills, ensuring all staff, including younger clinicians who may not be familiar with paper records, are prepared to operate effectively without digital tools. Furthermore, Dameff and Tully stress the importance of external collaboration. They advocate for regional and national frameworks that allow hospitals to support one another during large-scale incidents, echoing the need for a strategic national stockpile of technology that can temporarily replace compromised systems.

Adopting a defense-in-depth strategy is critical in creating a layered security posture that can effectively thwart ransomware attacks. This strategy involves securing every layer of the healthcare infrastructure, from the network to the endpoints to the cloud. By ensuring that multiple layers of defense are in place, healthcare organizations can reduce the risk of a successful ransomware attack.

As part of this layered approach for Microsoft customers, Microsoft Threat Intelligence teams actively monitor for adversary behavior. When such activity is detected, a direct notification is provided. This is not a paid or tiered service; businesses of all sizes receive the same attention. The aim is to promptly provide an alert when potential threats, including ransomware, are detected and to assist in taking steps to protect the organization.

In addition to implementing these defense layers, it is crucial to have an effective incident response and detection plan. Having a plan is not enough: healthcare organizations must be prepared to execute it efficiently during an actual attack to minimize damage and ensure a quick recovery. Finally, continuous monitoring and real-time detection capabilities are essential components of a robust incident response framework, ensuring that potential threats can be identified and addressed promptly.

For further information on cyber resiliency in healthcare, the Department of Health and Human Services (HHS) published voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize implementation of high-impact cybersecurity practices. Created through a collaborative public-private partnership process using common industry cybersecurity frameworks, guidelines, best practices, and strategies, the CPGs comprise a subset of cybersecurity practices healthcare organizations can use to strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.

Figure: Steps for restoring operations and strengthening security post-attack: assess impact, restore from backups, rebuild systems, reinforce security controls, and conduct a post-incident review.

Creating a security-first workforce requires ongoing collaboration across disciplines. It's important to break down silos between IT security teams, emergency managers, and clinical staff to develop cohesive incident response plans. Without this collaboration, the rest of the hospital may not be adequately prepared to respond effectively during a cyber incident.

Dameff and Tully underscore the importance of uniting internal teams, such as doctors, emergency managers, and IT security staff, who often work in isolation. Bringing these groups together to design and implement comprehensive incident response plans can prevent operational chaos during attacks.

At the regional level, healthcare organizations should forge partnerships that allow healthcare facilities to share capacity and resources, ensuring that patient care continues even when some hospitals are affected by ransomware. This form of collective defense can also help manage patient overflow and distribute the burden across healthcare providers.

Beyond regional collaboration, national and global information-sharing networks are pivotal. ISACs (Information Sharing and Analysis Centers) such as Health-ISAC serve as platforms for healthcare organizations to exchange vital threat intelligence. Errol Weiss, Chief Security Officer at Health-ISAC, compares these organizations to virtual neighborhood watch programs, where member organizations can quickly share details about attacks and proven mitigation techniques. This intelligence sharing helps others prepare for or eliminate similar threats, strengthening collective defense on a larger scale.
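The report notes above that post-access network reconnaissance can be identified by indicators such as unusual scanning activity, and that continuous monitoring and real-time detection are essential. The following Python script is an added example, not code from the Microsoft report or any of its contributors, showing one way a hospital security team might surface that indicator from ordinary connection logs. The log format, IP addresses, thresholds, and five-minute window are constructed assumptions; the sample traffic is generated inline and is not real data. It goes slightly beyond the text by checking two reconnaissance patterns rather than one: a port scan (one source touching many ports on a single host) and a host sweep (one source touching the same port on many hosts).

```python
"""Flag reconnaissance-style scanning in connection logs.

Added example, not from the report. Assumes a constructed, whitespace-separated
log format: "<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <allow|deny>".
Two indicators are checked per source inside a sliding time window:
  * port_scan:  one source touches many distinct ports on a single host
  * host_sweep: one source touches the same port on many distinct hosts
Thresholds and window are illustrative; tune them against your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source (assumption)
PORT_SCAN_THRESHOLD = 15        # distinct ports on one host (assumption)
HOST_SWEEP_THRESHOLD = 10       # distinct hosts on one port (assumption)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.strptime(ts, TS_FORMAT), src, dst, int(port), action


def detect_scans(lines, window=WINDOW, port_threshold=PORT_SCAN_THRESHOLD,
                 host_threshold=HOST_SWEEP_THRESHOLD):
    """Return one finding per (source, indicator, target), recorded the first
    time the threshold is crossed within the window for that source."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, port), oldest first
    alerted = set()               # keys already reported, to avoid duplicate alerts
    findings = []
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r[0])
    for ts, src, dst, port, _action in records:
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > window:      # evict events older than the window
            q.popleft()
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)
        for d, ports in ports_by_host.items():
            key = (src, "port_scan", d)
            if len(ports) >= port_threshold and key not in alerted:
                alerted.add(key)
                findings.append({"src": src, "indicator": "port_scan", "target": d,
                                 "distinct": len(ports), "detected_at": ts})
        for p, hosts in hosts_by_port.items():
            key = (src, "host_sweep", p)
            if len(hosts) >= host_threshold and key not in alerted:
                alerted.add(key)
                findings.append({"src": src, "indicator": "host_sweep", "target": p,
                                 "distinct": len(hosts), "detected_at": ts})
    return findings


def build_sample_log():
    """Constructed sample traffic (not real data): benign clients reaching an
    EHR application server, then one internal host probing 20 ports on a file
    server and sweeping TCP/445 across 12 hosts."""
    base = datetime(2024, 3, 1, 2, 10, 0)
    events = []
    for i in range(20):                       # benign: 20 clients -> EHR app on 443
        events.append((base + timedelta(seconds=30 * i),
                       f"10.0.7.{10 + i}", "10.0.1.20", 443, "allow"))
    for i, port in enumerate(range(20, 40)):  # vertical scan from 10.0.5.23
        events.append((base + timedelta(seconds=3 * i),
                       "10.0.5.23", "10.0.1.10", port, "deny"))
    for i in range(12):                       # horizontal sweep of TCP/445
        events.append((base + timedelta(minutes=2, seconds=5 * i),
                       "10.0.5.23", f"10.0.1.{100 + i}", 445, "deny"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.strftime(TS_FORMAT)} {s} {d} {p} {a}" for ts, s, d, p, a in events]


if __name__ == "__main__":
    for f in detect_scans(build_sample_log()):
        print(f"{f['detected_at'].isoformat()} {f['src']} {f['indicator']} "
              f"target={f['target']} distinct={f['distinct']}")
```

Run stand-alone, the script reports two findings for 10.0.5.23 (a port scan of 10.0.1.10 and a sweep of port 445) and nothing for the benign client traffic, because counts are kept per source rather than per destination. Raising the thresholds or shrinking the window suppresses both alerts, which is the trade-off a team tunes against its own baseline of legitimate scanner and management traffic.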