How Healthcare Organizations Can Prepare For Upcoming Ransomware Attacks

In response to the recent joint ransomware advisory published by the FBI, Health and Human Services, and the Cybersecurity & Infrastructure Security Agency, Ascent recommends that healthcare organizations immediately take the following steps to prepare for the coming ransomware attacks.

Working together, IT and cybersecurity teams should consider this their top priority, as we do not want to see another tragic situation as happened in Germany earlier this year, where a patient was turned away from a hospital affected by ransomware. The patient died hours later.

  • Print hard copies of your organization’s incident response plan and disaster recovery plan, and distribute them to key staff with the understanding those documents should be taken home today
  • Verify that you have up-to-date contact information for your organization’s cyber insurance provider and your general counsel
  • Call your cyber insurance provider and ask for a list of preferred DFIR (Data Forensics Incident Response) providers and provide that list to counsel
  • Document the decision for who at your organization has authority to involve an external DFIR provider, and if that is initiated via legal, insurance, or self-funding
  • Consider curtailing IT and cybersecurity staff holidays for the next couple of weeks and confirm that your on-call rotation schedule is up to date
  • Verify that your backup strategy follows the 3-2-1 rule: three copies of critical data retained on two different types of media with one of them stored offline
  • Have your IT team confirm you have up-to-date gold images for servers and workstations, and that offline copies of these are stored on at least two types of media
  • Confirm that your IT patching system is deploying critical and important patches to your systems based on system criticality and known exploits, including servers, endpoints, and infrastructure such as perimeter security devices
  • Implement risk-based multifactor authentication for privileged users to mitigate the risks of credential stuffing attacks and lateral movement
  • Use network filtering to block access to domains registered in the past week
  • Confirm that your Security Information and Event Management (SIEM) system has adequate storage capacity and that your analysts have well-defined triage procedures for events
  • Verify that your netflow data includes outbound internet traffic that could identify any sudden increases in data (indicating potential exfiltration of PHI)
  • Use the indicators of compromise published by CISA to automate threat hunting in your network environment

While extensive, this is not a complete list of actions organizations should be taking. Our initial set of recommendations will help to mitigate the immediate risks of a ransomware attack. Continuous planning based on risks will help to support long-term cybersecurity resiliency despite these sustained and evolving adversarial threats to the well-being of our communities. And if this seems like an insurmountable burden at the end of a stressful and difficult year, know that we can help. From on-the-spot incident response to strategic resiliency planning, we can help firms reduce business risk and bolster their overall security posture. Contact us to get started.

By Kayne McGladrey

Security Architect / Strategy and GRC Practice Lead