The server has been infected with ransomware -- now what?

February 13, 2023
by John R. Fischer, Senior Reporter
Working with international partners, the FBI made headlines in January when it seized control of servers that had been taken hostage by the Hive ransomware group, which has extorted over $100 million from over 1,500 victims worldwide, including hospitals. The agency retrieved decryption keys and gave them to victims so they could decrypt their systems and data, averting hundreds of millions of dollars in ransoms.

Cybersecurity firm Sophos found that 34% of ransomware attacks in 2020 targeted healthcare providers, and in 2021 that percentage jumped to 66%. According to its report, The State of Ransomware in Healthcare 2022, it takes an average of one week and $1.85 million for hospitals and health systems to recover.

Care providers are popular targets because of the amount of sensitive information they hold, which can be sold on the dark web and used for identity theft. They also commonly lack the software infrastructure and personnel training needed to prevent these attacks or respond to them.

Allie Roblee, intelligence analyst for cybersecurity firm Resilience, told HCB News that one major issue making it hard for providers to prevent or combat attacks is the complexity of handling patient data, combined with the lack of a game plan, and of interoperability among different departments, for addressing these incidents.

“Because so much hospital data is regulated, even a minor incident can often have severe legal and fiscal impacts,” said Roblee. “This is why a cyber resilience approach to managing digital risk is critical. Hospitals must not only consider protecting data but also how to deal with successful attacks,” she said.

To pay or not to pay
A multimillion-dollar ransomware crisis may start with one employee opening a malicious email attachment, website link, or text message. A bad actor can send out thousands of emails with a single click, and only one recipient needs to take the bait for the operation to succeed. These phishing tactics are nothing new, but the amount of chaos they can cause has increased dramatically as everything goes digital and malware becomes more sophisticated.

What happens next depends on a range of factors, and experts agree there is no right or wrong answer. What kind of data has been compromised? Do you have access to backup copies? How much money are the hackers asking for? To what extent is the breach compromising patient care?

According to Sophos' survey, although providers paid the ransom more often than any other type of healthcare industry organization (61% of the time), only 2% got back sensitive data with lifesaving value. “It’s easy to say that you shouldn’t pay up — there is no guarantee that you will get your data back and it also incentivizes future attacks. I don’t think you’ll find anyone that will recommend paying,” Chad Waters, senior cybersecurity engineer for device evaluation at ECRI, told HCB News. “But as a very last resort if your disaster recovery fails, some tough decisions may be made.”

Mitigating risks through planning
For preventing cyberattacks, the best offense may be a good defense. The Healthcare Information and Management Systems Society (HIMSS) emphasizes the importance of regular security awareness training for employees. That includes making sure staff understands the potential risks associated with suspicious internet links.

Multifactor authentication, a layered approach in which users must provide two or more authenticators to verify their identity and gain access to a system, is another way to reduce the likelihood of a security breach, according to Waters.

Experts agree that one of the best ways to stay prepared is to implement a cyber incident response plan covering everything from attack prevention strategies and protocols for identifying attacks and containing breaches, to remediating system weak points and setting a recovery timeline for getting systems back online. Part of that plan would include appointing a cybersecurity team to establish a chain of command and to review the cyberattack afterward for actionable insights into preventing the next one.

Although the takedown of a ransomware group should be a cause for celebration, the dangers of an attack are just as real as ever. The health of patients — and a facility’s bottom line — demand vigilance.

“The threat actors and affiliates behind Hive will be back in one form or another,” said Roblee. “The takedown does not affect other groups like LockBit, BlackCat, and AvosLocker that will continue targeting the healthcare industry.”