Last month the U.S. government released an alert that—unfortunately—confirmed something that many of us had already been detecting: a sharp uptick in ransomware attacks directed against healthcare organizations.
The alert, prepared by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), notes that “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
It was interesting to see the alert specifically make mention of the pandemic: “These issues will be particularly challenging for organizations within the COVID-19 pandemic …” I took special note of this in that it underscores the fact that hackers thrive in chaos, and COVID-19 has caused enormous chaos throughout healthcare systems—not only in the ICU, but also in finding ways for hospital personnel, including IT security, to stay completely engaged even when many are working from home.
As a lifelong fan of William Shakespeare (and as a member of the Board of Directors for the Orlando Shakespeare Theater) I’ve always been amazed by how words written 400 years ago still resonate with truth and perception today. In this case I’m thinking of love-wrought Romeo declaiming about “misshapen chaos of well-seeming forms,” words that could be used to describe the environment in which ransomware thrives.
I work with many healthcare organizations and hospitals, and so don’t want them to take umbrage at the mention of chaos, but COVID-19, now ramping upwards into what has been called our forthcoming “dark winter,” will certainly create challenges that simply haven’t been experienced—making the first wave just a dress rehearsal. And now enter what Shakespeare termed “well-seeming forms,” which could most certainly describe the socially engineered e-mails and phone calls that bad actors use to phish their way into a hospital’s IT network.
In the past I’ve written about the need for creating a culture of security to prevent social engineering attacks, about security best practices, and about training your team to recognize security threats. Today I would like to provide a picture of just how formidable the adversary is that healthcare organizations—and others—are up against.
My work in security allows me to hear a lot of first-hand stories of just how bad actors—whether cybercriminals or foreign state actors—are able to worm their way into an organization’s network. If someone wants to break into your network, they only need to visit your website (or tap into a search engine) to learn the name of your CTO, CIO, CFO, or any other CxO whose name they may want to drop when making an urgent-sounding phone call. “I’m working with [insert CIO name here] and we are doing final work on the presentation. We need to get into . . .”
In other cases, a bad actor might even make arrangements for a specific time. “I’m with IT and we’re updating an application. Can I schedule a time to work with you at 4?”
Or just sticking with e-mail, the bad actor can send an e-mail to the CFO, for example, and say something like: “I think we were double-billed for this. Could you open the attached and let me know?”
Hackers could invite radiologists to speak at a conference. “Click here to register.” They could send nurses “coupons” for free appreciation dinners. It goes on and on. That is why it’s hip to be paranoid, or at least extremely cautious.
Effective Backups Set You Free
Organizations should never pay ransom. And the absolute get-out-of-jail-free card for an attempted ransomware attack is to have multiple protected backups of your data and applications, ready to deploy if needed. The shocking reality is that, especially with smaller healthcare organizations—those that can’t afford a world-class 24×7 security team—backups can be so poorly executed as to be all but useless.
CSO Online just a few days ago published an article, “How to protect backups from ransomware,” that describes how some ransomware will also encrypt files carrying backup extensions. This is especially easy when the backed-up data is on the same network as the line-of-business data—which is not where it should be stored.
A Guide to Staying Safe
OK, here are some tips (that I beg you to employ) for keeping your data safe:
- Please . . . Back Up . . . Extensively. Organizations should have a synchronized backup plan that includes multiple copies stored on multiple sites—including cloud-based and other offsite locations. If your only backups are on the same network that got hacked into, they will likely be encrypted along with all of your other data. So be securely redundant.
- Back Up Your Applications as Well as Your Data. If you need to begin anew to escape a ransom demand, your time offline will be greatly reduced if you are able to restore the complete—and up-to-date—operational environment, as well as the data.
- Encrypt your Data In Motion and At Rest. I always encourage our clients to employ encryption as part of their backup and disaster recovery plans. Data should be encrypted before it is transmitted to each backup resource, and remain encrypted until needed. That way, if it is intercepted en route, or hacked into while in storage, there is nothing for the hacker to steal.
- Encryption Can’t Protect Against Ransomware. While encryption protects hacked documents from being read, it’s important to realize that encryption can’t protect your encrypted files from being encrypted again by ransomware.
- War game it. Something that we do internally is to practice on a regular basis what we would do for specific customers if they were to call with a ransomware attack or some other event from which we needed to help them recover. Having a well-tested plan slashes response time.
- Educate, Educate. This goes back to the first days of phishing. The weakest link in a network’s cyber protection is generally the employees making use of it. Just because a phone caller says he’s from your IT group doesn’t mean that he actually is. Never give out your password. And on and on. Implement a solid security education program that shows employees how to respond to the spectrum of phishing attempts they are likely to be subjected to. And repeat on a regular basis.
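One concrete way to act on the backup tips above (multiple copies on multiple sites, and catching backup files that ransomware has silently encrypted on the same network) is a manifest check that is part of the regular “war game” drill. The following is an added example, not code from the original post or from Computer Business Consultants; the site names, file names and contents are constructed, and the manifest is assumed to be kept somewhere the production network cannot overwrite.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a backup artefact in chunks so large images don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_dir: Path) -> dict:
    """Record every artefact's hash at backup time (store this off the LAN)."""
    return {p.name: sha256_file(p) for p in sorted(site_dir.iterdir()) if p.is_file()}


def verify_sites(manifest: dict, sites: list, min_copies: int = 2) -> dict:
    """Count intact copies of each artefact across sites; a copy whose hash
    no longer matches is reported as tampered (e.g. re-encrypted by ransomware)."""
    report = {}
    for name, digest in manifest.items():
        entry = {"intact": 0, "tampered": [], "missing": []}
        for site in sites:
            copy = site / name
            if not copy.exists():
                entry["missing"].append(site.name)
            elif sha256_file(copy) != digest:
                entry["tampered"].append(site.name)
            else:
                entry["intact"] += 1
        entry["ok"] = entry["intact"] >= min_copies
        report[name] = entry
    return report


def demo() -> dict:
    """Constructed scenario: an on-prem copy and an offsite copy of two backups;
    the on-prem database backup is then overwritten, as a same-network
    ransomware event would do, and the check has to notice."""
    root = Path(tempfile.mkdtemp())
    onprem, offsite = root / "onprem", root / "offsite"
    for site in (onprem, offsite):
        site.mkdir()
        (site / "ehr-db.sql.bak").write_bytes(b"constructed db dump")
        (site / "app-image.tar.gz").write_bytes(b"constructed app image")
    manifest = build_manifest(offsite)            # taken before the incident
    (onprem / "ehr-db.sql.bak").write_bytes(os.urandom(32))  # simulated damage
    return verify_sites(manifest, [onprem, offsite])
```

Run `demo()` as part of a drill; any artefact with `"ok": False` is one you could not restore from at least two independent sites.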
Clinton Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees and has a strong affiliation with education, having served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves on the Board of Directors for the Orlando Shakespeare Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce and the Orlando Economic Partnership.