Stop Ransomware Bleeding in the Healthcare Sector

Last week’s Joint DHS, FBI, and HHS ransomware advisory for the U.S. healthcare and public health sector and the 2019 FDA warning on software risks to medical devices indicate the growing severity of cyber threats to healthcare systems. This article provides actionable recommendations to help secure your organization’s networks, Protected Health Information (PHI), Electronic Health Records (EHR), and personally identifiable information (PII).

Multiple U.S. and Canada-based hospitals have recently confirmed ransomware attacks, including Universal Health Services (UHS), one of the largest U.S. health systems. Additionally, more than 400 U.S. hospitals may be targeted for additional attacks.

Cyber attacks in the healthcare sector, particularly ransomware campaigns, have delayed medical treatment, resulting in death, and have forced medical offices to close permanently. Some attacks have shut down hospital systems and labs. Others have impacted critical machines and other types of medical equipment, including heart monitors and MRI machines, for weeks at a time.

How is your organization managing the risk of stalled operations, high recovery costs, and sensitive data exposures from a ransomware attack?

Proactively Manage Ransomware Risk

The following six cybersecurity best practices are a starting point for managing ransomware risk in your organization:

  1. Implement a Fully Automated Recovery Scheme: One approach is to use an orchestration platform and create scripts to automatically rebuild servers, containers, and applications. Depending on the scripts, this could run daily to produce fresh, patched builds. Tools and platforms for this approach include Jenkins, Ansible, CircleCI, Puppet, Chef, Bamboo, GitLab, and Python for deeper customization. Carefully consider your organization’s unique needs, risk tolerance, and data history requirements. A rotating offline backup tape scheme may also be useful.
  2. Separate Internet of Medical Things (IoMT) Devices from the Main Network: Sequester IoMT devices on a separate network. IoMT devices for managing assets, personnel, and patient flow should not have access to sensitive devices or servers on internal networks. Refrain from placing IoMT devices on the open Internet. Put them behind a firewall to avoid external access. Change default IoMT device credentials before connecting them to the Internet. Update devices with current firmware releases either by enabling an auto-update or periodically checking the manufacturer’s website for updates.
  3. Conduct a Cybersecurity Assessment Focused on Data Protection: Security costs are increasing. The virtual landscape is becoming increasingly dynamic and interconnected. A cybersecurity assessment and strategy helps your organization maximize cyber investment by driving resource planning decisions in line with business needs while meeting local, federal, and international legal compliance.
  4. Separate Operational Technology (OT) and Information Technology (IT) Systems: IT and OT systems have distinct vulnerabilities, risk implications, and required skillsets. As such, the risk approach and segmentation for each type of system should be distinct. Zero Trust and Software Defined Perimeter (SDP) can support segmentation. Separate OT networks from IT systems and the Internet as much as possible.
  5. Build Security into DevOps: Using LEAN and DevOps approaches significantly increases security when done correctly. These approaches help your organization reduce waste and costs, quickly pivot from an attack, and make other risk-reducing decisions. Read more at DevSecOps.org and Understanding the Differences Between Agile & DevSecOps – from a Business Perspective.
  6. Ensure Your Business Continuity/Disaster Recovery (BC/DR) Plan is Up to Date: Does your organization have a recently tested BC/DR plan? What does your computer incident response capability look like? How quickly could your organization rebuild its IT systems following a successful attack? Your BCP should include strategies and procedures for the people, processes, and infrastructure supporting your critical business operations in the event of a disaster.
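
The segmentation and device-hygiene checks in practices 2 and 4 (dedicated IoMT network, no reach into clinical servers, no Internet exposure, no default credentials, current firmware) can be turned into a repeatable inventory audit. The script below is an added example written for this article, not code from the advisory or from any vendor; the subnet plan, device names, addresses and the inventory fields are all assumptions constructed for illustration.

```python
"""
Constructed example: audit an IoMT device inventory against the segmentation and
hygiene practices discussed above. Subnets, device names and addresses are
assumptions for illustration only, not real infrastructure.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed network plan: IoMT devices on their own VLAN, EHR/PHI servers on another.
IOMT_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]
CLINICAL_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]


@dataclass
class Device:
    name: str
    kind: str                        # "iomt" or "server"
    ip: str
    internet_exposed: bool = False   # reachable from the open Internet
    default_creds: bool = False      # vendor default credentials still in use
    firmware: Optional[str] = None   # dotted numeric version, e.g. "1.2.0"
    latest_firmware: Optional[str] = None
    allowed_peers: List[str] = field(default_factory=list)  # CIDRs the firewall lets it reach


def _version(v: str):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def audit_device(d: Device) -> List[str]:
    """Return the hygiene findings for one device; an empty list means compliant."""
    findings = []
    if d.kind == "iomt" and not _in_any(d.ip, IOMT_SUBNETS):
        findings.append("iomt-not-on-dedicated-network")
    if d.kind == "iomt":
        # Any firewall allowance that overlaps the clinical network is a finding.
        for peer in d.allowed_peers:
            peer_net = ipaddress.ip_network(peer, strict=False)
            if any(peer_net.overlaps(c) for c in CLINICAL_SUBNETS):
                findings.append("iomt-can-reach-clinical-network")
                break
    if d.internet_exposed:
        findings.append("internet-exposed")
    if d.default_creds:
        findings.append("default-credentials")
    if d.firmware and d.latest_firmware and _version(d.firmware) < _version(d.latest_firmware):
        findings.append("firmware-outdated")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings (devices with none map to [])."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one compliant pump, one badly placed monitor,
# one Internet-facing gateway, and a clinical server that is not an IoMT device.
SAMPLE_INVENTORY = [
    Device("infusion-pump-01", "iomt", "10.50.3.12", firmware="2.4.1",
           latest_firmware="2.4.1", allowed_peers=["10.50.0.5/32"]),
    Device("patient-monitor-07", "iomt", "10.10.8.40", default_creds=True,
           firmware="1.2.0", latest_firmware="1.3.2", allowed_peers=["10.10.0.0/16"]),
    Device("badge-reader-gw", "iomt", "203.0.113.10", internet_exposed=True,
           firmware="5.0.0", latest_firmware="5.0.0"),
    Device("ehr-db-01", "server", "10.10.0.5"),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {'OK' if not findings else ', '.join(findings)}")
```

Run as-is it reports the sample inventory; in practice the inventory would be exported from an asset-management or NAC system and the findings fed into the same ticketing the rest of the vulnerability-management process uses, so that a device still on vendor credentials or sitting on the clinical VLAN is tracked to closure rather than rediscovered at the next assessment.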

What to Do If You Are Attacked

If you are attacked and can recover, be sure to patch your systems before you go live again. Update anti-malware and conduct a security review or assessment to help identify any remaining vulnerabilities.

If you have not started already, begin developing your employees into your first line of ransomware defense by providing anti-phishing training and awareness to help prevent future attacks.

Cyber attacks are impacting the quality and urgency of care for patients and forcing healthcare organizations to pay substantial investigation and recovery costs. These best practices can serve as a starting point for managing ransomware risk in the healthcare sector.

Connect with GPSG’s Cybersecurity experts at cyberteam@gpsg.co, we look forward to helping protect your organization’s Protected Health Information (PHI), Electronic Health Records (EHR), and personally identifiable information (PII).

Disclaimer: This website provides ever-changing content, conversations, and insights on cyber threats and trending solutions that are accurate to the best of our knowledge. Although we are cybersecurity experts, we provide information which we hope is helpful, and do not endorse any specific products, tools, or solutions referenced herein. Consult with your cybersecurity team before taking any action.