Ransomware became one of the most significant cyber threats organisations faced in 2020, and the healthcare industry was no exception. PwC analysis found that in the first three months of 2021 there were 25 ransomware attacks against the sector globally. In part, its attractiveness to criminals rests on the necessity of critical healthcare services — cyber actors believe executives will do anything to bring operations back online, including paying ransoms.*
The average cost to an organisation to rectify the impacts of recent ransomware attacks (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is over AU$900,000.1 But the severity of these attacks cannot be attributed to a dollar figure alone, in the case of healthcare, hospitals have had to turn away those requiring care2 as well as suffer the tragic death of patients.3
Cybercriminal groups are evolving their tools, techniques, and procedures (TTPs), while the number operating in the space is increasing. In a trend that has become the norm amongst multiple cybercriminal threat actors, tactics too have changed, and ransomware operators no longer merely encrypt their victim’s systems and then demand ransom, but will also steal sensitive information to further coerce victims into paying.
A prime target
The health sector is a prime target4 for cyber criminals due to the criticality of its services and potential threat to human life. There is, understandably, increased pressure on organisations to maintain and, if disrupted, rapidly restore business continuity, not to mention the need to uphold public trust. Not only are health executives more likely to pay for these reasons, the value of the accessed information is also incredibly high — from intellectual property on technology and research, particularly those relating to COVID-19 vaccine research and development, to personal or sensitive data that can be on sold to other parties for blackmail purposes.
The IT landscape of health organisations doesn’t help. A prevalence of Information Technology (IT) and Operational Technologies (OT) exists often relying on legacy technology. Over 22 percent of healthcare organisations continue to use legacy and end-of-life systems without vendor support and a further 26 percent which are unaware of any support.5 There are often low cyber controls and capabilities maturity due to low level of investments in cybersecurity uplifts at an enterprise level — cyber literacy in healthcare is lower, with digital adoption rates in healthcare trailing many other industries.
The nature of the healthcare industry means that it relies on an extensive network of suppliers, vendors and partners for day-to-day operations. Threat actors often use organisations with weaker cybersecurity protocols as a back door to the ultimate targets. This is especially poignant given the significant coordination of organisations across supply chains as vaccine campaigns roll out. The rapid and unplanned increase in usage of virtual care technologies due to COVID-19 further increases the attack surface available.
How to prepare
Cybersecurity responsibility doesn’t sit with just the executives and the board — it is every employee’s responsibility and, as such, everyone in the ecosystem has a role to play in addressing these challenges. The following range of activities will help organisations to prepare:
- Have an enterprise wide ransomware plan ready and tested. Ransomware readiness and recovery plans, and playbooks must take account of technical, operational, legal, regulatory, insurance, reputational, and revenue implications. Think of the response plan within your resilience framework, and assess your resilience maturity.
- Executive and Board visibility. Be transparent with executives, the board and business partners alike in order to engender trust about the current state of legacy technology, cybersecurity posture and cyber incident response plan. Engage the COO, CMO, CISO and CIO in developing and executing these strategies. Get the CFO’s buy-in for any spending or investment needed to manage the impact.
- Rapidly detect and contain incidents before they escalate. As the deployment of ransomware is the final stage of an attack that may have lasted months, there are almost always opportunities to detect and contain these attacks before data is encrypted or stolen. By effectively detecting and containing ‘commodity malware’ infections, organisations can also prevent opportunities for the ransomware attackers to gain access in the first place.
- Up to date endpoint detection solutions. Ensuring you have an up to date endpoint detection and response technology can help SOC’s and security teams respond to ransomware threats in a timely manner.
- Disable macros in Microsoft Office where possible. Disable the use of Microsoft Office macros for users that don’t require them, and only allow the use of digitally signed macros for all other users. Macros originating from files from the internet should be blocked, and macro antivirus scanning used.
- Build a cyber conscious workforce. Basic user education and tailored cyber training for doctors, hospital staff, clinicians, security specialists etc. is a vital control in protecting against a number of cyber threats, not just ransomware. Your workforce needs to be made aware of and trained to detect a threat so they’re less likely to access malicious hyperlinks.
- Ensure operating systems and software are regularly patched. This should be done automatically where possible. Additional care should be taken ensuring internet-facing devices are configured properly, with security features enabled. Information about enabling software updates can be found on the Australian Cyber Security Centre’s website.6
- Back up computers, phones and other devices regularly, choosing automatic backups where possible. Backups need to be kept separately from the network, on separate devices, or using a cloud service. Disconnect external storage after backups are created to avoid backups also being encrypted. Ensure staff know how to restore files from backups and practice restoration regularly.
- Implement network segmentation and segregation. Health providers should review their networks to establish where their most valuable or sensitive information is stored and identify critical parts of their system. They need to review operational control systems and apply appropriate cybersecurity measures proportionate to the risk of compromise. With network segmentation, you can better isolate an incident, reduce attack surface and prevent propagation of ransomware, for example.
- Implementing multi-factor authentication. Adding an additional layer of authentication for any remote access can prevent malicious actors using compromised details to access a network, and is particularly important when an organisation is relying on remote desktop access.
The new cyber normal
Looking beyond the COVID-19 pandemic and eventual recovery, it is unlikely that the rise in ransomware attacks will slow down. The increasing trend of digital transformation in the sector will introduce a new host of integrations with other vendors, suppliers and service providers, and in doing so will increase the attack surface for supply chain ransomware attacks. More than ever, it will be important for healthcare innovation to consider security as a priority, as any vulnerabilities can and will be exploited by cyber criminals.
* The Australian Cyber Security Centre (ACSC) and PwC recommend never to pay a ransom demand.7
This is an edited version of an article originally appearing in PwC’s Health Matters publication.
