One in three healthcare organizations around the world experienced ransomware attacks in 20201. Since then, ransomware attacks in healthcare have increased2, with more than during the first half of 20213. What’s even more concerning is that ransomware tactics are evolving, reinforcing the need for continuous vigilance. Some of the latest tactics involve cybercriminals licensing tools to inflict ransomware, resulting in ransomware-as-a-service offerings that allow novice cybercriminals to launch sophisticated ransomware attacks4.
For hospitals, the impact of ransomware extends beyond financial losses and reputation damage. Rendering medical devices inaccessible can impact patient safety. Even blocking access to electronic medical records can put patients at risk when healthcare providers are unable to access critical health information such as patients’ medications and medical histories.
Given the frequency of cyberattacks in healthcare, reducing ransomware risks was a recurrent theme during a recent panel discussion BD hosted at the 2021 Health Information and Management Systems Society (HIMSS) conference. While discussing cybersecurity attacks in healthcare, three best practices for reducing ransomware risks at hospitals emerged:
Train staff to recognize threats
From phishing emails to suspicious activity within the hospital, training staff to recognize and report potential red flags is essential. Glenn Hilburn, RN, MBA, CHCIO, Vice President of Information Technology for Grady Health System noted that phishing emails are still recognized as the most common method of malware payload delivery, increasing the need for meaningful cybersecurity awareness training.
“Phishing training campaigns are vital to protecting an organization,” Hilburn said. “These types of practices should be a routine occurrence, as it is imperative to keeping the issue at the forefront of users’ minds and influencing their resulting actions.”
Rosemary Kuca, RN, MS, Director of Ancillary IT Clinical Systems for Catholic Health System, also noted the importance of educating employees and teaching them to recognize when they are being targeted. She added, “It’s the proverbial ‘see something, say something’ approach.”
Kuca also recommends positive reinforcement when employees take action and prevent possible cyberattacks.
“We have a reward program that recognizes what we refer to as ‘a good catch,’ such as preventing injury to a patient by recognizing something and calling an alert,” she said.
Proactively manage technology systems and software
Unpatched systems provide another avenue for threat actors. However, particularly in healthcare, keeping systems up to date and patching cybersecurity vulnerabilities has become increasingly complex. As Hilburn said, “Procuring technology is the easy part. Managing it well is what separates more secure organizations from their weaker peers.” He added, “In my organization, we have made upgrading and removing end-of-life systems wherever possible an absolute imperative.”
Along with hardening technology to industry standards and patching software in a timely fashion, BD CISO Rob Suárez recommends using network segmentation to reduce ransomware risks.
“If you don’t need a particular type of system connected to or adjacent on the network to your email servers,” he advised, “segment them away from other traditional IT assets.”
Plan for ransomware attacks
Finally, guarding against potential ransomware attacks is not enough. To be resilient, hospitals must also prepare as though an attack is imminent. Suárez encourages all organizations to take advantage of ransomware resources available through the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA)5 and to test their business continuity, disaster recovery and broader incident response plans routinely. He noted, “If a system or process is fundamental to your business and to serving your patients, then it’s worth testing.”
Hilburn also recommends conducting tabletop exercises to simulate and practice how your organization would respond to an actual ransomware attack. In addition, he advises organizations to plan how they would communicate to staff and patients.
“In times of stress,” he added, “you have less time to think strategically. Tabletop exercises allow you to prepare for that in advance, so you will have a playbook ready when something occurs.”
Along those lines, Kuca advises healthcare providers to store contact information for all vendors. She said, “We make sure we have a mechanism to get in touch with vendors, beyond email or a corporate phone number. If you can’t reach someone by email or phone because their systems have been shut down, it makes it very difficult to assess the risk to your organization.”
Providing meaningful cybersecurity awareness training, keeping systems and software up-to-date, and planning ahead for ransomware attacks can help hospitals be resilient when an attack happens. What’s at stake is the safety and wellbeing of patients.
For more information about protecting cybersecurity in healthcare, register for Health system cybersecurity: thought leaders in dialogue, a two-part virtual event planned for October 26, 2021, hosted by BD Medication Management Solutions in recognition of Cybersecurity Awareness Month.
1 Pifer R. More than 1/3 of health organizations hit by ransomware last year, report finds. Healthcare Dive. https://www.healthcaredive.com/news/more-than-13-of-health-organizations-hit-by-ransomware-last-year-report-f/602329/. Published June 24, 2021. Accessed September 22, 2021.
2 Davis J. Ransomware Keeps Healthcare in Crosshairs, Triple Extortion Emerges. Health IT Security. https://healthitsecurity.com/news/ransomware-attacks-surge-102-in-2021-as-triple-extortion-emerges. Published May 14, 2021. Accessed September 24, 2021.
3 Bracken B. Ransomware’s New Swindle: Triple Extortion. Threatpost. https://threatpost.com/ransomwares-swindle-triple-extortion/166149/. Published May 14, 2021. Accessed August 17, 2021. Accessed September 24, 2021.
4 Ransomware as a Services (RaaS) Explained. Crowdstrike. https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/. Published January 28, 2021. Accessed August 24, 2021.
5 CISA’s CSET Tool Sets Sights on Ransomware Threat. Cybersecurity & Infrastructure Security Agency. https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat. Published June 30, 2021. Accessed September 22, 2021.