Crucial First Steps After a Healthcare Ransomware Attack


Attackers have grown more sophisticated in recent years, using ransomware to halt operations and extort payment. Healthcare systems are especially attractive targets because they hold sensitive patient and customer data and because downtime directly threatens patient care, which puts pressure on the victim to pay quickly.

Knowing how to respond to a ransomware attack is essential for data recovery and patient protection. An organization's first steps determine how well it recovers from a breach and how quickly it can move on to strengthening its security.

Here is how prevalent ransomware has become in healthcare, the essential steps for an emergency response and how to prevent future incidents.

Prevalence of Ransomware Attacks on Healthcare Systems

Ransomware attacks in healthcare have been on an upward trend for years. One study covering January 2016 to December 2021 identified 374 ransomware attacks on U.S. healthcare delivery organizations, exposing the personal health information of nearly 42 million patients.

Over that period, the annual number of attacks more than doubled, from 43 in 2016 to 91 in 2021, and 44.4% disrupted the delivery of care through downtime of electronic systems. Some attacks also diverted ambulances and disrupted appointment scheduling.

As of May 2023, there had already been 15 ransomware attacks on U.S. healthcare systems that year, and attackers stole data in 12 of the 15 cases.

In late September 2020, a ransomware attack on Universal Health Services affected nearly 400 locations nationwide, one of the largest cyberattacks on a U.S. healthcare provider to date.

Although UHS restored much of its pharmacy and electronic health record data within days thanks to a 24-hour backup protocol, the damage was done: the company reported a $67 million impact from recovery costs, labor and lost operating revenue.

7 Steps for Emergency Ransomware Response

The first steps taken after an attack is discovered matter most. Healthcare organizations should take the following measures to secure their systems, restore data and protect patients and customers.

1.    Contain the Attacked Systems

The instinct after a breach may be to wipe the affected machines and start over. However, preserving evidence is vital to understanding how the attackers got in, what they touched and, where possible, who they are. Isolate rather than erase: disconnect compromised hosts from the network instead of powering them off or reimaging them, so that memory, logs and the encrypted files remain available to investigators.

First, identify the compromised servers and endpoints so the infection cannot spread to more devices. Cutting internet access, disabling remote access paths such as VPN and RDP, and resetting passwords, starting with privileged and service accounts, are among the immediate measures organizations can take.

2.    Assess the Breached Data

Ransomware usually announces itself: a ransom note appears on screen or in affected folders, telling users their files are locked and how to pay for a decryptor. Files renamed with an unfamiliar extension appended (such as ".locked") and files that no longer open in the application that created them are other signs. Do not rely on the note alone, though. Encryption is typically the last stage of the intrusion, and attackers may have been inside the network, copying data out, for days or weeks beforehand.

It's important to determine whose data was affected, whether patients, employees or vendors, and how severely, including what information the attackers accessed or took. This could include payment card numbers, email or mailing addresses, dates of birth or medical records.
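Scoping the damage in this step is largely file-system triage: find the ransom notes and the renamed or in-place-encrypted files, then work out which shares or departments they belong to. The script below is an added example, not tooling from the article or from any vendor it mentions. It walks a directory tree and applies three heuristics: ransom-note filenames, appended extensions such as ".locked", and high byte entropy in formats that should be plain text (HL7 message files are included because they are common in healthcare). The indicator lists and the sample file tree are constructed assumptions for the demo, not a complete signature set; treat hits as leads for the forensic team, and run it against a mounted image or read-only copy rather than the live host so it does not disturb evidence.

```python
import math
import random
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed indicators drawn from common ransomware behaviour: illustrative,
# not a complete signature set, and expect some false positives (a normal
# README.txt will match the note pattern). Hits are leads, not proof.
NOTE_NAME_RE = re.compile(r"(decrypt|restore|recover|ransom|read[_\- ]?me)", re.I)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
ENCRYPTED_SUFFIX_RE = re.compile(r"^\.(locked|lock|crypt|crypted|encrypted|enc|[0-9a-f]{6,})$", re.I)
# Formats that should be readable text; near-random bytes there mean the
# file was encrypted in place without being renamed.
TEXT_LIKE_SUFFIXES = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".hl7"}
ENTROPY_THRESHOLD = 7.5  # bits per byte: plain text ~4-5, ciphertext close to 8
SAMPLE_BYTES = 4096      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> Optional[str]:
    """Label a file 'ransom_note', 'renamed' or 'encrypted_in_place', else None."""
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return None
    # Ransom note: small text file whose name advertises decryption/restoration.
    if (suffixes[-1] in NOTE_SUFFIXES and NOTE_NAME_RE.search(path.stem)
            and path.stat().st_size < 16 * 1024):
        return "ransom_note"
    # Renamed victim: original extension kept, attacker's extension appended.
    if len(suffixes) >= 2 and ENCRYPTED_SUFFIX_RE.match(suffixes[-1]):
        return "renamed"
    # Encrypted in place: a text format whose leading bytes look like ciphertext.
    if suffixes[-1] in TEXT_LIKE_SUFFIXES:
        with path.open("rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                return "encrypted_in_place"
    return None


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root and bucket suspicious files by indicator (paths relative to root)."""
    findings: dict[str, list[str]] = {"ransom_note": [], "renamed": [], "encrypted_in_place": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        kind = classify_file(path)
        if kind:
            findings[kind].append(path.relative_to(root).as_posix())
    return findings


def affected_directories(findings: dict[str, list[str]]) -> list[str]:
    """Top-level directories (shares, departments) with at least one hit."""
    return sorted({p.split("/", 1)[0] for paths in findings.values() for p in paths})


def build_sample_tree(root: Path) -> None:
    """Constructed sample share: radiology untouched, pharmacy hit (not real data)."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    (root / "radiology").mkdir()
    (root / "radiology" / "schedule.csv").write_text("mrn,time\n1001,08:00\n1002,08:30\n")
    (root / "pharmacy").mkdir()
    (root / "pharmacy" / "orders.csv").write_text("mrn,drug\n1001,metformin\n")
    (root / "pharmacy" / "orders.csv.locked").write_bytes(noise)  # renamed and encrypted
    (root / "pharmacy" / "labs.hl7").write_bytes(noise)           # encrypted in place
    (root / "pharmacy" / "HOW_TO_RESTORE_FILES.txt").write_text("Your files are encrypted.\n")


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and print the scoping summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_tree(root)
        for kind, paths in findings.items():
            print(f"{kind:19}: {paths}")
        print("affected directories:", affected_directories(findings))
        return findings


if __name__ == "__main__":
    demo()
```

The entropy check is what catches families that encrypt files without renaming them, which the note and extension heuristics miss; the trade-off is that already-compressed formats (archives, images, Office documents) are legitimately high-entropy, which is why only text-like extensions are tested. Point `scan_tree` at the mount point of each share to get a per-department picture of what was hit.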

3.    Back up the Affected Data

Data that was never backed up can be lost outright in a ransomware attack, and data that was backed up can only be restored once the ransomware has been removed from every affected system. Before cleanup begins, take a copy of the encrypted files and the ransom note: they are evidence, and if a decryptor for that strain becomes available later, the copies can still be recovered. Just as important, verify that existing backups are intact and disconnect them from the network so the ransomware cannot reach them.

Organizations that did not previously keep backups, whether in the cloud or on separate storage, should put them in place before the next attack, and keep at least one copy offline or otherwise unreachable from the production network.

4.    Report the Attack

Law enforcement may be able to help identify the perpetrators and, in some cases, recover stolen data or funds, although this cannot be counted on. Organizations should also report the incident to the Cybersecurity and Infrastructure Security Agency (CISA).

A complaint can be filed online with the FBI's Internet Crime Complaint Center (IC3), which asks for the victim's name and contact details, relevant financial information and a description of the incident. For time-sensitive emergencies, contact the local FBI field office or local law enforcement directly.

Organizations should also contact their cyber insurance carrier early. Many policies require prompt notification and provide incident response, legal and negotiation resources.

5.    Inform Affected Parties

Leaders must inform staff of the breach and of the procedures and authorizations now in force, for example which systems may be used and who may approve restores. If the email system itself may be compromised, use an out-of-band channel such as phone or text messaging, since attackers who still have access could read or disrupt the notice.

Healthcare organizations should err on the side of transparency with patients. Set up a customer service hotline to field calls and answer questions about the breach. In the U.S., the HIPAA Breach Notification Rule also requires notifying affected individuals and the Department of Health and Human Services without unreasonable delay, and no later than 60 days after discovery. The more honest an organization is in its communication, the better its chance of maintaining positive and professional relationships.

6.    Restore Data

If the affected files cannot be decrypted, restoring from backup is the only way to recover the data, and it should happen only after the ransomware has been removed from every affected system. Restoring onto a still-infected host simply gets the restored data encrypted again.

Decryptor tools, where they exist, are specific to the ransomware family, so the organization needs to identify the strain used, typically from the ransom note and the appended file extension. Free decryptors are available for some families, but many current strains have none.

Of course, backups only help if they exist and survived the attack. Otherwise, the information may be lost for good.

7.    Upgrade Security Measures

Once systems are recovered, organizations should close the gap the attackers used, for example by patching the exploited software, removing exposed remote access or adding stricter access controls, rather than only restoring what was there before.

IT departments should also review and update their response procedures using what the incident revealed, so that future threats are contained faster.

Preventing Future Ransomware Healthcare Breaches

The healthcare industry can take several measures to prevent future ransomware attacks and other security breaches, including the following:

  • Develop an organizational plan for identifying and containing ransomware attacks. This should include steps for reporting the issue to officials and notifying patients about potential data exposure.
  • Offer regular cybersecurity training to employees so they are equipped with the tools and best practices to prevent cyberattacks and phishing scams.
  • Automate software updates and regularly review security configurations.
  • Keep backups in the cloud or offline, isolated from the production network, so that data can be recovered during future attacks without the backups themselves being encrypted.
  • Segment crucial medical devices from broader networks to prevent ransomware from spreading.
  • Add security controls like firewalls, multifactor authentication, intrusion detection systems and data loss prevention solutions.

Organizations should avoid paying the ransom. Payment does not guarantee a working decryptor or the deletion of stolen data, and it funds further attacks. Work with law enforcement instead.

Improve Healthcare System Recovery During Ransomware Attacks

How an organization responds to a ransomware attack is critical in healthcare. The faster the response, the better the outcome for organizational data, assets and patient privacy. Organizations should upgrade their protocols and security measures to keep cybercriminals from disrupting patient services.

By Zac Amos, rehack.com