Ten Ways Hospitals Can Prepare for Ransomware Attacks

Author: ISACA
Date Published: 21 December 2020

The COVID-19 pandemic has resulted in a surge of ransomware attacks focused on one target in particular: hospitals. To help combat this trend, ISACA® has provided a tip sheet with 10 key actions hospital cybersecurity teams can take to protect hospitals and their data from ransomware attacks while continuing to provide uninterrupted patient care:

  1. Understand risk profiles—Like most organizations, hospitals should have their risk assessed to accurately prepare for potential attacks. To do this, cybersecurity teams must take inventory of responsibilities, products and services, and the technical requirements affiliated with each. By defining these risk areas, cyberteams can better assess areas that require the most attention when allocating cybersecurity resources.
  2. Know data responsibilities—Each member of the cybersecurity team should know which types of data they are responsible for storing, transmitting and protecting. Understanding the different types of data helps the hospital identify which policies and regulations apply to protecting that information, such as the US Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  3. Test for incoming phishing attacks—Most attacks start with a phishing campaign, and phishing continues to be effective. Test the mail filters by sending yourself de-weaponized copies of phishing emails that others have already identified (links defanged, attachments removed), sent from an external test email account so that the messages traverse the same inbound filters as a real attack. How many make it through? Measure it. If the rate is high, the email filters need to be strengthened.
  4. Assess all cybersecurity controls on a regular, event-driven basis—Regularly assess and audit cybersecurity controls to ensure that they are applied and maintained appropriately. A truly mature organization tests these controls both on a time-based schedule and in response to incidents. In this case, use recent ransomware attacks against other hospitals as an opportunity to assess existing systems and confirm that they are not exposed to the same techniques. Consider running a ransomware test exercise in which a red team emulates the attack and the goal is to confirm that the defenders detect it.
  5. Evaluate patches on a timely basis—Healthcare organizations often struggle with vulnerability management and patching. In many cases, hospitals fail to patch systems connected to patient care equipment. It is understandable that most hospitals will not apply a security patch immediately upon release by the vendor; business processes may break and delivery systems may fail. However, ensure that patches are applied in an organized and methodical fashion. For vulnerable legacy systems that cannot be patched or updated, hospitals need to segment them onto an isolated network, restrict which other systems can reach them, and ensure that they have no access to the Internet.
  6. Perform regular policy reviews—Make sure that all pertinent cybersecurity policies not only exist at the hospital, but are also regularly evaluated and updated based on the ever-changing cybersecurity landscape. Specifically, update these policies based on both time-based schedules and event-based instances.
  7. Leverage threat intelligence appropriately—Reading and disseminating threat intelligence throughout a cybersecurity team can be overwhelming. Hacks and cyberattacks occur on a 24/7 basis, with different branches of similar attacks emerging overnight in many instances. Understanding which type of intelligence applies to the hospital and parsing it out correctly increases understanding of what threats may pose the greatest danger to your organization.
  8. Protect end-user devices—It is easy to overlook full protection of end-user devices, not only those inside the network but every device remote users employ to access hospital systems. Antivirus and endpoint-protection exclusion lists should be kept to a minimum. In today’s healthcare landscape there are many sensitive applications, and application vendors should not have the power to dictate the hospital’s antivirus policies.
  9. Communicate clearly with executive leadership and employees—To gain executive support, ensure that reporting and communication to the leadership level is clear and accurate. Once leadership understands the threat, the risk and its potential impacts, cybersecurity teams are more likely to receive the funding and support required to protect the organization. Hospital employees also need to be trained on how to open emails and websites safely. Some tactics include gamification, highlighting hospital cyberheroes and creating a rewarding phishing-reporting structure.
  10. Comprehend organizational cybermaturity—All points listed here are a part of comprehending an organization’s cybermaturity, or its developed defensive readiness against potential cyberattacks and exploitations. Cyberteams that understand the hospital’s maturity level and actively work to raise it have the best chance of defending the hospital in today’s chaotic cyber landscape.
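The filter test in item 3 is easy to do badly: if the test message still carries live links or the original attachment, the test itself becomes the incident. The following Python is an added example, not ISACA's code and not part of the tip sheet. It takes a captured phishing sample (a constructed one is embedded below; the `example-hospital.test` domain, the `X-Phish-Test` header name and the SMTP host are all assumptions), defangs every URL, drops the attachments, tags the subject so the copies can be found again, and computes how many of the tagged copies reached the target mailbox.

```python
"""De-weaponize captured phishing samples and measure mail-filter pass-through (added example)."""
import email
import re
import smtplib
from email import policy
from email.message import EmailMessage

# Constructed sample of a captured phishing message; not a real campaign.
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@example-hospital.test>
To: nurse@example-hospital.test
Subject: Action required: password expires today
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://portal-login.example.net/reset
or open the attached form.
--B1
Content-Type: application/octet-stream; name="reset_form.exe"
Content-Disposition: attachment; filename="reset_form.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B1--
"""

URL_RE = re.compile(r"\b(https?)://([^\s<>\"']+)", re.IGNORECASE)


def defang(text: str) -> str:
    """Rewrite live URLs so no mail client will follow them: http -> hxxp, '.' -> '[.]'."""
    def _sub(m: re.Match) -> str:
        scheme = m.group(1).lower().replace("http", "hxxp")
        return f"{scheme}://{m.group(2).replace('.', '[.]')}"
    return URL_RE.sub(_sub, text)


def deweaponize(raw: str, tag: str) -> EmailMessage:
    """Build a safe test copy of a captured phish.

    The copy keeps the sender, recipient and wording (that is what the filter
    must catch), defangs every link, drops every attachment, and carries the
    tag in the Subject and in an X-Phish-Test header (assumed header name)
    so the copies can be located in the test mailbox afterwards.
    """
    src = email.message_from_string(raw, policy=policy.default)
    out = EmailMessage()
    out["From"] = str(src["From"])
    out["To"] = str(src["To"])
    out["Subject"] = f"[{tag}] {src['Subject']}"
    out["X-Phish-Test"] = tag
    body_part = src.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    dropped = [p.get_filename() or "unnamed" for p in src.iter_attachments()]
    out.set_content(
        defang(text) + f"\n[removed attachments: {', '.join(dropped) or 'none'}]\n"
    )
    return out


def send_tests(messages, smtp_host: str, smtp_port: int = 25) -> None:
    """Send the test copies. Run this from OUTSIDE the hospital mail domain so the
    messages traverse the same inbound filters as a real attack would."""
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        for msg in messages:
            smtp.send_message(msg)


def pass_through_rate(sent_tags, inbox_headers) -> float:
    """Fraction of sent test tags that showed up in the target mailbox.

    inbox_headers is an iterable of header dicts, one per message found in the
    mailbox (for example from an IMAP fetch of the X-Phish-Test header).
    """
    delivered = {h.get("X-Phish-Test") for h in inbox_headers}
    if not sent_tags:
        return 0.0
    hits = sum(1 for t in sent_tags if t in delivered)
    return hits / len(sent_tags)


if __name__ == "__main__":
    copy = deweaponize(SAMPLE_PHISH, "PHISHTEST-01")
    print(copy.as_string())
    # Constructed mailbox listing: two of three test copies got through.
    found = [{"X-Phish-Test": "PHISHTEST-01"}, {"X-Phish-Test": "PHISHTEST-03"}]
    print(pass_through_rate(["PHISHTEST-01", "PHISHTEST-02", "PHISHTEST-03"], found))
```

A pass-through rate near zero is the goal; anything well above it means the filters are not catching wording that has already been seen in the wild. Keep the de-weaponized copies themselves out of the mail filter's allow lists, otherwise the test measures the exception rather than the filter.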

Hospitals that tend to invest in the latest medical technologies may not always keep legacy systems up-to-date, resulting in siloed and disparate systems that can leave unprotected gaps vulnerable to attackers. Instead, healthcare organizations should focus on obtaining a solid grasp of their critical assets and understanding the potential operational consequences of a ransomware attack. These facilities will be well-positioned to implement more tactical methods of reducing risk exposure.

To learn more, download ISACA’s “How Hospitals Can Prepare for Ransomware Attacks” tip sheet.