- Sophisticated ransomware attacks are on the rise and evolving quickly within the healthcare industry.
- Emerging strains can exfiltrate sensitive healthcare data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
- Healthcare executives want reassurance but aren’t ready to write a blank check. Improvements must be targeted and justified.
Our Advice
Critical Insight
- Malicious agents design progressive, disruptive attacks to pressure organizations to pay ransom.
- Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
- Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.
Impact and Result
- Conduct a thorough assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
- Analyze attack vectors and prioritize controls that prevent ransomware attacks. Implement ransomware protections and detection to reduce your attack surface.
- Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.
Workshop: Improve Ransomware Resilience for Healthcare
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess Ransomware Resilience
The Purpose
- Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.
Key Benefits Achieved
- Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization
- Complete a current state assessment of key security controls in a ransomware context.
Activities
Outputs
Review incidents, challenges, and project drivers.
- Workshop goals
Diagram critical systems and dependencies and build risk scenario.
- Ransomware risk scenario
Assess ransomware resilience.
- Ransomware resilience assessment
Module 2: Protect and Detect
The Purpose
- Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.
Key Benefits Achieved
- Identify targeted countermeasures that improve protection and detection capabilities.
Activities
Outputs
Assess ransomware threat preparedness.
Determine the impact of ransomware techniques on your environment.
Identify countermeasures to improve protection and detection capabilities.
- Targeted ransomware countermeasures to improve protection and detection capabilities
Module 3: Respond and Recover
The Purpose
- Improve your organization’s capacity to respond to ransomware attacks and recover effectively.
Key Benefits Achieved
- Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.
Activities
Outputs
Review the workflow and runbook templates.
Update/define your threat escalation protocol.
Define scenarios for a range of incidents.
- Security incident response plan assessment
Run a tabletop planning exercise with IT.
- IT tabletop planning session
Update your ransomware response runbook.
- Ransomware workflow and runbook
Module 4: Improve Ransomware Resilience
The Purpose
- Identify prioritized initiatives to improve ransomware resilience.
Key Benefits Achieved
- Identify the role of leadership in ransomware response and recovery.
- Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.
Activities
Outputs
Run a tabletop planning exercise with leadership.
- Leadership tabletop planning session
Identify initiatives to close gaps and improve resilience.
Review broader strategies to improve your overall security program.
Prioritize initiatives based on factors such as effort, cost, and risk.
Review the dashboard to fine tune your roadmap.
- Ransomware resilience roadmap and metrics
Summarize status and next steps in an executive presentation.
- Ransomware workflow and runbook
Improve Ransomware Resilience for Healthcare
Prevent incursions and defend against ransomware attacks.
Analyst Perspective
Ransomware presents an opportunity and a challenge.
As I write, the frequency and impact of ransomware attacks continue to increase with no sign of slowing. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The opportunity comes with important challenges. Hackers require less time in discovery before they deploy attacks, which have become much more effective. You can't afford to rely solely on being able to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.
Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. Eventually, you reach the top and reflect on how far you've come.
Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group
Executive Summary
Your Challenge | Common Obstacles | Info-Tech's Approach |
Ransomware is a high-profile threat that demands immediate attention:
|
Ransomware is more complex than other security threats:
|
To prevent a ransomware attack:
|
Info-Tech Insight
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what your organization can control and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.
Ransomware attacks are on the rise and evolving quickly.
Three factors contribute to the threat:
- The rise of ransomware-as-a-service, which facilitates attacks.
- The rise of crypto-currency, which facilitates anonymous payment.
- State sponsorship of cybercrime.
Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least US$2 billion in payments.
A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the cleanup cost or economic fallout over attacks during this period.
Total ransom money collected (2015-2021): US$2,592,889,121
The frequency and impact of ransomware attacks are increasing among healthcare institutions
Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
Sophos commissioned a vendor-agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.
The survey was conducted in Jan - Feb 2022 and asked about the experience of respondents over the previous year.
Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.
Of the respondents whose healthcare organizations were not hit by ransomware in 2021 and don't expect to be hit in the future, 77% cited either backups or cyberinsurance as reasons why they didn't anticipate an attack.
While these elements can help recover from attacks, they don't prevent them.
Sources: "State of Ransomware in Healthcare," Sophos, 2022; "Cost of A Data Breach," IBM, 2022
Critical infrastructure sectors are being targeted by ransomware attacks
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital that their incapacitation or destruction would have a debilitating effect on a nation's security, economy, public health or safety, or any combination thereof.
In 2021, the FBI's Internet Crime Complaint Center (IC3) received 649 complaints indicating ransomware attacks on organizations worldwide. Although the healthcare sector was not the most targeted for cyberattacks, it was the most victimized industry sector for ransomware attacks.
The three-step ransomware attack playbook
- Get in
- Spread
- Profit
At each point of the playbook, malicious agents have to achieve something before they can move to the next step.
Resilient organizations look for opportunities to:
- Learn from incursions
- Disrupt the playbook
- Measure effectiveness
Ransomware is more complex than other security threats
Ransomware groups thrive through extortion tactics.
- Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
- As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying backups.
- Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threatening to publish them.
Healthcare organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.
Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:
- Detection and response - Activities that enable detection, containment, eradication and recovery.
- Notification - Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
- Lost business - Activities that attempt to minimize the loss of customers, business disruption, and revenue.
- Post-breach response - Redress activities to victims and regulators, and the implementation of additional controls.
Source: "Cost of a Data Breach," IBM, 2022
Organizations in the health care sector are stewards of regulated data, which makes them especially vulnerable to extortion, and ransomware gangs know it.
Disrupt the attack at each stage of the attack workflow.
An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.
Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.
Shortening dwell time requires better protection and detection
Ransomware dwell times are shrinking, and average encryption rates are dramatically increasing.
Hackers spend less time in your network before they attack, and their attacks are much more effective.
What is dwell time and why does it matter?
Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until the ransom is paid.
Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.
Dwell times are dropping, and encryption rates are increasing.
It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.
References: Bleeping Computers, 2022; VentureBeat; Dark Reading; ZDNet, 2021.
Resilience depends in part on response and recovery capabilities
This blueprint will focus on improving your ransomware resilience to:
- Protect against ransomware
- Detect incursions
- Respond and recover effectively
For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery Plan.
Info-Tech's ransomware resilience framework
Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond, and recover effectively.
Prioritize protection
Put controls in place to harden your environment, train savvy end users, and prevent incursions.
Support recovery
Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.
Info-Tech's ransomware resilience methodology
Assess resilience | Protect and detect | Respond and recover | Improve resilience | |
---|---|---|---|---|
Phase steps |
|
|
|
|
Phase outcomes |
|
|
|
|
Insight Summary
Shift to a ransomware resilience model
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.
Focus on what your organization can control and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly.
Visualize challenges
Build risk scenarios that describe how a ransomware attack would impact organizational goals.
Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.
Prioritize protection
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.
Seize the moment
The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
Measure ransomware resilience
The anatomy of a ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.
Project deliverables
Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.
Ransomware Resilience Assessment
Measure ransomware resilience, identify gaps, and draft initiatives.
Ransomware Threat Preparedness Workbook
Analyze common ransomware techniques and develop countermeasures.
Ransomware Response Workflow & Runbook
Capture key process steps for ransomware response and recovery.
Ransomware Tabletop Tests
Run tabletops for your IT team and your leadership team to gather lessons learned.
Ransomware Resilience Roadmap
Create a roadmap that displays ownership, start dates, and durations for initiatives (produced by tab 6 of the Ransomware Resilience Assessment).
Key deliverable
Ransomware Readiness Summary Presentation Template
The resilience roadmap captures the key insights your work will generate, including:
- An assessment of your current state and a list of initiatives to improve your ransomware resilience.
- The lessons learned from building and testing the ransomware response workflow and runbook.
- The controls you need to implement to measure and improve your ransomware resilience over time.
Plan now or pay later
In 2021, organizations worldwide spent on average US$4.62 million to rectify a ransomware attack. These costs include escalation, notification, lost business, and response costs, but not the ransom amount. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of US$4.69 million.
Building better now is less expensive than incurring the same costs plus the cleanup and regulatory and business disruption costs associated with successful ransomware attacks.
Source: "Cost of a Data Breach," IBM, 2022
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.
See what members have to say about the Ransomware Resilience Blueprint:
- Overall impact: 9.8/10
- Average $ saved: $98,796
- Average days saved: 17
"Best parts were the fact that we were able to have a facilitated discussion with our MSP about security and create a much-needed tool - the runbook out of that meeting."
- Anonymous CIO, Healthcare Institution
Blueprint benefits
IT benefits | Business benefits |
---|---|
|
|
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
Executive brief case study
SOURCE
UVM Health Network Ransomware Attack
Organizations who build back better after a ransomware attack often wish they had used relevant controls sooner.
Challenge | Complication | Resolution |
---|---|---|
In October 2020, University of Vermont Health Network experienced significant disruptions and application issues. Upon further investigation, they suspected a data breach and took their network offline. A text file left on a computer by cybercriminals indicated that they had compromised the health network's system and encrypted the organization's data. No ransom was demanded, but they urged the health network to contact them. The organization instead contacted the FBI, who with their assistance identified the attack's source and resolved the incident. No sensitive data was exposed, and the organization regained access to their backup copies. | While the organization didn't pay any ransom and no sensitive data (e.g. protected health information [PHI]) was stolen or exposed, the attack still carried deep implications. The full shutdown of network systems during the attack caused the organization to incur significant recovery expenses. This included the recovery cost of the health network's servers, applications, and computers, which totaled an estimate of over US$63 million. Furthermore, the attack impacted patient care as many patients faced delayed test results and some medical procedures had to be rescheduled. The lengthy incident recovery time damaged the reputation of the health network. | The organization was scrutinized for its lack of policies, which motivated the organization to put more protections in place, including:
|
Guided implementation
What kind of analyst experiences do clients have when working through this blueprint?
Scoping Call | Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|---|
Call #1:
Discuss context, identify challenges, and scope project requirements. Identify ransomware resilience metrics. |
Call #2:
Build ransomware risk scenario. Call #3: Assess ransomware resilience. |
Call #4:
Review common ransomware attack vectors. Identify and assess mitigation controls. |
Call #5:
Document ransomware workflow and runbook. Call #6: Run tabletop test with IT. |
Call #7:
Run tabletop test with Leadership. Call #8: Build ransomware roadmap. Measure ransomware resilience metrics. |
A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI involves six to eight calls over the course of four to six months.