Cyberattacks, specifically ransomware attacks, can pose serious risks and complications for healthcare facilities. Even larger healthcare organizations, such as Ascension, are not immune to ransomware attacks.
In early May 2024, Ascension detected suspicious activity on its network systems. Suspecting a cybersecurity incident, it contacted external experts to begin an investigation. On May 11, 2024, Ascension confirmed the incident to be a ransomware attack.
When attacks such as ransomware occur, sensitive and valuable data can become encrypted, rendering it inaccessible to the healthcare organization. The attackers then demand a ransom for the encrypted data, even threatening to leak it all if the ransom goes unpaid. Either way, important data can be permanently lost as a result.
Securing backup data
Given the serious consequences, it is vital for healthcare organizations to secure their data from ransomware attacks and other cyber incidents. Primarily, they need a disaster recovery process and resiliency for their data, according to Ben DeBow, founder and chief executive officer at Fortified. DeBow also recommends that healthcare organizations encrypt their own data, especially the most sensitive data.
“One of the challenging things today with organizations is they have an immense amount of data, which adds to the complexity of how you protect all your data,” says DeBow. “I always focus and work with companies on protecting your most important data that runs the business. I call it your ‘Coca-Cola’ secret. Separate from that is making sure that your backup data strategy is also immutable.”
By immutable, DeBow means that the backup data strategy cannot be zeroed out and the data also cannot be overwritten. One of the challenges with ransomware attacks is that if the perpetrators are in the systems for an extended period, they can end up overwriting the backup data. If that happens, a healthcare organization will have no data from before the ransomware incident to restore from.
Having the right people and services
Two critical factors in ransomware prevention are having the right people and services in place, says DeBow. This is so they can protect the systems and identify any abnormalities within the network environments. If they do notice anything different, they can address the issue as soon as possible to minimize the damage.
However, some smaller healthcare organizations may have little to no IT department, which can be a vulnerability in and of itself.
“The challenge for small organizations is they have limited knowledge, limited resources and limited time,” says DeBow. “They are up against anything from state actors to what I call outsiders that do not have the best intentions.”
If smaller healthcare organizations don’t have the budget for an external security firm, then they must monitor and manage their security posture and network, says DeBow. They also must keep their systems patched and updated.
Another area DeBow stresses is having proper security training done throughout the organization.
“You are as good as your weakest link, so make sure that everyone in the organization is aware of security protocols,” says DeBow. “We must ensure that the training and awareness for everybody in the organization is kept up and maintained.”
The importance of sharing how healthcare organizations respond
Although cyberattacks are growing in frequency, the number of healthcare organizations that share how they respond to these incidents is not growing as quickly.
“As other organizations around the world are breached, we need to keep on learning and learning from each of those incidents,” says DeBow. “We must be making sure that we are staying diligent and filling in those holes, those attack vectors, and addressing those as an organization prepares and becomes stronger.”
A lot of it is information sharing within the security sector, DeBow says. It enables organizations to understand what the bad actors are doing and how to counter their attacks. DeBow says that it hurts healthcare organizations in general when others neglect to share their information.
“Because if they came in through a zero-day exploit and they do not share that out, then others are susceptible and can be breached at the same time,” says DeBow. “So, part of it is sharing out the information if you were to get attacked. Let others understand how they could prepare themselves to hopefully minimize damage and save another life.”
Jeff Wardon, Jr. is the assistant editor for the facilities market.