Fend Off Ransomware with a Cybersecurity Recovery Program

As healthcare organizations continue to take advantage of digital transformation and modernization, cybersecurity intrusions and ransomware attacks continue to skyrocket.

According to the HIPAA Journal, in 2020 the cost of ransomware attacks across the U.S. was estimated to be $21 billion. More recently, the journal reported that CommonSpirit Health estimates the cost of its October 2022 ransomware attack alone will cost them up to $160 million.

As bad actors continue to infiltrate healthcare systems, it is the responsibility of every healthcare organization to build a stronger cybersecurity recovery program with the necessary tools, processes, education and organizational support to secure and protect against data loss, and most importantly, to mitigate impact to patient care services. The goal: Build a customized and resilient security program that can defend against attacks and help your organization weather them without failing patients or experiencing financial burden.

Leaders in healthcare organizations have many critical priorities to manage, and consistently evolving a security program can feel like an overwhelming, time-consuming task. Working with a trusted technology partner can help you assess, build and manage a security program that suits your organization’s needs.

Even the most modern healthcare systems likely still have antiquated components; for example, a physician that insists on keeping a legacy clinical system running for a few more years to access archival data because a plan has not yet been identified for retirement. And in IT, we know there are likely some vulnerable systems that need to be patched, but the vendor has not yet approved the required version and refuses to support any updates. Same goes for a network device that is nearing end of service that may not be on the retirement or rationalization roadmap.

Without a proper security program to address known vulnerabilities or insufficient tools, governance, processes and education, your organization is at risk of a major security breach — perhaps without your IT staff knowing about it for days, weeks or even months.

At CDW, we work with healthcare systems to assess vulnerabilities and build more mature security programs. We collaborate with your team to identify areas of weakness, then arm your teams with the tools, processes, education and organizational support skills to mature your security program while following standardized governance to enable repeatable results.

According to CISA, “All organizations, and particularly those supporting designated critical infrastructure or National Critical Functions (NCF), should implement an effective cybersecurity recovery program to protect against cyberthreats and manage cybersecurity risk commensurate with the urgency of those NCFs to national security, national economic security and/or national public health and safety.”

A vulnerability assessment is the first step to mature your security program and bolster your defense against ransomware attacks. An assessment can uncover a wealth of information that will help you strategize and prioritize.

Common Mistakes to Avoid: 

Before you begin, here are some common stumbling blocks to avoid as you prepare to evolve your security program:

• Don't make an unfounded decision to purchase the best data protection equipment on the market immediately. Take the time to do the research, interview candidates, vendors, etc., to find the right fit for your business needs.
• Don't shut down your other active projects to shift all focus to ransomware prevention. The business must carry on.
• Don't scare your clinicians by telling them to unplug their network cables from their workstations when not logged on. CISA’s response checklist for an active attack states isolating or powering-off the affected systems immediately, but education is more powerful than scare tactics.

Key Questions to Discuss

The road to a stronger security program won't be a straight line; each organization will have a unique path to follow. 

To start prioritizing for your organization, here are some key questions to discuss with your IT staff:

• Have you performed a clinical care business continuity assessment in the last two years?
• Have Tier 0 infrastructure applications been identified?
• Have Tier 1 critical clinical applications been identified?
• From a governance and process perspective, what happens during a disaster? What if data is wiped, the data center itself is down, or your clinicians are locked out of workstations, or worse?
• Does your organization have repeatable processes in which any resource can pick up the baton to ensure there is sufficient coverage and continuity?
• What is your incident response plan (IRP)? Do you know when to restore at the current data center and/or when to shift to true disaster recovery protocols?
• Introducing new applications or upgrading the legacy is part of any lifecycle; however, have disaster recovery options been identified on the intake form?
• Do you have adequate cybersecurity insurance to combat potential loss of productivity, damage to reputation, and service?

Once you’ve laid the groundwork, you can begin to plan key initiatives. Don’t think of this prep work as a checklist; think of it as a game plan. By taking the time to uncover your organization’s specific vulnerabilities, you can form a set of strategic initiatives that will mature your cybersecurity recovery program.

With any security program must come discipline, such as a governance framework that everyone adopts to ensure the same standards are being followed across the organization. While each project under the program will have different deliverables, the progress of the journey will be working toward the same goals.

Here are some key initiatives CDW developed to take your security program to the next level:

• Investigate the state of your overall infrastructure/application environment, such as the operating systems, vulnerabilities, resiliency, redundancy, remote access and unsecure authentications.
• Determine the age of your network and security assets, and where they reside physically (hospital campuses and data centers) and on your lifecycle refresh roadmap (core, firewalls, NAC).
• Limit an adversary’s ability to learn an organization’s enterprise environment and move laterally (see a detailed list from CISA).
• Identify your Tier 0 / 1 applications. Ensure runbooks exist for each application/service.
• Validate their functionality with tabletop exercises that include hands-on-keyboard execution.
• Thoroughly map application dependencies. Determine if application B is down, will application A still function?
• Determine your recovery time objectives (RTOs) and your recovery point objectives (RPO). Consider ways to improve your RPOs.
• Establish the application/business owners, delegates and IT support representatives, and ensure they know they own their applications/services.
• Establish or strengthen your business continuity and disaster recovery (BCDR) training for IT, clinicians and service owners. Determine what KPIs are documented and how often.
• Determine if clinicians can function during an outage with the proper downtime procedures.

Evolving your cybersecurity recovery program will identify areas of opportunity to improve resources, processes and technology, resulting in positive business outcomes, a more secure healthcare organization, and ultimately, better patient care.

The beauty of creating a more robust security program is that not all projects must initiate simultaneously. When you work with our healthcare team, CDW experts will collaborate to develop a strategic roadmap that aligns to your vision, assesses the most critical weaknesses, and conforms to your budgetary and resource constraints. It all starts with identifying where to begin, knowing your weaknesses and determining your roadmap.