This article is part of a new monthly series by ISAO SO working group members focusing on current topics impacting the Information Sharing Ecosystem. The content is not endorsed by the ISAO SO but provided to stir conversations and engage stakeholders of the ecosystem.
By Stuart M. Gerson and Alaap Shah[1]
Ransomware attacks have become big business, and they are on the rise. And entities in the health care and life sciences space have become primary targets of opportunity for attackers.
As the recent Colonial Pipeline Co. ransomware event illustrates, a small group of black hat hackers, living in protected status in nation states hostile to U.S. interests, can create massive disruption in our country’s infrastructure and well-being, and significant economic and other benefit for themselves and for the governments that support them.
Why is it that health care is such a prime target? The reason lies in the nature of the data that health care and life sciences companies and institutions create and store, and their relative vulnerability in the way they maintain and communicate it.
Health care entities are a treasure trove of cutting-edge research and information regarding pharmaceuticals, medical devices and other intellectual property that command great value. The protected health information that they store is of immense value, less with respect to identity theft, as is the popular notion, than it is as an enabler of fraudulent billing schemes that can quickly produce millions in revenue for hacking organizations. And in the broadest sense, imagine, for example, the societal dislocation that a hostile digital intruder, or its sponsors, could cause if hospitals couldn’t provide services because their patient records were made inaccessible by ransomware encryption code. That kind of potentiality has been the reason why so many institutions and companies have caved in to ransomware demands.
To keep their malicious economic engine running, hackers have become increasingly creative in their extortion schemes. Not only do they conduct ransomware attacks, but some offer ransomware as a service, selling the means for others to conduct exploits.
In short, the tactics, techniques and procedures employed by hackers exhibit ever greater sophistication and can leave victims struggling operationally, financially and from a reputational perspective. This is in large part due to the fact that hackers are increasingly trying to take three bites at the apple when extorting ransom payment.
. . .
Prepare for the Inevitable Attack Including Compliance and Risk Management Activities
What then should a health care or life sciences organization do to prevent or deal with ransomware? Perhaps the best place to find actionable guidance is in the U.S. government technical guidance manual titled “How to Protect Your Network From Ransomware.”
This manual is a joint publication of the government’s principal law enforcement agencies, including the DOJ and the FBI, as well as the member agencies of the intelligence community, including the U.S. Department of Homeland Security. DHS’ cyber component, the Cybersecurity and Infrastructure Security Agency, has also published a helpful guide to ransomware.
In short, all ransomware prevention is premised upon risk determination and awareness, followed by intensive training and testing.
There are many steps that even small organizations can undertake to reduce risk. Specifically, organizations should consider employing spam filters to weed out phishing emails, firewall configuration, limitation and monitoring of network access, regular software updates and patch management, automatic antivirus and anti-malware utilities, end-to-end encryption, and two-factor authentication, among other cybersecurity best practices.
Of course, larger, more sophisticated organizations can go further with technical means in terms of prevention and managed detection and response.
Every organization must, to the best of its ability, assure resilience, regularly backing up data to secure servers, offline or air-gapped if possible, or using cloud-based solutions.
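A backup is only a resilience measure if you can prove it is still intact when you need it. The following Python script is an added example, not code from the article or its authors: it builds a SHA-256 manifest of a backup set, which is then stored separately from the backup itself (offline or on the air-gapped copy), and later compares the backup against that manifest to detect files that ransomware has overwritten, renamed or deleted. All file names and contents are constructed for the demonstration.

```python
"""Backup integrity manifest (added example, not from the article).

build_manifest() records a SHA-256 digest for every file in a backup tree;
verify_backup() re-hashes the tree and reports what changed. The manifest is
meant to be stored apart from the backup so an intruder who reaches the backup
cannot also rewrite the record of what it should contain.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backup images do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX-style) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree under root against a previously stored manifest.

    Returns a dict with three sorted lists:
      modified   - present in both but contents differ (e.g. encrypted in place)
      missing    - listed in the manifest but no longer present (deleted/renamed)
      unexpected - present on disk but not in the manifest (e.g. '.locked' copies)
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: record a manifest, then simulate ransomware
    overwriting one backup file and renaming another, and verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        # constructed sample backup contents (hypothetical file names)
        (root / "records" / "patient_index.db").write_bytes(b"sample index contents")
        (root / "records" / "billing.csv").write_text("id,amount\n1,100\n")

        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest)  # this is what you keep offline

        # simulate encryption in place of one file and a '.locked' rename of another
        (root / "records" / "patient_index.db").write_bytes(os.urandom(32))
        (root / "records" / "billing.csv").rename(root / "records" / "billing.csv.locked")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(demo())
```

Run the verification against each backup copy before you rely on it, and against the offline copy on a schedule, so that a silently corrupted or encrypted backup is discovered before an incident rather than during one. A hash manifest does not replace a periodic restore test, which is the only proof that the data is actually usable.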
Organizations are also strongly encouraged to conduct at least annual penetration tests and vulnerability assessments. Law firms and insurers can provide useful assistance in that regard to put organizations in a defensible position relative to hackers and regulatory authorities.
If systems fail and an organization suffers a ransomware infection, it must immediately contain the threat by isolating infected computers, powering off all likely infected devices and securing cloud-based or remote backups. It should then contact the FBI or U.S. Secret Service as soon as possible.
This is an excerpt of the article “Health Cos. Must Prepare For Growing Ransomware Threat”, published on June 21, 2021. To access the full article, visit law360.com/articles/
[1] Stuart M. Gerson and Alaap Shah are members of the law firm Epstein Becker Green. Gerson is also a former Acting Attorney General of the United States and is a member of several Working Groups of the ISAO Standards Organization.