Healthcare's Data Extortion Problem, and How to Prepare for Ransomware
Data extortion attempts are now occurring in at least 70 percent of all ransomware attacks. How can healthcare providers best combat these pervasive tactics?
Data extortion was once seen as a rare or merely potential threat rather than a pressing issue, while ransomware and the resulting downtime were the greater concerns for healthcare cybersecurity. Attackers have since shifted tactics, stealing data in the majority of ransomware attacks before encrypting victims' data.
The extortion technique was first popularized by the Maze hacking group, which had a penchant for targeting healthcare given its troves of sensitive data.
The hackers banked on providers needing constant access to their information and fear of potential data leaks in their efforts to make the most profit at their victims' expense.
The group has since disbanded but researchers believe the actors simply shifted to deploying the Egregor variant. Clop, Avaddon, Astro, DarkSide, and a host of other hacking groups are leveraging extortion in “secondary infections.”
In fact, VMware researchers have seen an increasing number of long-term cyberattack campaigns across the digital healthcare supply chain. These campaigns are likely behind the surge in data extortion attempts, which is fueling the cybercrime market.
Overall, Coveware data shows data exfiltration and extortion in 70 percent of all ransomware incidents, up 20 percent from Q3 and Q4 2020. In the last few weeks alone, four hacking groups leaked data allegedly stolen from at least nine separate healthcare providers.
Fortunately, 59.6 percent of healthcare victims refused to pay the attackers in Q4 2020. But as hackers continue to demonstrate their incessant targeting of the sector, the question remains: how should healthcare providers handle this pervasive, ongoing threat?
It boils down to communication, honesty, and crisis management, according to Saif Abed, founding partner and director of cybersecurity advisory services of the AbedGraham Group, and Evan Roberts, managing director of strategic communications at FTI Consulting.
“Having a crisis management plan is really helpful in these circumstances as they will guide communications,” said Abed. “Messaging has to be prioritized for those affected by an attack such as patients and employees.”
“This messaging should articulate in a systematic and transparent way what has happened, how it’s being addressed and what the impact may be for those that are affected. This same approach as details become clearer should be taken with the media,” he added.
Roberts drilled down into the key questions healthcare providers need to address prior to a successful ransomware incident, which can help strengthen the response from a communications standpoint.
- What happens if you have to shift from digital records to pen and paper?
- How will you communicate with your staff and ensure they can provide care while you try to remediate?
- What happens if there is data exfiltration and the threat actors start calling or emailing your patients and threatening publication?
Providers need to preemptively prepare the answers to these questions before an attack or extortion attempt occurs. Roberts stressed that the most important principle in terms of response is to tell the truth, “as simple as that sounds,” and based on what is understood at the time of discovery.
Extorted organizations typically lack a full understanding of how the incident occurred while forensics are still ongoing. The threat actor may also be communicating via the media, he added. As such, speculation should be avoided at all costs.
Instead, victims should communicate clearly to patients what the entity knows now and how it expects to learn more as the investigation continues.
“Healthcare organizations in general have a bank of goodwill after everything we’ve been through in the past year – but if they start making definitive statements before they have all the facts, they might find themselves corrected in the media by the threat actor and facing a severe credibility gap,” Roberts said.
“Appreciation and understanding from the community can erode quickly if an organization appears to be ignorant, or worse, actively trying to conceal the truth,” he added. “Having a tested communications plan in place can often mean the difference between successful and disastrous incident response, regardless of the scale of exfiltration and extent of encryption.”
Cyber Hygiene Requirements
As security researchers and federal agencies have noted repeatedly, reliable, offline, air-gapped backups of critical data are one of the most important elements healthcare providers need in order to keep disruptions to patient care and business operations to a minimum.
For Abed, in terms of prioritizing preparation, the efforts should therefore focus on defending against the disruption of clinical services.
However, the rise and success of extortion has highlighted the importance of addressing basic cyber hygiene across the enterprise: understanding the range and number of endpoints operating on the network, auditing how different data sets, from clinical to administrative, are handled, and knowing exactly who and what has access to that data.
These basic controls are designed to inform healthcare security leaders and administrators, enabling better identity and access management as well as network segmentation.
“Two key challenges at this stage include having a clear inventory of what endpoints are in an environment followed by having a granular, contextualised understanding of what happens if these devices are compromised in a clinical context,” Abed explained.
“Addressing these two areas will accelerate all other security decision making and enhance executive level engagement in cybersecurity,” he continued.
Roberts added that while offline backups are a good practice, more often than not healthcare providers are lacking clearly practiced incident response plans. As cybersecurity incidents are more commonplace under the current threat landscape, a lack of preparation is spurring failed or ineffective response plans from healthcare victims.
Typically, the majority of scrutiny and blame against healthcare providers comes not from falling victim, but from failing to adequately respond to the security incident. Roberts said providers will receive a degree of understanding from most stakeholders following an incident, “but it can be squandered by mistruth, misrepresentation or the absence of communication.”
“Yes, protected health information is highly sensitive, but there is a recognition that these organizations have been doing incredible work to try to keep us safe and healthy over the past year,” said Roberts.
“An effective communications plan can build on the goodwill,” he added. “Panic, disorganization and a lack of leadership can be just as damaging following an incident as an unpatched piece of software.”