Getty Images

Responding To a Healthcare Ransomware Attack: A Step-By-Step Guide

With a comprehensive incident response plan, organizations can respond to healthcare ransomware attacks efficiently and effectively.

Healthcare ransomware attacks can result in data exfiltration, financial and reputational losses, and workflow disruptions. Even the most sophisticated security programs are not immune to ransomware.

The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) found that the healthcare sector faced the most ransomware attacks in 2021 compared to other critical infrastructure sectors.

Given the evidence, organizations should prepare for the possibility of a ransomware attack and coordinate response efforts to minimize damage and recover quickly. HIPAA requires organizations to have an incident response plan, but putting that plan into action is different from simply having one on paper.

It is important to note that the following guide is not a singular, exhaustive playbook for responding to a healthcare ransomware attack. Each organization will have specific needs and resources to help them respond and recover.

A variety of stakeholders and departments should be involved in the incident response process, including executives, IT and cyber professionals, legal teams, and communications experts. Organizations should assign responsibilities accordingly.

This guide should serve as an example of how an organization might respond to ransomware in its environment, based on a combination of government and industry ransomware resources.

This guide also assumes that an organization already had a comprehensive cyber incident response plan in place before experiencing a ransomware attack. Without proper preparation, organizations may run into additional challenges during response and recovery.

IDENTIFY AND CONTAIN IMPACTED SYSTEMS AND DEVICES

At the first sign of suspicious activity, IT and cyber professionals should perform a technical analysis, identify the incident's root cause, communicate with executives, and trigger the organization's incident response plan.

Once the organization has determined that the incident was a ransomware attack, it is vital to move quickly to identify infected systems and devices. Emergency response managers and IT and cybersecurity professionals should work together to determine the scope of the incident and power down infected systems, the HHS 405(d) Task Group explained.  

The response team should implement short-term mitigations to stop the ransomware from spreading. Organizations should also close relevant ports and mail servers, change admin passwords, and update firewall filtering, the Cybersecurity and Infrastructure Security Agency (CISA) recommended.

"Containment is challenging because defenders must be as complete as possible in identifying adversary activity, while considering the risk of allowing the adversary to persist until the full scope of the compromise can be determined," CISA noted.

If the team finds new signs of compromise after the containment process, they should revert to the technical analysis stage and redetermine the incident's scope. Throughout this process, CISA recommended capturing forensic images and collecting and preserving evidence and data for investigation purposes.

SEEK HELP

Organizations should prioritize notifying local, state, and federal law enforcement. Organizations such as HHS, FBI, CISA, and MS-ISAC can help organizations mitigate risk. Federal authorities may also have access to specific decryption codes or guidance about particular ransomware variants, HHS 405(d) noted.

In addition, organizations should remain mindful of state-specific notification laws that may apply to their situation.

An organization's legal and IT teams are essential players when responding to a security incident. They should work together to respond to the incident while considering both groups' legal and technical consequences.

"Often when you're responding to an incident, part of what you're doing is also creating a legal record that may have significant consequences for the company. The tendency is that legal is one of the last groups to get brought in," Nathan Salminen, senior associate at Hogan Lovells, previously explained in an interview with HealthITSecurity.

"By the time they get brought in, emails may have already gone out to customers or employees, and others may have already conducted a bunch of analysis done that was not conducted under attorney-client privilege."

Engaging with the appropriate stakeholders and notifying law enforcement promptly can help organizations navigate the response and recovery process.

TO PAY OR NOT TO PAY

Threat actors may demand payment for the safe return and security of protected health information (PHI). Organizations will then face a difficult decision: give in to ransomware demands or potentially risk workflow and patient safety. Ideally, the organization would have data backups and downtime procedures to lessen these risks.

"There are a number of factors that are going to play into that decision-making process," Erik Weinick, a seasoned litigator and co-founder of Manhattan-based law firm Otterbourg's privacy and cybersecurity practice, explained in an episode of Healthcare Strategies.

"One is going to be the scope of the attack. Another is going to be who is implicated in the attack."

It is crucial to note that paying the ransom does not provide any assurances. The Federal Bureau of Investigation (FBI) strongly discourages paying the ransom for that reason, in addition to the fact that it may incentivize cybercriminals to continue targeting other organizations.

"Obviously, your ability to continue to care for the patients in your charge is the overriding factor in how to respond," Weinick suggested.

MANAGING COMMUNICATIONS

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) released a checklist to help healthcare staff and executives preserve operational continuity while recovering from a severe cyberattack.

Within the checklist, HSCC identified the roles and responsibilities of the public information officer, whose team would be responsible for communicating relevant information about the ransomware attack to internal and external stakeholders.

The guide noted that notifying the public during breach response may create additional vulnerabilities and confusion. Organizations should have a media and public relations (PR) strategy in place and coordinate with law enforcement to avoid interfering with an ongoing investigation.

The public information officer should quickly develop an internal communications strategy  to communicate the event to staff, including information about alternate phone numbers and services that may be disrupted.

HSCC also noted that internal communications may rapidly become external once they are sent out to staff.

BEGIN RECOVERY PROCESS

"The fire is out and it's time to return to business as usual. The scope of the ransomware attack and the severity of its impact on your daily operations will determine how much time and effort is needed to recover," the Cyber Readiness Institute explained in its ransomware playbook.

"Use the incident as a learning experience to reinforce the importance of cyber readiness principles like patching and phishing awareness."

The recovery process will look different for every organization depending on the scope of the ransomware attack. Healthcare entities that faced a PHI breach impacting more than 500 individuals must notify HHS of the breach within 60 days of discovery, as required by the HIPAA Breach Notification Rule. Local breach notification laws will also apply but may vary from state-to-state.

After eradicating the ransomware, HHS 405(d) recommended that organizations restore data from offline or encrypted backups, monitor network traffic, and address any security gaps or remaining vulnerabilities. Organizations should also consider sharing lessons learned with CISA or threat-sharing organizations to help others in the industry respond to similar events.

There is no one right way to respond to a healthcare ransomware attack. There are many moving parts and stakeholders to consider, as exemplified by the steps above. With these steps in mind, organizations should develop an incident response plan that addresses each element of response and recovery, paired with proper prevention tactics and a robust security program.

Next Steps

Dig Deeper on Cybersecurity strategies