CSA Offers Guidance on Preventing Ransomware in the Healthcare Cloud
New guidance from the Cloud Security Alliance warns organizations about the prevalence of ransomware in the healthcare cloud and shows how to mitigate risk.
The Cloud Security Alliance’s (CSA) Health Information Management Working Group recently released guidance warning healthcare delivery organizations about the growing threat of ransomware in the healthcare cloud. The report is meant to be used in conjunction with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Cloud storage can give organizations an advantage when it comes to data protection, but the cloud is still vulnerable to ransomware attacks. As more healthcare organizations utilize cloud storage to back up data, ransomware attacks on cloud security providers are increasing.
“Due to the nature of public cloud, where the underlying infrastructure is secured and managed by the cloud service provider, many customers incorrectly assume that the threat of ransomware in the cloud is less than in a private data center,” the report stated.
“However, cloud services rely on the synchronization of data, and if ransomware encrypted data enters the synchronization process, data will run the risk of being propagated in the cloud. At this point, cloud applications become complicit in spreading the malware.”
Healthcare organizations can fall victim to ransomware attacks in a number of ways, usually through social engineering. Hackers often use phishing scams, social media, and instant messaging to trick a user and deploy malware on the network. Cybercriminals can also exploit system vulnerabilities to infiltrate networks.
NIST’s Cybersecurity Framework identified five cornerstones to cybersecurity that organizations can use to mitigate risk: identify, protect, detect, respond, and recover.
The CSA report, following the same structure, recommended that healthcare organizations identify and classify all IT systems, software, and data in their entire network. Classifying assets will allow organizations to prioritize certain cybersecurity efforts and aid in response and recovery.
The protect function enables organizations to soften the impact of ransomware attacks.
“Prevention is the best defense against ransomware, and it is essential to implement controls for protection,” the report emphasized. “To protect an organization’s cloud from ransomware, the place to start is with protecting the computer.”
CSA recommended installing endpoint protection, filtering incoming and outgoing emails to detect threats, and employing network segmentation to ensure separation between IT and networked medical devices.
With these preventive safeguards in place, organizations will be better equipped to detect ransomware events as they occur.
“Malware detection, behavior-based anomaly detection, and intrusion detection are all used for event detection. The goal is to detect events as they happen, to trigger the appropriate responses, and to provide information about the attack to the security team,” the report explained.
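The report's warning about synchronization and its call for behavior-based anomaly detection can be combined in a check that runs before a sync client uploads a batch of changed files. The following Python example is an added illustration, not code from the CSA report; the function names, thresholds, and sample data are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def review_sync_batch(last_synced, pending, high=7.5, jump=2.0, max_ratio=0.25):
    """Return (hold_sync, suspicious_paths) for a batch of pending uploads.

    Both arguments map path -> bytes. A changed file is suspicious when it is
    now high-entropy and gained at least `jump` bits per byte over the last
    synced copy. Files that were already high-entropy (archives, compressed
    images) do not trip the jump test, so this check alone will not catch
    them being encrypted.
    """
    changed, suspicious = 0, []
    for path, new in pending.items():
        old = last_synced.get(path)
        if old is None or old == new:
            continue  # new or untouched file: nothing to compare
        changed += 1
        before, after = shannon_entropy(old), shannon_entropy(new)
        if after >= high and after - before >= jump:
            suspicious.append(path)
    hold = changed > 0 and len(suspicious) / changed >= max_ratio
    return hold, sorted(suspicious)

def fake_ciphertext(seed: str, size: int) -> bytes:
    """Constructed stand-in for encrypted content: deterministic random-looking bytes."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]

# Constructed sample data (not from the CSA report).
BASELINE = {f"records/patient_{i}.csv": (f"id,{i},name,visit,diagnosis\n" * 200).encode()
            for i in range(8)}
NORMAL_EDIT = dict(BASELINE)
NORMAL_EDIT["records/patient_0.csv"] += b"id,0,follow-up\n"
MASS_REWRITE = {p: fake_ciphertext(p, len(d)) for p, d in BASELINE.items()}

if __name__ == "__main__":
    print("normal edit :", review_sync_batch(BASELINE, NORMAL_EDIT))
    print("mass rewrite:", review_sync_batch(BASELINE, MASS_REWRITE))
```

Holding the batch keeps the last known-good copies in cloud storage intact while the security team investigates, which is what makes restoring from them possible later.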
How an organization responds to a ransomware attack can be the difference between a swift recovery and a costly and time-consuming one. Depending on the threat, CSA recommended that organizations disable user accounts, isolate systems, and identify the source of the ransomware.
If the first four pillars of cybersecurity were followed, the recovery function should effectively reduce the risk of a future attack and ensure that organizations can bounce back in a timely manner.
If cloud data was involved in the incident, it may be more difficult to restore backups. For that reason, healthcare delivery organizations, or HDOs, must make sure that their cloud storage systems are designed to react in the event of failure. Data is not invincible against ransomware attacks just because it is stored in the cloud.
“When one considers that 2020 saw a 715-percent year-over-year increase in ransomware attacks and the devastating effects and cost ransomware leaves in its wake, it’s no wonder HDOs are under significant strain to prevent these attacks,” Jim Angle, the report’s author and co-chair of the CSA Health Information Management Working Group, explained in a press release.
“Ransomware can significantly impact an HDO’s operation, patient safety, and reputation and cause a complete shutdown, putting patients at risk. This makes it imperative that they do all they can to secure their data regardless of where it’s housed.”