CISA Releases Guidance on Protecting PII From Ransomware Attacks
CISA released a fact sheet on protecting PII from ransomware attacks in light of recent high-profile cyberattacks that put personal data in jeopardy.
The Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet outlining steps organizations can take to prevent ransomware attacks, protect personally identifiable information (PII), and respond to a data breach.
The guidance follows recent high-profile ransomware attacks in healthcare and other sectors that exposed customer and patient data and cost millions to remedy. Over 500 healthcare providers suffered ransomware attacks in 2020 alone.
Additionally, a massive cyberattack on US critical infrastructure pipeline company Colonial Pipeline in early May kickstarted a new wave of cybersecurity initiatives and guidance as the government rushed to patch holes in the nation’s cybersecurity infrastructure.
CISA’s new guidance, outlined below, applies to all government and private sector organizations. CISA warned that all organizations are at risk of suffering a ransomware attack and are responsible for implementing safeguards to protect private data.
PREVENTING A RANSOMWARE ATTACK
“Ransomware is malware designed to encrypt files on a device, rendering files and the systems that rely on them unusable. Traditionally, malicious actors demand ransom in exchange for decryption,” the fact sheet explained.
“Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful. Malicious actors increasingly exfiltrate data and then threaten to sell or leak it—including sensitive or personal information—if the ransom is not paid. These data breaches can cause financial loss to the victim organization and erode customer trust.”
To prevent a ransomware attack, CISA first recommended that all organizations maintain offline, encrypted backups of data. It is crucial to regularly test and maintain backup procedures, especially since some ransomware variants specifically attempt to delete or encrypt backups.
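As an added illustration of the backup-testing recommendation above (example code, not part of CISA's fact sheet or this article), the following Python script records a SHA-256 manifest of a backup set and later checks it for deleted, altered or added files, flagging altered files whose byte entropy suggests they were encrypted. The backup contents are constructed in-memory stand-ins for files read from offline media.

```python
import hashlib
import math

# Constructed sample backup set (file name -> bytes). A real check would read
# these from the offline backup media; the dictionary stands in for that here.
BACKUP_FILES = {
    "patients.csv": b"id,name,dob\n1,Jane Doe,1980-01-01\n2,John Roe,1975-06-30\n",
    "ledger.db": b"SQLite format 3\x00" + b"\x00" * 64,
    "notes.txt": b"Quarterly review notes, nothing sensitive.\n",
}

def build_manifest(files):
    """Record a SHA-256 digest per file at backup time; keep the manifest offline too."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def shannon_entropy(data):
    """Bits per byte: plaintext is usually well below 7, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def verify_backup(files, manifest, entropy_threshold=7.0):
    """Compare current backup contents with the manifest; report deleted (missing),
    changed (modified) and unexpected (added) files, and flag modified files whose
    entropy looks like ciphertext (suspect_encrypted)."""
    report = {"missing": [], "modified": [], "added": [], "suspect_encrypted": []}
    for name, digest in manifest.items():
        if name not in files:
            report["missing"].append(name)
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            report["modified"].append(name)
            if shannon_entropy(files[name]) >= entropy_threshold:
                report["suspect_encrypted"].append(name)
    report["added"] = sorted(set(files) - set(manifest))
    return report

def backup_is_healthy(report):
    """A restorable backup has no missing, modified or unexpected files."""
    return not any(report[k] for k in ("missing", "modified", "added"))

if __name__ == "__main__":
    manifest = build_manifest(BACKUP_FILES)
    print(verify_backup(BACKUP_FILES, manifest))
```

Run the verification on a schedule against the offline copy, and treat any non-empty list in the report as a reason to re-create the backup rather than to trust it in an incident.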
It is also critical to enact safeguards against common cybersecurity vulnerabilities and misconfigurations that may provide easy access to an organization’s network. CISA recommended employing best practices for use of Remote Desktop Protocol (RDP), since hackers often access networks through improperly secured remote services.
CISA also stressed the importance of developing and maintaining a cyber incident response plan, associated communications plan, and a resiliency plan.
The agency pointed to resources such as the CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA’s cyber resilience assessments as starting points for these efforts.
The fact sheet recommended that all organizations conduct regular vulnerability scanning, update software, enable strong spam filters to reduce the risk of phishing, install antivirus software, and implement a cybersecurity awareness training program to prevent ransomware attacks.
PROTECTING CUSTOMER AND EMPLOYEE PII
Organizations with access to medical records, bank account information, and other PII have a duty to protect that information from bad actors and maintain customer trust.
CISA emphasized the importance of knowing exactly what personal information is stored on your organization’s systems and exactly who has access to it.
“Limit the data by only storing information you need for business operations,” the fact sheet encouraged. “Ensure data is properly disposed of when no longer needed.”
It is critical to implement cybersecurity best practices by encrypting sensitive information, identifying the specific computers or servers where PII is stored, and implementing firewalls to protect networks from malicious activity.
Organizations should also consider applying network segmentation to further mitigate risk.
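To make the "know exactly what PII you store and where" recommendation concrete, here is an added Python example (not from CISA or this article) that inventories constructed sample files for SSNs, e-mail addresses and Luhn-valid payment card numbers and reports which locations hold which categories. The file paths and their contents are constructed sample data.

```python
import re

# Constructed sample "files" (path -> text). A real inventory would walk file
# shares and database exports; these strings stand in for that content.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire Jane Doe, SSN 123-45-6789, jane.doe@example.com",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456",
    "ops/runbook.md": "Restart the service with systemctl restart app; no customer data here.",
}

# SSN with area/group/serial sanity checks to cut down on false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13-19 digit runs, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits):
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return {category: [matches]} for SSNs, e-mail addresses and Luhn-valid cards."""
    hits = {"ssn": SSN_RE.findall(text), "email": EMAIL_RE.findall(text), "card": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits["card"].append(digits)
    return {k: v for k, v in hits.items() if v}

def inventory(files):
    """Map each location that holds PII to the categories found there."""
    result = {}
    for path, text in files.items():
        hits = find_pii(text)
        if hits:
            result[path] = hits
    return result

if __name__ == "__main__":
    # Report counts per category, not the values themselves, so the
    # inventory output does not become another copy of the PII.
    for path, hits in inventory(SAMPLE_FILES).items():
        print(path, {k: len(v) for k, v in hits.items()})
```

The resulting map is the starting point for the fact sheet's other steps: the locations it lists are where encryption, access reviews and disposal schedules need to apply.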
CISA also stressed an organization’s responsibility to report cybersecurity incidents according to state and federal laws. Cyber incident response plans and communications plans should incorporate processes for notifying authorities of data breach incidents.
RESPONDING TO A RANSOMWARE ATTACK
If your organization experiences a ransomware attack, CISA urged it to secure network operations and prevent additional data loss by working through the following checklist:
- Determine which systems were impacted and immediately isolate them. If several systems appear impacted, take the network offline at the switch level. If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
- If—and only if—affected devices cannot be removed from the network or the network cannot be temporarily shut down, power infected devices down to avoid further spread of the ransomware infection. This step should be carried out only if necessary because it may result in the loss of infection artifacts and potential evidence stored in volatile memory.
- Triage impacted systems for restoration and recovery. Prioritize based on criticality.
- Confer with your team to develop and document an initial understanding of what has occurred based on preliminary analysis.
- Engage your internal and external teams and stakeholders to inform them of how they can help you mitigate, respond to, and recover from the incident. Strongly consider requesting assistance from a reputable third-party incident response provider with experience in data breaches.
Organizations should never pay a ransom to cyber criminals, CISA stated. Paying the ransom does not guarantee the safe return of data and may incentivize the attackers to keep targeting organizations for lucrative payoffs.
As ransomware attacks become increasingly common, organizations across all sectors should prepare for the worst by implementing safeguards to protect valuable data and prevent a costly and lengthy recovery.
Healthcare ransomware attacks are becoming increasingly common, and hackers have been forced to pivot their strategies as a result of increased industry awareness of proper cyber hygiene.
Major hospitals and health systems were prime targets in recent years, but research shows that hackers are shifting their sights to unsuspecting outpatient facilities and business associates.
Ransomware is a constant threat to all businesses, but employing advanced cybersecurity tactics can stop hackers before they have the opportunity to inflict serious damage.