This presentation was delivered in person at TopGolf in Canton in collaboration with vendors StrikeGraph, Quokka, Ridge Security, and Approov. (but don't worry, it's not salesy!) I recorded this for those who missed it, and as a reference for those who attended.
History of Ransomware
A review of the History of Ransomware in Healthcare.
Key points include:
Business Continuity and Incident Response planning are vital. The CrowdStrike incident showed the importance of having a plan for when many end-user devices must be restored manually.
There are often warning signs that it is time to move away from a certain technology or protocol. For example, the Conficker virus exploited SMB shares 8 years prior to the WannaCry attack. This was a warning sign. At MEDITECH we eliminated our use of SMB shares after Conficker, which protected our customers when the WannaCry attack exploited a zero-day vulnerability in SMB shares.
Third parties can be a vector for a cyber-attack, so it is important to:
Vet third parties carefully
Stipulate, before signing the contract, any remediation plans you think they should carry out to correct serious risks
Write into the contract the vendor's obligations with regards to incidents caused by them
Coordinate with the third party's security team to learn about best practices and to build a relationship
How the Attacks Happen
A review of the typical attack pattern we see, and of how ransomware has escalated over time. Important points include:
Black Basta Ransomware
Resources to help you secure your organization (see reference section below under "Action Plan - Extremely Useful Resources")
Escalation of ransomware over time as a percentage of US Hospitals:
2020 - Around 1%
2022 - Around 2%
2023 - Doubled to 4%!
A Controversial Question - To Pay or Not to Pay?
This section explores whether or not to pay the ransom, and includes some "war stories." Read more in my posts here:
Data Breaches
We didn't have time to cover this at the event, but this is particularly useful information if you are in a HIPAA regulated entity.
Action Plan
Assess
First, it's important to determine what is critical by doing a Business Impact Analysis.
Identify critical systems
What is the backup plan if these go down?
What is the maximum tolerable downtime?
What are the SLAs and RPO/RTO?
Perform a gap assessment to identify such key areas as:
Do we have any systems without strong authentication?
Can we implement phishing resistant MFA?
Have we locked down remote access to servers?
Even a lightweight risk assessment can be beneficial in identifying where our organization is most at risk, and we can back up our assessment with a vulnerability scan and/or penetration test.
Cybersecurity Sprint
Build your security culture - attacks are starting with phishing in most cases. This area needs to be addressed better - simple security awareness training is not cutting it. Read more here: https://www.armstrongrisk.com/culture
Implement strong authentication on all systems; consider implementing phishing resistant MFA.
Focus on identity management - hackers are stealing credentials, cracking weak passwords, and relying on massive password dumps.
Set new password requirements
Provide staff with a password vault (such as 1Password)
Educate staff ("don't use password managers in browsers", etc.)
Identify and reset weak passwords
Monitor Identity closely
Lock down your use of remote access tools such as RDP and ScreenConnect. Keep them up to date, since there have been some major vulnerabilities in these tools recently.
Improve your third party risk management program - go beyond a simple assessment. Really dive into what they do, how they will inform you of incidents, and how you can further protect your interests.
Establish an Incident Preparedness program and run tabletop exercises; more on that here: https://www.armstrongrisk.com/incident-preparedness
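As an added example of the identity-management items above ("Set new password requirements" and "Identify and reset weak passwords"), the following Python shows one way to enforce such requirements at the point a password is chosen. It is not code from the presentation or from any vendor named on this page. Assumptions: a 12-character minimum (a policy choice; NIST SP 800-63B only requires 8), a breached-password lookup in the style of the Have I Been Pwned range API (SHA-1, first five hex characters sent, rest compared locally) replaced here by a constructed offline corpus, and a placeholder organization name "ExampleHealth".

```python
import hashlib
from typing import Callable, Dict, List

# Assumed policy value for this example; NIST SP 800-63B sets 8 as the floor.
MIN_LENGTH = 12


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: a few passwords we pretend appeared in public
# dumps, with made-up occurrence counts. A real deployment would query the
# range API or a locally mirrored corpus instead.
_CONSTRUCTED_BREACHED = {
    "Password123": 1200,
    "Winter2024!": 300,
    "Welcome1": 5000,
    "letmein": 90000,
}


def _build_ranges(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus the way the range API returns it: prefix -> 'SUFFIX:COUNT' lines."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


_RANGES = _build_ranges(_CONSTRUCTED_BREACHED)


def offline_range_lookup(prefix: str) -> List[str]:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (no network)."""
    return _RANGES.get(prefix, [])


def breach_count(password: str,
                 lookup: Callable[[str], List[str]] = offline_range_lookup) -> int:
    """k-anonymity check: only the 5-char prefix leaves the host; the full
    hash is compared locally against the suffixes that come back."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def has_repeats_or_sequence(password: str) -> bool:
    """Flag four identical characters in a row or a 5-char keyboard/alphabet/digit run."""
    lower = password.lower()
    for i in range(len(lower) - 3):
        if lower[i] == lower[i + 1] == lower[i + 2] == lower[i + 3]:
            return True
    for seq in ("qwerty", "asdfgh", "zxcvbn", "abcdefghijklmnopqrstuvwxyz", "0123456789"):
        for i in range(len(seq) - 4):
            if seq[i:i + 5] in lower:
                return True
    return False


def evaluate_password(password: str, username: str, org_name: str = "ExampleHealth",
                      lookup: Callable[[str], List[str]] = offline_range_lookup) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    lower = password.lower()
    for token in (username, org_name):
        if token and token.lower() in lower:
            failures.append(f"contains '{token}'")
    if has_repeats_or_sequence(password):
        failures.append("contains a repeated run or keyboard sequence")
    count = breach_count(password, lookup)
    if count:
        failures.append(f"found in breach corpus ({count} times)")
    return failures


if __name__ == "__main__":
    for candidate in ("Winter2024!", "jdoe-Loves-Coffee-2024", "correct horse battery staple"):
        print(repr(candidate), "->", evaluate_password(candidate, "jdoe") or "accepted")
```

The same `evaluate_password` check can be run in a one-off audit of existing accounts by supplying the real range API as `lookup`; the design keeps the breached-password comparison local to the host so that neither the password nor its full hash is ever transmitted.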
Cybersecurity Marathon
Perform a risk assessment - ideally one with quantitative measures - and present to the Executives and the Board. Gain resources and establish your long term strategy.
A key area to consider is how to move off of legacy technologies. These put your organization at significant risk.
Implement an EDR or outsource monitoring to a Managed Security Service Provider (MSSP).
Slide Deck
The video is also available on YouTube as one long video here: https://youtu.be/IZinjiNWqI0
References
Action Plan! Extremely Useful Resources
Ransomware eBook
https://www.cisa.gov/stopransomware - also accessible at www.stopransomware.gov
"Stopping the Attack Cycle at Phase One" (CISA) - https://www.cisa.gov/sites/default/files/2023-10/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One_508c.pdf
"Guide to Securing Remote Access Software" (CISA) - https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf
Black Basta Ransomware - https://www.cisa.gov/news-events/alerts/2024/05/10/cisa-and-partners-release-advisory-black-basta-ransomware
"Identifying and Mitigating Living Off the Land Techniques" (Provided by the Five Eyes Intelligence agencies) - https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
HIPAA Journal: Cyber Fire Drills for Healthcare - https://www.hipaajournal.com/cyber-fire-drills-for-healthcare/
History of Ransomware in Healthcare
https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
https://www.healthcareitnews.com/news/how-princeton-community-hospital-survived-global-petya-attack
https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf
https://www.bbc.com/news/technology-54692120 - "Therapy patients blackmailed for cash after clinic data breach"
https://www.malwarebytes.com/blog/news/2023/03/breast-cancer-photos-published-by-ransomware-gang
https://www.theregister.com/2024/01/05/swatting_extorion_tactics/
https://www.massgeneral.org/assets/mgh/pdf/emergency-medicine/downtime-toolkit.pdf - "Hospital Preparedness for Unplanned Information Technology Downtime Events" (July 2018 - Mass General Hospital)
Change Healthcare - https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/
https://www.hipaajournal.com/ransomware-groups-data-leak-site-listings-up-20pc-q2-2024/
Crowdstrike Incident - while not a "cyber-attack" it is the responsibility of cybersecurity professionals to manage and prevent such outages to the best of their ability - https://www.hipaajournal.com/faulty-crowdstrike-software-update-major-disruption-healthcare/
Tabletop Exercises
HSEEP - Homeland Security Exercise and Evaluation Program - https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep
DHS Cyber Tabletop Exercise for the Healthcare Industry (Exercise Materials) - https://www.hsdl.org/c/abstract/?docid=789781
FEMA: Safe Exercise Best Practices - https://www.fema.gov/sites/default/files/documents/fema_safe-exercise-best-practice_06072021.pdf
HSEEP Training Videos - https://www.youtube.com/playlist?list=PL720Kw_OojlJRVI3gQiZzj2g72Ez8ISlA
CISA Tabletop Exercise Packages - https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
Carnegie Mellon: Guide to Effective Incident Management Communications - https://insights.sei.cmu.edu/library/guide-to-effective-incident-management-communications/
"Crisis Communications - The Definitive Guide to Managing the Message" by Steven Fink
Partnerships and Threat Intelligence
InfraGard - FBI partnership with the private sector - https://www.infragard.org/
The Health-ISAC - https://h-isac.org/
ASPR TRACIE - https://asprtracie.hhs.gov/
HIMSS - https://www.himss.org/
HHS Health Sector Cybersecurity Coordination Center (HC3) - Great threat briefs and sector alerts! Be sure to sign up. https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html
Health Sector Coordinating Council Cybersecurity Working Group - Cybersecurity Strategic Plan - https://healthsectorcouncil.org/cyber-strategic-plan/