When Hancock Health was hobbled by ransomware, it wasn’t for the usual reasons. No one had clicked a suspicious link in a phishing email. It had its system fully backed up and recoverable.
The attack came from an outside vendor. Hackers stole credentials from one of Hancock Health’s hardware providers, then targeted the hospital’s backup site.
They delivered the ransomware via the connection between the backup site and the hospital’s main site server farm, compromising the backups, the connection and the hospital’s records.
After consulting with their cybersecurity partner, Hancock Health paid the attackers about $55,000 in bitcoin, which was cheaper than fixing its system on its own, and it still took over three days for everything to return to normal.
Looking at the series of events, three major takeaways immediately jump out from Hancock Health’s ransomware attack and recovery.
By taking the following steps, a healthcare organization could avoid a similar fate.
Keep backups separate through segmentation
Maintaining backups is of course key to defeating ransomware. If an organization is able to quarantine the infected machines, they can simply wipe them and reimage them from backups without having to pay a cent in bitcoin.
The trick, of course, is keeping backups clean. In a flat network like the one at Hancock Health, everything’s accessible at the same level. Hackers with access to the backups were able to get access to the main data center. Had the backups been segmented, the criminals still would have disrupted the hospital’s operations, but the recovery could have been quicker and easier.
By putting up firewalls with strict filtering between different network segments, an organization can quarantine an attack from backups. With properly segmented networks, it can just close off the infected segment and reimage the infected machines.
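As an added illustration of that filtering (an example written for this page, not Hancock Health's actual configuration), here is an nftables ruleset for a firewall placed between the main server farm, the backup site and a vendor remote-access segment. All addresses, ports and the backup method are assumed placeholders; the point is that only the backup server may open connections toward production, and nothing in the production or vendor segments may open connections toward the backups.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the article's own. All networks below are
# assumed placeholder addresses for the three segments the article describes.
flush ruleset

define PROD_NET   = 10.10.0.0/16    # main site server farm (assumed)
define BACKUP_NET = 10.20.0.0/24    # backup site (assumed)
define VENDOR_NET = 10.30.0.0/24    # vendor remote-access landing zone (assumed)
define BACKUP_SRV = 10.20.0.10      # backup server inside BACKUP_NET (assumed)
define VENDOR_DEV = 10.10.5.0/24    # hardware the vendor maintains (assumed)

table inet segmentation {
    chain forward {
        # Default deny between segments; every allowed path is listed explicitly.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were already permitted may pass in either direction.
        ct state established,related accept
        ct state invalid drop

        # The backup server pulls data from production (assumed: SSH-based agent on 22).
        # No rule allows production to initiate a connection into BACKUP_NET,
        # so a compromised server farm cannot reach the backups on its own.
        ip saddr $BACKUP_SRV ip daddr $PROD_NET tcp dport 22 ct state new accept

        # The vendor landing zone reaches only the devices it maintains.
        # Any attempt from that zone toward the backup site is logged for detection.
        ip saddr $VENDOR_NET ip daddr $BACKUP_NET log prefix "vendor->backup denied " drop
        ip saddr $VENDOR_NET ip daddr $VENDOR_DEV tcp dport { 22, 443 } ct state new accept

        # Everything else between segments is logged, then dropped by policy.
        log prefix "seg-drop " drop
    }
}
```

Loading this with `nft -f` on the firewall between the segments makes the backup site reachable only as a reply destination, so an attacker who lands in the vendor zone or the server farm has no permitted path to the backups and every attempt shows up in the firewall log.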
Manage vendors with an eye toward security
No matter how much ransomware training is provided to employees, and no matter how many internal processes are in place, one vulnerable vendor can still leave an organization’s systems open.
Was that Hancock Health vendor categorized as a critical service provider? How much due diligence was conducted when reviewing its security posture? Was there a plan to break the kill chain in case the vendor was compromised?
A supply chain affects an organization in many ways, and one of the most commonly overlooked aspects of any relationship is cybersecurity. Now more than ever, organizations need to thoroughly vet partners that have sensitive access to their systems and keep close tabs on who has credentials.
Another caveat is that an organization’s own systems don’t even have to be infected for it to lose essential services: when a vendor shuts down because of a ransomware attack, its customers go down with it. Allscripts had several applications knocked offline after ransomware gripped two of its data centers, affecting a variety of healthcare providers.
While the company hustled to get back online, customers had to make do without the infected applications. Always think through a contingency plan for when a critical partner is at the receiving end of an attack.
Expand cybersecurity partnerships
While vendors can cause attacks, they can also prevent them.
The Hancock Health attack confirms the need for pre-arranged partnerships with industry experts to assist during crisis situations. A hospital only has so much resident cybersecurity expertise. After all, its mission is delivering quality care that improves patient outcomes, not thwarting ransomware.
By striking up a relationship with a specialized cybersecurity firm, Hancock Health got quick access to threat mitigation and disaster response services.
Finding such a firm before an attack occurs allows an organization to test its procedures and resiliency regularly. By conducting mock data breach exercises, it can identify and address any gaps before they’re exploited.
In addition to uncovering potential vulnerabilities, like lack of segmentation, an outside firm can limit the damage after an attack and ultimately get an organization up and running faster.
The longer it takes to fully recover from an incident, the costlier it can become, and in healthcare especially, any delay can cost lives.
While many ransomware attacks are the result of phishing emails and unsuspecting employees, those are not the only ways hackers can paralyze your systems. Any outside vendor with access can unwittingly become the source of malware.