Ransomware attacks on hospitals in Alabama forced a healthcare system to turn patients away last week.
The data and systems at three hospitals were held hostage until an undisclosed amount of ransom was paid, according to a press release. The hospitals gave in to the demands despite another possible solution: reverting to a complete backup of their data and systems.
In a press release, the health system said it was using backup files to rebuild certain system components, but received a key from the attacker to unlock the rest of its data. The lack of a complete backup, or the lack of a good data recovery plan for timely system restoration, is a common occurrence for healthcare organizations, often forcing them to pay the ransom, according to Clyde Hewitt, executive advisor for healthcare cybersecurity firm CynergisTek.
Hewitt said the culprits behind an incomplete data backup are cost and time.
"There are few organizations that are actually prepared to fully recover everything," he said. "Backup is not a profit center; it's a cost center and it is historically underfunded. It takes people, it takes money and it takes bandwidth."
Why ransomware is insidious
Ransomware attacks on hospitals use a type of malware that encrypts an organization's data so that once-readable data is encoded and made impossible to decipher. The hackers demand a ransom and, once it is paid, will provide a decryption key to unlock the data.
Once the organization receives the decryption key, it can often start getting critical systems back online immediately, according to Tim Bandos, vice president of cybersecurity at Digital Guardian, a data protection product vendor. The decryption process may take a little time, but Bandos said going through the backup and restoration process can be "much, much longer."
But paying a ransom is a costly route -- in more ways than one. Not only does it send a message to attackers that the organization is willing to pay to get its locked data back, but a health system will have to rebuild its systems to avoid the same vulnerabilities that let the attackers in in the first place, Hewitt said. He noted that it's also nearly impossible to completely trust a system or data once it's back from a ransomware attack.
"Restoring to the original configuration is not necessarily a wise approach, but it may be a stop-gap approach until the health system can open the pocketbook and start bringing in new things," Hewitt said. "They can't just expect to continue to operate like nothing happened or they'll be hit again."
A data backup, which is data that has been copied to an off-site location, can give healthcare CIOs an upper hand when ransomware attacks on hospitals occur. But Hewitt noted that even if an organization has data backups, it still isn't out of the woods. The data backups themselves have to be protected against ransomware, because during an attack some ransomware will look to corrupt backups.
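One concrete way to act on that last point is to keep an integrity manifest of the backup set somewhere the backup volume cannot reach (write-once media, a separate account) and verify the set against it before trusting a restore. The script below is an added example written for this article, not code from the hospitals, CynergisTek or Digital Guardian; the directory layout, file names and the "damage" it applies to its own fixture are all constructed. It flags backup files that are missing, that no longer match their recorded SHA-256, and that now look like ciphertext (byte entropy close to 8 bits per byte), which is what a backup corrupted during a ransomware incident typically looks like.

```python
"""Backup integrity check: hash manifest plus an entropy screen.

Added example, not from the article. A restore team runs verify_backup()
against a backup set before relying on it. The manifest is assumed to be
stored off the backup volume so an intruder who reaches the backups cannot
rewrite it along with the files.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Plain text and structured data sit well below this; random or encrypted
# bytes sit close to 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, sample_bytes: int = 4096) -> dict:
    """Compare a backup tree with its manifest and classify each recorded file."""
    findings = {"missing": [], "modified": [], "high_entropy": [], "ok": []}
    for rel, expected in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            findings["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            findings["modified"].append(rel)
            # A modified file whose leading bytes look random is the strongest
            # signal that the backup itself was encrypted rather than updated.
            with p.open("rb") as f:
                if shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD:
                    findings["high_entropy"].append(rel)
            continue
        findings["ok"].append(rel)
    return findings


def demo() -> dict:
    """Constructed fixture: a tiny backup set, its manifest, then simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "lab").mkdir()
        (root / "ehr" / "patients.csv").write_text(
            "mrn,name\n1001,Jane Doe\n1002,John Roe\n" * 50)
        (root / "ehr" / "schedule.json").write_text(
            json.dumps({"2019-10-01": ["clinic", "surgery"]}))
        (root / "lab" / "results.csv").write_text("mrn,test,value\n1001,CBC,normal\n")
        manifest = build_manifest(root)  # would be written to write-once storage here
        # Damage constructed for the example: one file overwritten with random
        # bytes (how an encrypted backup presents), one file deleted outright.
        (root / "ehr" / "patients.csv").write_bytes(os.urandom(4096))
        (root / "lab" / "results.csv").unlink()
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `ehr/patients.csv` as both modified and high-entropy, `lab/results.csv` as missing, and `ehr/schedule.json` as intact. On a real backup set the same check should run on a schedule, not only at restore time, so that corruption of backups is caught while an older clean copy still exists.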
Challenges with data backup
The biggest challenges CIOs face when backing up a healthcare organization's data and systems are the number of disparate systems that need to be backed up daily and the time it takes to retrieve the backup data from its off-site storage location and restore it after the ransomware attack occurs.
It can take days, weeks or months to restore that much data in a health system, which is why organizations are often incentivized to pay the ransom, Hewitt said.
If an organization doesn't have good backups and decides against paying a ransom, completely restoring what was lost can be a significant challenge, according to Larry Ponemon, chairman and founder of the Ponemon Institute in Traverse City, Mich. But a full backup, while costly, stops more than 90% of ransomware attacks, Ponemon said. That alone, he said, should be a strong case to back up an organization's data and systems.
Healthcare CIOs also have little choice in the matter. Data backups and disaster recovery plans are HIPAA requirements dating back to 2003, and healthcare organizations have to work on improving their backups and plans for incorporating them should a ransomware attack occur or potentially face penalties, Hewitt said.
Hewitt said paying the ransom creates a false sense of security for healthcare systems thinking they can buy their way out of the problem, and more needs to be invested in security up front. Ponemon echoed his sentiments, and said even in the last couple of years ransomware attacks on hospitals have become more costly.
"It used to be that the ransom would be a relatively small sum of money, a couple of hundred thousand dollars maybe," Ponemon said. "Now we are starting to see ransoms above $1 million. In one case we're working on right now, if they pay the extortion, it's going to be probably close to about $10 million."
Ponemon said companies most susceptible to cyberattacks include healthcare organizations and public sector companies, like police departments. Yet healthcare providers in particular have been "laggards" in bringing their security up to speed, and attackers know they're not dealing with state-of-the-art security, Ponemon said.
Indeed, for many health systems, the security budget is below 6%, according to Hewitt. Compare that to banking or manufacturing, where the security budget hovers around 10% to 20%.
Security has to become more of a priority at the executive level in healthcare, because security teams are not getting the attention they need to deal with the problem, Hewitt said. The first step to fixing this problem is retitling CISO to chief security officer. Those serving in the post should be brought to the executive table to make their case for security, he said.
Data backups should also be viewed as part of a comprehensive security plan, Hewitt said. Conducting an independent risk assessment, training employees to have better cybersecurity awareness, reducing the number of people with access to administrator accounts and thoroughly assessing vendors are all key steps to good cybersecurity practices, he said.
Along with having a full backup, Ponemon said simulating an attack can prepare an organization to react and respond appropriately when a real attack occurs. Simulation, testing and training are important and can help the organization identify flaws within its systems that need to be addressed. Having insurance to provide protection against cyberattacks can also be useful, he said.