Improve Ransomware Resilience for Healthcare

Prevent incursions and defend against ransomware attacks.

Analyst Perspective

Ransomware presents an opportunity and a challenge.

As I write, the frequency and impact of ransomware attacks continue to increase with no sign of slowing. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

The opportunity comes with important challenges. Hackers require less time in discovery before they deploy attacks, which have become much more effective. You can't afford to rely solely on being able to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. Eventually, you reach the top and reflect on how far you've come.

Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group

Executive Summary

Info-Tech Insight
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what your organization can control and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.

Ransomware attacks are on the rise and evolving quickly.

Three factors contribute to the threat:

• The rise of ransomware-as-a-service, which facilitates attacks.
• The rise of crypto-currency, which facilitates anonymous payment.
• State sponsorship of cybercrime.

Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least US$2 billion in payments.

A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the cleanup cost or economic fallout over attacks during this period.

Total ransom money collected (2015-2021): US$2,592,889,121

The frequency and impact of ransomware attacks are increasing among healthcare institutions

Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.

Sophos commissioned a vendor-agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

The survey was conducted in Jan - Feb 2022 and asked about the experience of respondents over the previous year.

Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

Of the respondents whose healthcare organizations were not hit by ransomware in 2021 and don't expect to be hit in the future, 77% cited either backups or cyberinsurance as reasons why they didn't anticipate an attack.

While these elements can help recover from attacks, they don't prevent them.

Sources: "State of Ransomware in Healthcare," Sophos, 2022; "Cost of A Data Breach," IBM, 2022

Critical infrastructure sectors are being targeted by ransomware attacks

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital that their incapacitation or destruction would have a debilitating effect on a nation's security, economy, public health or safety, or any combination thereof.

In 2021, the FBI's Internet Crime Complaint Center (IC3) received 649 complaints indicating ransomware attacks on organizations worldwide. Although the healthcare sector was not the most targeted for cyberattacks, it was the most victimized industry sector for ransomware attacks.

The three-step ransomware attack playbook

1. Get in
2. Spread
3. Profit

At each point of the playbook, malicious agents have to achieve something before they can move to the next step.

Resilient organizations look for opportunities to:

• Learn from incursions
• Disrupt the playbook
• Measure effectiveness

Ransomware is more complex than other security threats

Ransomware groups thrive through extortion tactics.

• Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
• As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying backups.
• Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threatening to publish them.

Healthcare organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

• Detection and response - Activities that enable detection, containment, eradication and recovery.
• Notification - Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
• Lost business - Activities that attempt to minimize the loss of customers, business disruption, and revenue.
• Post-breach response - Redress activities to victims and regulators, and the implementation of additional controls.

Source: "Cost of a Data Breach," IBM, 2022

Organizations in the health care sector are stewards of regulated data, which makes them especially vulnerable to extortion, and ransomware gangs know it.

Disrupt the attack at each stage of the attack workflow.

An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

Shortening dwell time requires better protection and detection

Ransomware dwell times are shrinking, and average encryption rates are dramatically increasing.

Hackers spend less time in your network before they attack, and their attacks are much more effective.

What is dwell time and why does it matter?

Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until the ransom is paid.

Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

Dwell times are dropping, and encryption rates are increasing.

It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

References: Bleeping Computers, 2022; VentureBeat; Dark Reading; ZDNet, 2021.

Resilience depends in part on response and recovery capabilities

This blueprint will focus on improving your ransomware resilience to:

• Protect against ransomware
• Detect incursions
• Respond and recover effectively

For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery Plan.

Info-Tech's ransomware resilience framework

Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond, and recover effectively.

Prioritize protection

Put controls in place to harden your environment, train savvy end users, and prevent incursions.

Support recovery

Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

Info-Tech's ransomware resilience methodology

Insight Summary

Shift to a ransomware resilience model
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

Focus on what your organization can control and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly.

Visualize challenges
Build risk scenarios that describe how a ransomware attack would impact organizational goals.

Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

Prioritize protection
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

Seize the moment
The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

Measure ransomware resilience
The anatomy of a ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

Project deliverables

Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

Ransomware Resilience Assessment
Measure ransomware resilience, identify gaps, and draft initiatives.

Ransomware Threat Preparedness Workbook
Analyze common ransomware techniques and develop countermeasures.

Ransomware Response Workflow & Runbook
Capture key process steps for ransomware response and recovery.

Ransomware Tabletop Tests
Run tabletops for your IT team and your leadership team to gather lessons learned.

Ransomware Resilience Roadmap
Create a roadmap that displays ownership, start dates, and durations for initiatives (produced by tab 6 of the Ransomware Resilience Assessment).

Key deliverable

Ransomware Readiness Summary Presentation Template

The resilience roadmap captures the key insights your work will generate, including:

• An assessment of your current state and a list of initiatives to improve your ransomware resilience.
• The lessons learned from building and testing the ransomware response workflow and runbook.
• The controls you need to implement to measure and improve your ransomware resilience over time.

Plan now or pay later

In 2021, organizations worldwide spent on average US$4.62 million to rectify a ransomware attack. These costs include escalation, notification, lost business, and response costs, but not the ransom amount. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of US$4.69 million.

Building better now is less expensive than incurring the same costs plus the cleanup and regulatory and business disruption costs associated with successful ransomware attacks.

Source: "Cost of a Data Breach," IBM, 2022

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

See what members have to say about the Ransomware Resilience Blueprint:

• Overall impact: 9.8/10
• Average $ saved: $98,796
• Average days saved: 17

"Best parts were the fact that we were able to have a facilitated discussion with our MSP about security and create a much-needed tool - the runbook out of that meeting."
- Anonymous CIO, Healthcare Institution

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

Executive brief case study

SOURCE
UVM Health Network Ransomware Attack

Organizations who build back better after a ransomware attack often wish they had used relevant controls sooner.

Guided implementation

What kind of analyst experiences do clients have when working through this blueprint?

A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI involves six to eight calls over the course of four to six months.