The Need for a Ransomware Response Plan

August 10, 2016

by Tom Foley

Director, Global Health Solution Strategy

There has been an “explosion” of ransomware attacks in the last few months, says Scott Keoseyan, a specialist on the Deloitte Threat Intel Team. Recent attacks on hospitals are highlighting just how far the health industry still has to go to catch up with and handle these cybersecurity developments.

What is a Ransomware Attack?

Ransomware attacks seize control of a facility’s digital operations, compromising computer systems and encrypting information. Once that happens, the attackers demand payment for the release of the data. This means that while systems are held hostage, patients with serious health problems could be denied care or access to prescriptions. It is a dangerous situation, and one your organization needs to address in advance rather than after the fact.

When security is breached, response time is critical. That’s why every organization should have a ransomware response plan in place, including criteria for determining whether to pay to unlock data. The longer you wait, the more you put at risk—patients, business operations, and reputation.

The challenge is that vulnerabilities in health management software have been known for years, and some have yet to be addressed. And as care delivery models shift more toward outpatient or in-home treatments, security needs to focus on devices as well as software. “The pace of technology that is happening inside of that space is outpacing the understanding of risk exposure,” says Keoseyan.

Outline Your Response Plan: Four Points of Consideration

With that in mind, your strategy needs to address all endpoints, users, and computer systems. Consider each of the following factors to create a plan that will aid in response time and show customers, stakeholders, and the public that you are prepared to protect their best interests.

1. Back Up Your Data

With the exponential growth of corporate data, it’s difficult for enterprises to know what information they have and where it’s stored. However, this knowledge is critical to determine whether or not to pay a ransom. If you have a solid backup of the data taken hostage, you may be able to avoid the ransom with backup restoration.

Understanding where and how a system stores its confidential patient information is critical. Robust security policies and procedures are essential not only for employees, but also for voluntary attending physicians, contractors, vendors, and other business associates.

2. Take Inventory

Be sure to review your entire IT ecosystem to assess where there could be data or system liabilities—this includes company and personal devices with access to company data. Any apps should be thoroughly vetted by the IT department and come from reputable companies. All employees need to be educated on proper use and security policies, as well as how to identify potential email scams or viruses.

Identifying the operation-critical pieces of your data systems will help your organization set specific criteria for which data would be worth paying to recover.

3. Know What to Say

It’s never good for a company’s reputation when criminals take its data hostage, but it can be made worse by poor communication. You need to prepare a communications plan to address the incident, both internally and externally. Consider how a ransomware attack will affect your relationship with customers, partners, shareholders, and employees.

4. Consider the Liability

While paying the ransom may be the easiest way to recover compromised data, there is never a guarantee that criminals will actually release the information. While the FBI claims that most organizations that pay the ransom do get their data back, some argue that paying ransoms only encourages these thieves to refine and continue their attacks. You have to decide what the true costs are for your health organization.

Most importantly, make this process as inclusive as possible. All employees—from software developers and call center staff to physicians and critical third parties—need to partake in proper ransomware attack training.

Costly Damages Beyond the Ransom

Targeted hospitals have had to revert to manual record keeping, scheduling, and billing due to extensive IT downtime after ransomware attacks. Organizations that have been hit could also face regulatory violations and fines, public scrutiny, revenue loss, and potential exposure of confidential patient information.

A little planning and practice go a long way toward protecting your data and IT systems, and your organization along with them. Start drafting your plan as soon as possible. The frequency of attacks is only rising.
