Florence, unfortunately, is not alone in having to respond to and recover from these kinds of attacks. And the dangers are even greater now as ransomware attackers are making urgent demands of the state and local governments managing the front-line consequences and responses to COVID-19. For example, the ransomware attack that hit the Champaign-Urbana Public Health District in Illinois took down the district’s primary method of communicating about COVID-19.
We all have tremendous respect for the leadership that state and local officials are providing during this crisis. With all that confronts government officials and health-care providers during the COVID-19 pandemic — literally putting their lives on the line to save others — they shouldn’t have to worry about ransomware attacks. And yet, because public health departments, hospitals, clinics, and nursing homes can’t afford to risk having their services stopped even briefly, they present even more attractive targets to these criminals.
Health-care organizations accounted for 24 percent of ransomware attacks in the first quarter of 2020, according to a list compiled by Beazley, an insurance firm. Health-care organizations experienced nearly three times as many incidents as manufacturing, which ranked third.
The nightmare scenario isn’t as much about attackers stealing valuable patient electronic data as it is about disrupting critical operations by encrypting patient records and hospital systems, and freezing inventory management, scheduling and other systems that are the lifeblood of each moment in a busy hospital.
We should bear in mind, too, that there is no assurance that paying a ransom will result in vital data being released by cybercriminals.
Thankfully, defenses exist. Commercial backup products can preserve vital information. Data integrity guidance from the National Institute of Standards and Technology (NIST) can help IT staff everywhere from state government agencies to hospitals configure architectures that protect data and improve recovery from ransomware attacks.
Following are the four primary steps for such a defense:
1. Identify: NIST Special Publication (SP) 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events discusses ways to maintain awareness of organizational assets, including how to use technologies for vulnerability detection, management solutions and policy enforcements. This is particularly critical for health-care providers, which have had to deploy additional equipment, users and data quickly to serve more patients during the pandemic — and have added vulnerabilities in doing so.
2. Protect: Especially in the current environment, keeping equipment operational is critical. Also in NIST SP 1800-25, IT staff will find steps to maintain system and data integrity, including preventing attacks before they can occur. This involves technology such as those found in zero trust networking, including network segmentation, and proper privilege management.
3. Detect and Respond: Organizations must carefully monitor their infrastructure. This may be particularly challenging for health-care organizations as their day-to-day operations become more chaotic. NIST SP 1800-26, Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events discusses ways to discover attacks and react to them quickly. This guidance shows how file integrity and network monitoring solutions can enable IT staff to recognize attacks as they occur, rather than wait for bad actors to reveal themselves.
4. Recover: As hard as IT staff may try, adversaries can be difficult to detect. NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events explains how robust backup and restoration technologies can help an organization weather an attack without having to pay a ransom.
These recommendations and guidance apply broadly. Health-care organizations, firefighters, police, and many other state and local entities can use this information to protect against ransomware attacks. State and local governments, some of which use local managed service providers to maintain their information infrastructures, often lack the cybersecurity resources typical at the federal government agencies. These free resources should be passed along to any staff or consultants that are providing cybersecurity services to ensure best practices and preventive measures are in place.
Officials in both Florence and the Champaign-Urbana Public Health District chose to pay ransoms, as have other local governments. Preparing for a potential ransomware attack can help us avoid being caught in the difficult position that led Florence officials to pay nearly $300,000 to regain control of their systems.
Samuel S. Visner is the director of the National Cybersecurity Federally Funded Research and Development Center, operated by MITRE. He is also a professor of cybersecurity policy, operations, and technology at Georgetown University. The opinion expressed is the author’s and does not necessarily reflect the views of MITRE.
