The following is a guest article by Thomas Ritter, Attorney and Founder of Ritter Gallagher
In a recent episode of the podcast Cyber Survivor, I discussed the fast-changing landscape of ransomware attacks. It’s a message I’d like to amplify by sharing it with Healthcare IT Today readers.
Five years ago, there were really only eight to ten recurring threat actor groups in the ransomware economy – almost like a thieves’ country club. Now it’s become the Wild West, where some ransomware operators provide ransomware as a service (RaaS). In RaaS, operators sell malware strains to relatively unsophisticated lower-level affiliates around the globe for a portion of the victim payout. This evolution has significantly fragmented the ransomware ecosystem, resulting in a greater number of attackers who are now more aggressive and agile than ever before.
While the ransomware economy may now look different than it did before, the motivation of criminals remains the same: money, and lots of it. According to the 2024 Crypto Crime Report published by blockchain analysis firm Chainalysis, ransomware payments went from an estimated $220 million in 2019 to $1.1 billion in 2023. I’ve personally witnessed the devastating nature of this criminal industry countless times throughout the course of my career, helping organizations navigate catastrophic cybersecurity incidents. I was once on a Zoom call with a healthcare client when a bad actor actually joined the meeting, gruffly saying (in a thick foreign accent), “You’d better pay up or else.” Another time, I had a ransomware group extort a healthcare client by waving its cyber insurance policy in front of its nose. The attacker knew the exact amount of money my client was insured for and considered that amount to be the “floor” in the ransomware negotiations.
Ransomware’s Widening Costs
In addition to the high cost of ransom demands, healthcare facilities that are temporarily locked out of their own systems face many additional costs, including lawsuits and hard-to-quantify reputational damage.
One Alabama hospital was sued in 2019 because a baby suffered complications from a birth interrupted by ransomware downtime. While an undisclosed settlement was reached, the lawsuit made national news and was emblematic of the growing trend in private and class action lawsuits arising out of ransomware attacks against healthcare providers.
A Call to Action
Ransomware attacks are getting much more frequent and exponentially more sophisticated. Here are some suggestions for how to reduce your organization’s risk exposure:
Remember Your Top Three Priorities
Every healthcare organization has three overarching priorities: patient care, revenue, and regulation. Some hospitals feel that they can’t divert dollars from the bedside to the IT staff, yet ransomware can have a devastating impact on all three priorities.
If your system gets frozen by ransomware attackers, patients could die as a result. And the financial impact is staggering: an average of nearly $2 million per day of downtime. Finally, failure to maintain HIPAA compliance can be costly as well. In April of this year, the Office for Civil Rights announced a settlement with a public hospital in Guam that suffered a ransomware attack, finding violations of the HIPAA Security Rule.
Change the Organizational Mindset
It’s imperative to shift from passive to active in your planning. Dealing with ransomware is now much more than a “we checked these compliance boxes” task.
Preparedness is Vital
You need to continuously pressure-test your incident response plan and business continuity strategies, such as backup cadence and core application redundancies. Perform annual ransomware tabletop exercises with your executive leadership to identify shortcomings and areas for improvement.
Evaluate Third-Party Risk
The unprecedented Change Healthcare breach exposed the uncertainty around the security of third-party vendor management and legacy applications. Now is the time to thoroughly examine your organization’s tech stack and architecture and understand how your network interacts with outside applications.
Stay Informed About CISA Recommendations
The Cybersecurity & Infrastructure Security Agency (CISA) frequently updates its security recommendations concerning third-party risk assessments and software bills of materials (SBOMs). These guidelines can help you stay one step ahead of cybercriminals.
If You’re Hit with Ransomware, Don’t Stonewall
When faced with ransomware demands, some healthcare organizations take the combative stance of “we don’t negotiate with terrorists.” But that response is seldom useful. When you communicate with the bad actors via experienced negotiators, you can buy time and glean valuable information on how to respond effectively. Simply negotiating doesn’t mean payment is a foregone conclusion.
Taking the measures outlined above will help safeguard your organization from this new generation of avaricious, opportunistic attackers.
About Thomas Ritter
Thomas Ritter is an attorney and the founder of Ritter Gallagher in Nashville, Tennessee.