Unfortunately, the U.S. government (“Team USA”), despite being aware of the damage that Ransomware can inflict on the healthcare industry writ large, including the fact that patients will die if a concerted attack is launched against the industry’s weakest links (of which hundreds of thousands exist), offers nothing more than platitudes as to how Ransomware Resilience can be obtained, to wit:
Three Steps to Resilience Against Ransomware:
1. Back-Up Your Systems – Now (and Daily)
Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than you lost, fully patched and updated to the latest version.
2. Reinforce Basic Cybersecurity Awareness and Education
Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing and suspicious links – the most common vectors for ransomware attacks. Remind employees how to report incidents to appropriate IT staff, in a timely manner, which should include out-of-band communication paths.
3. Revisit and Refine Cyber Incident Response Plans
Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS-ISAC, in the event of an attack.
See CISA, MS-ISAC, NGA & NASCIO RECOMMEND IMMEDIATE ACTION TO SAFEGUARD AGAINST RANSOMWARE ATTACKS. Really, circa mid-2019 (i.e. the date that the above “advice” was promulgated), is this the best that Team USA can do? NO! But you can rest assured that for the foreseeable future this is the best that Team USA will do, premised on national security concerns. Team USA is not about to go any further than the “proverbial toe in the water”—doing nothing more than reinforcing the anemic response that it has shown to cybersecurity threats over the last four decades. It’s not about to expose its sources and methods by coming to the rescue of the healthcare industry. If patients must die, then so be it. After all, we are at war. People die during wars. It’s the inescapable nature of the beast. This is on us. Team USA will do little more than what it’s already done: offering platitudes while not venturing into the no man’s land of reallocating public/private Risks arising from cybersecurity threats. Big Brother is not coming to the rescue anytime soon.
As discussed in February’s webinar, patients are likely, almost certainly, to die from a forthcoming concerted attack on the healthcare industry—arguably, along with the government itself, one of the most vulnerable industries in the country. Team USA will not change its current position according to public/private cybersecurity risks anytime soon, and when it does, it will be a slow roll. The healthcare private sector has no choice but to step up in a big way, but it appears weak, and imminently ill-equipped for this challenge. The most insidious reason that the industry is so ill-equipped is that it continues to be in denial vis-à-vis its vulnerability, despite the U.S. government, ratings agencies, and knowledgeable observers beating the drum for well over a decade now. Healthcare executives, not all but in sufficiently large numbers, exhibit a naive response to this growing cacophony. They just want to place their collective hands over their ears and hope that the noise goes away. It won’t. In the interim people will die, and the latter will have blood on their hands; along with their underlings—all complicit in standing by and taking no action, while the writing has been on the wall for a long time now.
If you are a CO who has been beating the drum to no avail, we suggest that you start writing “memos to file” (i.e. as a CYA strategy) documenting the recommendations that likely fell on the deaf, dumb and blind. It’s important that you lead your executive team to the water, and that you document these efforts, even though you can’t make them drink. We understand that many COs are not able to effect real change within their respective organizations; you’re overworked and underpaid. Eventually, your management team will “wake up and smell the coffee” or perish as roadkill on the info highway. It’s important that you live to fight another day.
Ransomware Resilience Framework
What is a Ransomware Resilience Framework (“RRF”) and why does it matter? Glad you asked. Our RRF (shipping soon to a theatre near you) is designed to help organizations of all sizes who experience a Ransomware attack to respond effectively, keeping in mind that lives are at stake. Our Framework also attempts to cover the major components of Ransomware Resilience, which by necessity, touches on other collateral in our Subscription Plan (e.g. our Breach Notification Framework, our Contingency Framework, and our Breach Response Framework). Other than the obvious shameless plug, we use our offerings here as reference to eliminate the healthcare industry’s constant lament that compliance is too confusing, too expensive, etc. Fill in your excuse du jour. These excuses do not hold water because once patients start dying based on your neglect, they will seem even more vacuous. We’re in perpetual cyberwar, no amount of excuses will get you through these dark tumultuous times. The healthcare industry writ large must take the proverbial “bull by the horns” and begin to take serious actions to mitigate the number of lives lost.
Here we capture, at ten-thousand feet, the major components you should have in place as part of your Ransomware Resilience initiative. Our objective here is to put you on notice. If you want to take your initiative to the next level, then you must make the necessary investment. You can purchase our RRF or spend hundreds of man-hours trying to piece together the pieces of the puzzle yourself, but the important thing is that you act quickly. Time is not on your side. Patients’ lives are at risk because your organization has failed to prepare. This is true across the healthcare industry writ large.
No one contests the foundational material facts that lead to this inference. Last month’s webinar contains the sources that we relied on to arrive at this sobering conclusion. You can also look here and here for additional background. This is dark and unsettling territory that we have embarked upon, but we are never going back to the nonexistent, yet soothing concept, embodied in the nostalgia for the good-ole-days. For many of our fellow citizens, these mythical good days weren’t all that good. Moreover, if they ever existed, they are long since gone; we have crossed the Rubicon.
The problem with “preparedness” is that it is too easy to fall into a litany of platitudes that everyone knows they should do, yet no one does. Well sorry to say that we are not going to disappoint. Prepare for some dull, boring, trite platitudes. However, the difference is that our RRF provides the reader with a set of tools that facilitate “preparedness,” because at the end of the day there is no escaping it. You will be forced to develop your own preparedness plan (“Response Plan” or “Plan”) or modify ours to suit your needs. Having a plan in and of itself may help you avoid some liability (i.e. to the extent that having a Plan allows your legal team to make an argument that “far from being completely negligent, you were attempting to do the right thing”). Most of you understand that although this argument is better than no argument at all, it’s only going to take you so far. At the end of the day you will be forced to provide visible, demonstrable evidence (“VDE”) that you have responded to a Ransomware attack in an effective way—that is, your “boots on the ground” did the right thing.
Here's an outline of a plan to get you started:
- Review and distribute the Ransomware Resilience Policy
- Review, modify, and distribute the Application Sensitive Data Criticality List (i.e. so that you know what applications and data to restore and in what order)
- Actions that should be taken to ensure that the vector that allowed your adversaries to install the Ransomware malware has been plugged
- A methodology for determining whether a breach has occurred (i.e. because any Ransomware response will require a breach notification analysis)
  - A forensic analysis to discover technical root cause analytics;
  - A legal analytical framework for deciding if the root cause analysis necessitates breach notification under applicable law, both state and federal;
  - A review of tools and templates such as executive management/board of directors’ updates, call lists, sample notification letters/communications to stakeholders, press releases.
- Ensure that an Incident gathering and documentation process is in place;
- Ensure that your incident master document was designed, implemented and routed for approval.
- A Communications plan
  - Communication to Response partners and the activation of Response teams;
  - Communication to regulatory authorities;
  - Communication to media, social media, and other appropriate organizational news consumption endpoints;
  - Communication to individuals impacted;
  - Activation of a Call Center for inquiries;
  - Activation of identity protection services as required;
  - Activation of remediation teams, including closely working with third-party technical partners.
- Response Plan Testing
  - Test your ability to instantiate virtual (i.e. cloud-based) servers to which users can be routed once mission-critical data is restored;
  - Test the immediate incident reception and analysis workflow;
  - Instantiate and test the Communications Plan;
  - Review remediation readiness.
- Response Postmortem
  - Review the status of remediation;
  - Update the executive management team on remediation progress;
  - Implement additional Security Controls that would prevent similar attacks;
  - Update the Ransomware Response Plan according to insights gained from the postmortem.
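The Application Sensitive Data Criticality List in the plan above only earns its keep if it yields an actual restore sequence. The following added example (not part of the RRF or of any framework mentioned here) takes a constructed, hypothetical criticality list with criticality tiers and inter-application dependencies and computes the order in which systems should be brought back, restoring dependencies first and higher-priority tiers first, and flags two planning defects that surface during a live restore: circular dependencies and a critical application that depends on a low-priority one. All application names and tiers are constructed for illustration.

```python
"""Restore-order planner for an Application Sensitive Data Criticality List."""
from collections import defaultdict
import heapq

# Constructed sample list (hypothetical apps). tier 1 = patient-safety critical,
# restored first; depends_on = apps that must be online before this one.
CRITICALITY_LIST = [
    {"app": "active_directory", "tier": 1, "depends_on": []},
    {"app": "ehr",              "tier": 1, "depends_on": ["active_directory", "ehr_db"]},
    {"app": "ehr_db",           "tier": 1, "depends_on": ["active_directory"]},
    {"app": "pharmacy",         "tier": 2, "depends_on": ["ehr"]},
    {"app": "billing",          "tier": 3, "depends_on": ["ehr_db"]},
    {"app": "intranet_wiki",    "tier": 4, "depends_on": ["active_directory"]},
]


def restore_order(entries):
    """Return the restore sequence: every dependency precedes its dependents,
    and among apps that are ready the lowest tier number goes first.
    Raises ValueError for an unlisted dependency or a circular dependency."""
    tier = {e["app"]: e["tier"] for e in entries}
    deps = {e["app"]: set(e["depends_on"]) for e in entries}
    for app, ds in deps.items():
        missing = ds - tier.keys()
        if missing:
            raise ValueError(f"{app} depends on unlisted app(s): {sorted(missing)}")
    dependents = defaultdict(list)          # dep -> apps waiting on it
    indeg = {app: len(ds) for app, ds in deps.items()}
    for app, ds in deps.items():
        for d in ds:
            dependents[d].append(app)
    ready = [(tier[a], a) for a, n in indeg.items() if n == 0]
    heapq.heapify(ready)                    # priority queue keyed on tier
    order = []
    while ready:
        _, app = heapq.heappop(ready)
        order.append(app)
        for child in dependents[app]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, (tier[child], child))
    if len(order) != len(entries):          # something never became ready
        stuck = sorted(a for a, n in indeg.items() if n > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def tier_inversions(entries):
    """List (app, dependency) pairs where a dependency sits in a lower-priority
    tier than the app itself; such an app cannot come back in its own window."""
    tier = {e["app"]: e["tier"] for e in entries}
    return [(e["app"], d) for e in entries for d in e["depends_on"] if tier[d] > e["tier"]]
```

Run the planner against the real list during Response Plan Testing, not during the incident: an inversion or cycle found then is a list to fix, found later it is downtime for a tier-1 system.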
Whew! If you are not overwhelmed by now you haven’t been paying attention. Once the magnitude of the problem is understood then everyone becomes overwhelmed; no surprise. Most compliance officers are also paralyzed into inaction. They don’t know what to do or where to start. Our Frameworks answer this question. Moreover, the entirety of our Subscription Plan focuses on this issue. The shameless plug is unavoidable. Why? Because it demonstrates that there are cost-effective and compelling solutions in the marketplace today. If your organization is not willing to spend a little over $1K to address the problem, then there is nothing anyone can do. The abyss awaits you. It should go without saying, but with an abundance of caution, we will expressly state that there are other competitive solutions available in the marketplace, despite the fact that we believe ours is more comprehensive and offered at a price point unmatched anywhere. The takeaway from this article is this: do something. Doing nothing is no longer an option. Doing nothing will likely result in people dying. Start your Ransomware Resiliency initiative today.
“Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with the operations of an Information System. Although not all Ransomware attacks constitute Breaches per se, all are security incidents and must be analyzed as such. Notice that an attempt qualifies as an Incident. That is one of the reasons that all Incidents should be tracked as part of a rigorous compliance initiative. Tracking Incidents is obviously a key part of the Ransomware resilience process and shows visible demonstrable evidence that your organization is serious about your Ransomware response. That said, tracking Incidents is necessary, but not enough. As this article illustrates, more is required.
No man is an island. There is no compliance officer anywhere capable of responding to a Ransomware attack on his/her own. This is impossible for obvious reasons. That said, most compliance officers also do not have a Ransomware resilience program in place. They don’t understand the magnitude of the problem. They are blissfully ignorant of the teams (“Teams”) they must collaborate with to effectively respond. The Teams of necessity will include inside or outside counsel and the potential need for additional technical personnel with deep experience in Cybersecurity. You don’t want to be scrambling to put these teams in place after an attack. During an attack, you will be facing enormous pressure and it won’t take you long to figure out that your career is on the line. If you work for a certain kind of covered entity, then you are likely to also realize that lives are on the line. Failing to prepare is akin to “planning to fail.”
There is not much sense in developing a Ransomware Resilience Plan (“RRP”) if you don’t test it before you need it. Sure, the old military adage that “no plan survives” first contact with the enemy remains true; however, the military, writ large, plans more than any other organization that we know of. Why? Because if you don’t have a baseline plan, including provisions for reacting to the adversary’s anticipated actions, then you won’t know what to tweak should the unexpected occur. In war, the unexpected almost always occurs. Cyberwar is no different. Planning represents one of the most effective tools in a compliance officer’s toolbox. Yet most compliance officers do not have resilience plans in place, let alone one that has been rigorously tested.
This article has covered a significant amount of ground. We intended it to. We are at war. It is time that we get on with the business at hand. Big Brother is not going to come to the rescue. By all accounts, Big Brother is incapable of protecting its own information systems. We crossed the Rubicon. We are now in dark and uncharted territory. Hoping that things will get better on their own is the stuff of children. There will be no peace in our lifetime. Winston Churchill was virtually alone in the wilderness sounding the alarm of what Nazi Germany was up to, long before the commencement of WWII. Here we are not alone. Others have done the leg work. We are doing nothing more than connecting the dots and stating the inescapable inference. People are going to die because of Ransomware or computer network attacks on the healthcare industry. That blood will be on all our hands. What is the acceptable death count?