Abstract
This article underscores the significance of cyberdefences and response processes in healthcare, highlighting their contribution to cyber resilience through adherence to industry best practices. It emphasizes the value of hypothetical scenarios as a common practice in the field to validate the effectiveness of cyber resilient actions, systems, processes, and decision-making in the face of various cyberthreats. Focusing on the ransomware threat, the provided scenario examines its impact on healthcare systems and frontline support staff, while highlighting the time-sensitive challenges faced by response teams striving to restore essential services. Furthermore, it suggests replicating such analyses with key hospital personnel to precisely assess the impact of other types of cyberthreats, such as those originating from malicious insiders or technical data breaches facilitated through social engineering attacks. By doing so, healthcare organizations can develop comprehensive and cyber resilient responses to safeguard their operations.
Introduction
Healthcare workers and support staff have experienced many challenges over the years, from staff shortages to ageing equipment and failures to the global COVID-19 pandemic. Fatigue is prevalent, and retention is at an all-time low; the perfect setting for a storm. As many in the industry are facing cyber-related challenges, the following hypothetical scenario may resonate with most. Early Monday morning, several hospital staff members reported their computers were acting strangely; some users reported files were locked and they were unable to access them. The Information Technology (IT) support team was notified and quickly discovered that hospital systems critical to providing patient care had been hit by a ransomware attack. Although it was unclear how the malicious software entered the system, attackers are widely known to gain access to networks through phishing e-mails, a vulnerability in ageing systems, or a compromised third-party vendor. Whatever approach the threat actor used to craft the attack and detonate the payload, the ransomware spread quickly throughout the hospital system’s network, encrypting files and locking employees out of their computers.
If you have experienced a highly impactful malicious attack, this scenario will resonate; it sends shivers down your spine, knowing full well the effects on the system, staff, and patient care. In today’s digital age, healthcare systems and patient data are increasingly vulnerable to cyberattacks. The healthcare industry is one of the most highly regulated critical infrastructures, yet it has experienced a sharp increase in cybersecurity breaches in recent years. According to the 2022 Cost of a Data Breach report (Ponemon Institute/IBM), the healthcare industry leads all industries in the average total cost of a breach, surpassing $10 million, roughly double that of industries such as finance and pharmaceuticals. Healthcare organizations face various challenges, including resourcing, culture, obsolete technology, and supporting processes that cannot keep pace with the digital transformation that is right at our doorstep.
Given the challenges faced by the healthcare industry, it is essential that people, processes, and technology are aligned and prepared for the changes ahead. One critical aspect of this preparation is building cyber resilience: the ability to maintain essential functions during and after a cyberattack, minimize damage, and quickly return to normal operations after an adverse impact on an organization’s ability to provide services.
In this article, we examine the importance of cyberdefences and response processes in healthcare and how they contribute to cyber resilience. To demonstrate this, the ransomware scenario outlined above is used to examine how the incident affects healthcare and the support staff who provide essential systems to those on the frontline, as well as the challenges the incident creates as teams race against the clock to bring systems and essential services back on-line.
Digital reconnaissance: Unveiling the threat
The frontline staff reported the issue to their supervisor, who immediately called the IT support desk for assistance. The supervisor, who had completed the cybersecurity training, described what was appearing on the impacted Personal Computers (PCs). This quick response was extremely beneficial, as the IT support staff immediately escalated the cyberevent to the cybersecurity team, which has specialized tools, processes, and procedures to ensure the malicious threat does not spread.
The Chief Information Security Officer (CISO) was getting ready for the day, drinking coffee while reading the latest threat intelligence newsletter, when the dreaded call came in. “We have a cyberevent happening; it has impacted clinical systems and looks as if it’s spreading throughout the network. The full impact is still unknown, as the IT support desk is still receiving calls from across the healthcare network; we have seen screenshots, and it’s definitely ransomware.” Hearing ransomware on a cyberincident call is a CISO’s worst nightmare. They know full well this will negatively impact patient care and clinical operations if the threat is not analyzed and corrective measures taken quickly. Time is of the essence to contain the spread while ensuring teams do not make matters worse by failing to follow the process, adding fuel to the fire.
The CISO calls an emergency executive leadership meeting to outline the situation, what is currently known about the cyberevent, where the malicious threat is spreading, and the next steps. After discussion with leadership, the cyberevent is classified as a cyberincident, invoking the cyberincident response plan, a plan introduced as a direct result of other incidents happening across the healthcare industry. The plan establishes responsibilities and a list of key external assistance and specialist support, including law enforcement, evidence collection and handling processes, and containment and eradication procedures. The cyberincident response team assembles to conduct incident response activities from the command centre or war room. External support from additional resources, third-party security analysts, and incident response forensic auditors starts the analysis phase of the incident, while internal communications go out to inform staff to prepare for emergency downtime procedures, with each department leveraging its business continuity plan. These plans may include additional resources required to support the manual efforts while systems are not available.
Now, frontline staff begin to feel the impact of the incident! Registration is affected because technology can no longer be used to register patients. Paper starts piling up and must be managed and maintained for efficient data entry when systems come back on-line. Building systems might also be impacted, along with devices such as drug dispensing units and other automated processes connected to the corporate data centre. Fortunately, a majority of acute care systems can function independently; however, additional staff are called in, as these systems are not centrally managed and require manual effort to monitor patients.
Digital forensics: Decrypting cyberintrusions
In the analysis phase, the incident response team investigates the attack and gathers information about the threat actor and the tactics and malware used, and determines the impact of the attack using an impact level matrix: a table that maps data ranges onto an ordinal scale for financial, reputational, health, and safety business impacts. Assessing the risk to the organization and prioritizing the response based on the criticality of the affected systems is key, as executive leadership must authorize the level of effort and funding required to contain, eradicate, and recover from the incident in the shortest time possible.
Once the analysis was complete, the cyberincident response team classified the incident as severe or critical, with 80% of the systems in the healthcare data centre impacted. The CISO informs the executive leadership team of the situation, outlining the systems impacted, the ransom demand, the estimated downtime, and the planned next steps.
No matter how you spin the news, the situation is grim! The threat actor had moved freely throughout the network for over 200 days, and the cyberincident response team has observed counter-behaviours typical of a threat actor that is still present in the network and watching the incident response team’s activities. It was determined that the threat actors entered the system by exploiting an externally facing web vulnerability. Once inside, they began harvesting privileged credentials from legacy systems that do not follow today’s security best practices. This, combined with limited network segmentation (the practice of breaking the network into smaller environments with controls that make it difficult for a threat actor to move laterally), created the perfect storm that brought the organization to a near standstill. With limited proactive monitoring of the environment, IT teams were completely unaware of the threat actors’ activities prior to the incident.
Containment and eradication
With the incident analyzed and communicated to executive leadership, the cyberincident response team takes measures to contain the ransomware infection. The team works closely with other operations teams to isolate the affected systems and devices to limit damage and prevent the ransomware from spreading to other parts of the network. This requires significant coordination with frontline staff, as some of these systems are critical to providing patient care, and many of the systems frontline staff rely on for patient care are taken off-line. Effective, clear communication and collaboration throughout the incident are key to resiliency, so everyone must know their responsibilities and be able to pivot easily when unforeseen circumstances arise. Frontline staff may take on additional responsibilities to compensate for the loss of systems needed to support patient care, which can contribute to fatigue and burnout.
As the response effort drives forward, the ransomware infection is contained, and the monitoring tools report no infections across all monitored systems. Continuous monitoring gives teams reassurance that infections do not resurface and cause additional delays to the restoration efforts. The cyberincident response team then begins to remove the ransomware and any associated technical vulnerabilities from the network, ensuring systems are clean and free from the crippling infection. Teams may use specialized malware removal tools and techniques, which can be time-consuming and labour-intensive, and additional external support is often called upon to speed up the process.
Depending on the environment, all technical vulnerabilities will need to be reviewed, updated, and patched before these systems come back on-line to prevent the attack from resurfacing. If healthcare environments lack vulnerability management processes or have legacy, end-of-life, or end-of-support systems, patching and updating will add cost and time to the recovery efforts. No CISO wants to give the all clear only to fall back into another cyberincident, and this happens more often than people realize! Ensuring systems are free of known vulnerabilities is a vital step in halting repeat occurrences. However, replacing the legacy equipment that systems and applications depend on might not be feasible. Teams may need to be creative and flexible, using network isolation strategies together with heightened access management practices, supported by real-time monitoring to detect and respond quickly to any future malicious activity. Network redesign plans may therefore be required, and they should be validated before implementation.
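Validating a redesign before it is implemented means checking the proposed allow-list of flows against the segmentation goals, not just reading the diagram. The script below is an added example for this article (not taken from any hospital's network or any product); the segment names and allowed flows are constructed and hypothetical. It answers two questions a redesign review should ask: does the rule set permit any forbidden direct flow, and, more importantly, can an attacker who lands on a low-trust segment still reach a high-value segment by pivoting through intermediate ones.

```python
"""Validate a proposed network segmentation design before implementation.

Constructed example: segments, flows and policy are hypothetical, not from any
real hospital network. Every allowed flow is treated as a potential pivot
(attacker compromises a host in the destination segment), which is the
conservative assumption for a lateral-movement check.
"""
from collections import deque

# (source segment, destination segment, protocol/port) flows the design allows.
ALLOWED_FLOWS = [
    ("workstations", "app-servers", "tcp/443"),
    ("workstations", "print-servers", "tcp/9100"),
    ("app-servers", "db-servers", "tcp/1433"),
    ("app-servers", "medical-devices", "tcp/2575"),  # HL7 MLLP interface engine
    ("mgmt-jump", "db-servers", "tcp/22"),
    ("mgmt-jump", "medical-devices", "tcp/22"),
    ("workstations", "mgmt-jump", "tcp/3389"),       # design flaw: any user can RDP to the jump host
]

# Flows the design must never permit directly (source, destination).
FORBIDDEN_DIRECT = [
    ("workstations", "medical-devices"),
    ("workstations", "db-servers"),
]


def direct_violations(flows, forbidden):
    """Return forbidden (src, dst) pairs that appear directly in the allow list."""
    direct = {(s, d) for s, d, _ in flows}
    return [pair for pair in forbidden if pair in direct]


def reachable_from(flows, start):
    """Breadth-first search over allowed flows: every segment an attacker who
    controls a host on `start` can pivot to, directly or in several hops."""
    adj = {}
    for s, d, _ in flows:
        adj.setdefault(s, set()).add(d)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def pivot_paths(flows, start, target):
    """All simple paths from start to target, as human-readable hop lists for the review report."""
    adj = {}
    for s, d, p in flows:
        adj.setdefault(s, []).append((d, p))
    paths = []

    def walk(node, path, visited):
        if node == target:
            paths.append(list(path))
            return
        for nxt, port in adj.get(node, []):
            if nxt not in visited:
                walk(nxt, path + [f"{node}->{nxt} ({port})"], visited | {nxt})

    walk(start, [], {start})
    return paths


if __name__ == "__main__":
    print("direct violations:", direct_violations(ALLOWED_FLOWS, FORBIDDEN_DIRECT))
    print("reachable from workstations:", sorted(reachable_from(ALLOWED_FLOWS, "workstations")))
    for p in pivot_paths(ALLOWED_FLOWS, "workstations", "medical-devices"):
        print("pivot path:", " -> ".join(p))
```

In this constructed design the direct checks pass, yet the reachability check shows that workstations can still reach the medical-device segment two hops away, via the application servers and, because of the RDP rule, via the management jump host. That is exactly the kind of gap that is invisible on a diagram but obvious once the flows are walked.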
During this phase, frontline staff may start to feel fatigue set in from the prolonged downtime and the additional pressures the cyberincident triggered. If the eradication phase is completed quickly, frontline staff may experience only a brief disruption. However, because the ransomware spread extensively throughout the network, recovery efforts may take several days, weeks, or even months to fully remove it from all systems. Human resources must be engaged as part of the executive leadership incident response team, acting as a liaison to safeguard employees against fatigue and burnout, as well as ensuring public safety.
Digital resurgence: Rebuilding in the aftermath
Once the ransomware has been eradicated, the next step is to restore the affected systems and devices. This phase involves restoring data and files from backups, reinstalling software and applications, and ensuring all systems are fully functional and secure. A backup is key to a successful disaster recovery, so it is important that teams regularly test backups and restores. It is at times like these that failed backup and restoration processes cripple restoration efforts. To make matters worse, backups may themselves be impacted by the ransomware, either because the attack encrypted the backups or because the malicious payload was captured by the regular backup procedure and would be restored along with the data. It is important to verify the integrity of all backups and scan them for malicious code before initiating the restore. Nothing hinders the process more than backup restoration failures, forcing teams to fall back on paper records or archives to manually input data before bringing systems back to their normal functioning state, adding several days or even weeks to the recovery process.
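One practical way to catch a tampered backup before anyone spends days restoring it is to verify the backup set against a manifest of file hashes that is stored out of band (offline or on separately administered storage), and to flag any changed file whose content now looks like ciphertext. The script below is an added example for this article, not any backup vendor's tooling; the manifest format (`sha256  relative-path  size` per line, paths without spaces) and the backup files are constructed here for the demonstration.

```python
"""Verify backup artefacts against an out-of-band manifest before restoring.

Added example with a hypothetical manifest format. A backup that ransomware has
encrypted, truncated or replaced fails the hash check; high byte entropy on a
changed file is reported separately, because it is the signature of encryption
rather than of an ordinary data refresh.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte. Plaintext dumps (SQL, XML, HL7) sit well below ~7.5;
    ciphertext and random data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_manifest(text):
    """Lines of `sha256  relative/path  size`; blank lines and # comments ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel, size = line.split()
        entries[rel] = (digest, int(size))
    return entries


def verify_backup(root, manifest, entropy_ceiling=7.5):
    """Compare the backup directory `root` against the manifest and return findings."""
    findings = {"missing": [], "modified": [], "size_mismatch": [], "high_entropy": [], "unexpected": []}
    for rel, (digest, size) in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)
            continue
        if os.path.getsize(path) != size:
            findings["size_mismatch"].append(rel)
        if sha256_file(path) != digest:
            findings["modified"].append(rel)
            with open(path, "rb") as f:
                if shannon_entropy(f.read(65536)) > entropy_ceiling:
                    findings["high_entropy"].append(rel)
    # Files present on the media but absent from the manifest: ransom notes, droppers, stray payloads.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                findings["unexpected"].append(rel)
    return findings


def build_demo():
    """Constructed backup set: two dumps in the manifest, then one is overwritten
    with random bytes (simulating encryption) and a ransom note is dropped."""
    root = tempfile.mkdtemp()
    dump = b"INSERT INTO patients VALUES (1,'Doe','John');\n" * 200
    for name in ("ehr.sql", "labs.sql"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(dump)
    digest = hashlib.sha256(dump).hexdigest()
    manifest = parse_manifest(f"# constructed manifest\n{digest}  ehr.sql  {len(dump)}\n{digest}  labs.sql  {len(dump)}\n")
    with open(os.path.join(root, "labs.sql"), "wb") as f:
        f.write(os.urandom(len(dump)))
    with open(os.path.join(root, "README_RESTORE.txt"), "wb") as f:
        f.write(b"your files are encrypted")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo()
    for kind, items in verify_backup(root, manifest).items():
        print(f"{kind:14s} {items}")
```

The manifest must be produced when the backup is taken and kept where a domain-level compromise cannot reach it; a manifest stored next to the backup can be re-generated by the same attacker who encrypted the data. The entropy test is a heuristic: already-compressed or encrypted-at-rest backup formats will sit near 8 bits per byte legitimately, so for those the hash comparison is the only meaningful check.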
The final phase, which I will only summarize for the purpose of this article, is the post-incident review phase. This is where teams, including executive leadership, come together to evaluate the incident response process and identify any weaknesses or gaps. Teams also gauge the effectiveness of their communication with frontline staff and identify areas where communication could be improved. In my opinion, this phase is one of the most important, yet sometimes overlooked, phases for reducing the mean time to recovery and improving overall cyber resilience. During this phase, the teams implement changes to their processes, procedures, and systems to prevent similar incidents from occurring in the future and identify the action items required to adjust the process for continuous improvement.
No matter how trivial or substantial the incident, the review phase is highly recommended as it may have a positive impact on frontline staff and lead to improved systems and processes to enhance staff knowledge and functionality, as well as patient care and patient experience.
Resiliency: Reflection and future directions
The healthcare industry is facing a rapidly evolving threat landscape that requires an approach going beyond traditional security measures. Healthcare organizations must embrace cyber resilience as a strategic priority to protect patient data and ensure continuity of care. Cyber resilience requires a multi-layered approach that includes prevention, detection, response, and recovery. Preventing incidents requires a healthcare culture that understands and embraces cybersecurity, as “cybersecurity is everyone’s responsibility.” This is best achieved through education and awareness throughout the organization. Good risk management governance and risk assessment processes provide a detailed understanding of the environment by pointing out the threats, vulnerabilities, and gaps. This analysis yields recommendations and security controls that bring identified issues or known risks down to acceptable levels, within the organization’s risk tolerance.
A couple of factors alluded to earlier that may add time to the recovery effort are the lack of modern technologies to prevent and mitigate cyberthreats. Extended detection and response (XDR) tooling on endpoints and medical devices reduces the time it takes to contain and eradicate malicious threats on those devices. Modern security information and event management (SIEM) helps weed out the noise from system alerts by pinpointing the actionable events security teams must address, saving precious time otherwise spent scrolling through collected data. Network segmentation is also notable: it divides a computer network into smaller subnetworks, called segments, much like dividing a big house into smaller rooms, each with its own purpose and level of access control. By separating different parts of a network into isolated segments, it becomes harder for attackers to move around and access sensitive information. Network segmentation also allows for better network management and more efficient use of network resources, as traffic can be directed and prioritized within each segment.
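What “pinpointing the actionable events” looks like in practice is a correlation rule rather than a single alert. The script below is an added example for this article and is not taken from any SIEM or XDR product; the endpoint file-event telemetry it runs over is constructed (`timestamp host process action path` lines, with `old -> new` for renames). The rule is the classic ransomware signature: one process on one host renaming or writing many files, across several directories, to an extension the organization does not use, inside a short window. A noisy but legitimate backup agent writing many files is included to show that volume alone does not trigger it.

```python
"""Ransomware-behaviour detection over constructed endpoint file-event logs.

Added example, not a product rule. A sliding window is kept per (host, process);
an alert fires once the window holds at least `min_events` events spanning at
least `min_dirs` directories, with at least half of them targeting extensions
outside the known-good set.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME) (.+)$")
KNOWN_EXTS = frozenset({"docx", "xlsx", "pdf", "txt", "tmp", "log", "hl7", "sql"})


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, host, proc, action, rest = m.groups()
    path = rest.split(" -> ")[-1]  # for RENAME, judge the new name
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc, "action": action, "path": path}


def directory(path):
    return path.rsplit("\\", 1)[0]


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window=60, min_events=30, min_dirs=3, known_exts=KNOWN_EXTS):
    """Return one alert per (host, process) whose recent activity matches the rule."""
    alerts, alerted = [], set()
    state = defaultdict(deque)  # (host, proc) -> events inside the sliding window
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        key = (ev["host"], ev["proc"])
        q = state[key]
        q.append(ev)
        cutoff = ev["ts"] - timedelta(seconds=window)
        while q and q[0]["ts"] < cutoff:
            q.popleft()
        if key in alerted or len(q) < min_events:
            continue
        dirs = {directory(e["path"]) for e in q}
        unknown = sum(1 for e in q if extension(e["path"]) not in known_exts)
        if len(dirs) >= min_dirs and unknown >= min_events // 2:
            alerted.add(key)
            alerts.append({"host": ev["host"], "process": ev["proc"], "events": len(q),
                           "directories": len(dirs), "unknown_ext": unknown,
                           "first": q[0]["ts"].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


def constructed_log():
    """Constructed telemetry: ordinary user activity, a ransomware burst on ward3-pc12,
    and a chatty but benign backup agent on ward3-pc07."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        "2024-05-06T06:01:02Z ward3-pc07 winword.exe WRITE C:\\Users\\nurse1\\Documents\\handover.docx",
        "2024-05-06T06:01:05Z ward3-pc07 explorer.exe RENAME C:\\Users\\nurse1\\Documents\\old.txt -> C:\\Users\\nurse1\\Documents\\older.txt",
        "2024-05-06T06:02:10Z ward3-pc12 svchost.exe WRITE C:\\Windows\\Temp\\cache.tmp",
    ]
    base = datetime(2024, 5, 6, 6, 3, 0)
    dirs = ["C:\\Users\\clerk2\\Documents", "C:\\Users\\clerk2\\Desktop",
            "S:\\Registration\\Forms", "S:\\Registration\\Scans"]
    for i in range(40):  # 40 renames in 20 seconds, 4 directories, new .locked extension
        t = (base + timedelta(seconds=i // 2)).strftime(fmt)
        d = dirs[i % 4]
        lines.append(f"{t} ward3-pc12 updater.exe RENAME {d}\\file{i}.docx -> {d}\\file{i}.docx.locked")
    for i in range(40):  # same volume, but one directory and a known extension
        t = (base + timedelta(seconds=i // 2)).strftime(fmt)
        lines.append(f"{t} ward3-pc07 backupagent.exe WRITE C:\\ProgramData\\Backup\\chunk{i}.log")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(a)
```

Thresholds are the tunable part: the window, event count and directory spread should be set from a baseline of the hospital's own endpoints, and the known-extension set should include the document and interface formats in use, otherwise a legitimate application rollout will look like encryption. An alert from this rule is what the response team wants forwarded, ideally with the host isolated automatically, rather than forty separate file-change notifications.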
As the healthcare industry continues to evolve and rely more heavily on digital technologies, the need for cyber resilience will only continue to grow. By taking a strategic and proactive approach to cybersecurity, healthcare organizations can stay ahead of the curve and ensure continuity of care for their patients.
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Ethical approval
Institutional Review Board approval was not required.
