We recently used Presbyterian Health Services potential breach of protected health information (ePHI) as a case study in why employee behavior and training are key elements of security and compliance.
Not even a month later, and here we go again.
Last week, Grays Harbor Community Hospital in Aberdeen, WA issued a formal notice of a potential electronic protected health information (ePHI) breach. Like Presbyterian Health Services, this potential breach was the result of a phishing email. In this case, the attackers initiated a ransomware attack holding the organization’s medical records hostage and demanding a $1 million ransom to release the key to de-encrypt their data.
Grays Harbor seemed to have done everything right to prepare for this type of incident. They have an IT department, anti-virus solution, data backups, and even took out a $1 million cyber insurance policy.
Even though they seem to have followed the playbook, there are some lessons to be learned from this incident.
IT Departments are People Too
In this case, the ransomware attack was launched on the weekend when the IT staff was most limited. This is a common strategy as it gives ransomware the most time to spread throughout the network undetected. IT staff sleep, go on vacations and have their own lives. They’re not “on” 24/7, so there will always be times when there are fewer eyes on your network. A robust network monitoring solution integrated with your anti-virus solutions can help mitigate this. It’s unknown if a monitoring solution was in place in this case. Plus, monitoring will only generate an alert and depends on a human accurately interpreting the cause of the alert and quickly responding appropriately.
If you depend on internal IT resources, make sure you have a large enough team to appropriately maintain 24/7 coverage or contract with an outsourced vendor with the capacity to offer backup coverage during off-peak hours. If you don’t have an internal IT department, make sure your IT support vendor is adequately staffed to offer 24/7 coverage. Additionally, your IT team should utilize a network monitoring and alert system or be sure that service is included in your outsourced IT support contract.
Cybersecurity Doesn’t Prevent Human Error
Users are often your greatest point of weakness. A cybersecurity solution can alert you to a problem, but attacks launched through phishing emails are often designed to bypass technological security safeguards. They rely on an authenticated user inadvertently granting them access to the network. Email and web filtering solutions can help reduce the frequency of phishing attempts, but they’re not foolproof. At the end of the day, user education, training, and awareness are the most essential components of your email security strategy as well as your overall cyber threat prevention strategy.
Traditional Backups Also Get Infected
A good backup solution can render ransomware useless, but the backup itself is useless when it is also encrypted by the ransomware. Traditional file backups are stored at the file level and overwritten by the most recent backup file. This is the biggest reason why ransomware attacks often occur over the weekend. Weekend attacks give the backup time to run several times, encrypting more corners of the network and as many backup files as possible before the attack is detected.
Even if your backups are not encrypted, downloading and restoring an entire network from individual files can take days, sometimes even weeks or months depending on the size and scope of the network. This is what often motivates organizations to pay the ransom, even when they have good, clean backups. The cost of the ransom is often less than the cost of downtime and loss of business while the network is restored from backup.
Redundant, image-based backups are really the only sure-fire remedy once ransomware has infected your network. Image backups store a snapshot in time of the entire network and allow you to essentially turn back the clock to the most recent recovery point in time. A quality backup solution allows you to work virtually from cloud servers until on-site hardware is restored, reducing downtime to minutes or hours instead of days or weeks.
Cyber Insurance Policies are Great within their Limits
Although it is unknown if Grays Harbor Community Hospital paid the ransom, attackers conveniently requested $1 million, the exact amount of their cyber insurance policy.
Attacks of this size and scope are usually strategic and very targeted. The cost of the ransom is typically not an arbitrary number.
Cyber insurance policies may cover the cost of recovery, downtime, and regulatory fines. However, the average cost of a ransomware attack to the business is 10 times greater than the cost of the ransom. In this case, that is likely about $9 million in uninsured expenses, potentially more depending on any HIPAA violations which can result in up to $1.5 million in fines per violation.
Action Plan
An IT department, cybersecurity solution stack, data backups and cyber insurance policy alone are not enough to protect your business from cyber threats.
Consider the following strategies to solidify your network security approach.
- 24/7 network monitoring with appropriate resource availability to quickly evaluate and respond to alerts.
- Add web and email filtering to your solution stack.
- Incorporate network security training and awareness into your professional development and network security strategies.
- Adopt a backup solution that meets your tolerance for downtime.
- Review your cyber insurance policy to make sure it will cover the actual cost of disaster recovery to your business.
