On March 13, Brno University Hospital in the Czech Republic was hit by a ransomware attack and was forced to shut its whole network down. Then, on Thursday, March 18, prominent cybersecurity researcher Mikko Hyppönen of F-Secure published the following public message to ransomware gangs.
Some of the gangs responded right away. DoppelPaymer (ex-Evil Corp hackers) claimed that they always try to avoid hospitals and that if they hit one by mistake, they will decrypt for free. Maze ransomware operators said that they will stop all activity against medical organizations.
Planning and Preparation
It is debatable whether these gangs will really cease their attacks on healthcare providers. But now more than ever, it is of utmost importance for IT staff in hospitals to be prepared. Any disruption of IT may halt medical procedures or COVID-19 testing, and human lives may be in danger.
Regarding ransomware attacks, backups and network segregation are crucial. In case of infection, the segregation of your networks can prevent uncontrolled spread across the whole network, and offline backups are your safety net for restoring your data. With healthcare providers like hospitals, time is of the essence. They need their RPOs in minutes and their RTOs in a few hours.
To speed up restoration, it is helpful to have a full system image of the operating system, with all essential software and services pre-configured, on offline SSDs. To back up and restore the data itself, one effective method is to use object storage with WORM (write once, read many) protection, which prevents the stored data from being altered or deleted.
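The two points above (WORM backups that cannot be altered, and an RPO measured in minutes) can be made concrete with a small model. The following Python is an added example, not code from the original post or from LIFARS; it implements a hypothetical append-only store that refuses overwrites and retention-locked deletes, verifies each snapshot's SHA-256 on restore, and computes the achieved RPO from the newest intact copy. All snapshot contents and timestamps are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Snapshot:
    name: str
    taken_at: float   # epoch seconds when the snapshot was written
    sha256: str       # digest recorded at write time, rechecked on restore
    data: bytes


class WormBackupStore:
    """Toy model of object storage with WORM retention (hypothetical, not a real SDK).

    An object can be written once; it cannot be overwritten, and it cannot be
    deleted until its retention period has expired. That property keeps existing
    backups out of reach of ransomware that has obtained the backup credentials.
    """

    def __init__(self, retention_seconds: int) -> None:
        self.retention_seconds = retention_seconds
        self._objects: Dict[str, Snapshot] = {}

    def put(self, name: str, data: bytes, now: float) -> str:
        if name in self._objects:
            raise PermissionError(f"{name}: already exists, WORM forbids overwrite")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = Snapshot(name, now, digest, data)
        return digest

    def delete(self, name: str, now: float) -> None:
        snap = self._objects[name]
        if now < snap.taken_at + self.retention_seconds:
            raise PermissionError(f"{name}: retention lock active")
        del self._objects[name]

    def verify(self, name: str) -> bool:
        """Recompute the digest; a mismatch means this copy must not be restored."""
        snap = self._objects[name]
        return hashlib.sha256(snap.data).hexdigest() == snap.sha256

    def snapshots(self) -> List[Snapshot]:
        return list(self._objects.values())


def rpo_status(store: WormBackupStore, now: float,
               rpo_seconds: int) -> Tuple[Optional[float], bool]:
    """Age of the newest *intact* snapshot, and whether that age meets the RPO target."""
    intact = [s for s in store.snapshots() if store.verify(s.name)]
    if not intact:
        return None, False
    age = now - max(s.taken_at for s in intact)
    return age, age <= rpo_seconds


def run_scenario() -> dict:
    """Constructed scenario: snapshots every 15 min, a 20-min RPO, then tampering attempts."""
    store = WormBackupStore(retention_seconds=7 * 24 * 3600)
    t0 = 0.0
    for i in range(3):  # constructed sample payloads, not real records
        store.put(f"db-{i:02d}", f"patient-db snapshot {i}".encode(), now=t0 + i * 900)

    results = {}
    # 1. Overwrite attempt, as an encryptor would do to any file it can reach.
    try:
        store.put("db-00", b"ENCRYPTED", now=t0 + 1800)
        results["overwrite_blocked"] = False
    except PermissionError:
        results["overwrite_blocked"] = True
    # 2. Deletion attempt inside the retention window.
    try:
        store.delete("db-00", now=t0 + 1800)
        results["delete_blocked"] = False
    except PermissionError:
        results["delete_blocked"] = True
    # 3. RPO check 10 minutes after the last snapshot: 600 s old, inside the 1200 s target.
    results["rpo"] = rpo_status(store, now=t0 + 2400, rpo_seconds=1200)
    # 4. Corrupt the newest copy directly (bypassing WORM, as on a non-WORM medium);
    #    the restore-time check must reject it and fall back to an older intact copy.
    store._objects["db-02"].data = b"garbage"
    results["newest_intact"] = store.verify("db-02")
    results["rpo_after_corruption"] = rpo_status(store, now=t0 + 2400, rpo_seconds=1200)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The last step is the one to watch in a real drill: once the newest copy fails verification, the achieved RPO falls back to the previous snapshot (1500 s here), which misses the 20-minute target. A restore test should report that gap rather than silently restoring a corrupted image.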
Business continuity plans should be reviewed and tested now, because of the unprecedented situation and stress on healthcare providers. Relevant personnel should go through their recovery strategies and communication plans and make sure that all relevant contact information for the recovery team, incident response team, contractors and third parties is available and up to date. Stocktaking of resources such as employees, equipment, technology, utilities, records and backups should take place. Healthcare providers should also test their business continuity plans to ensure that they work and that, in case of an incident, operations can be restored within the required RPO and RTO timeframes.
Business Continuity Response
It is impossible to eliminate all cybersecurity risks by implementing preventive controls alone. Corrective controls, such as Business Continuity and Disaster Recovery Plans, are needed to mitigate the damage once a risk has materialized. To be effective, a quick and correctly addressed flow of information covering reporting, alerting and escalation is essential. All employees must be aware of which types of incidents to report, how to report them and whom to report them to. That could be IT support, CSIRT/CERT, the reception desk, the head of the department or another entity. If an emergency threshold is exceeded, the incident should be escalated to a decision-making body that decides how to respond to the emergency.
One of the first steps in business continuity is to take immediate measures to contain the incident. A decision must be made to either disable certain functions, disconnect from the network or even shut down the system if needed. The decision should be based on what the potential damage could be, what type of attack the organization is facing, whether there is a need to preserve evidence for legal proceedings, and what resources are available.
If an emergency is escalated to a crisis, the crisis team members must be notified, and they must meet at a specified location or by telepresence. The core tasks of the crisis team are to coordinate business continuity teams and make informed decisions, as a crisis is usually a unique event that cannot be managed by standard business continuity plans. The crisis team should assess the current situation and come up with several options for handling the crisis. The prospects of these options should be evaluated, as well as their expected effectiveness, their advantages and disadvantages and the effects that could result from them, with the strategic goals of business continuity in mind.
Resuming normal operations
Until all resources are available again and all points in the restoration plan have been implemented successfully, the organization cannot resume normal operations. The crisis team should specify the order in which business processes will be restored and the time of their restoration. After completing the business continuity response, the process should be analyzed to uncover things that can be improved.
In these stressful times, when labor is scarce and most of the workforce is working from home, business continuity plans should be adjusted to accommodate the current situation. In healthcare facilities, it is advisable to require a portion of the IT department to self-quarantine and work remotely, in order to limit possible exposure of critical employees. To prevent incidents from occurring, it is advisable to educate users on trending threats that exploit the coronavirus pandemic and use it as a pretext for phishing attacks or as a malware delivery vector. Users should also know what to do if they suspect that their device has been compromised.
In case your organization is facing a cyber-attack, contact LIFARS immediately. We will help you manage the situation and restore your operations in no time!