David Hansen, CPA, CISSP, QSA, CISA
Director | Risk Advisory Services
According to recent reports by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), threat actors are actively attacking healthcare providers, launching campaigns designed to compromise networks and, among other objectives, gain access to internal systems, install ransomware and disrupt operations. Of late, many agencies have also observed a continued increase in the sophistication of ransomware attacks, which are typically designed to extort compensation (ransom) to regain access and control of data, or maintain the integrity and/or confidentiality of data on systems. A similar alert was issued in June by CISA based on active and increasing attacks against financial institutions, including banks, broker-dealers, investment advisers, and investment companies. Hospitals, it seems, are the next in line…
In light of these threats, healthcare institutions, and other companies with access to sensitive data, need to remain vigilant and continue to focus on implementing, evolving, maintaining and monitoring cybersecurity plans.
Recognizing that institutions should tailor their approach towards managing cybersecurity risks, and that not all of these recommended practices are appropriate for every organization, companies should consider the following to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks:
1.) Cybersecurity Incident Response and Recovery Processes and Plans: Evaluating, testing, and updating incident response policies and procedures, including contingency and recovery plans. These processes and procedures should include and consider:
- Systems designed with resiliency to ensure data is recoverable and to achieve recovery time objectives.
- Backup and recovery systems should be configured with geographic and logical separation, and should send data to an immutable storage platform.
- The ability to respond rapidly to various forms of compromise, including ransomware and other forms of denial of service, to limit and manage the impact.
- Communications protocols for timely notification of internal stakeholders if an event occurs, with clear processes and methods to escalate incidents to response teams, management, legal and compliance functions.
- Processes for communicating and reporting to federal and state agencies that track and oversee cyber incidents, and law enforcement, as
- Determining the systems that can be restored after a disruption, and prioritizing others that have been impacted to bring critical business services back online.
2.) Cybersecurity End-user Training and Awareness Programs: Organizations need to provide specific and ongoing cybersecurity training. These programs are critical for educating end-users and should be reviewed, enhanced and adapted for new and evolving threats. Continuously enhancing awareness will reinforce the skills required to identify elements that may signify a threat, and ensure employees understand how to report potential risks. Testing and educating end-users with simulated phishing exercises, for example, will help employees identify suspect emails, reinforce responsibilities and heighten awareness of cyber threats such as ransomware.
3.) Cybersecurity Vulnerability Identification, Scanning and Management: Proactive, routine vulnerability scanning and identification processes are important for identifying systems within the environment that are susceptible to possible compromise. Vulnerability remediation should be prioritized based not just on severity, but on the system's criticality and its accessibility to untrusted networks. Patch management programs should include monitoring vendor release notifications and prompt remediation of critical security risks for all technology in the environment. Specifically:
- Operating systems and application software, including in-house developed, customized, acquired and other third-party software, should all be reviewed for available patches at least monthly, with critical security patches applied as soon as safely possible after identification.
- Network firewalls, switches, routers and other systems are just as critical to patch, including firmware, when made available.
- Web application systems should be tested periodically for coding vulnerabilities. Web application firewalls should be considered to protect any web-based, externally facing systems that store, process, or transmit sensitive data.
- Anti-virus, intrusion detection, and other network and host-based security tools should be configured to apply current updates when released by vendors. Scans should be scheduled to run regularly.
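The prioritization rule above (severity is not the only factor; business criticality and exposure to untrusted networks matter too) as an added example, not code from the original article. The tiers, remediation windows, hostnames, dates and placeholder CVE identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    host: str
    cve: str              # placeholder identifier, not a real advisory
    cvss: float           # scanner/vendor severity score, 0-10
    criticality: int      # business criticality tier: 3 = critical, 1 = low
    internet_exposed: bool
    released: date        # date the vendor published the fix

def priority(f: Finding) -> int:
    """Rank 1 (most urgent) to 4. A severe finding on an exposed host comes
    first; a severe finding on a critical internal host comes next."""
    severe = f.cvss >= 7.0
    if severe and f.internet_exposed:
        return 1
    if severe and f.criticality == 3:
        return 2
    if severe or f.internet_exposed:
        return 3
    return 4

# Assumed remediation windows, in days, for each priority tier.
SLA_DAYS = {1: 7, 2: 14, 3: 30, 4: 90}

def overdue(f: Finding, today: date) -> bool:
    """True when the fix has been available longer than the tier's window."""
    return (today - f.released).days > SLA_DAYS[priority(f)]

def triage(findings, today):
    """Order findings most urgent first; report priority and overdue flag."""
    ranked = sorted(findings, key=lambda f: (priority(f), -f.cvss))
    return [(f.host, f.cve, priority(f), overdue(f, today)) for f in ranked]

# Constructed sample scanner output (illustrative values only).
SAMPLE = [
    Finding("hr-db-01", "CVE-0000-0001", 9.8, 3, False, date(2020, 9, 1)),
    Finding("web-portal", "CVE-0000-0002", 7.5, 2, True, date(2020, 9, 20)),
    Finding("print-srv", "CVE-0000-0003", 9.0, 1, False, date(2020, 9, 25)),
    Finding("kiosk-07", "CVE-0000-0004", 4.3, 1, False, date(2020, 6, 1)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2020, 10, 1)):
        print(row)
```

Note that the internet-facing portal with a lower score outranks the internal print server with a higher one, which is the point of weighting exposure and criticality alongside severity.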
4.) Access Control and Management:
- Limit access to only those roles / capabilities required to perform required functions.
- Obtain approval from system and data owners before access is granted, and adjust or remove access when personnel transfer.
- Restrict access to administrative roles and limit the use of those roles. Generic and shared accounts should be expressly prohibited. The actions of administrators should be logged and monitored routinely.
- Review and re-confirm users' access to systems on a periodic basis, with additional attention and frequency for any accounts with administrative privileges.
- Implement parameters requiring the use of strong passwords with multi-factor authentication for access to network and sensitive system resources.
- Remove all access to systems immediately for individuals no longer employed.
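A periodic access review that checks the items above (accounts without an individual owner, accounts belonging to people no longer employed, and overdue reviews with a tighter cadence for administrators), as an added example and not code from the original article. The roster, account export, usernames, dates and review cadence are constructed assumptions; a real review would read these from the HR system and directory exports.

```python
from datetime import date

# Constructed sample HR roster: employee id -> (status, department).
HR_ROSTER = {
    "e100": ("active", "Clinical"),
    "e101": ("terminated", "Finance"),
    "e102": ("active", "IT"),
}

# Constructed sample directory export, one row per account.
ACCOUNTS = [
    {"user": "jdoe", "owner": "e100", "admin": False, "last_review": date(2020, 7, 1)},
    {"user": "mlee", "owner": "e101", "admin": True, "last_review": date(2020, 7, 1)},
    {"user": "sysadm", "owner": "e102", "admin": True, "last_review": date(2020, 2, 1)},
    {"user": "shared_lab", "owner": None, "admin": False, "last_review": date(2020, 7, 1)},
]

# Assumed review cadence in days: administrative accounts quarterly, others yearly.
REVIEW_DAYS = {True: 90, False: 365}

def review_findings(accounts, roster, today):
    """Return (username, reason) pairs for every account needing action."""
    findings = []
    for a in accounts:
        owner = a["owner"]
        if owner is None:
            # No individual owner means a generic or shared account.
            findings.append((a["user"], "no individual owner (generic/shared account)"))
            continue
        status = roster.get(owner, ("unknown", None))[0]
        if status != "active":
            # Owner has left (or is unknown to HR): access must be removed.
            findings.append((a["user"], f"owner {owner} is {status}: remove access"))
        if (today - a["last_review"]).days > REVIEW_DAYS[a["admin"]]:
            findings.append((a["user"], "access review overdue"))
    return findings

if __name__ == "__main__":
    for user, reason in review_findings(ACCOUNTS, HR_ROSTER, date(2020, 10, 1)):
        print(f"{user}: {reason}")
```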
5.) Perimeter Security: Perimeter security systems are critical for controlling boundaries between trusted and untrusted networks, segmenting critical systems and data from other organizational resources, and logging and monitoring incoming and outgoing network traffic to prevent unauthorized activity and identify compromises. Capabilities include firewall systems, intrusion prevention and detection systems, security event identification and management capabilities, proxy systems with content filtering, and data loss prevention. Special attention should be applied to ensure the use of encryption when required and to prevent the use of insecure connections and protocols. Remote network connections should always be protected using Virtual Private Network systems, and unused and insecure ports should be closed.
We have focused on cybersecurity issues for many years, with particular attention to companies in the healthcare sector, as well as organizations that generally hold sensitive data, advising on customer data protections, identifying cybersecurity risks and threats, and compliance with legal and regulatory obligations. If you need assistance, guidance, or just a little advice on your organization’s cyber attack prevention plan, please don’t hesitate to reach out to our cybersecurity consulting team!