June 28, 2021
Ransomware on the Rise: They’re Back.
While 2020 was a slow year for ransomware and other cyber-attacks, 2021 began with an onslaught. As of June 18th, CloudWave has assisted 9 hospitals in 2021 in their recovery efforts from cyber-attacks. Each hospital has been unique in the impact, the response, and time to restore. However, there are some common threads that we can all learn from.
First – What to do if you suspect or are under attack:
- Shutdown your firewalls
- Shutdown all compute and storage, including end point device. Some of the longest restoration times we have observed are hospitals where clinical and business PCs were impacted and required full re-deployment. Quickest way to isolate? Shutdown the core and IDFs.
- If you replicate to a secondary data center, shutdown all replication
- Call your partners so they can isolate themselves and protect any of your data they may have and begin to assist in remediation. You can reach the CloudWave Service Desk at (855) 286-7787.
- If email is impacted provide personal emails or setup temporary emails on google, Hotmail, etc.
- If hospital phones are impacted be prepared to provide alternative phone numbers such as mobile numbers to your partners
- Have a plan for alternative internet access such a cellular hotspot
- Lack of communication during the first 24 hours of the event can severely impact your ability to recover quickly
- Contact your insurance company and engage a Cyber Incident Response Team
Over the last 4 years CloudWave has assisted over 20 hospitals in their restoration efforts and subsequent hardening of their environment. Through CloudWave’s experience we have seen the following common security lapses that led to the security event:
- Unpatched system
- End-of-Life systems with known vulnerabilities exposed to the internet. End-of-Life systems also severely impact the ability to recover with some hospitals having to do reimplementations to new systems.
- Faulty DMZ implementations or no DMZ
- Poorly implemented or maintained firewalls: Any-to-Any rules, known vulnerabilities not disabled
- Flat networks
- Backdoor access, this is especially dangerous for hospitals that acquire other hospitals and integrate them into their network without fully understanding the acquired environment
- Untested disaster recovery including testing of restorations from backup
- Data and compute protection that did not cover the full environment
- Improper end point protection. One hospital’s end point protection was left in test mode, so it only warned them of the event, it did not stop it.
- Review of privileged accounts, rotation of passwords, enforcing least privilege
- Disabling access and changing privileged accounts after an IT employee termination
- No 3rd party penetration testing to identify and remediate vulnerabilities. Remediation is critical. One hospital had been conducting penetration testing for three years but had no coordinate plan for remediation – the bad guys came in the door that had already been identified.
While no environment can be protected 100 percent, your job is to ensure your walls are too high to be worth climbing over. And in the event someone does get over you can quickly respond and restore the hospital.
CloudWave has a full portfolio of security offerings to help hospitals protect themselves: Disaster Recovery, OpSus|Recover; managed air-gapped backup, OpSus|Backup; monitoring, compliance, and testing, OpSus|Defend and secure air-gapped storage archive, OpSus|Archive. We are a seasoned team of healthcare consultants who can help review your security profile, provide upgrade and hardening services, plan and perform Disaster Recovery testing. And in the unfortunate event you are attacked, help to bring you back online.
John McDougall is the Director of Professional Services and Consulting at CloudWave. John can be reached at jmcdougall@gocloudwave.com.