By Matthew C. Bertke, CPA, MBA, Product Development Manager, Coverys
2020 was a year that saw many changes that particularly affected the healthcare community. But while U.S. healthcare workers remained on the front lines heroically battling the COVID-19 pandemic, another hidden menace has been steadily increasing in prevalence underneath the radar: Ransomware.
As more workers become remote and health organizations continue to make the shift to be more connected technologically due to the COVID-19 pandemic, the risk of ransomware attacks, as well as other forms of cyberattacks, has grown.
In fact, when examining the ransomware claims experience of Coverys insureds, Coverys’ ransomware claims increased over 66% compared to the average of the past four underwriting years.
Not only do businesses risk having data locked or having to pay a ransom, they can also suffer a data breach as a result of a ransomware attack, a risk that has grown significantly in recent years.
But how can you fight an unseen, growing monster? Like the vaccine developed for COVID-19, the answer lies in developing a plan and taking action to prevent an attack before it has the chance to spread – and in having a safety net ready in the event of infection.
To protect a healthcare organization’s employees, patients, and data, a multifaceted defense system is required.
The typical initial infection is carried through a phishing email containing a link or attachment. Other infection paths include users inadvertently installing malware from the internet or from USB drives, and attackers exploiting remote access with stolen or hacked credentials.
To defend against the initial phishing infection, there are a few steps an organization can take:
- Provide security awareness training that teaches employees not to click links or open attachments from suspicious senders, and to inspect emails carefully for signs of phishing before acting on them.
- Provide for phishing and spam filtering at the mail gateway.
- Don't install/run programs unless they're from a reputable source.
- Restrict the ability of end-users to install software themselves or only allow installation from whitelisted sources.
- Only allow the use of trusted USB drives and don't allow execution from USB drives.
- Implement endpoint detection and response products to stop malicious code from executing.
- Require strong, unique passwords and multifactor authentication.
Once a system is infected, the initial malware will often reach out to a command and control (C2) server to download additional malware or to open a backdoor that gives the attacker access to the system. To defend your systems against this stage of the intrusion, consider two important modes of protection:
- Domain Name System filtering.
- Next-generation firewalls used to block unauthorized egress traffic.
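As an added illustration of the two controls above (this is example code written for this page, not a Coverys tool or product), the following script shows the logic behind DNS filtering and default-deny egress: a DNS query is refused if the name or any parent domain is on a blocklist, and an outbound connection is allowed only if its destination and port appear on an explicit allowlist. The blocklist entries, the allowlist networks and the sample queries and connections are all constructed placeholders (RFC 2606 `.invalid` names and documentation IP ranges), not real indicators.

```python
"""Egress control demo: DNS blocklist filtering plus a default-deny outbound
policy, evaluated over constructed sample records (added example code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed blocklist of placeholder C2 domains (not real indicators).
DNS_BLOCKLIST = {"c2-example.invalid", "malware-staging.invalid"}

# Constructed egress allowlist: (destination network, port) pairs that business
# functions legitimately need. Anything not listed is denied (default-deny).
EGRESS_ALLOW = [
    (ip_network("203.0.113.0/24"), 443),   # hypothetical SaaS partner range
    (ip_network("198.51.100.10/32"), 25),  # hypothetical outbound mail relay
]


def dns_allowed(qname: str, blocklist=DNS_BLOCKLIST) -> bool:
    """Return False if the queried name or any parent domain is blocklisted,
    so that sub-domains of a blocked domain (beacon.c2-example.invalid) are
    also refused."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return False
    return True


@dataclass
class Conn:
    """One outbound connection attempt as a firewall would see it."""
    src: str
    dst: str
    port: int


def egress_allowed(conn: Conn, allow=EGRESS_ALLOW) -> bool:
    """Allow only destinations/ports on the allowlist; everything else is denied."""
    dst = ip_address(conn.dst)
    return any(dst in net and conn.port == port for net, port in allow)


# Constructed sample traffic: one C2 lookup and one raw reverse-shell-style
# connection on an unapproved port, mixed with legitimate activity.
SAMPLE_DNS = [
    "intranet.hospital.invalid.",
    "beacon.c2-example.invalid.",
    "updates.vendor.invalid.",
]
SAMPLE_CONNS = [
    Conn("10.0.5.21", "203.0.113.44", 443),   # allowed: partner, HTTPS
    Conn("10.0.5.21", "192.0.2.99", 4444),    # denied: unknown host and port
    Conn("10.0.5.21", "198.51.100.10", 25),   # allowed: mail relay
    Conn("10.0.5.21", "203.0.113.44", 8080),  # denied: approved host, wrong port
]


def evaluate(dns_queries, conns):
    """Return (blocked DNS names, denied connections) for alerting/reporting."""
    blocked = [q for q in dns_queries if not dns_allowed(q)]
    denied = [c for c in conns if not egress_allowed(c)]
    return blocked, denied


if __name__ == "__main__":
    blocked, denied = evaluate(SAMPLE_DNS, SAMPLE_CONNS)
    for name in blocked:
        print(f"DNS BLOCKED  {name}")
    for c in denied:
        print(f"EGRESS DENIED {c.src} -> {c.dst}:{c.port}")
```

The point of the allowlist shape is that a C2 channel on an unexpected destination or port is denied without anyone having to know the attacker's infrastructure in advance; the blocklist only adds coverage for names that are already known to be bad. Both the blocked names and the denied connections should be logged and alerted on, since they are often the first visible sign of an infection that got past the phishing defenses.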
Once malware is past the initial defenses, it will use application vulnerabilities to execute code. The code will run under the context of the logged-in user, or the attacker will try to elevate privileges. Therefore, consider the following defense strategies:
- Reduce access privileges so users have the minimum access that they need in order to do their job.
- Regularly patch operating systems and applications, including web browsers.
- Harden endpoint systems and use endpoint detection and response products to stop malicious code from executing and to block privilege escalation.
In the event that malware is able to execute and encrypt data, organizations must identify what data was affected, whether it was exfiltrated from the network, and whether it can be recovered. The following tactics can be used as a data defense:
- Audit logs.
- Regular backups and testing of those backups.
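A backup that has never been restored is an assumption, not a defense. The script below, an added example that is not from the original article or from Coverys, shows one way to make backup testing concrete: record a SHA-256 manifest of every file when the backup is taken, restore the backup to a fresh location, and compare the restored tree to the manifest so that missing, modified or unexpected files are reported. The sample "patient records" it backs up are constructed placeholder text files created in a temporary directory, and the final step simulates ransomware-style damage (one file overwritten, one deleted, one note dropped) purely to show what a failed verification looks like.

```python
"""Backup integrity demo: build a SHA-256 manifest at backup time, restore to a
clean directory, and verify the restore against the manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest recorded at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def restore_is_good(report: dict) -> bool:
    """A restore passes only when nothing is missing, modified or unexpected."""
    return not (report["missing"] or report["modified"] or report["extra"])


def demo() -> dict:
    """Back up constructed sample files, restore them, verify, then simulate damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "p001.txt").write_text("constructed sample record 1\n")
        (src / "patients" / "p002.txt").write_text("constructed sample record 2\n")
        (src / "schedule.csv").write_text("date,room\n2020-01-01,A\n")

        # 1. Take the backup and store its manifest alongside it (as JSON).
        manifest = build_manifest(src)
        manifest_path = Path(tmp) / "backup-manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # 2. Restore to a fresh directory and verify: this is the "test".
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(restored, json.loads(manifest_path.read_text()))

        # 3. Simulate ransomware-style damage to the restored copy so the
        #    report shows each failure class (constructed, for illustration).
        (restored / "patients" / "p001.txt").write_bytes(b"\x00encrypted\x00")
        (restored / "schedule.csv").unlink()
        (restored / "README.ransom").write_text("constructed note")
        damaged = verify_restore(restored, manifest)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    result = demo()
    print("clean restore passes:  ", restore_is_good(result["clean"]))
    print("damaged restore passes:", restore_is_good(result["damaged"]))
    print(json.dumps(result["damaged"], indent=2))
```

In practice the manifest should be stored separately from the backup media (and ideally signed), so that a backup that was itself encrypted or altered by the attacker fails verification instead of being trusted. Running this kind of restore-and-verify on a schedule turns "we have backups" into evidence that the data can actually be recovered.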
These defense strategies can be used to fortify an organization, but even the safest of healthcare organizations are at risk of a stealthy attack during day-to-day activities.
Data is inevitably exposed at times in order to meet everyday business needs: sharing it with business partners, patients, employees and others. These routine exchanges create the weak points that hackers are eager to exploit.
While prevention is the smartest strategy, it is not 100% effective.
When isolating data from the most recent fully developed underwriting year (2018), Coverys’ Cyber Liability and Protection Plus incurred losses increased over 110% relative to the previous four-year average – a number which demonstrates the need for a solid contingency strategy in the event of a cyberattack.
Just as healthcare organizations have a written plan for responding to potential natural disasters, they should also have a written plan for responding to potential data breaches. It is equally important to be properly insured, because in the age of technology and remote work the question isn’t if, but when, an attack will occur.
In the event of a breach, both your organization and your board could face lawsuits. There may be some overlap between D&O, general liability, and cyber policies, but one should not assume that one policy type will provide all the coverage needed if an attack occurs. Check D&O and general liability policies to see whether they cover cyber events, as well as cyber policies to see whether they cover board members within the Definition of Insured. Consult with your organization’s insurance broker to assess whether your insurance coverages meet your organization’s needs.