The growing threat of ransomware in healthcare

In the dynamic landscape of healthcare and life sciences, data security and the provision of care must be balanced. Recent attacks in healthcare settings highlight this conflict. The Synnovis ransomware attack in June 2024 revealed how even critical infrastructures remain vulnerable and how complex and intertwined supply chains are, even in public services. This creates cascading impacts when failures or attacks occur. As the pathology laboratory that provides blood testing services to many in London and the wider UK, Synnovis is a vital partner. The ransomware attack on the laboratory cut blood sampling tests in London hospitals from 10,000 per day to just 400 per day, and forced the affected hospitals to postpone a total of around 800 operations and around 700 outpatient appointments.

Another attack, on electronic prescriptions provider MediSecure, saw 12.9 million Australians (almost half of the Australian population) caught up in a hack. Victims may never be told their personal information has been compromised, with the Australian prime minister saying on Friday he wasn’t aware if he was one of the victims. It was revealed that 6.5TB of data had been compromised after a ransomware attack on a database server, which was discovered by the company in April. MediSecure went into administration after the hack, forcing healthcare providers to scramble to find an alternative and distracting them from delivering patient care.

Closer to home, the threat landscape has resulted in politicians in the UK wanting to ensure companies are more transparent. Initial ideas are being discussed on whether all victims of ransomware attacks should be required to report incidents to the government. Affected businesses should also have to obtain a licence before making extortion payments.
A complete ban on ransom payments for organisations involved in critical national infrastructure is also being proposed by some. The ban is intended to remove the incentive for hackers to disrupt these critical services by preventing them from monetising attacks. This would likely only reduce wiper attacks, as nation-state actors are focused on destabilisation and destruction rather than financial gain.

How healthcare organisations can respond

The risk that successful cyberattacks pose to the well-being and lives of citizens will continue to drive politicians to enact new rules and regulations with the aim of strengthening levels of resilience. So there is likely to be more to come. Healthcare institutions should start now on their journey to build resilience to destructive cyberattacks, both to ensure the continuity of care to their patients and to ease the future burden of regulatory compliance once legislation is enacted. The following steps are essential in this journey:

  • Understanding data precisely: Companies need to know exactly what data they have, what value it has in the delivery of health products and services, and what regulatory obligations surround that data. Only then can they report to the authorities which data was corrupted or exfiltrated in any attack. Companies must index and classify their data, including classification according to their relevant record strategy. This should include not just structured data sources like databases, but also all of the unstructured data scattered across an organisation.
  • Regulating access: Once the data has been correctly classified, organisations can automatically enforce rules and rights that regulate access to it.
  • Surviving attacks: For an organisation to continue to deliver its services to patients and its supply chain, it must be able to rapidly recover its critical services into a trusted state. A ransomware or wiper attack may mean nothing will work: door access control, email, voice-over-IP telephone systems, authentication servers controlling access to medical devices. The systems needed to investigate the incident and determine root cause may have been taken out, so the IT operations team may need to assist the security operations team in recovering the response capability before investigation can start. Isolating infected hosts and networks to contain the incident can cause issues with some security tooling, further complicating response and delaying recovery. Recovery without investigation and mitigation leaves in place the gaps in security controls, the vulnerabilities, the persistence mechanisms and even the phishing emails that kicked off the whole incident, languishing in recovered email inboxes. We need to speed up investigation and enable rapid response to minimise the impact on patient care.

Being prepared for an attack is critical in speeding response, and therefore the recovery of critical services. This means establishing a clean room capability beyond the reach of the adversary that can be stood up in minutes and that contains trusted tooling and other essentials for handling the incident, such as workflows and contact lists. The ability to investigate from the clean room even if systems have been isolated further speeds efforts.

Incident preparedness and response form the basis of most recent regulations, including NIS 2, DORA and GDPR.

Choosing an efficient backup and recovery solution for critical patient data

Healthcare institutions grapple with many challenges in managing and protecting electronic health records (EHR) and electronic medical records (EMR). These challenges stem from the sheer volume and complexity of healthcare data, encompassing patient records, imaging files, lab results, and administrative documents, which require meticulous management and safeguarding. Healthcare providers must navigate stringent regulatory requirements, necessitating robust data protection measures to ensure compliance and mitigate the risk of legal penalties.

Time is of the essence in patient care and treatment, so any downtime can have serious health implications. Therefore, healthcare institutions need a modern backup and recovery solution that offers high performance, allowing for rapid backup and recovery processes to minimise disruption to patient care and operational workflows. Rapid access to accurate patient information is essential for delivering timely and effective care, making the speed and efficiency of backup and recovery processes critical.

Protecting data integrity is also non-negotiable in healthcare. Immutability features that prevent unauthorised alteration or deletion of backup data ensure the integrity and reliability of system backups.

By considering the above factors and partnering with a trusted data management provider, healthcare and life sciences organisations can enhance their cyber resilience, improve response and recovery capabilities, and safeguard the continuity of patient care and medical research initiatives in light of the growing threat of ransomware.

James Blake, EMEA Field CISO at Cohesity