
Help Me With HIPAA Ep 305 “6 Ransomware Planning Tips”

May 21, 2021

By Anton Kiorolgo

HIPAA Say What!?!

[06:33] Today, we are following up on the Scripps Health Cyberattack that we discussed in our last podcast, Privacy Questions Everywhere – Ep 304:

We want to remind you that although we are experiencing a network outage, all our locations, including our hospitals, urgent cares, emergency departments, Scripps HealthExpress, Scripps Clinic and Scripps Coastal, are open and continuing to provide care. Patients or families with questions should contact 1-800-SCRIPPS. We apologize for any inconvenience and are working diligently to restore our systems as quickly and as safely as possible.

The good news is that it seems that Scripps Health has been able to restore patient care, performing surgeries and doing the things they need to do to care for patients. There are a lot of positive patient comments about being able to get care now on their Facebook feed. That is by far the most important news. However, they are still very upset that they haven’t heard any news from the company about the severity of the attack and what it means to the privacy and security of their medical records.

6 Ransomware Planning Tips

[11:14] So we had planned to do this episode a week ago. Our original title was “Ransomware: How Bad Is It Really?”. Little did we know a major attack on Colonial Pipeline was already happening (yes, here in Georgia… again). We have been paying attention to all the indicators and see that this is only getting worse, not better. Just one week later, we have headlines like these:

John Katko: Colonial Pipeline hack most significant attack on critical infrastructure ever – CNBC

And then there are these headlines from the Information Security Media Group which publishes several cybersecurity only publications:

Colonial Pipeline: ‘A Global Day of Reckoning’

Rise of DarkSide: Ransomware Victims Have Been Surging

Colonial Pipeline Attack: ‘All Monsters Are Human’

Teardown: Inside the Colonial Pipeline Ransomware Attack

A Few Things We Know Right Now

[22:09] According to the information that has come out so far about the ransomware attack, Colonial paid $5 million and got the decryption key to the data. But, as we have mentioned many times, that isn’t as easy a solution as you think. These gangs don’t worry about efficient methods of decrypting data. The programs encrypt data very fast but the decryption process is very slow.

DarkSide Wanted Money, Not Disruption from Colonial Pipeline Attack – April 1, 2021 blog post

DarkSide operates on a RaaS (ransomware-as-a-service) model, offering its malware up for lease. Cybereason said last month that the DarkSide team recently announced on Hack Forums that it had upgraded its offering, releasing DarkSide 2.0, with the fastest encryption speed on this underground market, DarkSide claimed. The service includes Windows and Linux versions.

A Closer Look at the DarkSide Ransomware Gang – Krebs on Security

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

Don’t let that healthcare part put you on your heels. This is what their statement actually said:

Based on our principles, we will not attack the following targets:

  • Medicine (only: hospitals, any palliative care organizations, nursing homes, companies that develop and participate (to a large extent) in the distribution of the COVID-19 vaccine.)

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction. The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.

Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

What we had planned to cover but won’t even be able to get to today:

The State of Ransomware 2021 by Sophos

Ransomware Reality Shock: 92% Who Pay Don’t Get Their Data Back

FiveHands Ransomware | CISA

Ransomware Response Plan Tips

[33:44] There is a reason we focus our attention on a ransomware playbook when we help our clients build their incident response plans. Many of them don’t understand what is really included in a plan, much less what they should do to prepare for a ransomware attack. Ransomware planning today will help you navigate an attack tomorrow.

First, if you think you are too small or IT has it covered and you shouldn’t worry, you are already fighting an uphill battle. Check out Gary’s article Small and Medium Businesses: DarkSide Has You in Their Sights.

One of the biggest issues we see in the technology space is that businesses rely on generalists, your IT company, to protect their business. Instead, they should be working with specialists: a cybersecurity company that provides advanced security solutions to protect your livelihood. Do you honestly believe your IT vendor has the knowledge and resources to protect you from a threat group that has the capacity to take down our national infrastructure? The answer is NO.

[35:09] Here are our 6 tips:

  1. Have a real plan, not just an assumption that you will know what to do.
    1. Remember the quote from the hospital president that was hit last year saying he had no idea it would be as bad as it was.
    2. Identify every risk possible, the likelihood, and the impact. Then plan accordingly.
  2. Understand what your insurance covers and how to quickly open a cyber attack claim.
    1. This is where you need to be sure your application for that coverage didn’t embellish your security program activity.
    2. “I’m sure my insurance will cover it” is not a response plan.
  3. Know who to call.
    1. IT provider or MSP
    2. Forensics
    3. Lawyers
    4. Law enforcement
    5. Public Relations company
    6. Leadership of company – the ones that know about the plan and know what to do
  4. Know how you will communicate with employees AND your customers, clients, and/or patients.
    1. Listen to our discussion last week, Privacy Questions Everywhere – Ep 304, about Scripps Health to understand more.
    2. Know how to maintain privacy in communications.
  5. Prepare to be completely down for at least 10 days.
    1. Average recovery time is still around 10 days, but going up.
    2. Having a plan can help you be on the low end of that number.
  6. How are you going to handle notifications to your entire client/patient base?
    1. Not social media
    2. Not a postcard
    3. People expect notifications almost immediately. Set expectations.