Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm
*Editor’s note: This is the second blog in a series on cybersecurity.
Cyberattacks are constantly evolving and while cybersecurity measures grow and change to combat them, becoming a victim is always a possibility—and for many, it is the unfortunate reality across all industries. But in healthcare the risk isn’t just monetary. Patient health and well-being can be threatened, too. In the first blog of this series, I discussed what your organization should do before an attack takes place. (To refresh: Implement preventative measures to reduce your risk of attack and have a response plan in place before an attack occurs.)
First: remain calm. Refer to your organization’s response plan for your next steps. Then, you need to ask yourself these four questions:
Understanding the root cause of the intrusion is critical in preventing it happening again. Common points of entry include phishing and exposed Remote Desktop Protocol (RDP). This is the key question to ask (and answer) so that your entire system doesn’t remain avoidably vulnerable.
A cyberattack crime scene is exactly that—a crime scene. And just like a physical crime scene, it needs to be preserved to avoid losing evidence. Limit the number of people entering your system to avoid crime scene contamination. Extend your log retention to preserve forensic images and server logs. Engage your outside forensic experts to determine what systems and data the attacker may have accessed. The more comprehensively you can determine the damage, the easier it might be to restore the system’s integrity.
Before you begin restoration efforts, take time to ensure the attackers have been evicted from your network. Change user passwords, disable all accounts used by the attacker, and review logs and alerts. Attackers routinely leave persistence mechanisms to access a compromised network at a later date—or worse—they might sell that access on the dark web. Don’t assume just because the attacker is no longer taking visible action that they aren’t still lurking in your system.
Word gets around the dark web—fast and far. If the attacker attempts to return and attack your system, or another threat actor believes your organization is vulnerable because you were already compromised one time, you want to be prepared. That’s why as the recovery process takes shape, you’ll want to revisit the tenets discussed in the first blog in this series.
Answering these questions will help indicate when it is safe to begin your recovery efforts. The only thing worse than facing a compromised attack on your system is to be hit again in the middle of recovery efforts. Continue relying on your response plan and lean on your stable of external experts that you have called in to assist you.
In the next post of this series, I’ll explore the intersection of cybersecurity and patient safety. As you read this series, I hope that the main takeaways are that this, like much of anything else in this industry, is process-based. Stay tuned for more critical advice on how to maintain a strong cyber defense in the face of growing threats.