In SecurityInfoWatch.com Q&A, Meghan O’Connor Outlines Ransomware Challenges for Health Care Providers
Meghan O’Connor, a partner in the Quarles & Brady Health & Life Sciences Practice Group and co-chair of the Data Asset Management, Privacy & Cybersecurity team, addressed the significant risks of ransomware attacks faced by health care providers in a Q&A with SecurityInfoWatch.com.
O’Connor discussed the reasons health care organizations have become more frequent targets of ransomware attacks, what they can do to ensure quicker recovery, regulatory obligations when dealing with an attack, and the potential impact of a proposed federal plan for an incident-response framework.
An excerpt:
In your experience advising organizations on incident response, what separates healthcare providers that recover from ransomware attacks in a matter of days from those that face weeks of disruption?
The single biggest differentiator is preparation. Organizations that recover quickly are the ones that have invested in realistic, tested incident response plans before an attack occurs. That means not just having a written plan on a shelf, but conducting regular tabletop exercises that involve clinical leadership, IT, legal, communications, and executive management together in the same room working through realistic scenarios. Tabletop exercises should not focus only on the IT response.
Organizations need to test their communications and leadership teams, who do not tend to appreciate the stress and complexity of incident response. Organizations should also work with their trusted law firms to engage important IR partners under privilege in advance of an incident to limit delays with insurance carriers or panel counsel in the first few critical hours of an incident.
Organizations that recover well also tend to have made smart infrastructure investments — particularly in network segmentation and backup architecture. If backups are properly isolated from production environments and regularly tested for integrity, you have a viable path to restoration that does not depend on paying a ransom. Segmentation, meanwhile, can be the difference between an incident that affects one department and one that takes down the entire enterprise.
On the other end of the spectrum, organizations that face prolonged disruptions often share certain characteristics: they lack clarity about roles and decision-making authority during a crisis, they have not established relationships with outside counsel, forensic investigators, and crisis communications firms in advance, and they have not rehearsed downtime procedures with clinical staff. When a ransomware attack hits, there is no time to figure out whom to call or how to operate without your EHR. Those decisions need to have been made and practiced well before the crisis begins.