Part 2 - Policy


Introduction

The ransomware cybersecurity policy is designed to emphasize the areas at particular risk of
ransomware and to extend the cybersecurity policies that already exist.

Hospitals and the wider healthcare sector are targeted by ransomware mainly because the cost of an
attack, measured in dollars, is high. The second reason is patient care: any interruption of service
makes a hospital a high-risk target of ransomware attacks. A wide span of systems is involved, from
patient records and billing to the equipment used for critical patient care, and the large number of
roles involved in hospital operations provides a large attack surface.

Objectives

The purpose of the ransomware cybersecurity policy is to facilitate rapid recovery and to decrease the
risk of a catastrophic ransomware attack on hospitals.

The policy applies to personnel who are part of cybersecurity, who handle email, or who belong to any
part of the organization. Protection against ransomware attacks needs awareness as well as action from
a large group of people. Implementing this ransomware policy will help to prevent and limit attacks
and to recover from them without paying any ransom.

What are we protecting?

Currently, ransomware is delivered as malware transmitted through email. It is executed on the end
user's system and encrypts user and system data with a private key, so the data is no longer
accessible to the user. The data is decrypted only if the user pays the ransom. (1)

When the ransom is not paid and no information has been stolen, the ransomware attack amounts to a
loss of data. This document therefore focuses on preventing loss of data; the existing cybersecurity
policies deal with preventing theft of data.

The hospital's shared data is what is at risk. Records, billing, the range of systems involved in
patient care, and normal IT functions are all at critical risk from ransomware.

HIPAA-protected health information must be protected from both loss and disclosure. This includes any
individual's record that was created and used in treatment, together with the variety of identifiers
and other information recorded throughout routine treatment and billing. (2)

Furthermore, operational systems involved in patient care should also be protected, for instance
patient monitoring devices and the systems that manage patients' immediate care.

General approach

A ransomware attack depends on several weaknesses being present before it succeeds. The end user
must see the email, and the user must open it. The end user's system must have an unpatched or unknown
vulnerability that allows the ransomware code to execute. The compromised system must have access to
critical data that can be encrypted. And the organization must lack the ability to detect the attack,
to isolate it, and to recover from it quickly.

The approach is to reduce the ability of ransomware to infect hospital systems and networks, to
provide a specific strategy for recovering from any infection, and to limit the range of the impact
when an attack does occur. Much of this approach overlaps with the hospital's existing policies.

The three main elements of the policy are:

- Prevention
- Limiting impact
- Recovery

By aligning these elements, this policy helps reduce ransomware attacks.

User classification

This document will be used, directly or indirectly, by a large group of security and hospital staff.
Its users fall into a sharp division between end users and cybersecurity staff.

User Category                     Roles and Responsibilities

End User of Email                 Understanding of ransomware risks, detection of ransomware attacks,
                                  email handling, and heightened awareness of unusual activity.
Cybersecurity and IT Planning     Develop plans to implement the policies and procedures outlined in
                                  this document.
Cybersecurity and IT Operations   Implement and monitor the ransomware prevention, impact mitigation,
                                  and recovery policies defined in this document.
Hospital Administration           Support ransomware efforts through funding and focus. Manage
                                  external communications during ransomware incidents.

Systems at risk

Ransomware attacks are unusual in that the attacker's aim is not to steal valuable information; the
objective is to encrypt the information that is available.

System                 Risk                                         Mitigation

Email Systems          Carriage of ransomware                       Email filtering
End User Systems       Ransomware launching                         End-system security software
HIPAA Data Storage     Encryption by ransomware                     Partition of data to limit scope and
                                                                    smart firewalls to restrict access
                                                                    to data
Patient Care Systems   Denial of service because operational code   Firewalls, partitioning, hot
                       and data are encrypted                       restores of operational data

Prevention:

Prevention consists of human and technical components. Today a ransomware attack does not succeed if
the emails that carry it are systematically filtered out or are recognized and blocked by email users.
The first step is therefore to prevent email containing ransomware from reaching email users; the
second step is to train users not to open suspicious emails; and the third step is to harden the
system to reduce the ransomware's ability to compromise it.

Evaluation:

- We perform ransomware risk assessments.
  - The assessment must be repeated whenever major systems change.
  - We do not practice "protection from ambiguity".
  - Ransomware risk assessment results should be shared internally.
- We will check that our end-to-end email solution is secure.
  - Email penetration testing is performed periodically to test email filtering, firewalls, and the
    email screening procedures followed by users.
  - If the threat assessment rates a finding as "very likely" or "serious impact", any
    vulnerabilities found should be addressed promptly.

System Level Prevention:

- We will install endpoint security software.
  - All email should be scanned for known threats at the end-user workstation.
  - The endpoint security software should perform behavioural and reputation analysis in addition
    to matching virus signatures.
- We need to screen email at the network level.
  - The system should scan all attachments for threats and all emails for links to known or
    suspected risky websites.
  - Any suspicious activity found should raise an alert.
- We automate patch management.
  - Systems must be patched within 30 days of a patch's release date.
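The network-level screening described in this section (scanning attachments for threats and emails for links to risky sites, and the macro-enabled Word attachment rule from the end-user section) can be illustrated with a small mail screener. This is an added example, not part of the policy or any product the hospital uses; the blocked-domain list, the risky-extension list and the sample message are all constructed here, and a real deployment would take the domain list from a threat-intelligence feed.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Constructed blocklist of domains (assumption: a production screener would be
# fed from a threat-intelligence feed, which the policy does not specify).
BLOCKED_DOMAINS = {"bad.example", "malware.invalid"}

# Attachment extensions that can carry executable content or Office macros.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".pptm"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def host_is_blocked(host: str) -> bool:
    """True if the host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def contains_vba_project(payload: bytes) -> bool:
    """OOXML documents are zip archives; a vbaProject.bin entry means macros are present."""
    if not payload.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_message(raw: bytes) -> List[str]:
    """Return findings for one raw RFC 822 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            payload = part.get_payload(decode=True) or b""
            if contains_vba_project(payload):
                findings.append(f"macro-enabled document: {filename}")
        elif part.get_content_maintype() == "text":
            # Check every link in the body text against the blocklist.
            for host in URL_RE.findall(part.get_content()):
                if host_is_blocked(host):
                    findings.append(f"link to blocked domain: {host}")
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message: a blocked link plus a macro-enabled .docm attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "clerk@hospital.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please review the invoice at http://portal.bad.example/inv and reply.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # minimal OOXML-like archive with a macro container
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed macro container")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return bytes(msg)


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print("FLAG:", finding)
```

The macro check looks inside the archive rather than trusting the extension, because a `.docx` can also contain `vbaProject.bin`; the extension list catches files that announce executable content, and the two checks together cover the "Word says macros must be enabled" case the end-user rules describe.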

End user prevention:

- We enforce end-user rules on email management and Internet usage.
  - All email users should be trained in ransomware detection and handling.
  - User accounts on hospital systems are used for hospital business only and not for personal use.
  - Users are not allowed to access non-work-related websites on hospital systems.
  - Users should only use email on systems where they are logged in.
  - If a user opens a Word attachment to an email and Word says that macros must be enabled, the
    user must close the document and send the email to "checkEmail @ <someInternalEMailAddr>" for
    further analysis. If the email is verified to be safe, it will be returned to the user.
  - If a user receives an email and is not sure whether it is valid, they forward it to
    "checkEmail @ <someInternalEMailAddr>" for further analysis. If the email is verified to be
    safe, it will be returned to the user.
  - Employees or vendors who do not follow the reporting procedure for suspicious emails may be
    subject to disciplinary action, including termination.

- We need to invest in security awareness training for end users.

  The first line of defence in preventing attacks is end-user awareness of ransomware and its
  risks, which helps reduce the rate of ransomware incidents.

  - Raise user awareness:
    - Send periodic reminder emails about security threats.
    - Share stories and news articles from hospitals or clinics that have experienced
      cyber-attacks.
    - Keep cyber security posters and table tents with brief, catchy reminders.
    - Provide periodic cyber security reminders and topics of discussion at board and
      management meetings.

Limit Impact

The impact of a malware attack can be reduced by proper planning and mitigation. The aim is to stop
the malware, minimize the footprint of data the malware can reach, and start the recovery process.
This requires proper planning, funding, and constant practice.

Moreover, the process must include technical and procedural measures to identify a malware attack and
to back up all data. The malware detection process is in addition to the existing cybersecurity
processes for malware detection.

From a network and systems engineering viewpoint, firewalls and other network security devices can be
used to restrict which systems and applications can write to an appropriately partitioned data store,
reducing the ability of malware to read and encrypt data.

Planning:

- Develop a disaster recovery plan (DRP):
  - The DRP must have the capacity to discover and isolate malware-infected systems.
  - The DRP must have the capacity to recover from malware attacks, including cleaning infected
    systems and restoring encrypted data.
  - The DRP must address patient-care implications, ensuring that patients are not affected during
    a malware event.
  - The DRP must address collaboration with the business and business-continuity partners to
    identify and implement alternate (isolated) systems and data that can be used as fallbacks to
    support critical activities during an attack.

- Develop and execute a malware incident handling process:
  - This process will give overall direction and guidance during problematic incidents.
  - Coordinate between the various response partners and executive management, including partner
    clinics, suppliers, technology vendors, and so on.
  - Ensure that the organization delivers timely communications to internal and external partners.
  - Proactively work with hospital departments to create and test procedures, ensuring that patient
    care and time-sensitive activities can continue during a malware attack.

Malware Mitigation through Data Storage Management and Network Partitioning:

- We will partition the network and data storage resources so that each system's access is isolated
  to only the resources it requires to function.
- We will reduce the capacity of data storage systems to execute additional software.

Malware Mitigation through Data Backups:

- Back up all data at multiple times and in multiple locations.
- Partner with Information Security to proactively implement backup and recovery capabilities that
  explicitly address the malware threat.
  - One copy of each backup must be offsite.
  - All backed-up data must be backed up more than two times.
  - Regular testing of backups and restores will occur.
  - The backup must have the capacity to restore the data from a given point in time before the
    malware attack occurred.
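The four backup rules above can be checked mechanically against a backup catalog, which is what the "regular testing" item implies. The following is an added example, not code from the policy or from any backup product; the catalog, the attack time and the 90-day restore-test interval are constructed assumptions (the policy only says "regular"). The restore-point rule deliberately ignores copies taken after the attack began, since those may already contain encrypted data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_COPIES = 3                               # policy: "backed up more than two times"
RESTORE_TEST_INTERVAL = timedelta(days=90)   # assumed interval; the policy only says "regular"


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    taken_at: datetime
    location: str                          # "onsite" or "offsite"
    last_restore_test: Optional[datetime]  # when a restore from this copy was last verified


def choose_restore_point(copies: List[BackupCopy], attack_time: datetime) -> Optional[BackupCopy]:
    """Newest copy taken strictly before the attack; later copies may already hold encrypted data."""
    clean = [c for c in copies if c.taken_at < attack_time]
    return max(clean, key=lambda c: c.taken_at, default=None)


def evaluate_dataset(copies: List[BackupCopy], attack_time: datetime,
                     now: datetime) -> Tuple[List[str], Optional[BackupCopy]]:
    """Apply the policy's backup rules to one dataset; returns (violations, usable restore point)."""
    violations: List[str] = []
    if len(copies) < MIN_COPIES:
        violations.append(f"only {len(copies)} copies (need at least {MIN_COPIES})")
    if not any(c.location == "offsite" for c in copies):
        violations.append("no offsite copy")
    restore_point = choose_restore_point(copies, attack_time)
    if restore_point is None:
        violations.append("no copy predates the attack")
    tests = [c.last_restore_test for c in copies if c.last_restore_test is not None]
    if not tests or now - max(tests) > RESTORE_TEST_INTERVAL:
        violations.append("restore not tested within the required interval")
    return violations, restore_point


def evaluate_catalog(catalog: List[BackupCopy], attack_time: datetime,
                     now: datetime) -> Dict[str, Tuple[List[str], Optional[BackupCopy]]]:
    """Group the catalog by dataset and evaluate each one."""
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for copy in catalog:
        by_dataset.setdefault(copy.dataset, []).append(copy)
    return {name: evaluate_dataset(copies, attack_time, now)
            for name, copies in by_dataset.items()}


# Constructed catalog and timeline: the attack is noticed on 2024-03-10 at 02:00 (fictional).
ATTACK_TIME = datetime(2024, 3, 10, 2, 0)
NOW = datetime(2024, 3, 10, 9, 0)
SAMPLE_CATALOG = [
    BackupCopy("ehr", datetime(2024, 3, 8, 23, 0), "onsite", datetime(2024, 2, 20)),
    BackupCopy("ehr", datetime(2024, 3, 9, 23, 0), "onsite", None),
    BackupCopy("ehr", datetime(2024, 3, 9, 23, 30), "offsite", None),
    BackupCopy("ehr", datetime(2024, 3, 10, 5, 0), "onsite", None),    # after the attack: may be encrypted
    BackupCopy("billing", datetime(2024, 3, 9, 22, 0), "onsite", datetime(2023, 11, 1)),
    BackupCopy("billing", datetime(2024, 3, 9, 22, 5), "onsite", None),
]


if __name__ == "__main__":
    for name, (violations, point) in evaluate_catalog(SAMPLE_CATALOG, ATTACK_TIME, NOW).items():
        where = f"{point.location} copy from {point.taken_at}" if point else "none"
        print(f"{name}: restore point = {where}; violations = {violations or 'none'}")
```

In the constructed catalog the EHR dataset passes every rule and restores from the offsite copy taken half an hour before the last onsite one, while the billing dataset fails the copy count, the offsite rule and the restore-test interval, which is the kind of gap the policy's regular testing is meant to surface before an incident.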

Malware Detection and Isolation:

- We will partition data stores to limit the range of data that any one system can access.
  - HIPAA information must be isolated from other data stores.
- We will add a malware detection service at every critical data store.
  - The service will identify encrypted data that does not match the expected data formats.
  - The service will flag the system performing the data write.
  - The service will alert Security Operations.
- We will add the capacity to separate a malware-infected system from the data storage and other
  systems.
  - If a malware-encrypted write is discovered, the system must be separated from the other systems
    and the network.
  - Security Operations must be alerted when isolation occurs.
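The detection-and-isolation logic above (spot writes whose content does not match the expected format, flag the writing system, alert Security Operations, and cut the system off) can be sketched as a small storage-side monitor. This is an added example, not the policy's own design or any vendor's product. The magic-byte table, the 7.5 bits-per-byte entropy threshold and the sample write events are constructed assumptions; the "isolation" is a set of host names that a real deployment would turn into firewall or NAC actions.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Expected leading bytes ("magic") for file types this data store is meant to hold.
# Extensions with no entry are treated as unknown types.
EXPECTED_MAGIC: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "docx": b"PK\x03\x04",   # OOXML documents are zip archives
    "xml": b"<",
}
ENTROPY_THRESHOLD = 7.5    # bits per byte; assumed tuning value, not from the policy
MIN_BYTES = 1024           # entropy over very short writes is too noisy to act on


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_write(path: str, data: bytes) -> Optional[str]:
    """Return a reason string if the write looks like ransomware output, else None."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    expected = EXPECTED_MAGIC.get(ext)
    if expected is not None:
        # Known type: the header is the check. Compressed formats are legitimately
        # high-entropy, so entropy alone would false-positive on them.
        if not data.startswith(expected):
            return f"content of {path} does not match the {ext} format"
        return None
    if len(data) >= MIN_BYTES and shannon_entropy(data) > ENTROPY_THRESHOLD:
        # Unknown type (e.g. a ransomware-appended extension) with ciphertext-like content.
        return f"high-entropy write to unrecognised type {path!r}"
    return None


def process_writes(writes: List[Tuple[str, str, bytes]]) -> Tuple[List[str], Set[str]]:
    """writes: (host, path, data). Returns (alerts for Security Operations, isolated hosts)."""
    alerts: List[str] = []
    isolated: Set[str] = set()
    for host, path, data in writes:
        if host in isolated:
            alerts.append(f"{host}: write to {path} rejected, host is isolated")
            continue
        reason = classify_write(path, data)
        if reason:
            isolated.add(host)   # separate the writing system from storage and the network
            alerts.append(f"{host}: {reason}; host isolated")
    return alerts, isolated


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed test data)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed write events against a HIPAA data store.
SAMPLE_WRITES = [
    ("ws-12", "patients/rec-001.pdf", b"%PDF-1.7\n" + b"0" * 2000),
    ("ws-12", "patients/rec-002.docx", b"PK\x03\x04" + b"\x00" * 2000),
    ("ws-41", "patients/rec-003.pdf", pseudo_ciphertext(b"a", 4096)),         # encrypted, still named .pdf
    ("ws-41", "patients/rec-004.pdf", b"%PDF-1.7\n"),                          # rejected: host already isolated
    ("ws-07", "patients/rec-005.pdf.locked", pseudo_ciphertext(b"b", 4096)),  # renamed by ransomware
    ("ws-09", "billing/export.csv", b"id,amount\n" + b"1,20\n" * 300),         # unknown type, low entropy
]


if __name__ == "__main__":
    alerts, isolated = process_writes(SAMPLE_WRITES)
    for line in alerts:
        print("ALERT:", line)
    print("isolated hosts:", sorted(isolated))
```

The two checks are complementary: the header check catches encrypted content that keeps its original name, and the entropy check catches content that ransomware has renamed to an extension the store does not recognise, while known compressed formats are accepted on their header so that legitimate PDFs and Office documents do not trip the monitor.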

Recovery

The recovery process can start once the propagation and the cause of the ransomware have been
stopped. The only way to recover is by having data backups and a coordinated response that not only
restores functions but also keeps them operating in the standard way. The aim is to recover readily
from the ransomware attack without paying anything for the ransom.

- The recovery process will be conducted by the Security Operations Center.
  - It will maintain the operational-level response, using the company's Security Incident Response
    methods.
  - It will take part in conducting the response, giving input on how the infected computers affect
    hospital functions. Furthermore, it will make certain that the company gives preference to
    patient care and other time-sensitive operations throughout the event.
  - It will also aid the response efforts, making sure that forensic reports are obtained and that
    information is recovered without any reintroduction of malware.
  - It will communicate with law enforcement and other external security agencies as required.
- The service restoration function will be conducted by IT Operations.
  - The ransomware will be removed from the affected systems by IT Operations.
  - IT Operations will recover information harmed by the ransomware from backups.
  - IT Operations will report on the extent of ransomware-encrypted information that was not
    restorable because of the absence of backups.
- We will contact law enforcement for help with the inquiry.
- All applicable breach notification laws will be met.
  - This includes any special handling of HIPAA information.

Conclusion

Ransomware targets hospitals because of the size of their attack surface, HIPAA requirements
concerning patient information, the urgent need to keep functions running, and the financial assets to
pay ransoms. The effect of ransomware attacks can be lessened, and their number decreased, by proper
planning, practice, investment, and response.

References

(1) https://blog.barkly.com/how-ransomware-infects-computers
(2) https://compliancy-group.com/protected-health-information-understanding-phi/
(3) https://www.provaltech.com/2018/07/best-practices-protecting-data-ransomware/
(4) https://avalution.com/addressing-the-ransomware-threat-at-hospitals-and-health-systems/
(5) https://blog.barkly.com/things-to-do-now-hospital-ransomware
(6) https://slate.com/technology/2018/06/how-hospitals-can-protect-themselves-against-ransomware.html
(7) https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html
