According to a recent Ponemon Institute survey, 51% of organizations have experienced a ransomware cyberattack. The recent global cyberattacks NotPetya and WannaCry have been brutal eye-openers to how quickly this growing threat can impact business operations. The expectation that this number will keep growing quickly as global attacks continue is now a topic among many top CISOs and CIOs across the world.
When events like this occur, we all sit back and consider the impact. I am particularly interested in communications, incident notification and response planning when these crises occur. In a June blog, I outlined new regulatory requirements for Medicare and Medicaid healthcare providers to spell out communication mechanisms in their emergency incident response plans. Events such as Petya and WannaCry offer great insight on the importance of employee communications during cyberattacks, especially those that shut down networks that are so vital to business operations.
With these two events, so much was unknown and confusing at times. I immediately start to question:
- How did the affected organizations give employees, patients, customers and partners instructions on what to do during and after the attack?
- What factors did they account for in designing communications in their incident response plans in the first place?
- What technologies were used to communicate as part of their incident response plans? Did they rely on old mechanisms like phone trees or a simple sign in the office lobby – or did they have more innovative ways to notify and respond to what was happening?
Let’s look at some examples of operational impacts and the role communications played – or didn’t play – during these recent global ransomware attacks.
The Health Insurance Portability and Accountability Act (HIPAA) has very strict breach notification requirements. It is important that healthcare incident response plans allow the provider to rapidly determine whether breach notification to the government and patients is required when a data security incident occurs. So, in this case, you would think that all healthcare organizations would have their incident preparedness, notification and response plans locked down and ready to go. Unfortunately – as we all know – it is not that simple.
Although somewhat escaping the impacts of WannaCry, technology systems of U.S. healthcare organizations were indeed held hostage during the NotPetya attack. One healthcare network provider, with two hospitals, 60 doctors’ offices and 18 community satellite facilities in the Northeast, took their network down following the attack.
In this case, we don’t know much about employee communications during this provider’s incident response. However, one key communication mechanism was the provider’s website. There they acknowledged the cyberattack and kept patients apprised of the steps taken to restore the systems and investigate any compromise of confidential patient information, and of which facilities were open for scheduled patient appointments.
Another health organization hit by NotPetya remained operational with some delays, but had to build an entirely new network and replace all device hard drives. Think of the expense and effort!
As to technology: with its rise in popularity and its efficiency in rapid delivery and response, text messaging has become a prime choice for communicating in multiple scenarios across all industries, especially in healthcare. During a cyberattack, it is vital that breach procedures for notification, remediation and response go into action as soon as possible to protect sensitive information. It is also important, however, that attackers cannot surveil internal recovery plans and communications. Keeping them ‘out of the know’ can be critical to your ability to recover quickly and forgo having to pay a ransom.
Many healthcare organizations are either already using or considering secure messaging platforms for clinical communications and collaboration. The critical use case of emergency response, however, goes beyond the traditional use of secure messaging for clinical communications. Healthcare organizations wishing to enhance their emergency preparedness and incident response plans, improve patient engagement and clinical efficiency, and meet compliance demands should look for secure messaging platforms that embrace not only clinical needs but also enterprise communications and deeper security.
When NotPetya shut down entire site networks at a major pharmaceutical company, operations came to a screeching halt. The culprits demanded ransom payments to unlock the computer systems they encrypted. While phones and PCs were out of commission, and networks compromised at the big pharma’s global sites, fears about research data safety grew among Merck scientists unable to access precious project data stored on central servers.
With phones and the network down, how were employee communications handled when the cyberattack was discovered? The company reportedly used public address systems to instruct employees to get off their computers and go home. U.S. staff were instructed to check the snow emergency number to find out if they should come into work the next day.
Surely a more comprehensive, secure communications mechanism for employees is needed for this kind of incident. During ransomware attacks, email systems are typically down, and email is not known for rapid response in the first place. That eliminates a traditional corporate communications mechanism. Communicating via an onsite public address system when so many workers are mobile these days is not exactly what I would call a dependable plan. Nor would reliance on an employee phone tree or snow emergency line.
It just makes me ask – in this day and age when text messaging is the number one preferred way to communicate if there is an emergency, why would I not use a secure text that shows who has received and read the notification? Would I really want to rely on a voice mail being listened to? Would I want a slow notification process?
IBM reports that financial services are the #1 target of cybercriminals. Large U.S. banks have experienced cyberattacks for years now. Though it appears that WannaCry and NotPetya did not impact U.S. banks, the financial services industry is on high alert after WannaCry did interfere with Russian, Indian and Chinese bank systems.
Having internal and external communications mechanisms in incident response plans is now a requirement of the nascent New York financial services cybersecurity regulations. Banks operating in New York will want to have reliable means for communicating with employees on what to do during and after a ransomware attack.
Although most banks have moved to text banking and banking apps, many are only now working through how to securely incorporate texting internally within the walls of the bank, due to strict regulatory and compliance requirements from FINRA, the SEC and others. Working with a secure messaging platform that provides advanced security and compliance can help not only enhance incident response plans but also ensure compliant communications.
NotPetya had dramatic impacts on one of the world’s largest law firms. The firm’s U.S. and European office networks, document management systems, email and phones were downed. Concerns about the safety of sensitive client data rippled across the firm and clients, especially as experts began to surmise the attack would destroy – wipe – documents rather than unlock them upon ransom payment. Without access to email and document management systems, lawyers were forced to request deadline extensions from courts.
Washington, D.C. employees were greeted with a handwritten whiteboard notice in the lobby, telling them to unplug laptops and not turn on their computers. The firm also used text messaging to keep lawyers up to date on the status of restoring the systems they rely on to practice law. My only question is – how secure were these texts? Were they providing intel to the attackers along the way?
The use of a Secure Messaging Platform would have ensured that all communications would be kept out of the attackers’ hands. Law firm business could also have continued, as partners and staff could have kept discussing cases securely (unlike with native SMS).
Put Secure Texting in Your Incident Response Plan
77% of adults in the U.S. have a smartphone, according to a 2017 Pew Institute report. We believe the pervasiveness of texting and mobile devices makes a secure text messaging platform a “must have” for every incident response plan.
Vaporstream® Secure Messaging alleviates the risks associated with native SMS text while empowering organizations with the rapid response required in emergency situations. Organizations can leverage the efficiency of modern-day mobile messaging to ensure employees and customers receive important cyberattack communications in a timely, secure and confidential manner.
Contributor: Kristi Perdue Hinkle