The aftermath of a ransomware attack on a hospital or medical organization can have devastating consequences for patients, with even a brief disruption in services leading to higher mortality rates. According to Hannah Neprash, an associate professor of health policy at the University of Minnesota, the longer the disruption, the worse the health outcomes. When the providers of software connected to the targeted organization withdraw their services, patients may struggle to receive necessary medical attention.
To mitigate these risks, companies often request assurance letters, which provide confirmation that a system has been thoroughly cleaned and attackers have been removed. While there is no legal requirement to obtain such letters, they have become increasingly popular as ransomware attacks have become more common and litigious.
Specialist cybersecurity companies help compile these assurance and attestation letters, which detail what systems can be reconnected and when. The decision-making process is often based on perceived risk, with companies concerned about the potential for cybercriminals to move “laterally” between systems.
However, some experts argue that the assurance process may be overly restrictive, with Charles Carmakal, chief technology officer of Mandiant, suggesting that companies need to weigh the risks associated with connectivity between two parties. Carmakal notes that wormable ransomware attacks are rare and that independent cybersecurity experts can provide verification that malware has been contained and remediated.
In the aftermath of a ransomware attack, companies may also hold webinars and one-on-one calls with vendors, share indicators of compromise with health organizations and government agencies, and provide regular updates to stakeholders.
Cybercriminals have become more brazen in their attacks against hospitals and medical organizations in recent years; in one case, the LockBit ransomware gang claimed it had rules against attacking hospitals but hit more than 100. Often these sorts of attacks directly affect private sector companies that provide services to public infrastructure or medical organizations.