The recent Synnovis ransomware attack suggests that today, with all the layers of software security protection we have brought to bear on modern enterprise systems, critical IT infrastructures remain vulnerable. As a London, UK-based pathology laboratory, Synnovis is closely linked to some hospitals with its pathology services such as blood testing. The ransomware attack on the laboratory forced the affected hospitals to postpone a total of around 800 operations and around 700 outpatient appointments. With this news causing a significant stir in the mainstream media this summer, how does the enterprise technology industry think we can achieve a cleaner bill of health in PharmaTech security?
“In healthcare and the wider world of business, there is a ransomware pandemic raging unabated, and it’s leading to political and regulatory debate on how companies should react and how to stop funding the attackers. In the UK, there is a discussion about whether companies should be forced to report attacks and ransom payments, while the EU has already defined strict reporting obligations with NIS2 and DORA,” said Mark Molyneux, EMEA CTO at Cohesity.
Around the globe, newspapers have reported attacks against municipal facilities such as Michigan’s Traverse City and New York’s Newburgh in the US. These are examples of recent successful attacks, but the number of unreported cases is widely thought to be considerably higher. As a result, politicians want to ensure companies are more transparent.
“Initial ideas being discussed in Europe centre on whether all victims should be required to report incidents to the government. Affected businesses should also have to obtain a licence before making extortion payments,” said Molyneux. “A complete ban on ransom payments for organisations involved in critical national infrastructure is also being proposed. The ban is intended to remove the incentive for hackers to disrupt these critical services by preventing them from monetising attacks. This would likely only reduce a subset of attacks, though, as nation-state actors are focused on destabilisation and destruction over cash reward.”
The American Adventure
In the USA, the Biden administration already set the rules in March 2022 with its Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): operators of critical infrastructure must report a cyber incident within 72 hours, and ransomware payments must be reported within 24 hours of the payment being made.
The regulations and laws through which governments want to shed more light on cyber threats and risks increasingly rest on strict time limits for the reporting obligation. Today, 72 hours is the global standard, and that limit is now establishing itself across many regulators.
“We know that 72 hours is also the measure of things in the Digital Operational Resilience Act (DORA), which focuses on the financial industry, and the NIS2 Directive. With both sets of rules, the EU wants to push companies in Europe to become more operationally cyber-resilient,” said Molyneux.
The mandatory reporting obligations for data breaches are tough and set out clear requirements:
· Within 24 hours, the organisation must provide an early warning if there is a suspicion that a serious incident was caused by unlawful or malicious acts or could have cross-border implications.
· Within 72 hours of becoming aware of a serious incident, the early warning must be updated with an initial assessment, including its severity and impact. The organisation should also report any indicators of compromise related to the attack to the national CERT (Cybersecurity Emergency Response Team).
· Upon request from a national CERT or supervisory authority, the organisation must provide interim status updates.
· Within one month of submitting the incident report, the organisation must submit a final report.
Clarifying Transparency
“The risk of successful cyberattacks on the well-being and lives of citizens will continue to drive politicians to enact new rules and regulations with the aim of strengthening security levels and cyber resilience. So there is likely to be more to come,” advised Cohesity’s Molyneux. “Companies should respond accordingly and create more transparency and control over their data and services internally.”
The Cohesity team suggest the following steps:
Understanding data precisely: Companies need to know exactly what data they have and what value it has. Only then can they report to the authorities which data was corrupted in a successful attack. Companies must index and classify their data, including classifying it according to the relevant records strategy.
Regulating access: Once the data has been correctly classified, the rules and rights that regulate access to it can be enforced automatically.
Survive attacks: For a company to be able to create reports for the authorities at all, it must remain able to act. In the worst-case scenario of a ransomware or wiper attack, however, nothing will work. The IT teams of CIOs and CISOs will not even be able to react to the attack, because all security tools are offline and the evidence in logs and on the systems is encrypted. Companies should therefore implement clean room concepts: an isolated environment holding an emergency set of tools together with system and production data, from which emergency operation of the entire IT estate can be established.
In essence, the rules for IT are becoming stricter because our dependence on IT is increasing and with it the damage to the economy and society when important services fail. Molyneux suggests that if organisations want to comply with the 72-hour reporting requirements, they need to check all the processes and workflows that handle data in order to address the ransomware pandemic.