ORLANDO – It’s a well-known adage at this point – it’s not “if” your organization gets hit with a cyberattack, it’s “when.”
And when that happens, said US Federal Bureau of Investigation Special Agent Andrew Sekela, it’s the exact wrong time to ask, “What are we going to do now?”
“It shouldn’t catch you by surprise,” he told HIMSS22 Healthcare Cybersecurity Forum attendees on Monday.
In the Navy, Sekela noted, they would perform casualty drills all the time – preparing for flooding, fires, torpedoes – so they would be prepared to immediately respond to problems on the submarine.
The same mentality should be present, he said, when it comes to cyber activity. “There’s going to be all kinds of alarm bells going off, figuratively if not literally, and you’re going to be scrambling around, you don’t want to be … going to Google and typing in, ‘What do I do if I get hit with a ransomware attack?’ You have enough [of] other things on your plate.
“That’s why it’s really important to have that incident response plan,” he said.
Special Agent Harry Walker echoed the sentiment, saying, “You have to train your people.”
A company’s plan, he said, should also include knowing when to let the FBI know what’s taken place.
“There is a certain point in the investigation where you might want to bring a partner onboard, and you want to make sure you can get to the right people at the right time,” he said.
The agency has a variety of ways to get in touch, including calling a local field office or reaching out to IC3.gov. “Go ahead and bookmark that page now,” said Walker. “It’s going to be your best bet.”
Generally, the FBI prefers to speak to members of the IT team first, Walker said.
“The FBI’s main goal is to collect evidence,” Sekela explained. “Ultimately, what we want to do is identify perpetrators and bring them to justice.”
Of course, tracking down a cybercriminal can be a lot more complicated than ferreting out an old-fashioned bank robber. “One of the biggest challenges we face in our cyber investigations is trying to figure out where the bad guys are located – and more often than not, they’re not in the US”
The FBI can assist with triage – “stop the bleeding,” as Sekela put it – before focusing on the investigative portion and building a criminal case. That investigation may include backup recovery, obtaining copies of ransom notes or communication addresses, and information sharing with other offices.
File extension names are important too, as is the amount of ransom.
“At the end of the day, involving the FBI is extremely important, because we have extremely strong local and state partner contacts,” said Walker.
He also encouraged organizations to make contact with the agency before they face a threat, in order to learn how to better protect their network or find out about recent trends in ransomware.
“There’s nothing more exciting for me than an eager team that actually wants to get ahead of this threat,” he said.
Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.