GAO releases recommendations to prevent ransomware attacks

The GAO recently conducted a study highlighting ransomware attacks' devastating impacts and steps companies can take to prevent victimization. 

What happened

The GAO recently reported on 16 critical infrastructure sectors that provide services including electricity, healthcare, and more. According to the report, cyber threats in these sectors “represent a significant national security challenge.”  

The report, titled Critical Infrastructure Protection: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support, focused on the growing impact of ransomware. 

According to the Department of the Treasury, the value of US ransomware-related incidents increased to $886 million in 2021, representing a 68% increase from 2020. The impacts aren’t just fiscal; the GAO notes that attacks can lead to down systems preventing emergency care.  

In 2022, 870 critical infrastructure organizations were victims of ransomware attacks and the majority of incidents were in critical manufacturing, energy, healthcare and public health, and transportation. Following the findings, GAO released several recommendations on how agencies can prevent ransomware attacks. 

Going deeper

The GAO released 11 recommendations, each of which apply to specific agencies. Two recommendations are specifically for the Department of Health and Human Services. They include: 

• Working in coordination with CISA and related entities to develop and implement procedures that measure the effectiveness of federal support that is used to reduce ransomware. The GAO recommends effectiveness be regularly evaluated. 
• Working in coordination with CISA and related entities to determine how well the public health sector is adopting strong cybersecurity practices to reduce the risk of ransomware attacks. 

What was said

In the report, the GAO stated, “Ransomware has had devastating impacts on the operations and vital services provided by critical infrastructures sections. In recent years, these attacks have led to widespread disruptions such as regional gas shortages and canceled urgent care surgeries.” 

The GAO also mentioned reporting efforts need to be improved to truly understand how impactful ransomware attacks are in the healthcare industries. 

Why it matters

This report shows rising concerns related to ransomware, even as companies become more strategic in responding to attacks. 

The GAO notes that the total number of ransomware attacks is unknown, as reporting is generally voluntary. In March, the Department of Homeland Security will likely release new reporting rules that could showcase the true impact of ransomware on companies. 

If some of these recommendations can be implemented, we will likely have a better understanding of how effective federal efforts are in reducing ransom attacks. 

Read more: Report: Companies are refusing to pay ransoms

Related: HIPAA Compliant Email: The Definitive Guide