Surviving ransomware – Know what to do before, during and after a hack attack

For more than a week in February 2016, normal operations at a Hollywood, California hospital came to a sudden and potentially dangerous standstill. Hackers had successfully encrypted much of the hospital's data, preventing hospital staff from accessing patient medical records.

The hackers' demand: pay a ransom of 40 Bitcoin, or almost $17,000, for the release of some 4.5 million private health records. While patient care was never compromised during the 10-day standoff, Hollywood Presbyterian hospital was forced to revert to pen and paper to register patients and chart medical records. Ultimately, hospital administrators decided to pay the ransom and obtain the decryption key. It was the quickest and most efficient way to restore their systems and administrative functions to normal operations, said the hospital's chief executive officer.

Ransomware – A Malicious Type of Software
The chaos that ensued at Hollywood Presbyterian was due to a type of malicious software called ransomware that encrypts data so it can only be unlocked with a decryption key. Ransomware, like other malware that exploits vulnerabilities in an organization's computer system, first surfaced in 2013. Since then, more than 56 types of ransomware have appeared, which means one of as many as 50 gangs could have been behind the Hollywood Presbyterian attack, according to Kevin Haley, director of Security Response at Symantec.

The hospital was open to attack either because of vulnerabilities in one of the software programs in use at the hospital, or because someone on staff inadvertently invited the ransomware in by clicking on a web link or by opening an infected email. According to the FBI, email with malicious attachments or hyperlinks accounts for 85 percent of all ransomware detected. The most popular hiding places for the malware are blogs and online advertisements. Most likely, a single click launched the malicious software, which started encrypting data on Hollywood Presbyterian servers and set the hackers' scheme in motion.

Why Ransomware is Surging
Hackers continue to cast their nets across ever-widening distribution channels. Ransomware is cheaper than ever to build, creating economies of scale that result in higher rates of success. With the ability to scale, hackers can pursue more lucrative targets that are highly motivated to pay the ransom. The ransom itself has become easier to collect, thanks to the advent of digital currency such as Bitcoin that provides criminals an anonymous way to get paid.

The Hollywood Presbyterian ransomware attack came just months after research firm Forrester singled out the healthcare industry as the number one target for ransomware in 2016. Nearly 100 million healthcare records were compromised last year – the number of cyberattacks against healthcare organizations grew by 68 percent over the prior year.

Most Healthcare Organizations are Ill-prepared to Deal with an Attack
According to a 2016 Sophos Group study, the healthcare sector is appealing to hackers because of the alarming laxity in many healthcare organizations' approach to data security. The report also indicates U.S. hospitals lack new technology and best practices to defend against current cyber threats.

A HIMSS study from that same year reports that most healthcare organizations fail to adopt even basic safeguards like anti-malware tools, firewalls and encryption. Of all industries, healthcare had the lowest rate of data encryption.

The HIMSS report concluded that healthcare providers' traditional view is they are in the business of saving lives. It follows, then, that IT security staff have a difficult time competing for budget dollars. Unless industry leaders re-examine their funding priorities for IT security, hackers will continue to have the upper hand.

The Best Defense is a Strong Offense
Be prepared – perhaps easier said than done. Know in advance what you will do if your organization becomes the target of ransomware. Preventing ransomware before it occurs is, frankly, more important than knowing how to recover your data. This is because if ransomware encrypts ePHI (electronic protected health information), it is considered a data breach even if the ePHI can be restored from backup, according to the US Department of Health and Human Services.

How to prevent ransomware:
Conduct regular network risk assessments. Assessing the security risk of your network is key to preventing security related issues, including ransomware. It's also a requirement of HIPAA/HITECH.
Conduct regular network vulnerability assessments. These should be run on a quarterly basis at minimum, and your team should take immediate action to resolve the issues identified.
Implement an enterprise-grade Web Content Filtering solution. Ransomware is often downloaded and installed inadvertently. Web Content Filtering solutions are designed to prevent your workforce from gaining access to sites that may contain ransomware, malware, viruses, and inappropriate content on the Internet.
Regularly patch and update all applications and systems. All devices should be up-to-date. Your team should produce a report showing that all devices are patched on a monthly basis.
Invest in robust security solutions. Every device should have the latest antivirus/anti-malware software installed, and it should be regularly updated and monitored by a professional. Additionally, ensuring that intrusion detection systems are in place and working throughout your network is key.
Implement an enterprise-grade Log Management System. When problems occur, it is critical for your incident response team and law enforcement to have access to all logs. These logs will inform professionals about the incident and can help in determining whether or not a security breach has occurred.
Continually back up your data utilizing the 3-2-1 rule. While preventing ransomware in a healthcare organization is key to preventing a data breach, being able to restore data without having to pay a ransom is a must. When it comes to backups, make sure to follow the 3-2-1 rule. This means that you must have 3 copies of your data; store the copies on 2 different media; and keep 1 copy offsite. Also, make sure that you never back up to a mapped network drive on a server or computer that also has access to your production data.
Train and educate your staff. Your people should know what to do, what not to do, how to avoid ransomware, and how to report it. HIPAA/HITECH requires regular privacy and security training and awareness anyway, so consider making ransomware one of your next training topics.
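As an added illustration of the 3-2-1 rule and the mapped-drive caveat in the backup item above (example code written for this page, not from the article or from any backup product), the script below checks a constructed backup inventory. The inventory format, the field names and the sample entries are assumptions. The check deliberately refuses to count a copy that a production host can write to, and it counts only backup copies, not the live data, which is a stricter reading of "3 copies" than counting production as one of them.

```python
"""Check a backup inventory against the 3-2-1 rule and the mapped-drive caveat.

Added example, not from the article or from any backup product. The inventory
format, field names and the sample entries are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                     # e.g. "disk", "tape", "object-storage"
    offsite: bool
    # True when the copy sits on a mapped drive or share that a production server or
    # workstation can write to: ransomware on that host can encrypt the copy too.
    writable_from_production: bool


def evaluate_321(copies):
    """Return findings for a list of BackupCopy; 'compliant' is True only if all three rules hold.

    Assumption: the inventory lists backup copies only, so the live production data is
    not counted toward the three. Copies writable from production are excluded first,
    because a copy the attacker can reach offers no protection.
    """
    protected = [c for c in copies if not c.writable_from_production]
    exposed = [c.name for c in copies if c.writable_from_production]
    media = {c.media for c in protected}
    offsite = [c.name for c in protected if c.offsite]
    findings = {
        "copies": len(protected),
        "media_types": len(media),
        "offsite_copies": len(offsite),
        "exposed_copies": exposed,
        "problems": [],
    }
    if len(protected) < 3:
        findings["problems"].append(f"only {len(protected)} protected copies (need 3)")
    if len(media) < 2:
        findings["problems"].append(f"only {len(media)} media type(s) (need 2)")
    if not offsite:
        findings["problems"].append("no protected copy is offsite (need 1)")
    for name in exposed:
        findings["problems"].append(f"{name} is writable from production and was not counted")
    findings["compliant"] = len(protected) >= 3 and len(media) >= 2 and bool(offsite)
    return findings


# Constructed sample: on paper this is 3 copies, 2 media, 1 offsite. But the nightly copy
# lives on a mapped drive of the file server, so only two copies would survive an attack.
SAMPLE_INVENTORY = [
    BackupCopy("nightly-nas", "disk", offsite=False, writable_from_production=True),
    BackupCopy("backup-server", "disk", offsite=False, writable_from_production=False),
    BackupCopy("weekly-tape", "tape", offsite=True, writable_from_production=False),
]


def sample_findings(extra=()):
    """Evaluate the constructed inventory, optionally with additional copies appended."""
    return evaluate_321(list(SAMPLE_INVENTORY) + list(extra))


if __name__ == "__main__":
    for line in sample_findings()["problems"]:
        print("-", line)
```

Run as-is, the sample inventory fails: it looks compliant on a spreadsheet, but once the nightly copy on the mapped drive is discounted only two protected copies remain. Appending an offsite object-storage copy (as the test below does) makes it pass.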

What to do during a ransomware attack:
Call the FBI. Visit www.fbi.gov/contact-us/field to locate your closest field office and report the attack right away.
Report the incident to the proper authorities. If ransomware has encrypted files with ePHI, or even if you suspect ePHI has been involved in any way, report it. Breach notification provisions require notification to the Office for Civil Rights at HHS, to the media, and to the affected individuals without unreasonable delay. If you fail to notify in time, you could face hefty fines.
Report the incident to your insurance company. Most policies only provide coverage from the day a claim was filed. Even if you suspect that there won't be a claim, file one anyway. It's better to close the claim than not be covered for expenses incurred during your investigation.
Disconnect from the network. If you receive alerts on your computer or server, or for any reason you suspect there is a security problem or instance of ransomware, disconnect the device from the network and notify your IT department and/or your information security officer.
Determine the scope of the problem. Your response hinges on several factors: the type of attack, who in your network is compromised and what data was compromised. Your security professionals, assuming they have access to all logs, will be able to determine the scope of the problem rather quickly. If they can't, then you haven't properly prepared for a ransomware attack.
Orchestrate a response. You should have an incident response plan in place. During a ransomware attack, a multi-disciplinary team should be assembled to determine the proper course of action.
Don't count on free ransomware decryption tools. Most free tools work only for a single strain of ransomware. In today's environment, relying on free decryption tools is being penny-wise and pound-foolish!
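Both the log-management item in the prevention list and the "determine the scope of the problem" step above assume that file-server activity logs are available and can be searched quickly. The added example below is not from the article; the log line layout, field names, thresholds and sample lines are all constructed for illustration. It scans audit lines for a host that renames or writes an abnormal burst of files to one unfamiliar extension inside a short window, a common footprint of mass encryption, and reports the scope a responder needs: which host, which user, which shares, and since when.

```python
"""Scope a suspected ransomware incident from file-server audit logs.

Added example, not from the article. The log line format, field names,
thresholds and the sample lines below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed audit line layout: "<ISO-8601 UTC> host=<name> user=<name> action=<VERB> path=<UNC path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)
WINDOW = timedelta(seconds=60)   # burst window (illustrative value)
MIN_EVENTS = 20                  # writes/renames in one window that one user would not do by hand
MIN_EXT_SHARE = 0.8              # fraction of the burst that must share one new extension
BENIGN_EXTS = {".tmp", ".bak", ".docx", ".xlsx", ".pdf", ".txt"}  # tune to your environment


def parse(lines):
    """Yield (timestamp, host, user, action, path); skip lines that do not match the layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["host"], m["user"], m["action"], m["path"]


def scope_incident(lines):
    """Return one finding per host whose write activity looks like mass encryption.

    A host is flagged when, inside WINDOW, it wrote or renamed at least MIN_EVENTS
    files and at least MIN_EXT_SHARE of them end in the same non-benign extension.
    The finding then covers every file on that host carrying that extension, which
    is the scope an incident responder needs: who, where, and since when.
    """
    by_host = defaultdict(list)
    for ev in parse(lines):
        if ev[3] in ("WRITE", "RENAME"):
            by_host[ev[1]].append(ev)

    findings = []
    for host, events in by_host.items():
        events.sort()                       # tuples sort by timestamp first
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < MIN_EVENTS:
                continue
            ext, n = Counter(PureWindowsPath(e[4]).suffix.lower() for e in burst).most_common(1)[0]
            if not ext or ext in BENIGN_EXTS or n / len(burst) < MIN_EXT_SHARE:
                continue
            hit = [e for e in events if PureWindowsPath(e[4]).suffix.lower() == ext]
            findings.append({
                "host": host,
                "users": sorted({e[2] for e in hit}),
                "extension": ext,
                "files": len(hit),
                "shares": sorted({PureWindowsPath(e[4]).drive for e in hit}),
                "first_seen": hit[0][0].isoformat(),
                "last_seen": hit[-1][0].isoformat(),
            })
            break                           # one finding per host is enough to act on
    return findings


def constructed_sample_log():
    """Constructed sample: routine activity, a malformed line, then a 25-file burst."""
    lines = [
        "2016-02-05T03:11:40Z host=WS-020 user=nurse1 action=WRITE path=\\\\FS01\\records\\notes\\shift.docx",
        "2016-02-05T03:11:52Z host=WS-114 user=jdoe action=READ path=\\\\FS01\\records\\2015\\index.xlsx",
        "this line is deliberately malformed and must be skipped",
    ]
    base = datetime(2016, 2, 5, 3, 12, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} host=WS-114 user=jdoe action=RENAME "
                     f"path=\\\\FS01\\records\\2015\\pt-{i:04d}.pdf.locked")
    return lines


if __name__ == "__main__":
    for finding in scope_incident(constructed_sample_log()):
        print(finding)
```

The thresholds are deliberately simple so the logic stays readable; in practice they would be tuned against a baseline of normal activity, and the same pass would be run across every file server so that the finding lists all affected shares rather than one. The point the article makes still holds: without centralized logs to run this over, the scoping step cannot happen at all.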

What to do after the breach:
Begin the cleanup process. Closely examine your system for hidden threats that you may have overlooked during the chaos.
Conduct a post-mortem review. You will have no way of stopping the next attack unless you determine how the hackers got through.
Assess user awareness. Your last line of defense is a well-informed employee.
Review your risk analysis and vulnerability assessment. In light of the recent event, you should conduct another risk analysis and vulnerability assessment. Before you do, review the findings of your most recent reports and determine whether the action items on those reports were simply not followed up, or whether the weakness was never discovered.
The best strategy for preventing a ransomware attack, of course, is to avoid this extortion altogether. This is well within the power of most organizations, but it requires planning and action – before the crisis hits.

About the Author
James Deck has been an innovator in the information technology field for over two decades specializing in healthcare IT, mobile and web application development, managed services, and Cloud solutions. He is the Chief Executive Officer of three companies:
Med Tech Solutions, a leading, national healthcare Cloud computing company that works exclusively with community health centers and accountable care organizations. With a mission to reduce the complexity of IT, MTS provides a full menu of HIT services and Cloud hosting solutions.
CuragoHealth, a digital healthcare engagement platform that promises to change the way physicians, medical practices, and patients work together.
JD Systems, a B2B tech company that provides enterprise-level IT solutions to the small business sector.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
