Preparation — Not Payment: How To Protect Your Healthcare Organization From A Ransomware Attack
By Brian Wells, Merlin International
Just this past month (in March), Geneva, N.Y.-based Finger Lakes Health lost computer access and most of its phone lines after a hacker hijacked its systems and demanded payment to unlock them. After operating in what it called “downtime paper” mode for about a week, Finger Lakes paid the ransom, of an undisclosed amount. “We’ve become very accustomed to relying on digital-everything — and this type of breach sets us back 30, 40 or 50 years,” an employee remarked in describing the incident’s immediate impact.
For at least two years now, the operators of a ransomware strain known as SamSam have collected nearly $850,000 from a wide range of victims, including healthcare organizations. One of them, Hancock Health in Greenfield, Ind., paid $50,000 in January after SamSam infected its systems and changed the names of more than 1,400 files to “I’m sorry.”
In April of last year, Greenway Health, a Carrollton, Ga.-based electronic health records (EHR) and practice management software vendor, discovered a ransomware-triggered breach that affected 400 enterprise clients using the company’s Intergy, an EHR/medical management cloud platform. The clients were forced to fall back on pen-and-paper manual processes for patient-related needs until Greenway Health could restore the platform.
By now, it’s quite clear that healthcare organizations have emerged as a prime target of ransomware, as survey research from the Ponemon Institute reveals that 37 percent of these organizations have experienced the attacks. In addition, 29 percent indicate that they’ve encountered ransomware as a result of an advanced persistent threat (APT) or zero day threat, according to the survey report, The State of Cybersecurity in Healthcare Organizations in 2018.
It is reasonable to conclude that adversaries find healthcare organizations appealing because the possible “life or death” consequences of a systems shutdown raise the urgency, increasing the likelihood of a ransom payment. At hospitals, ambulance crews, physicians and other team members need constant access to electronic medical records (EMRs) as they interact with patients, keeping track of vital signs, current prescriptions and other data to make informed decisions about care. Automated record systems perform critical functions here; manual processes often delay treatment and carry a greater potential for errors, such as medication mistakes, which could prove deadly.
Ransomware adversaries, of course, know this. They realize that hospital officials will always consider their patients first and foremost during a shutdown. What’s more, they are frequently savvy enough to avoid “getting too greedy” by not asking for too much money. After he learned that restoring systems could take days or even weeks, Hancock Health CEO Steve Long decided that it simply made business sense to pay the $50,000. “These folks have an interesting business model,” he told a local reporter in January. “They make it just easy enough [to pay the ransom]. They price it right.” His perspective mirrors that of many healthcare organizations, especially smaller ones in rural areas, which opt to pay because they lack the IT personnel or resources to get themselves back online promptly on their own.
So what should you do to defend your organization, beyond 24/7/365 monitoring for vulnerabilities and threats? No measure ensures 100 percent protection. But the following proactive steps will, at the very least, reduce exposure to risk and the ensuing impact:
Employee training. As with many cyber exploits today, ransomware is every bit as much a “human” problem as a technology-driven one. While it may sound like simple common sense at this point, employees periodically need to learn, or be reminded of, proper computer usage and overall cyber hygiene. They should never share passwords, should use a long, unique password for each account (a password manager makes this practical), and should enable multi-factor authentication wherever it is offered. Forced periodic password rotation is no longer recommended practice: NIST SP 800-63B advises changing a password when there is evidence it has been compromised, not on a schedule, because scheduled rotation pushes users toward weak, predictable variations. Employees need to know the dangers of clicking links or opening attachments sent by an unfamiliar party, and of visiting suspicious websites. Ultimately, they must recognize what a phishing message looks like (ideally in a hands-on workshop session) and know how to report it without inadvertently shepherding ransomware into the network. Organizations should regularly test their employees’ ability to recognize phishing by running their own simulated campaigns, followed by individualized training for those who were “hooked.” One caveat: training addresses the email vector, but it does not cover the way SamSam typically got in, which was through internet-exposed Remote Desktop Protocol (RDP) services and unpatched internet-facing servers. Patching those systems and requiring multi-factor authentication on remote access belong to the same defense.
Make your backup files “untouchable.” This is a reactive, “minimize the damage done” measure rather than a preventive one: with ready access to intact backups of the EMR, a hospital can restore patient-care capabilities quickly even as a ransomware incident takes hold. But the backups must remain out of the attackers’ reach, and many ransomware families look for them specifically, deleting local shadow copies and encrypting any backup share the compromised machine can write to. To implement this, store copies off-site, or on removable media that is disconnected as soon as each backup completes. You can also isolate the backup repository through network segmentation: put backup storage on its own network segment, reachable only from the backup server and not from user workstations or the production EMR servers, and run backups as a pull from the backup server so that no production system holds credentials that can write to or delete the backup store. Note that the segmentation applies to the backup copies, not to the live EMR, which clinicians must be able to reach. Keep multiple dated versions rather than a single overwritten copy, since the malware may have been present for days before it triggered, and test restores on a schedule; a backup that has never been restored is an assumption, not a plan. Done this way, the backup data is essentially “walled off” from a ransomware threat on the main network.
Take snapshots. Storage and virtualization vendors offer “snapshot” features that capture a point-in-time, read-only image of a file system or volume, and they market them to healthcare teams as a quick way back to a known-good state. Because a snapshot lives on the storage system and is read-only, it cannot be encrypted by malware running on a user’s PC; it can, however, be deleted by an attacker who gains administrative access to the storage system, and a snapshot held on the same array as the live data is lost along with that array. Treat snapshots as the fastest restore option, keep enough of them to reach back before the infection started, and pair them with the off-site or offline copies above. Again, this remedy limits disruption and additional fallout rather than preventing the attack.
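The backup and snapshot advice above comes down to three properties: every run lands in a new version rather than overwriting the last one, stored copies are read-only, and a restore is refused if the copy no longer matches what was written. The following script is an added example, not code from the article or from any vendor it mentions; it implements those three properties with plain files so it runs offline. The directory names, the patient record and the simulated “encryption” in the demo are constructed for illustration, and the manifest is kept next to the copy for simplicity (in production, keep a second copy of the manifest on a host the production network cannot write to).

```python
"""
Versioned, read-only, hash-verified backups (added example, not from the article).

Properties demonstrated:
  1. each backup run creates a new timestamped/labelled version; overwriting is refused,
     so a copy taken after encryption never replaces a known-good one;
  2. copied files are made read-only and a SHA-256 manifest is written beside them;
  3. restore walks versions newest-first and refuses any copy that fails its manifest,
     so a stored backup that was encrypted or altered after the fact is skipped.
"""
import hashlib
import shutil
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "MANIFEST.sha256"   # constructed name for the per-version hash list


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, repo: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into repo/<label>/data, mark files read-only, write the manifest."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    dest = repo / label
    if dest.exists():
        raise FileExistsError(f"backup {label} already exists; versions are never overwritten")
    shutil.copytree(source, dest / "data")
    lines = []
    for p in sorted((dest / "data").rglob("*")):
        if p.is_file():
            rel = p.relative_to(dest / "data").as_posix()
            lines.append(f"{_sha256(p)}  {rel}\n")
            p.chmod(stat.S_IRUSR | stat.S_IRGRP)  # read-only: defence in depth, not a guarantee
    (dest / MANIFEST).write_text("".join(lines))
    return dest


def verify_backup(backup: Path) -> List[str]:
    """Return a list of problems; an empty list means the copy matches its manifest."""
    expected: Dict[str, str] = {}
    for line in (backup / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    data = backup / "data"
    present = {p.relative_to(data).as_posix() for p in data.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif _sha256(data / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - expected.keys()):
        problems.append(f"unexpected: {rel}")   # e.g. a ransom note dropped into the copy
    return problems


def restore_latest_good(repo: Path, target: Path) -> Optional[Path]:
    """Restore from the newest version whose manifest verifies; None if none does."""
    for backup in sorted(p for p in repo.iterdir() if p.is_dir()):
        pass
    for backup in sorted((p for p in repo.iterdir() if p.is_dir()), reverse=True):
        if not verify_backup(backup):
            shutil.copytree(backup / "data", target, dirs_exist_ok=True)
            return backup
    return None


def demo() -> dict:
    """Constructed scenario: a good backup, then ransomware encrypts the live data and a
    second backup captures it, then that stored copy is tampered with in place."""
    tmp = Path(tempfile.mkdtemp())
    src, repo, out = tmp / "emr", tmp / "backups", tmp / "restore"
    src.mkdir()
    (src / "patient_001.json").write_text('{"mrn": "001", "rx": ["metformin"]}')  # constructed record
    good = create_backup(src, repo, "v1")
    try:
        create_backup(src, repo, "v1")          # a second run with the same label must be refused
        refused = False
    except FileExistsError:
        refused = True
    (src / "patient_001.json").write_text("ENCRYPTED")   # simulated ransomware on the live system
    (src / "README.txt").write_text("I'm sorry")
    bad = create_backup(src, repo, "v2")        # captures encrypted data; v1 is untouched
    victim = bad / "data" / "patient_001.json"  # simulated tampering with the stored copy
    victim.chmod(stat.S_IWUSR | stat.S_IRUSR)
    victim.write_text("ENCRYPTED!")
    restored = restore_latest_good(repo, out)
    return {
        "overwrite_refused": refused,
        "v1_problems": verify_backup(good),
        "v2_problems": verify_backup(bad),
        "restored_from": restored.name if restored else None,
        "restored_rx": (out / "patient_001.json").read_text(),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the demo makes that the prose does not: the manifest catches a copy that was altered after it was written, but v2 would have verified cleanly if it had not been tampered with, because it faithfully recorded already-encrypted data. Integrity checking therefore does not replace retention of older versions and scheduled restore tests; it only guarantees that what you restore is what you backed up.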
Family practices, hospitals and other healthcare organizations hardly stand alone as potential ransomware victims. But the hackers know that – for an insurer, banker or school system – there’s “less on the line” when records are temporarily hijacked. However, for doctors, nurses and support teams dedicated to the lives of their patients, the stakes are always high and the hackers are more than happy to leverage this. That’s why the steps you take to encourage strong cyber awareness among staffers and isolate/protect backup files will reduce the “desperation factor” – and hopefully help you avoid paying a hefty ransom.