How to avoid, or rapidly recover from, data breaches
Information can be one’s greatest ally, but for many organizations it can also become public enemy #1. The healthcare industry has learned this the hard way in 2016 as it has increasingly fallen victim to a series of ransomware attacks.
In February, Hollywood Presbyterian Medical Center chose to pay ransomware hackers $17,000 after an attack disabled its networks and left it unable to use its electronic health record system for 10 days. In March, a ransomware attack paralyzed MedStar Health’s computer systems. Those are just two examples. More than half of hospitals surveyed recently by HIMSS Analytics and Healthcare IT News said they had been hit by ransomware attacks in the past year. Another 25 percent were unsure whether such attacks had occurred.
What is Ransomware?
Ransomware is malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key. Locker and Crypto, the two typical types, are spread through email attachments, infected programs, and compromised websites. Locker ransomware prevents users from accessing their computers by locking components or all of the system. Crypto ransomware targets the data and file systems on the computer rather than the device itself, leaving the computer functional but its files inaccessible because they have been encrypted.
“This is a really big deal in healthcare because it’s not like at the DMV where if your driver’s license information is stolen, you’re merely inconvenienced,” said Greg Carter, healthcare technologist with Veritas Technologies, LLC. “Rendering critical personal health and medical records information inaccessible from hospitals can sometimes lead to misdiagnosis or, at the very least, more pain for the patient.”
Ransomware is not new; in fact, it has been around for years, so why the sudden increase in attacks? Those perpetrating these ransomware attacks have increasingly targeted healthcare because they know organizations within the industry can’t afford to go one day or even hours without accessing vital information. Hospitals will often pay if they don’t have a proper plan in place to recover data or to avoid an attack altogether.
Should companies automatically pay the ransom to get their data back and maintain status quo? While some victims of ransomware do pay the ransom, Carter cautions against this.
“It’s difficult for a hospital to know for sure if the hacker is still in their environment,” Carter explained. “They may have just attacked a small portion of the network and are simply lying in wait to attack again. There’s no guarantee, either, that if an organization pays the ransom they’ll get the information back. It’s not unheard of for the attackers to then ask for more money.” One example of this is Kansas Heart Hospital.1
Enterprise Data Protection Solution
One reason that ransomware is effective is that the cybersecurity field is not entirely prepared for its resurgence. This leads to more successful attacks because effective countermeasures are not in place. That’s why it’s essential that healthcare organizations of all sizes take steps to ensure that they are regularly updating their technological, administrative, and physical safeguards as cybersecurity threats continue to evolve.
“Some organizations may think because they only employ a couple of doctors, they are safe from harm, but no matter what size you are, you are dealing with patient data,” said Carter. “If you are in the business of providing patient care and your data is being held hostage, your ability to help patients get better becomes more difficult.”
Ransomware can also affect data protection servers within a data center, so prevention must come from a systematic approach that brings together the right people, process, and technology. One such technology is an enterprise data protection solution for backup and recovery, but not all are created equal. Most organizations choose solutions based primarily on performance, but that is only part of the answer because the solution needs to be secure too. Experts recommend that an organization guard against malware and zero-day attacks such as ransomware by implementing a solution with built-in security safeguards against targeted attacks, such as intrusion prevention and detection, application whitelisting, and file integrity monitoring.
Educate Your People
People are always the weakest link in the security chain and are how most ransomware is activated. Often, a single click on a URL can lead to a malicious site and to ransomware that quickly spreads throughout the data center, unchecked.
“The fact of the matter is that many companies are not doing a good job of educating employees on what’s bad out there and what to look for, so most users don’t understand what ransomware is until they accidentally click on the wrong link,” said Carter.
To temper this risk, an organization must continually educate staff on how to avoid malicious attacks that will put the entire entity at risk. It comes down to, “to click or not to click.” In other words, an employee needs to know that clicking on the wrong link or the wrong file can have significant consequences that extend beyond one individual computer. If a user knows what to look for in terms of suspicious files, it’s quite possible to avoid an attack altogether.
That’s one reason Carter counsels hospital organizations to provide employees with a clear outline of policies against opening emails that come from unknown or questionable sources.
“Does an employee know what to do, who to notify in the event of a wrong click?” asked Carter. “Not always, but with technology that detects malware or suspicious files, the user community doesn’t have to make those decisions, and the weakest link is bypassed.”
Implement Security Best Practices
The next part of the process involves making sure an organization puts proper security policies in place for sensitive data. The defense-in-depth practice is a great example of this. This strategy is based on the military principle that it is more difficult for an enemy to penetrate and defeat complex, multi-layered defenses than a single barrier. Through a multi-faceted approach of gaining visibility (identifying unnecessarily high-level permissions to files), taking action (lowering levels of permissions), and assuming control (automating this process) over information, a hospital can remove organizational barriers to information decision-making.
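The visibility, action, and control steps above can be sketched as a small permission audit, since ransomware running under a user's account can only encrypt what that account can write. This is an added example, not code from the article or from any vendor it mentions; it assumes POSIX file modes, and the function names and sample files are hypothetical.

```python
import os
import stat
import tempfile

# Bits that let anyone outside the owning account modify a file.
BROAD_WRITE = stat.S_IWGRP | stat.S_IWOTH

def find_overexposed(root):
    """Visibility: list (path, mode) for regular files writable by group or other."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & BROAD_WRITE:
                findings.append((path, mode))
    return sorted(findings)

def tighten(path, mode, dry_run=True):
    """Action: drop group/other write; return the mode that is (or would be) set."""
    new_mode = mode & ~BROAD_WRITE
    if not dry_run:
        os.chmod(path, new_mode)
    return new_mode

def enforce(root, dry_run=True):
    """Control: one pass suitable for a scheduled job; returns a change report."""
    return [(p, oct(m), oct(tighten(p, m, dry_run))) for p, m in find_overexposed(root)]

def demo():
    """Constructed sample tree: one over-shared record, one already restricted."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "records.csv")
        private = os.path.join(root, "notes.txt")
        for path, mode in ((shared, 0o666), (private, 0o600)):
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)
        planned = enforce(root, dry_run=True)    # report only
        applied = enforce(root, dry_run=False)   # apply the change
        remaining = find_overexposed(root)       # should now be empty
        names = [os.path.basename(p) for p, _, _ in applied]
        return planned == applied, names, applied[0][1:], remaining

if __name__ == "__main__":
    print(demo())
```

Running `enforce` with `dry_run=True` first gives a reviewable report before any permission is changed.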
“If sensitive patient information resides on a particular system, who has access and who shouldn’t have access?” questioned Carter. “The process of understanding how, where, and by whom information should be secured is critical and enables organizations to avoid triggering ransomware from the get-go if they can remove users who don’t need access to certain information anyway.”
Information governance allows for customer visibility, action, and control over the unstructured data that is typically targeted. Information availability guarantees customer access to what they need, when they need it, wherever it resides even in the midst of an attack. Security technology is paramount to the fight against malware, but many organizations don’t realize that proven information governance and information availability (backup and recovery) solutions can help avoid ransomware attacks altogether or at least allow for a faster recovery.
Carter recommends identifying a technology partner who can manage an organization’s user community in terms of who has access to what information, control security levels to Protected Health Information, and provide appropriate access as prescribed by HIPAA. Technology partners are often leveraged to provide visibility and adjust access levels if they are too high or too low. Limiting the amount of access to sensitive data can prevent ransomware altogether, with the right technology in place.
Practicing for a Ransomware Attack
Information has value and must be protected. Information systems (including people, processes, and technologies) are the primary vehicles employed to process, store, and transmit such information — allowing organizations to carry out their missions in a variety of environments of operation and to ultimately be successful.
Simply putting these solutions in place is not enough. There needs to be frequent testing of a hospital’s security response and recovery strategy to find out if there are any gaps. By illuminating hazards and providing tools for automated remediation, the right technology can deliver a detailed blueprint of an information ecosystem, arming an organization to fight back against the exponential data curve and reign over risk. Additionally, technologies that integrate and automate will drastically reduce the manual effort required to manage the governance workflow and improve the organization’s ability to mitigate information risk. This allows organizations to focus resources on the few exceptions and not be overwhelmed chasing false positives.
It’s important to regularly test the education level of employees, the strength of accountable security policies in place, and the viability of recovery tools, including backup and recovery safeguards, before a problem should arise. It sounds simple enough but is easier said than done, according to Carter.
“The feedback I regularly receive from my customers is they don’t practice recovery from a ransomware attack enough, for any number of reasons from being stretched thin tending to daily business operations to fear that putting technology in place will be disruptive,” said Carter. “No matter the hesitancy, it’s important to practice for the worst, as often as an organization can, at least once every quarter.”
Hospitals should be concerned about ransomware and should also assume they will be targeted. However, as long as senior leadership makes it a priority to educate staff on what not to do, and if their security department is executing best practices to prevent ransomware from getting into the environment altogether, backing up information on a frequent basis, and doing test recoveries, they are ahead of the game.
“Above all else, remain vigilant and assume it’s going to happen,” Carter explained. “To say a ransomware attack won’t occur on your watch is just putting your head in the sand.”