- When it comes to ransomware in healthcare, the ramifications can be especially devastating. Not only could providers potentially be locked out of their own EHR systems, but patient care could be hindered. Organizations should take note of ransomware prevention tips from numerous areas, to help create a comprehensive and updated data security plan.
The Federal Trade Commission (FTC) hosted a workshop earlier this fall with a panel discussing ransomware prevention, and what organizations across numerous sectors should keep in mind with this increasingly dangerous cyber threat.
“Ransomware incidents have skyrocketed in the past year, and several high-profile attacks on health care organizations highlight the challenges that ransomware poses,” FTC explained in a blog post discussing the panel.
For example, Hollywood Presbyterian Medical Center (HPMC) paid $17,000 after a ransomware attack in February 2016. In that scenario, the EHR was encrypted and staff could not access email and some patient data. However, the FTC noted that ransomware is not just a healthcare issue.
“It affects businesses across the economy,” the blog post read. “Panelists agreed that incidents of ransomware will continue to increase across the board – and nobody is immune.”
A ransomware attack could not only disrupt business operations, but may even force an entity to shut down, according to the FTC. Any consumers or employees who have their personal data hacked may also be significantly harmed. An especially dangerous outcome - in healthcare particularly - could also be individuals unable to receive critical access to certain services due to ransomware.
This type of malware is often delivered through phishing campaigns, one FTC panelist explained. A user typically needs to click on a link or download an attachment for the ransomware to gain access to a network.
There are also “malvertising” campaigns, which is where malicious code is hidden in an online ad that infects the user’s computer.
“These attacks are particularly nefarious because they can occur even on trusted websites through third-party ad networks that redirect the user to an infected server,” the blog post explained. “More recently, attackers have exploited server-side vulnerabilities to deliver ransomware payloads by searching for networks that had failed to patch known vulnerabilities.”
For defending against ransomware, the FTC panelists advised organizations to implement education and awareness programs that train staff members about how to avoid phishing attacks.
This is often underlined as a critical step for healthcare organizations with ransomware. Robert Anderson, former executive assistant director of the FBI, told HealthITSecurity.com in November 2016 that employees at all levels thoroughly educated on ransomware and how they need to react should an incident happen.
“The heads of the hospitals and the boards need to be educated on the different types of threats that face them in today’s IT and cyber environment,” Anderson said. “Most hospitals concentrate on being a hospital and taking care of people. But I think that in today’s world, if you’re running one of those institutions, you need to be very educated into exactly what the threats could be and have a proactive plan of what’s going to happen if you do get attacked.”
Strong cyber hygiene is also essential, the FTC panelists said, and requires the following steps:
- Assess the computers and devices connected to networks to proactively identify the scope of potential exposure to malware.
- Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection.
- Implement procedures to keep security current. Update and patch third-party software to eliminate known vulnerabilities.
Organizations also need to regularly backup their data and ensure that they are disconnected from the main network. In the event of a ransomware attack, an organization can rely on their backup data to regain normal operations.
Utilizing backups, disaster recovery planning
Finally, the FTC panelists stressed the importance of developing and testing incident response and business continuity plans.
Foley & Lardner information security lawyer Mike Overly also advised this approach for healthcare in an April 2016 interview with HealthITSecurity.com. Strong backups and being able to switch to the backup systems could keep a provider from having to shut down, he said. Disaster recovery planning will also ensure that employees can still perform daily operations should computer networks be temporarily down or inaccessible.
“Unfortunately, what we see in many instances, is everyone kind of moves immediately to ‘Oh it just needs a software solution to this.’ Or ‘We need to use better anti virus software and all will be well,’” Overly explained. “I think those organizations are not going to serve themselves well with that kind of approach.”
The FTC panelists also said that should an organization come under attack, it would not be well-advised to pay the ransom. Even if the money is paid, there is no guarantee that the encrypted data will be returned.
“In some cases the attackers simply increase their demands once a victim expresses a willingness to pay,” the blog post summarized. “Despite the serious risks to consider before paying a ransom, panelists also recognized that businesses may need to evaluate all possible options in the event of a crippling ransomware attack that limits the organization’s ability to function.”
Healthcare privacy and security experts have also argued against paying the requested ransom.
Institute for Critical Infrastructure Technology (ICIT) contributor Travis Farral stated in a November 2016 webcast that the default response should always be to not pay the money.
“Every situation is dependent on understanding the risks of paying versus potentially not having access to the information again,” Farral said. “If you’re a healthcare organization and there’s a risk in not paying because there weren’t ample backups, or there wasn’t a way to recover that system, is that the cost is a couple hundred bucks, you’re probably going to go ahead and just pay it. They need to get that system back online.”
This is why backup plans are so critical, he added. That way, a provider can work toward ensuring that patient lives will never be at risk if a healthcare system is attacked. The organization can know that it can continue with its backups and not have to pause caring for patients.