- An increasingly popular area of concern for healthcare organizations is whether or not they should give into potential healthcare ransomware demands. Should a hospital pay thousands of dollars to regain access to data, or should it just move on? What if there were not proper backups in place? How does this affect an organization’s decision.
Those issues and more were covered in the recent HealthITSecurity.com webcast, “Prepare and Respond to Healthcare Ransomware Attacks,”which was presented by Institute for Critical Infrastructure Technology (ICIT) contributor Travis Farral and Foley & Lardner LLP Partner Mike Overly.
The two agreed that determining whether or not to pay a healthcare ransomware demand is a complicated issue. However, the default answer should always be not to pay, Farral explained during the question and answer portion of the webcast.
As ransomware continues to evolve and become more intricate and more damaging, an organization does not necessarily want to reward the attackers by paying.
“Every situation is dependent on understanding the risks of paying versus potentially not having access to the information again,” Farral said. “If you’re a healthcare organization and there’s a risk in not paying because there weren’t ample backups, or there wasn’t a way to recover that system, is that the cost is a couple hundred bucks, you’re probably going to go ahead and just pay it. They need to get that system back online.”
Individual lives could also be at stake, and no healthcare organization wants patient care to have to be put on hold because of a ransomware attack, he added. This is why comprehensive preparation methods are essential, so a provider can work toward never being put in a situation where it feels like it needs to pay.
Overly agreed that it is an extremely difficult decision for a provider to have to make. Depending on the amount of demanded money, an organization could easily decide to go with that option to hopefully regain access to their data quickly.
“There’s a lot of risk in making that decision,” Overly cautioned. “Unfortunately, you may have little alternatives available to you at the time.”
Recognizing potential ransomware attacks, how they affect healthcare
There can be certain indicators that ransomware has infiltrated a system. Farral explained in the presentation that an increase in hard drive activity or an increase in network activity could mean that malware has made its way in.
For example, if there is lots of file access from a single computer to a shared drive, a type of ransomware may be at work. If this is the case, an organization should make sure that it isolates the potentially infected devices or systems, to try and keep it from spreading further.
An organization may not always be able to immediately identify what type of ransomware has infected its system. It will also depend on the type of variant of ransomware as to whether an organization can immediately determine if data is being exfiltrated or is being encrypted.
“Being able to tell depends on the level of logging inside an organization,” said Farral. “If you can see that a tremendous amount of information went out from that system, more than just some identifying information and encryption keys, then there’s a good likelihood that something was exfiltrated from that system.”
Overly also noted how healthcare organizations should be aware of whether or not a ransomware attack necessarily constitutes a HIPAA data breach. The Department of Health and Human Services (HHS) recently published guidance on the very topic, he pointed out.
“It comes down to a pretty emphatic yes,” Overly said in terms of if a ransomware attack was a breach. “Unless the healthcare provider has extremely high confidence that there was no actual disclosure of unencrypted PHI. The problem with that great confidence is, it takes awhile to determine that.”
Organizations will need to bring in a security expert that can make an assessment by looking at logs and other things to see if there’s been an actual compromise, he added. Typically, it’s not a very obvious thing to determine, in which case it would likely fall into a reportable situation.
Employee education is also an essential aspect to preparing for a potential healthcare ransomware attack, Farral and Overly said in the webcast. All staff members should be trained, Overly maintained, but not necessarily receive the same level of education.
He explained that one of the best ways to hammer home to individuals about the importance of recognizing ransomware is to tie it into their personal lives as well. If a person understands how to spot suspicious activity on their home computer, which is perhaps storing wedding photos they don’t want to lose, it will be easier to carry that same concern over to their work life.
“If an employee can recognize that, they can learn to recognize that at work when something like this happens,” Overly said. “Then they know how to avoid it and how to report it.”