Healthcare Information Security

Cybersecurity News

How Can Covered Entities Best Prepare for Ransomware Threats?

Healthcare organizations cannot assume that ransomware threats will not affect them, and need to create comprehensive data protection plans.

By Bill Kleyman

- Please don’t turn a blind eye to ransomware threats, or think “it won’t happen to me.” Because it can, and it very well may.

Healthcare organizations cannot afford to ignore ransomware threats

Today, healthcare has already become a digital entity with more digital assets and very sensitive information. In fact, ransomware may target healthcare data points even more than others. In a recent article from Elizabeth Snell, we saw that a survey found that healthcare ransomware attacks are targeted above the average ransomware penetration rate.

The article points out that, specifically, 53 percent of surveyed healthcare organizations reported a ransomware attack in the past 12 months, according to an Osterman Research survey report that was sponsored by Malwarebytes. The average ransomware penetration rate was 39 percent.

Furthermore, Osterman Research published a survey ‘Understanding the Depth of the Global Ransomware Problem’ where they interviewed organizations in the US, Canada, Germany, and the UK. Respondents had to be a CIO, IT manager, IT director, CISO, or in a related role.

Overall, 39 percent of respondents said they had been impacted by ransomware in the past 12 months. The attacks were most common in healthcare and the financial services industry, and were also the most common in the UK - 54 percent of organizations there had been impacted in the last year.

READ MORE: How Ransomware Affects Hospital Data Security

Finally, just this past month, USC Keck and Norris Hospitals reported that they had been the victims of a ransomware attack after detecting the malware on two servers. The ransomware was noticed on August 1, 2016, and encrypted the files on both servers, according to a Keck statement signed by Keck Medicine COO and Keck Hospitals CEO Rod Hanners. The attack was contained and the ransomware did not spread to other servers.

Here’s the good news about that attack: “The impacted servers do not store Keck’s electronic medical record system. Rather, many of the folders that were encrypted by the malware are departmental files that contain internal operational documents and that are intended to be used and shared by and among hospital clinic and personnel, such as templates, training manuals, human resource materials and other information needed for hospital operations,” Hanners said.

However, the encrypted documents did contain certain sensitive information, including names and demographic information, dates of birth, identifiable health information, including treatment and diagnosis for some patients, and Social Security numbers in some cases.

Ransomware: A Quick History

Today, ransomware is one of the biggest cyber threats in 2016, according to McAfee Labs and Trend Micro. But, before we go on too much further, let’s take a look at ransomware and where it first got its roots.

READ MORE: Utilizing Network Security to Prevent Ransomware Attacks

Attacks seeking access to data or other valuable systems aren’t anything new. What is new, however, is that data being held for ransom. The very first, recorded iteration of a ransomware virus was created by Harvard-trained Joseph L. Popp in 1989. Called the AIDS Trojan, some 20,000 infected diskettes were distributed to the World Health Organization’s international AIDS conference attendees. The Trojan’s main weapon was symmetric cryptography. However, it didn’t take very long for decryption tools to recover the file names, but this effort set in motion over almost three decades of ransomware attacks.

In 2012, Trend Micro discovered a new type of ransomware variant: TROJ_RANSOM.AQB. Growing more dangerous and sophisticated, the method of infection was to replace the Master Boot Record (MBR) of Windows with its unique malicious code. When the computer booted up, the user would see a ransom message written in Russian, demanding payment. When paid, the victim would get a code, which would allow them to restore their computer to normal.

Moving into the end of the 2000s and into the start of the 2010 decade, ransomware grew even more sophisticated and began to be realized as a real-world international security threat.

Types of Ransomware

Locker ransomware (computer locker): Denies access to the computer or device. This type of ransomware would impersonate law enforcement in order to extract ransoms.

READ MORE: HHS Urges Caution in Wake of WannaCry Ransomware Attack

Crypto ransomware (data locker): Prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does.

As a result, victims have only two options to get their files back: recover them from a backup or give into the attackers’ demands. Even if the victims do pay the ransom, there is no guarantee the attackers will provide the decryption key and decoder needed to decrypt the files.

It doesn’t stop there. Already there have been other variants. Onion, for example uses the Tor network to avoid detection. Others, like KeRanger, specifically target Mac users and their files. Detected in March 2016, it is believed to be the first fully functional ransomware seen on the OS X platform.

Fighting Ransomware in Healthcare

First of all, there is no silver bullet capable of encompassing ALL healthcare security requirements. However, you can properly secure your data and ensure that you plug any IT holes which might cause a ransomware attack.

When working within healthcare – here are 6 tips for protecting yourself against a ransomware attack.

Where is your sensitive data? How safe is it, really? Many organizations have lost silos of data or storage repositories which might be sitting on a different network segment. To that extent, do you really know where all of your data is? And, do you know how it’s being secured or segmented? Run a deep analysis against your entire healthcare data ecosystem. Find lost data points, folders, user accounts, and even apps, and proceed to lock it all down.

How good are your backups? Have they been tested? I’ll keep this simple – your backup strategy will directly impact your ability to recover from a ransomware attack. Even more easy is the 3-2-1 backup rule. That is: You must have at least three copies of your corporate data. Those copies must be stored on at least two different types of media. At least one must remain offsite. Remember, for your offsite option, cloud is very much a possibility! Just work with a provider that can support PHI and HIPAA requirements. Today’s backup and recovery capabilities are truly next-gen. Make sure you’re leveraging these technologies.

How trained are your end-users and how secure are your end-points? If your users are just clicking on anything, or bringing in devices that probably shouldn’t be in the environment, you might have a culture and an IT issue. A lot of times a ransomware attack happens because of an attachment, a bad link, malware, and so on. Training your users is critical to ensure they know security best practices as it applies to them. Finally, have a good end-point management policy and ensure you lock down peripherals, USB ports, and even how users interact with shares on the network.

Is your network protected? Speaking of networks – security at this level is absolutely critical. Your network acts as the ‘central nervous system’ of your data center and controls data distribution. Segment your network and make sure you have good monitoring enabled. There are powerful next-generation security technologies which help with visibility, proactive controls, and even cloud integration.

What are you doing for granular access controls? Access control is critical for data, network locations, servers, apps, and even virtual desktops. You have the capabilities to lock down access into all critical points within your healthcare ecosystem. Make sure to audit your access controls to ensure you don’t have any rogue user, or, worse yet – rogue admins!

If an attack does happen – are you prepared? Let’s not sugarcoat this – an attack may very well happen against your healthcare environment. What do you do if something does happen? It’s at this point that you’ll either be sweating bullets or will be completely calm. Whatever you do, do your absolute best NOT to pay. Work with local and federal authorities, try to rebuild your data, check your backups, and try to recover your data. Furthermore, working with good security organizations can help as well. You’ll find that some ransomware software already has decryption tools from the good guys. Leverage this if possible. Either way – have a plan ready for these types of attacks.

I’ll reiterate an important point – if an attack does happen, do whatever you can to not pay. Submitting to ransom demands absolutely bolsters the attackers and they will definitely go after more targets. The only way to stop ransomware is to have preventive measures in place to completely mitigate the impacts of the attack.

I have worked as an architect and a senior advisor with healthcare organizations that have experienced ransomware attacks. There usually two types of admins: ones that will sweat bullets when the attacks occur, and one that’s simply annoyed but has a plan in action.

One hospital took their backup procedure very seriously. And as a result, was able quickly recover file and data repositories impacted by a ransomware attack. In fact, they lost only two hours-worth of non-critical data, which was not a part of the last backup cycle.

Moving forward advanced, sophisticated, attacks against healthcare organizations won’t stop. However, there are powerful best practices and methods where you can protect your data, your users, and your entire healthcare organization. Simply put: Take action now, so you don’t have to pay later.

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks