HealthCare IT News recently reported that over half of hospitals in the US have been affected by Ransomware, and the remaining 25% of those polled were unsure whether they had been impacted, or had no way to detect the attack [1].  Given the level and continuing evolution of the threat vector, it's reasonable to assume all HealthCare institutions will be affected in the near term.

Ransomware comes in all shapes and sizes.  The most popular technique today is to send an email link to an unsuspecting user.  The user clicks the link and is taken to a web site that downloads a binary or a macro-enabled Office document.  A binary is created on the PC that encrypts certain types of files and changes the screensaver to a notice demanding payment in bitcoin [2].

Some forms of Ransomware are smart enough to traverse network drives and one affected user’s mistake can impact an entire department.  Imagine the damage in the clinical setting [3]!  All of this from a simple email clicked by an unsuspecting user.

There is no magic bullet for Ransomware, but our hope is that if you pay attention to the five focus areas in this article you will at least be able to reduce your risks and protect the patients in your care.

Build Awareness and Train Your Staff

The number one thing you can do to improve your chances of not being affected by Ransomware is to build awareness throughout the organization.  Given that the easiest possible way to infect an organization is to phish its employees, making them aware of the outcome of clicking web links, running executables, or opening Office documents with macros enabled is key to avoiding infection [4].

Effective awareness programs require a continuous effort conducted by a responsible individual such as the Chief Privacy Officer or the HIPAA Security Officer and involve multi-modal approaches.  It’s not enough to send out an email once a month and expect people to read it – chances are that’s not going to happen.  Mixing it up at town hall meetings with interesting anecdotes of how real hospitals were exploited, management by walking around (MBWA), talking to staff about security practices at the water cooler, posting flyers on the walls, and leading by example are all key.

Remember that this education effort must also include your IT department.  While they may be more clued in to social engineering, they represent the greatest risk if infected.  After all, if Ransomware runs in the context of a domain admin account, all the files in your enterprise can be encrypted.  By ensuring your IT admins use least-privilege accounts for day-to-day work and remain aware of their higher level of risk, you can reduce your overall corporate exposure.

IT must also be aware that while having tools to detect Ransomware such as firewalls, IDS/IPS and data loss prevention is essential, it's not enough.  After all, the tools can only tell you what they are programmed to detect.  IT must also actively check the environment using manual scanning on a daily basis so that they can find the things that the tools might miss.

Run a Real World Scenario

There is no more effective way to build awareness than to stage Ransomware “events” as part of your disaster recovery process.  This can be as simple as scheduling an event when you tell a set of employees they cannot access their files for the day and having them go into manual mode (if they can), or running a full enterprise wide disaster simulation [5].

Unlike other failure modes in your disaster plan, Ransomware has a statistically higher likelihood combined with a potentially higher cost, so you need to test your ability to manage this form of failure more frequently than you perhaps might for incidents such as fire or flooding.

Build Relationships with Consultants

Regardless of the quality of your security staff, you are going to need to build relationships with outside experts who can come in and advise in the event of a major Ransomware incident.  It's practically impossible to stay current with every possible threat vector, so having people who specialize in these areas on call is vital to your success.

In addition to IT consultants, you may identify a need for an outside public relations firm, and perhaps even specialist legal assistance in the area of cyber crime response.  Identifying these people up front and building solid relationships now will make it easier to respond to threats when they occur.

Get your HIPAA Affairs in Order

At this point every healthcare institution should have Ransomware in its Risk Assessment, as well as the proposed approach for dealing with an outbreak documented in its Incident Response Plan and its Disaster Recovery Plan.  If you haven't taken the time to make these updates, I strongly recommend you do so as soon as possible.  Health and Human Services is well aware of the risks of Ransomware and will be looking for your approach as part of any post-incident or surveillance audit it conducts [6].  Not having an adequate response may lead to fines or other forms of sanctions.

Practice Safe Data Protection

As I researched this article, I came across many references to backups, and the idea that recovery is as simple as erasing the errant PCs and restoring from a prior backup.  However, given that many Ransomware programs also encrypt network drives this may not be quite as simple as you might think.

The worst case is that backups are kept online, and that the infection occurs from an admin account.  In such cases, it's possible that the backup itself may become encrypted, and recovery to a useful point in time is essentially impossible.

It’s vitally important to make sure that your backups are stored somewhere segregated from the rest of your network, or that you use snapshots that are not accessible as file systems.  Otherwise, the game is basically over.

Using versioning file systems such as those provided by box.com and other cloud storage providers offers a neat solution to the recovery problem that can be handled by the end users themselves, instead of having to rely on IT to restore to a point in time.

While versioning file systems may help, don't rely on the Windows Volume Shadow Copy Service (VSS) as some Ransomware is programmed to delete these snapshots, removing your ability to roll back to earlier versions.
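As an added illustration that is not part of the original article, the following Python function runs over a handful of constructed process-creation log lines and flags the shadow-copy and backup-catalog deletion commands described above, so the loss of rollback points is noticed at the time rather than discovered during recovery. The log layout, the HOSP domain and the account names are assumptions made for the example.

```python
import re

# Constructed sample of process-creation events (shaped like Windows 4688 /
# Sysmon Event ID 1 records: timestamp, account, parent image, command line).
# These are made-up lines, not telemetry from any real hospital.
SAMPLE_EVENTS = [
    r"2016-04-12T09:14:02 HOSP\jdoe explorer.exe outlook.exe",
    r"2016-04-12T09:14:20 HOSP\jdoe outlook.exe winword.exe /n invoice.docm",
    r"2016-04-12T09:14:31 HOSP\jdoe winword.exe cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    r"2016-04-12T09:14:32 HOSP\jdoe cmd.exe wbadmin delete catalog -quiet",
    r"2016-04-12T09:30:00 HOSP\backupsvc backupagent.exe vssadmin.exe list shadows",
]

# Command-line patterns that remove Windows restore points or the backup
# catalog; merely listing shadows (a normal backup-agent action) does not match.
SHADOW_TAMPERING = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
]

# Parents showing the deletion was spawned from a user document or mail
# client rather than from an administrative backup job.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line):
    """Split one constructed log line into its four fields."""
    ts, user, parent, command = line.split(maxsplit=3)
    return {"time": ts, "user": user, "parent": parent.lower(), "command": command}


def detect_shadow_copy_tampering(lines):
    """Return an alert for every event whose command line deletes shadow
    copies or the backup catalog; document-spawned ones are rated critical."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if any(p.search(ev["command"]) for p in SHADOW_TAMPERING):
            office = ev["parent"] in OFFICE_PARENTS
            alerts.append({**ev, "office_parent": office,
                           "severity": "critical" if office else "high"})
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(a["severity"], a["time"], a["user"], a["parent"], "->", a["command"])
```

In a real deployment the same rule would be fed from the SIEM's process-creation events; the point is that shadow-copy deletion by a non-backup process is itself the alarm, since by the time files are encrypted the rollback option is already gone.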

In Conclusion

Ransomware poses a real risk to the healthcare environment, and without taking appropriate mitigation steps you will almost certainly be affected.  It's our hope that by following the five basic principles we've listed in this article you will never face that reality.

References

[1] http://www.healthcareitnews.com/news/more-half-hospitals-hit-ransomware-last-12-months

[2] https://www.google.com/?ion=1&espv=2#safe=active&q=types+of+ransomware

[3] http://www.darkreading.com/partner-perspectives/intel/healthcare-organizations-must-consider-the-financial-impact-of-ransomware-attacks/a/d-id/1325030

[4] http://www-935.ibm.com/services/us/iss/pdf/phishing-guide-wp.pdf

[5] https://en.wikipedia.org/wiki/Disaster_recovery

[6] http://www.natlawreview.com/article/ransomware-scandals-rock-hospital-systems-hhs-proposed-rule-may-help
