Part Two: Ransomware Attack
Cyberattacks are a growing threat across all sectors. For the healthcare industry, cyberattacks are particularly troubling because they threaten not only the security of an organization’s systems and information, but also the health and safety of patients. No healthcare organization can escape this reality. Most try to avert cyberattacks, but even the most hypervigilant healthcare organizations are vulnerable to attackers that are adapting to increased security measures, systems, and processes.
The Department of Health and Human Services recently published a report entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” See https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf. The Department collaborated with industry partners to develop “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes, ranging from local clinics, regional hospital systems, to large healthcare systems.” These organizations determined it was not feasible to address every cybersecurity threat across the entire U.S. healthcare industry; thus, the report focuses on the five most prevalent threats. This is the second of five articles that will discuss the report’s findings. The first article discussed email phishing attacks. This second article discusses the threat of ransomware attacks.
I. What is ransomware?
According to to the Department of Health and Human Services, “ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” After the data is encrypted, the ransomware directs the user to pay the ransom to the hacker, usually in cryptocurrency, such as Bitcoin, in order to receive a decryption key. However, hackers may deploy ransomware that destroys or exfiltrates data, or ransomware in conjunction with other malware that does so. Paying the ransom does not guarantee the hacker will unencrypt or unlock the stolen data. Ransomware threats may incorporate tactics or techniques that are the same or identical to other threats. For example, successful phishing email attacks may lead to the installation of ransomware.
II. Vulnerabilities and negative impact of a ransomware attack
An organization’s vulnerabilities to ransomware attacks include (i) a lack of system backup, (ii) lack of anti-phishing capabilities, (iii) unpatched software, (iv) lack of anti-malware detection and remediation tools, (v) lack of testing and proven data back-up restoration, and (vi) lack of network security controls such as segmentation and access control An organization affected by an email phishing attack might suffer partial or complete clinical and service disruption, patient care and safety concerns, and expenses for recovery. Further, the presence of ransomware or malware on a covered entity’s or business associate’s systems is a security incident pursuant to the Health Insurance Portability and Accountability Act Security Rule.
III. Practices and tips to consider
The report discussed several practices an organization should consider to reduce vulnerability to a ransomware attack:
- Ensure users understand authorized patching procedures;
- Patch software according to authorized procedures;
- Be clear which computers may access and store sensitive or patient data;
- Use strong/unique usernames and passwords;
- Limit users who can log in from remote desktops;
- Limit the rate of allowed authentication attempts to thwart brute-force attacks;
- Deploy anti-malware detection and remediation tools;
- Separate critical or vulnerable systems from threats;
- Maintain a complete and updated inventory of assets
- Implement a proven and tested data backup and restoration test;
- Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up;
- Implement proven and tested incident response procedures;
- Establish cyber threat information sharing with other healthcare organizations;
- Develop a ransomware recovery playbook and test it regularly; and
- Once ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures.
The report also discussed quick tips for when you believe you have encountered a ransomware attack, including:
- Most ransomware attacks are sent in phishing emails asking the user to either open an attachment or click an embedded link. Be sure your staff know how to identify these phishing emails. Review our first article discussing phishing emails for a refresher on how to spot them.
- Stay alert when an email requests the user to enter his or her credentials. As a preventative measure, check to see whether the computer and network to which the computer is connected have the proper intrusion prevention system or software in place.
- What to ask?
- Do I have a high-performance firewall?
- Do I have my firewall configured to only allow certain ports to be open?
- Is there training I should be aware of to understand my organization’s security policies?
- When to ask?
- Provide users awareness and compliance training during the onboarding process or when purchasing a new laptop or desktop equipment.
- If you discover your computer has been infected, immediately disconnect from the network and notify your IT security team!
- Do not power off or shut down the computer or server, in case a volatile (RAM) memory image needs to be collected for forensics and incident response investigations.
- Who to ask?
- Due to the severity and time sensitivity of these types of attacks, it is in the organization’s best interest to always seek out professional IT security or a similar point of contact to help when you think your computer is infested with malware.
Ransomware attacks are the one of the most severe and dangerous forms of cybersecurity attacks. With proper training to identify potential phishing emails, intrusion prevention software, and data backups, healthcare organizations can easily protect themselves from this type of attack.
For more information on how ransomware affects a healthcare organization’s HIPAA compliance, see the Fact Sheet published by the Department of Health and Human Services’s Office for Civil Rights.
Our next blog will discuss another common cyberattack threatening the healthcare industry: Loss or theft of equipment or data.
Follow us on for more content updates