Headlines continue to be filled with stories of new ransomware attacks on businesses of all sizes in all industries. Unfortunately, it appears that this trend will continue with a twist—ransomware attackers are now targeting healthcare providers more frequently than in the past.
Ransomware is a type of malware (often loosely called a computer virus) that locks users out of their files by encrypting them with strong encryption, then keeps the files locked until the victim pays a ransom for the decryption key. Even if the ransom is paid, there is no guarantee that the attacker will actually unlock the files.
What makes ransomware even more dangerous is that it is not limited to files stored on the user's personal computer (PC) hard drive. It can also lock files on any attached removable media, such as thumb drives or external hard drives, on network drives mapped from servers, and even in cloud storage, depending on how the cloud storage is accessed (for example, a cloud folder synchronized to the PC is reachable like any other local folder). Once a single PC is infected, the ransomware will more often than not try to spread to other PCs on the same network in order to propagate and lock the files on those PCs as well.
The ransom is almost always demanded in Bitcoin, so that the attacker can remain hidden behind the anonymity of Bitcoin and other cryptocurrencies. The Federal Bureau of Investigation, local law enforcement agencies and security experts uniformly advise users and businesses not to pay the ransom, because there is no guarantee the attacker will unlock the files. Paying the ransom only confirms that the attack was successful, thereby encouraging the attacker to continue their attacks.
Healthcare providers have increasingly become targets of ransomware for two main reasons:
- Confidential patient health information is very valuable to the provider, so higher ransoms can be demanded than from other types of businesses.
- Many small to medium-sized healthcare providers lack the resources required to implement and maintain a robust security program, which is what is required to protect against ransomware and other threats.
What can Healthcare Providers do to Protect Themselves from Ransomware Attacks?
The simple answer is to implement the requirements of the HIPAA Security Standard which will result in a comprehensive security program being enacted with multiple layers of defense to protect against ransomware and many other threats.
Initial steps to take:
- Perform a Security Risk Assessment (SRA) in order to determine what threats are present, the risks associated with those threats, and what can be done to reduce or eliminate those risks altogether. An SRA should be performed annually in order to maintain the effectiveness of the overall security program.
- Implement a thorough data backup plan to properly back up all data in a manner that is appropriate for the criticality of that data and the threats to that data. This allows data to be restored in the event a ransomware attack is successful.
- Implement an antivirus and anti-malware solution that protects all systems used by the provider and automatically stays current as new threats arise. This can prevent ransomware attacks from succeeding.
- Enable a system and network activity monitoring solution to help detect abnormal activities that could be related to ransomware or other malware. This should include real-time monitoring and log analysis, since ransomware announces itself through unusual file activity (for example, one process rewriting or renaming a large number of files in a short time) well before users notice locked files.
- Enforce a detailed security incident reporting and response plan so that if an attack occurs, the damage from it can be kept to a minimum or prevented completely.
- Establish an annual security awareness training program that teaches all employees about computer security and what their responsibilities are when it comes to protecting the business from threats and data breaches.
- Ensure Business Associate contracts are in place and confirm that all Business Associates are fully compliant with the HIPAA Security Standard, which by law they must be.
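As an added example of the kind of log analysis the monitoring step above calls for (this is illustrative code written for this page, not a product of LW Consulting or Binary Decisions), the script below runs a simple ransomware-behaviour heuristic over constructed file-activity log lines. It tracks, per process, how many distinct files were touched and how many renames changed a file's extension within a sliding 60-second window, and raises an alert at the first event that crosses either threshold. The log format, the thresholds and the process names are assumptions chosen for the example; a real deployment would map the parser to whatever the monitoring product actually emits and tune the thresholds to normal activity for that environment.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-activity log (not real data). Each line is a timestamp followed
# by key=value pairs; "write" events carry path=, "rename" events carry src= and dst=.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 host=WS01 pid=1200 proc=winword.exe op=write path=C:/Users/jdoe/Documents/notes.docx",
    "2024-03-01T09:00:45 host=WS01 pid=1200 proc=winword.exe op=write path=C:/Users/jdoe/Documents/notes.docx",
    "2024-03-01T09:01:10 host=WS01 pid=1300 proc=excel.exe op=write path=C:/Users/jdoe/Documents/budget.xlsx",
]
# Constructed burst: one unfamiliar process renames 25 patient charts on a mapped share
# within 25 seconds, each rename changing the extension (the "locking" the article describes).
SAMPLE_LOG += [
    f"2024-03-01T09:05:{i:02d} host=WS01 pid=4412 proc=update.exe op=rename "
    f"src=N:/Shared/Patients/chart_{i:03d}.pdf dst=N:/Shared/Patients/chart_{i:03d}.pdf.locked"
    for i in range(25)
]

# Illustrative thresholds (hypothetical; tune to the environment's normal activity).
WINDOW = timedelta(seconds=60)
DISTINCT_FILE_THRESHOLD = 20   # one process touching this many distinct files in WINDOW
EXT_CHANGE_THRESHOLD = 10      # this many extension-changing renames in WINDOW


def parse_line(line):
    """Parse one constructed log line into a dict, with the timestamp as a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def _ext(path):
    """Lower-cased final extension, so 'chart.pdf.locked' -> '.locked'."""
    return os.path.splitext(path)[1].lower()


def detect(lines, window=WINDOW, file_threshold=DISTINCT_FILE_THRESHOLD,
           ext_threshold=EXT_CHANGE_THRESHOLD):
    """Return one alert per (host, pid, proc) whose recent activity crosses a threshold.

    A per-process sliding window keeps the events of the last `window`; the first event
    at which the distinct-file count or the extension-change count reaches its threshold
    raises the alert, so a process is reported as early as possible and only once.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # key -> deque of (ts, path, extension_changed)
    alerted, alerts = set(), []
    for ev in events:
        key = (ev["host"], ev["pid"], ev["proc"])
        path = ev.get("dst") or ev.get("path")
        ext_changed = ev["op"] == "rename" and _ext(ev["src"]) != _ext(ev["dst"])
        q = recent[key]
        q.append((ev["ts"], path, ext_changed))
        while ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct_files = len({p for _, p, _ in q})
        ext_changes = sum(1 for _, _, changed in q if changed)
        if key in alerted:
            continue
        if distinct_files >= file_threshold or ext_changes >= ext_threshold:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "pid": ev["pid"], "proc": ev["proc"],
                "triggered_at": ev["ts"].isoformat(),
                "distinct_files": distinct_files, "ext_changes": ext_changes,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['triggered_at']} {a['host']} pid={a['pid']} {a['proc']}: "
              f"{a['distinct_files']} files, {a['ext_changes']} extension changes "
              f"within {int(WINDOW.total_seconds())}s")
```

On the constructed log the two ordinary document edits never come close to either threshold, while the renaming process is flagged on its tenth extension change, about ten seconds into the burst. The point of the two separate counters is that they catch different behaviours: some ransomware rewrites files in place without renaming them (only the distinct-file counter fires), others append a new extension to every file (both fire). Alerting on the first crossing, rather than after the log is complete, is what makes the check useful as a real-time trigger for the isolation step in the incident response plan.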
What to Do If You're the Victim of a Ransomware Attack
If you’re the victim of a ransomware attack you should follow your security incident response plan and business continuity plan. At a minimum, this should include isolating the infected system(s), evaluating the extent of the damage, restoring the locked files from the most recent data backups and contacting law enforcement. For more information, facilities can read “Ransomware: What It Is and What To Do About It” and visit the website No More Ransom. LW Consulting, Inc. can also assist with this effort via our security partner, Binary Decisions.
For more information on how to protect your facility from a ransomware attack, contact Deborah Alexander at 717-213-3122 or email DAlexander@LW-Consult.com.