Earlier this year, the Institute for Critical Infrastructure Technology (ICIT) predicted that 2016 would be the year of ransomware.¹ So far, their forecast is proving accurate, as a recent government interagency report revealed that there is an average of more than 4,000 ransomware attacks in the U.S. every day. That’s a 300% increase from 2015.²
Because they rely on real-time information to deliver care, hospitals and health systems have become particularly inviting targets. This past February, Hollywood Presbyterian Medical Center made headlines when they had to pay a hacker approximately $17,000 in bitcoin to unlock their systems and restore operations.
That’s why healthcare organizations everywhere are looking for ways to protect themselves against these debilitating attacks. There are no silver bullets, but there are a number of things that every hospital or health system can do to both minimize their risk and mitigate the damage should they fall prey to a strain of this malware.
Start with a Plan
There’s no shortage of good advice out there to keep your organization protected, but where do you begin? A thorough risk assessment will provide you with a good starting point, revealing potential vulnerabilities and allowing you to see how the maturity level of your security program stacks up against industry best practices and HIPAA and PCI compliance requirements.
Ideally, this would be conducted by an objective and experienced third party who is trained to look for the specific weaknesses in your information technology (IT) infrastructure that ransomware is designed to exploit.
A risk assessment might disclose that you’re doing a great job with technical controls but show that you have a way to go on user education or how you handle data. Whatever the evaluation finds, it will give your organization a good baseline from which to start and to measure the progress of your policies and procedures toward the goal of maximizing protection.
Consistency is Key
The technical side of vulnerability management is often easier said than done, as many healthcare organizations simply lack the funds and staff to keep pace with the continuously evolving security landscape. Falling behind, however, can have devastating consequences for your organization. A good foundation for all healthcare providers starts with taking care of the basics.
For some, this can mean creating a plan to retire all outdated or obsolete operating systems, like Windows XP, since they can no longer be patched and are susceptible to outside intrusion. Make sure that all of your anti-virus and anti-malware software is regularly updated and backed up by effective firewalls and spam filters to stop potentially troublesome messages from getting through and wreaking havoc.
Regularly patch your operating systems, software and devices. Many hospitals and health systems neglect this area due to both the complexity of the implementation process and the inconvenience of downtime to their end users. However, doing this routinely will help you secure many of the weak points that malware was created to exploit.
Develop and enforce policies and procedures that meet compliance standards. If you’ve got a policy that says that no personal devices are allowed on the network but don’t enforce it, you are providing cybercriminals with additional entry points to attack — not to mention the viruses that may be contained on those devices before they gain entry into the system.
Your First and Last Line of Defense
Your organization can pour all of the money in the world into your security budget, but it only takes one person clicking on the wrong link or attachment to put all of your information in jeopardy. So, it’s important to have a comprehensive security awareness training program that addresses everyone from your C-Suite level down, especially given the sophisticated nature of today’s spear phishing campaigns.
End-user education should explain the threat of ransomware to everyone in your organization and identify the common delivery vectors for those threats, like phishing attacks, reminding all employees not to click on links or email attachments from unfamiliar sources. Good complements to this training include having your security team test your users with simulated phishing emails or implementing application whitelisting so that only approved programs can run on your networks.
The Backup Plan
While no one likes to think about it, you have to prepare for the worst. Having a well-documented incident management process in place can prove invaluable in the event that disaster strikes. This process should include the technical precautions you will take as well as address the communications between your clients, users and community.
In the event of a ransomware attack, your only remediation is either paying the cybercriminals or restoring your data from backups. Is your backup strategy adequate? How much data is acceptable to lose? All of this can be fleshed out during the risk assessment. Since some malware is constructed to infiltrate backups, it’s important to keep backup copies offline.
Both your backups and your incident management processes should be practiced regularly to ensure that they work. These are not things you want to do on the fly.
Jim Hunter is director of privacy and security at CareTech Solutions.
1. Scott, James, and Spaniel Daniel. The ICIT Ransomware Report. Washington, D.C.: Institute for Critical Infrastructure Technology, 2016.
2. United States Government Interagency Guidance Document. How to Protect Your Networks from Ransomware.