Ransomware, the holding hostage of computers or data in exchange for money, is dramatically on the rise all across the world. Any business in any industry is vulnerable, including healthcare. Or perhaps we should say, “especially healthcare,” as attacks on hospitals and other medical establishments are exploding; Symantec reported that the healthcare sector had the highest number of data breaches in 2015 and ransomware attacks grew overall by 35%.

At least 10 hospitals have been hit in the U.S., with Hollywood Presbyterian Hospital making international headlines for giving in and paying the $17,000 ransom to unlock their critical data. Don’t be forced into making the same life-or-death decision; instead, educate your employees about the looming threat of ransomware to reduce risk of becoming victim. Here are some important ideas to help get you started.

Why Are They Attacking Hospitals with Ransomware?

It seems particularly cruel for phishers to target hospitals and healthcare institutions, but the reason is not just that they are heartless. According to an article on HIStalk, a website dedicated to healthcare-related IT news, the transition to digital and a modernization of equipment has created an opportunity that wasn’t there before when most hospitals relied on written internal records.

As part of the Meaningful Use clause of the Affordable Care Act, EMR systems have become commonplace. More hospitals now have websites that allow patients as well as doctors and medical providers access to more information. Unfortunately, these new benefits have also provided thieves with more private, sensitive data to exploit. Most of these healthcare systems aren’t connected to banks or payment processing, so monetary theft or credit card data is rarely the issue.

But because the information they do contain can be critical to day-to-day operations and literally life or death to some patients, the vital necessity of access is being used as leverage.

Many of these ransomware attacks are for small amounts, usually around $500 (Hollywood Presbyterian being the exception, so far). When weighing the paltry ransom amount against the potential harm to patients, it’s easy to see why many hospitals give in.

How Ransomware Occurs

The most common ransomware attack starts with a phishing scam. Hackers will send tainted emails to thousands of hospitals whose information they’ve scraped. Patrick Uptham, director of threat intelligence at Digital Guardian explained in the HIStalk article: “All it would take is one user to click one link, visit one page, or open one document crafted with certain healthcare terminology to infect a machine. Combined with a self-propagating mechanism, a single infection could take its toll on a hospital.”

Therefore, because vulnerabilities exist at all levels, it’s essential that all personnel are both aware of the threat and know how to detect, avoid, and alert if there is a ransomware or phishing attack.

Knowledge Is Power

First, many people on staff may not know enough about ransomware and how it works, so the primary task is general awareness. To that effect, SecurityIQ has written several articles on ransomware including its history and methods, which could be sent out to all employees [include link]. But we know that hospital staff members are often busy and under time pressure, so ensuring that each and every person has read the entire article and understood what they need to do to protect themselves can be a challenge in and of itself.

That’s why there is a second step that can quickly illuminate who in the organization is more prone to an accidental click. Our SecurityIQ website has developed PhishSim, an automated phishing simulation program that will send emails to selected groups of employees (called “learners”) which are designed to look and act like a real phishing attack.

1

This is just a photo of one sample email in the library. Those that read the entire email will realize it’s a test, but recipients who don’t look at the fine print carefully and click on the “View Folder” button are transferred to the SecurityIQ site, where a short video plays, notifying them they’ve been “hooked” (their click is also logged into your database). These emails can be customized, or created from scratch to better mimic an attack more specific to your hospital or other medical establishment.

Since one phishing email may or may not alert you to every less savvy user, SecurityIQ allows its members to create a series of campaigns that have a battery of different templates and can be sent and monitored over a set period of time. Those that fail any of the tests can be required to take the next level of training, called AwareED. The length and content of these learning modules can be configured. The default campaign is five courses, a total of 82:34 minutes, and 36 exercises.

Signage at Workstations

One of the quickest ways to raise awareness about phishing and ransomware attacks is to place signage at workstations and send paper memos to doctors, nurses, and other busy staff. Berkeley College in Oakland, CA has implemented a very aggressive phishing awareness campaign for their students, faculty, and employees, and puts on their website a variety of posters, postcards, and sticker templates they encourage all departments to download; any type of organization could use these ideas as examples and create their own.

2

Source: http://berkeley.edu

For the general public as well as businesses and government entities, a campaign and website called Stop. Think. Connect. was created with input from corporations such as Google, Facebook, and AT&T. They have created a variety of printable materials on phishing and security that can be freely downloaded, printed, and distributed.

Secure the Network

According to Ira Mentem, president of Secure Mentem in a Computer Weekly article on network protection, humans represent just 2 out of 10 possible entry points. “Users only fail if technologies have failed first or if the right controls have not been implemented by internet service providers or in mail servers,” he was quoted as saying.

However, the reality is that these infrastructures, particularly in healthcare, are woefully unprepared for a ransomware or phishing attack. A recent survey conducted by MeritTalk, a public-private company focused on improving IT in healthcare and government, found that 82 percent are not fully prepared for a data disaster such as ransomware.

Therefore, don’t just assume your IT department has a handle on the problem. (And if you’re reading this and are in healthcare IT, you know you’re not as prepared as you should be.) Instead, take matters into your hands and schedule a meeting to discuss the necessary steps to better strengthen the entire network’s security.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires all hospitals and medical facilities to be secure and they can receive no payments for Medicare or Medicaid until they are. To help facilities achieve full compliance, the U.S. Department of Health and Human Services has released an assessment tool that can be downloaded here. Documentation and videos guide users through the steps, and a printout of results can be made available to auditors.

Another important set of protocols was developed as part of a public-private collaboration between the Center for Internet Security (CIS) and the SANS institute, an information security certification group. Together they created a list of the top 20 security controls that they have found are the most effective in reducing attacks from phishing and ransomware. These controls are constantly updated by top security experts in companies such as Verizon and Symantec to help guard against the latest threats.

In addition, The Advisory Board Company has boiled it down to four basic steps to prevent ransomware, which they included in a handy infographic that can be downloaded and printed. Number one: back up your data.

3

Incentives to Prevent Phishing/Ransomware

In addition to making the entire facility aware of the dangers of phishing and ransomware, it’s also essential to keep them vigilant. This involves not putting blame or shame on anyone that inadvertently clicked on a link. Fear of reprisal could also delay reporting of any breaches, making recovery more difficult. These hackers often infect a computer network and then lay in wait for days, if not weeks or months before they strike.

Therefore, it’s not only important to implement a “no judgment” rule, but to also reward employees that flag any suspicious emails or events before something goes horribly wrong. A small monetary incentive, perhaps, is much better than paying a ransom.

What to Do If Ransomwared or Phished

In spite of all these safeguards and protocols, it is still possible for your facility to be ransomwared, either through cunning new advancements by the bad guys or simple human error. Because of this, as with any potential disaster, it’s important to have a recovery plan.

Healthcare IT News suggested that hospitals create a risk analysis of all systems, with different tiers of severity: Tier Zero being the most critical for immediate operations, Tier One being systems that can be out for an hour or two, etc. All medical facilities should also have a “gold image” of all systems and configurations, which could be used to completely reset the entire facility.

If and when a phishing attack occurs, instruct staff to notify IT immediately, especially if the link has been clicked. If the email can be identified before anyone has clicked the link, alerts can be sent out to all personnel. If the link was clicked, the email can be analyzed and perhaps damage can be mitigated.

If someone turns on their terminal and sees the evil CryptoLocker screen commonly used in many ransomware scams and contains the ransom demand and instructions, don’t panic. Instead, turn off the computer, alert IT, and call your local police department. While the police may not be of immediate help, it’s important to spread the word about the attack so others can prepare.

4

The screen of doom
Photo: http://www.aliencg.com/journal/2013/11/24/cryptolocker

If you do have backups and a gold image, recovery could be fairly painless. If not, it will be time for an administrator to make a painful decision on whether to pay the ransom or not. While many experts caution against paying the ransomware because there is no guarantee that the malware will truly be removed from the system, surprisingly the FBI recommends paying if you have no other choice. Payment usually involves using Bitcoin, an untraceable form of currency, although prepaid cash cards are becoming more common.

Drill, Baby, Drill!

Once the network is secure, the backups are in place, and the employees are trained, it’s time to have a preparedness drill. Like a fire drill or any other type of emergency simulation, this kind of participatory event can do wonders for getting everyone up to speed and working together.

Once the drill is completed, the entire operation can be assessed to see what worked and what didn’t. Steps can then be taken to fix any weak links and another drill could be scheduled.

Repeat as regularly as possible so the procedures are as fixed in everyone’s mind in much the same way they are trained to save lives.

Concluding Thoughts

Ransomware is a very real, menacing, and debilitating threat that is attacking hospitals, medical offices, and other healthcare facilities at an alarming rate. Because of the vulnerabilities of the new EMR systems, relative inexperience of staff, and the incapacitating ability of these attacks, many hospitals have capitulated and paid the ransom.

But paying the ransom is not only a dangerous precedent, it’s also not a guarantee they haven’t completely compromised your system; because of the interconnectivities with other hospitals and networks, you are also possibly exposing others to breaches.

Therefore, it is crucial that you and your organization take a number of steps towards preventing ransomware attacks from being successful. While some of the burden is on IT to ensure that as many safeguards are up to date and in place, such as backups, firewalls, and email filters, the bottom line is that everyone from the CEO to the front desk needs to be aware and educated.

We’ve outlined many best practices for your review in this article, including introducing SecurityIQ PhishSim phishing simulator and AwareED training. Other critical tools include HIPAA compliance software and the 20 steps outlined by CIS. It would also be advisable to consult with a security analyst firm to make sure you are as safe as possible.

Signage, regular staff communication, and ransomware drills round out our list of suggested education and awareness methods. With all these in place, you and your employees will be fully prepared if and when you are attacked.