IT's New Nightmare: Will Ransomware Hold Your Data Hostage?
Ransomware has moved center stage as a concern for healthcare organizations in particular, and experts fear that more incidents with providers are possible because of inadequate defenses.
The use of ransomware to extort funds from Hollywood Presbyterian Medical Center received nationwide attention, and sparked worries from hospital executives, concerned about the susceptibility of their organizations to similar attacks.
The new ransomware threat on healthcare is worrisome because hospitals are not designed to fight cyber risks, says Rahul Kashyap, chief security architect at Bromium, which monitors treat data and analyzes threats. “IT security in hospitals is not architected to ward off these threats—hospital attacks will rise.”
At Hollywood Presbyterian, the ransomware attack started on February 5, crippling access to electronic health records and interrupting the flow of clinical information.
The facility resolved the situation by paying the equivalent of $17,000 in ransom to obtain a decryption key and put its information systems back online, said Allen Stefanek, its CEO. Access to data in the electronic record was restored on Monday, February 15, he said.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Stefanek in a statement released by the organization. “In the best interest of restoring normal operations, we did this.”
Ransomware has evolved rapidly in the last 10 years, moving from preying on individuals to aiming at organizations, which are likely to pay bigger amounts. It works by either disabling access and control of an individual computer (locker ransomware) or by encrypting data (crypto ransomware). With both approaches, criminals don’t relinquish control until an extortion fee is paid.
Ransomware’s access to a computer or system is part of a class of security threats that depend on someone being duped into providing network credentials, primarily through phishing attacks.
Incidents of ransomware are rising quickly, particularly in the healthcare arena, says Tom Pendergast, chief strategist on information security, data privacy and compliance at MediaPro, a vendor of online employee education programs.
Ransomware primarily was aimed at individuals and small businesses until a few years ago, when criminals began targeting larger corporations, Pendergast notes. While ransomware attacks in the past required small payments to resolve--$300 to $700 were typical amounts-- the Hollywood Presbyterian attack shows that as targets get bigger, so does the level of extortion, Kashyap says.
Victims frequently pay the ransom, he adds, because it makes the problem go away. Victims may fear being held responsible and losing their jobs, or an organization didn’t have up-to-date backup procedures in place, and thus had no choice but to pay. Overall, Kashyap says, attackers generally avoid making the ransom too expensive, hoping that victims will want to avoid frustration or business disruption and pay quickly.
Stephen Cobb, senior security researcher at security firm ESET, says good data backup policies will go a long way toward being able to recover from attacks.
“The impact of ransomware that does penetrate your defenses will depend largely on how you have been managing your backup and recovery systems,” Cobb says. “Backups don’t need to be sophisticated, they just need to be done regularly and then periodically tested for usability. If these are appropriately configured and routinely tested, you may well be able to replace the files that the ransomware encrypted with relatively current versions. Most operating systems have some basic backup functionality already baked in, and the cost is just the personnel power it takes to set it up.”
Many recent information security incidents—both at healthcare organizations and at large retailers, such as Target—have demonstrated that employees can be a weak link in information network defenses, when they are subjected to phishing attacks that look plausible and ask for credentials that enable access to networks.
Traditionally, security training in healthcare on focused on educating employees once a year on HIPAA and demonstrating a minimum level of compliance with HIPAA’s many regulations governing the uses and protections of patient information.
Now, there’s increasing focus on cybercrime, including ransomware, and healthcare organizations have to ramp up their training to educate employees and sell them on the necessity of always being alert to potential phishing attacks, Pendergast believes.
Maintaining this heighten sense of awareness will require frequent, if not continuous, efforts to keep security at high levels in healthcare organizations, he adds. For example, an organization can use email reminders about vigilance to employees, or it can simulate a phishing attacks to see how employees respond and immediately showing those who gave credentials where they went wrong, Other awareness approaches include putting posters in break rooms or having the CEO constantly remind team members to be alert to criminal gambits.
Behavioral analytics also can be a strong weapon in the cyber war, Pendergast says. Analyzing records of employee network activity can identify risky behavior in the workplace—unintentionally or otherwise. The IT department can then come in and provide “just-in-time training” to employees, soon after risky behavior occurs.
Kate Borten, president of health information security consultancy Marblehead Group, sees more clients doing their own simulated phishing attacks against employees. One hospital IT department phished the CEO, which is a good way to raise awareness in the C-suite. Another good way to protect against attacks, Borten says, is to teach all employees how to check the URL of an email before opening it.
The more employees that can be trained to spot phishing, the better off the organization and its staff will be, Borten says. “This is a life skill. You don’t want to get phished at home when you are in your bank account.”
(This article appears courtesy of our sister publication, Health Data Management)