Surviving Ransomware – Know What to Do Before, During and After

For more than a week in February 2016, normal operations at a Hollywood, California hospital came to a sudden and potentially dangerous stand-still. Hackers had successfully encrypted much of the hospital’s data, preventing hospital staff from accessing patient medical records.

The hackers demand: pay a ransom of 40 Bitcoin, or almost $17,000, for the release of some 4.5 million private health records. While patient care was never compromised during the 10-day standoff, Hollywood Presbyterian hospital was forced to revert to pen and paper to register patients and chart medical records. Ultimately, hospital administrators decided to pay the ransom and obtain the decryption key. It was the quickest and most efficient way to restore their systems and administrative functions to normal operations, said the hospital’s Chief Executive Officer.

Ransomware – a Malicious Type of Software

The chaos that ensued at Hollywood Presbyterian was due to a type of malicious software called ransomware that encrypts data so it can only be unlocked with a decryption key. Ransomware, like other malware that exploits vulnerabilities in an organization’s computer system, first surfaced in 2013. Since then, more than 56 types of ransomware have appeared, which means one of as many as 50 gangs could have been behind the Hollywood Presbyterian attack, according to Kevin Haley, director of Security Response at Symantec.

 

The hospital was open to attack either because of vulnerabilities in any one of many different software programs in use at the hospital, or because someone on staff inadvertently invited the ransomware in by clicking on a web link or by opening an infected email. According to the FBI, email with malicious attachments or hyperlinks accounts for 85% of all ransomware detected. The most popular hiding places for the malware are blogs and online advertisements. Probably with a single click, the malicious software was launched and started encrypting data on Hollywood Presbyterian servers, setting the hacker’s scheme in motion.

 

Why Ransomware is Surging

Hackers continue to cast their nets across ever-widening distribution channels. Ransomware is cheaper than ever to build, creating economies of scale that result in higher rates of success. With the ability to scale, hackers can target more lucrative targets that are highly motivated to pay the ransom. The ransom itself has become easier to collect, thanks to the advent of Bitcoin and other digital currency that provides criminals an anonymous way to get paid.

Healthcare: A Prime Target for Cybercriminals

The Hollywood Presbyterian ransomware attack came just months after research firm Forrester singled out the healthcare industry as the number one target for ransomware in 2016. Nearly 100 million healthcare records were compromised last year – the number of cyberattacks against healthcare organizations grew by 68 percent over prior year. Ransomware has been particularly costly to the healthcare industry: each healthcare record breached costs the victimized organization approximately $363, according to industry experts – more than twice the average cost per breach across all industries.

Hollywood Presbyterian, of course, is just one of many healthcare organization to have suffered a hit. Recently, other high-profile healthcare attacks making headlines have included: Banner Health (3.6 million electronic protected health information (ePHI) records breached); Newkirk Products (3.4 million ePHI records breached); 21^st Century Oncology (2.2 million ePHI records breached); and Valley Anesthesiology Consultants (880,000 ePHI records breached). Just this month, Ashland Women’s Health, an OB-GYN practice in Ashland, Kentucky, reported a hacking incident that affected 19,727 of its patients. Since 2010, federal records show at least 159 healthcare institutions have reported being hacked or experiencing information technology issues that compromised patient records. It’s become a growing epidemic.

Most Healthcare Organizations are Ill-prepared to Deal with an Attack

According to a 2016 Sophos Group study, the healthcare sector is appealing to hackers because of the alarming laxity in many healthcare organizations’ approach to data security. The report also indicates U.S. hospitals lack new technology and best practices to defend against current cyber threats.

A HIMMS study from that same year reports that most healthcare organizations fail to adopt even basic safeguards like anti-malware tools, firewalls and encryption. Of all industries, healthcare had the lowest rate of data encryption. According to the HIMSS study, only 31% of healthcare organizations report extensive use of encryption; 20% reported no use of encryption at all.

The HIMSS report concluded that healthcare providers’ traditional view is they are in the business of saving lives. It follows, then, that IT security staff have a difficult time competing for budget dollars. Unless industry leaders re-examine their funding priorities for IT security, hackers will continue to have the upper hand.

The Best Defense is a Strong Offense

Perhaps it’s easier said than done: be prepared. Know in advance what you will do if your organization becomes the target of ransomware. Preventing ransomware before it occurs is, frankly, more important than how to recover your data. This is because if ransomware encrypts ePHI it is considered a data breach even if the ePHI can be restored from backup, according to the United States Department of Health and Human Services.

How to prevent ransomware:

• Conduct regular network risk assessments. Assessing the security risk of your network is key to preventing security related issues, including ransomware. It’s also a requirement of HIPAA/HITECH.
• Conduct regular network vulnerability assessments. These should be run on a quarterly basis at minimum, and your team should take immediate action to resolve issues that were identified.
• Implement an enterprise grade Web Content Filtering solution. Ransomware is often downloaded and installed inadvertently. Web Content Filtering solutions are designed to prevent your workforce from gaining access to sites that may contain ransomware, malware, viruses, and inappropriate content on the Internet.
• Regularly patch and update all applications and systems. All devices should be up-to-date. Your team should produce a report showing that all devices are patched on a monthly basis.
• Invest in robust security solutions. Every device should have the latest antivirus/malware software installed, and it should be regularly updated and monitored by a professional. Additionally, ensuring that intrusion detection systems are in place and working throughout your network is key.
• Implement an enterprise grade Log Management System. When problems occur, it is critical for your incident response team and law enforcement to have access to all logs. These logs will inform professionals about the incident and can help in determining whether or not a security breach has occurred.
• Continually back up your data utilizing the 3-2-1 rule. While preventing ransomware in a healthcare organization is key to preventing a data breach, being able to restore data without having to pay a ransom is a must. When it comes to backups, make sure to follow the 3-2-1 rule. This means that you must have 3 copies of your data; store the copies on 2 different media; and keep 1 copy offsite. Also, make sure that you never backup to a mapped network drive on a server or computer that also has access to your production data.
• Train and educate your staff. Your people should know what to do, what not to do, how to avoid ransomware, and how to report it. HIPAA/HITECH requires regular privacy and security training and awareness anyway; so, consider making ransomware one of your next training topics.

What to do during a ransomware attack:

• Call the FBI. Visit www.fbi.gov/contact-us/field to locate your closest field office and report the attack right away.
• Report the incident to the proper authorities. If ransomware has encrypted files with ePHI, or even if you suspect ePHI has been involved in any way, report it. Breach notification provisions require notification to the Office for Civil Rights at HHS, to the media, and to the affected individuals without unreasonable delay. If you fail to notify in time, you could face hefty fines.
• Report the incident to your insurance company. Most policies only provide coverage from the day a claim was filed. Even if you suspect that there won’t be a claim, file one anyway. It’s better to close the claim than not be covered for expenses incurred during your investigation.
• Disconnect from the network. If you receive alerts on your computer or server, or for any reason you suspect there is a security problem or instance of ransomware, disconnect the device from the network and notify your IT department and/or your information security officer.
• Determine the scope of the problem. Your response hinges on several factors: the type of attack, who in your network is compromised and what data was compromised. Your security professionals, assuming they have access to all logs, will be able to determine the scope of the problem rather quickly. If they can’t, then you haven’t properly prepared for a ransomware attack.
• Orchestrate a response. You should have an incident response plan in place. During a ransomware attack, a multi-disciplinary team should be assembled to determine the proper course of action.
• Don’t count on free ransomware decryption tools. Most free tools work only for a single strain of ransomware. In today’s environment, relying on free decryption tools is being penny wise and pound foolish!

AFTER the breach:

• Begin the cleanup process. Closely examine your system for hidden threats that you may have overlooked during the chaos.
• Conduct a post-mortem review. You will have no way of stopping the next attack unless you determine how the hackers got through.
• Assess user awareness. Your last line of defense is a well-informed employee.
• Risk Analysis and Vulnerability Assessment review. In light of the recent event, you should conduct another risk analysis and vulnerability assessment. Before you do, review the findings of your most recent reports and determine if action items on those reports were simply not followed or discovered.

The best strategy for preventing a ransomware attack, of course, is to avoid this extortion altogether. This is well within the power of most organizations, but it requires planning and action – before the crisis hits.