Ransomware Prevention & Mitigation in Healthcare

Ransomware is one of the most aggressive, damaging and adaptable forms of cyber attack: it evolves fast, it is easy to create, it scales well, and it is easy money for the attackers.

A 2016 survey by SentinelOne found that 50% of organizations had suffered a ransomware attack in the previous year, 85% of them on multiple occasions. 70% of respondents had to increase IT spending, 65% changed their cyber security strategies, and 52% said they had lost faith in anti-virus solutions. Cato Networks reports that 73% of CIOs view ransomware preparation and mitigation as one of their top priorities for 2017.

Ransomware attacks, according to cybersecurity professionals, are mostly of two types: random and targeted. In a random attack, the attackers know nothing about the value or content of the data they hold for ransom. In a targeted attack, they are well aware of it. That is why healthcare organizations are such lucrative targets: locking a hospital out of its files is a matter of life and death for many people.

What Can Healthcare Organizations Do To Protect Themselves Against Ransomware?

Healthcare facilities and their business associates have a massive digital footprint, and consequently, numerous areas to cover when it comes to safeguarding against ransomware. The “anti-virus plus firewall” solution is obsolete and insufficient. Organizations need to address the cybersecurity issue holistically, and view it as a problem with multiple components, the major ones being a) the human factor; b) the technological factor.

Addressing The Technological Factor

  • Regular data backups are a must: if an organization’s servers or an individual employee’s device get locked by ransomware, unencrypted copies remain available and operations can carry on without interruption.
  • Patching early and often is vital, especially since browser exploits are a dime a dozen.
  • Monitor inbound attachments in emails.
  • Review and bring your users’ rights and permissions to order, and consider centralized identity management solutions. Often, all of a facility’s personnel have admin rights or advanced access to files and directories they do not need to perform their duties.
  • Deploy up-to-date security systems, & configure them correctly. Anti-virus, firewalls, email gateways, IPS, as well as IoT smart devices need to have a secure configuration that removes default settings.
  • Segment network adequately – locate workstations and servers on different networks.
  • Block .exe files in emails, disable macros & other active content in MS Office.
  • Enable the display of file extensions to make it easier for users to identify suspicious file types, such as JavaScript, .exe and others.
  • Virtualized sandboxing has proven effective against ransomware: some ransomware families check the target machine for signs of virtualization and decline to install if they find them.
  • Ensure users log out when done working – email, EHR system, internal chat, or any platforms that require logging in.
  • Stay up-to-date with security options in your existing fleet of software and devices. For example, Office 2016 enables admins to block macros from running in files downloaded from the Internet. Windows 10 has ample security and control features that allow admins to control devices remotely. Windows-powered medical grade tablets allow sandboxing, remote patching and wiping, as well as advanced authentication with Kensington lock, Smart Card, CAC or biometric scanner.
  • Deploy anti-spam solutions at your email gateways.
  • Install browser add-ons that block malicious websites from loading, even if your users click on links leading to them.
  • On the firewall and web gateway level, deploy solutions that filter ransomware hosting websites, & their command and control servers.
  • Bullet-proof your servers – whitelist authorized software, set rules for what it can change/update, and block everything that is not whitelisted.
  • Deploy solutions that detect malicious traffic and prevent ransomware from contacting command and control servers.
  • Make cybersecurity metrics a part of your business metrics, and analyze them religiously to pinpoint suspicious activity and weak points, as well as to identify which strategies work and which don’t.
  • Address the ELOFANT problem (Employee Left Or Fired, Access Not Terminated), a side effect of mishandled identity management: former employees keep their access to the organization’s data long after they have left. Sometimes they trade corporate secrets to competitors; other times they disclose confidential information via public media. Sometimes a lost or stolen device of a former employee, or a device infected with malware in a random attack, is the entry point of an attack.
  • Address your device management strategy. Bring Your Own Device (BYOD) can be cheap, but it is virtually impossible to safeguard personal devices of your staff against cyber threats. Finding the right balance between security, affordability, liabilities, and productivity requires a closer look at the problem of BYOD and security of patient health information (PHI) & the overall security of the facility.
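The attachment-handling bullets above (monitor inbound attachments, block .exe files, disable macros, make extensions visible) describe a policy a mail gateway can enforce mechanically. The following Python code is an added example and is not part of the original article or any product it mentions: it classifies an attachment from its name and its leading bytes, blocks executables and scripts, holds macro-enabled Office documents for review, looks inside zip archives and Office Open XML containers, and refuses to trust an extension that contradicts the content. The extension lists, the `build_zip` helper and all sample attachments are constructed for the example.

```python
import io
import os
import zipfile

# Extensions that should never be delivered as mail attachments in a
# clinical environment: executables, scripts and installers (constructed list).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".msi", ".jar", ".lnk",
}
# Office formats that can carry macros: hold for review instead of delivering.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Office Open XML documents are zip containers; a VBA project inside one
# means the file is macro-enabled despite its harmless-looking extension.
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
VBA_MEMBERS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}

# Leading bytes that identify the container regardless of the file name.
MAGIC = [(b"MZ", "executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def sniff(content):
    """Return the content type implied by the first bytes, or 'unknown'."""
    for prefix, kind in MAGIC:
        if content.startswith(prefix):
            return kind
    return "unknown"


def zip_members(content):
    """Lower-cased member names of a zip payload; None if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            return [m.lower() for m in zf.namelist()]
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, content):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    kind = sniff(content)

    # The name can lie, the bytes cannot: report.pdf with an MZ header is an executable.
    if kind == "executable":
        return "block", "PE executable content regardless of extension"
    # Double extensions such as invoice.pdf.exe end in the real extension.
    if ext in BLOCKED_EXTENSIONS:
        return "block", "blocked extension " + ext
    if ext in MACRO_EXTENSIONS:
        return "quarantine", "macro-enabled Office document " + ext
    if ext == ".pdf" and kind != "pdf":
        return "quarantine", "extension .pdf but content is not a PDF"
    if ext in OOXML_EXTENSIONS or ext == ".zip":
        members = zip_members(content) if kind == "zip" else None
        if members is None:
            return "quarantine", "extension " + ext + " but content is not a valid zip container"
        for member in members:
            member_ext = os.path.splitext(member)[1]
            if ext == ".zip" and (member_ext in BLOCKED_EXTENSIONS or member_ext in MACRO_EXTENSIONS):
                return "block", "archive contains " + member
            if member in VBA_MEMBERS:
                return "quarantine", ext + " file carries a VBA project (" + member + ")"
    return "allow", "no policy match"


def build_zip(members):
    """Constructed helper: build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; none of these are real files.
    samples = {
        "lab-results.pdf": b"%PDF-1.4 constructed sample",
        "invoice.pdf.exe": b"MZ\x90\x00 constructed stub",
        "referral.pdf": b"MZ\x90\x00 executable disguised as a PDF",
        "notes.docm": build_zip({"word/document.xml": b"<w/>"}),
        "notes.docx": build_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"}),
        "scan.zip": build_zip({"scan001.js": b"// constructed"}),
    }
    for fname, data in samples.items():
        print(fname, classify_attachment(fname, data))
```

Quarantine rather than block is used where a legitimate document is plausible (a macro-enabled spreadsheet from a known vendor), so that a human can release it; outright block is reserved for content that has no business arriving by email in a clinical setting.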
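The permissions-review bullet and the ELOFANT bullet above are two sides of the same periodic identity audit: compare what the directory says with what HR says, and compare who holds admin rights with who is approved to hold them. The following Python code is an added example, not part of the original article: it runs that audit over constructed HR and directory exports (all user names, groups and dates are made up) and reports terminated-but-enabled accounts, enabled accounts with no HR record, unapproved members of privileged groups, and accounts that have not logged on within a stale-account threshold.

```python
from datetime import date

# Constructed sample exports; user names, dates and groups are made up.
HR_ROSTER = {
    "jdoe":   {"status": "active"},
    "asmith": {"status": "terminated", "end_date": date(2017, 1, 15)},
    "rlee":   {"status": "active"},
}
DIRECTORY = [
    {"user": "jdoe",    "enabled": True, "groups": ["Clinicians"],                  "last_logon": date(2017, 3, 1)},
    {"user": "asmith",  "enabled": True, "groups": ["Clinicians", "Domain Admins"], "last_logon": date(2017, 2, 20)},
    {"user": "rlee",    "enabled": True, "groups": ["Domain Admins"],               "last_logon": date(2016, 10, 1)},
    {"user": "svc-old", "enabled": True, "groups": ["Domain Admins"],               "last_logon": None},
]
APPROVED_ADMINS = {"rlee"}  # constructed list of people approved to hold admin rights
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}


def review_accounts(roster, directory, approved_admins, today, stale_days=90):
    """Return a list of (user, finding, detail) tuples for the identity review."""
    findings = []
    for acct in directory:
        user, enabled = acct["user"], acct["enabled"]
        hr = roster.get(user)
        # An enabled account nobody in HR knows about is unowned and should be disabled.
        if enabled and hr is None:
            findings.append((user, "ORPHAN", "enabled account with no HR record"))
        # ELOFANT: the person has left but the account still works.
        if enabled and hr and hr["status"] == "terminated":
            findings.append((user, "ELOFANT", "left on %s but account still enabled" % hr["end_date"]))
        # Admin rights are checked against an approved list, not just against HR status.
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        if privileged and user not in approved_admins:
            findings.append((user, "UNAPPROVED_ADMIN", "member of " + ", ".join(privileged)))
        # Accounts that are never used are still valid credentials for an attacker.
        last = acct["last_logon"]
        if enabled and (last is None or (today - last).days > stale_days):
            findings.append((user, "STALE", "no logon in the last %d days" % stale_days))
    return findings


def findings_by_user(findings):
    """Group finding types per user, convenient for reporting."""
    grouped = {}
    for user, kind, _ in findings:
        grouped.setdefault(user, set()).add(kind)
    return grouped


if __name__ == "__main__":
    for user, kind, detail in review_accounts(HR_ROSTER, DIRECTORY, APPROVED_ADMINS, date(2017, 3, 15)):
        print("%-8s %-17s %s" % (user, kind, detail))
```

The review is only as good as its inputs: the HR export has to be the system of record for leavers, and the approved-admin list has to be maintained by someone other than the admins themselves, otherwise the audit simply confirms whatever the directory already contains.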
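Three of the bullets above concern the network side: filtering known ransomware hosting and command-and-control destinations at the web gateway, detecting malicious traffic, and turning security data into metrics that are reviewed regularly. The following Python code is an added example and is not part of the original article or of any product: it parses a constructed web-gateway log (all client addresses and host names are made up, and the `.invalid` domains cannot resolve), matches destinations against a constructed blocklist, flags client-to-host pairs that connect at near-constant intervals (the beacon pattern command-and-control traffic typically shows), and summarizes the result as a handful of metrics.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed threat-intelligence list; not a real indicator.
BLOCKLIST = {"c2.example-bad.invalid"}

# Constructed web-gateway log: timestamp, client, destination host, port, method.
PROXY_LOG = """\
2017-03-15T10:00:00 10.1.4.22 update.beacon-test.invalid 443 CONNECT
2017-03-15T10:00:00 10.1.4.23 intranet.hospital.invalid 80 GET
2017-03-15T10:00:07 10.1.4.23 intranet.hospital.invalid 80 GET
2017-03-15T10:01:00 10.1.4.22 update.beacon-test.invalid 443 CONNECT
2017-03-15T10:02:00 10.1.4.22 update.beacon-test.invalid 443 CONNECT
2017-03-15T10:02:31 10.1.4.24 c2.example-bad.invalid 443 CONNECT
2017-03-15T10:03:00 10.1.4.22 update.beacon-test.invalid 443 CONNECT
2017-03-15T10:03:40 10.1.4.23 intranet.hospital.invalid 80 GET
2017-03-15T10:04:00 10.1.4.22 update.beacon-test.invalid 443 CONNECT
2017-03-15T10:09:12 10.1.4.23 intranet.hospital.invalid 80 GET
2017-03-15T10:10:05 10.1.4.23 intranet.hospital.invalid 80 GET
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, method = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "method": method}


def analyze(log_text, blocklist, min_events=4, max_jitter=0.1):
    """Return (kind, client, destination) findings: BLOCKLIST hits and BEACON-like pairs."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    by_pair = defaultdict(list)
    for e in events:
        if e["dst"] in blocklist:
            findings.append(("BLOCKLIST", e["src"], e["dst"]))
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    # Beacon heuristic: enough connections to the same host, with gaps so regular
    # that their spread (population std-dev) is a small fraction of the mean gap.
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append(("BEACON", src, dst))
    return findings


def metrics(log_text, blocklist):
    """Summary numbers of the kind worth tracking alongside business metrics."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = analyze(log_text, blocklist)
    return {
        "events": len(events),
        "clients": len({e["src"] for e in events}),
        "destinations": len({e["dst"] for e in events}),
        "blocklist_hits": sum(1 for f in findings if f[0] == "BLOCKLIST"),
        "beacons": sum(1 for f in findings if f[0] == "BEACON"),
        "flagged_clients": sorted({f[1] for f in findings}),
    }


if __name__ == "__main__":
    for finding in analyze(PROXY_LOG, BLOCKLIST):
        print(finding)
    print(metrics(PROXY_LOG, BLOCKLIST))
```

The periodicity heuristic deliberately ignores what the destination is, which is what lets it catch a command-and-control host that is not yet on any blocklist; the price is false positives from legitimate software that polls on a timer, so in practice the flagged pairs are reviewed against an allow-list of known update and monitoring services before anyone is paged.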

Addressing The Human Factor

  • Make employee training on cybersecurity basics a part of your operations. The acute lack of cybersecurity awareness is one of the leading reasons why ransomware is so successful. Make sure to cover topics such as what phishing is, how to spot a malicious email and what to do about it, and which types of attached documents can be malicious.
  • Provide regular training and access to professional courses to your IT staff. Lack of IT security knowledge may be a part of the problem for many healthcare facilities as skilled cybersecurity professionals leave for other, better-paying sectors, says a study by ESG/ISSA.
  • Prioritize security. It is not uncommon for organizations to opt for less secure configurations to simplify usability. Enable two-step authentication, and deploy CAC, Smart Card or biometric authentication in addition to secure passwords. Never leave default settings on, and explain to your employees the liabilities and implications of not following your security guidelines.
  • Ensure that user identity, authentication and authorization are consistent. People always seek ways to bypass anything they deem as complicated, so providing them with security protocols that are simple, quick and secure solves the problem. With mobile devices increasingly used in healthcare to access PHI, consider moving to secure devices, such as Windows medical-grade tablets with disk encryption, and advanced authentication via CAC, Smart Card or biometric readers.
  • Deploy simulated phishing attacks (widely available as free online services) that test unsuspecting employees and generate reports on who opens malicious emails, how fast and what it can mean for your organization if the attack was real.

Final Words

Should your organization fall victim to a ransomware attack, be advised that paying the ransom should be your last consideration. The majority of ransomware attacks share a single modus operandi: they aim to cause panic (for example, with countdown timers until your files are deleted) so that the victim pays up quickly. Don’t give the attackers the satisfaction, says security journalist David Bisson.

Check your recovery options from a backup, & see if you can remove the infection from your system. Some infections are simplistic enough to be wiped by anti-ransomware tools in Safe Mode or from a clean USB stick. Security researchers continuously work to develop free utilities that help ransomware victims regain access to locked files.
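Recovery from a backup, as recommended above and in the first bullet of the technological checklist, only works if the backup was verified when it was taken and can be checked again after an incident. The following Python code is an added example, not part of the original article: it records a SHA-256 manifest of a source tree at backup time, verifies the backup copy against it, then simulates damage to one production file (overwriting it with random bytes stands in for encryption), identifies exactly which files no longer match the manifest, and restores only those from the backup. The directory names and file contents are constructed in a temporary directory; the example assumes the backup location is one the infected systems cannot write to, otherwise the backup is just another set of files to be encrypted.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(manifest, root):
    """Compare a tree against a manifest; returns sorted ok/changed/missing lists."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def restore(manifest, backup_root, target_root):
    """Copy back every file the manifest shows as changed or missing; returns what was restored."""
    check = verify(manifest, target_root)
    restored = []
    for rel in check["changed"] + check["missing"]:
        dst = os.path.join(target_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_root, rel), dst)
        restored.append(rel)
    return sorted(restored)


def demo():
    """Constructed walkthrough: back up, verify, simulate damage, restore, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr-exports")
        backup = os.path.join(work, "backup")
        files = {"patients.csv": b"id,name\n1,Test Patient\n",
                 os.path.join("notes", "visit-1.txt"): b"constructed visit note\n"}
        for rel, data in files.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)       # recorded at backup time
        shutil.copytree(src, backup)
        backup_check = verify(manifest, backup)  # prove the copy is complete before trusting it
        # Stand-in for encryption: overwrite one production file with random bytes.
        with open(os.path.join(src, "patients.csv"), "wb") as f:
            f.write(os.urandom(64))
        after_attack = verify(manifest, src)
        restored = restore(manifest, backup, src)
        after_restore = verify(manifest, src)
        return {"backup_check": backup_check, "after_attack": after_attack,
                "restored": restored, "after_restore": after_restore}


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

Keeping the manifest with the backup, rather than only on the production system, matters: after an incident the manifest is the independent record of what the files looked like before, and it is the basis for deciding which files to restore and for confirming that the restore actually succeeded.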

Windows (from XP onwards) has a feature called the Volume Shadow Copy Service (VSS), which automatically takes point-in-time snapshots of files and keeps them as shadow copies. Check whether you can use it to restore the files with the built-in Windows utility.

As you can see, when security is a priority, Windows is the operating system that provides a full set of tools and features to safeguard your data against ransomware, or facilitates mitigation should an attack occur.
