The Ransomware Explosion is Hitting Healthcare Hard, Part 2

By: Nextech | April 11th, 2016

Ransomware is becoming more common and the healthcare industry has recently been a favorite target of hackers. With five ransomware attacks on healthcare organizations in the last month, healthcare organizations need to pay more attention to combatting ransomware.

RELATED: The Ransomware Explosion is Hitting Healthcare Hard, Part 1

Ransomware Alert Issued for Healthcare Providers

Last week, the Department of Homeland Security and the Canadian Cyber Incident Response Centre (CCIRC) issued a joint alert regarding this sudden surge in the frequency of ransomware attacks against healthcare organizations.

The alert recommends that all healthcare organizations take the following steps, as set down by the US Computer Emergency Readiness Team (US-CERT), to prevent or counter ransomware attacks:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data/system loss and to expedite recovery processes. Ideally, data should be kept on a separate device and stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting allows only specified programs to run while blocking all others, including malicious software.
  • Keep operating systems and software up-to-date with security patches.
  • Maintain up-to-date anti-virus software and scan all software downloaded from the internet prior to executing.
  • Restrict user permissions to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
  • Follow safe practices when browsing the Web.
  • Do not follow unsolicited links, especially in emails.
  • Avoid social engineering and phishing attacks.
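One way a mail gateway or triage script could apply the macro and attachment guidance above, as an added example that is not from the US-CERT alert or from Nextech: it flags Office attachments that carry VBA macros so they can be quarantined before a user opens them. The function names, sample message and addresses are constructed for illustration, and the legacy-format check is a byte-pattern heuristic.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")       # legacy .doc/.xls container header
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")   # stream name present when VBA is stored


def has_macros(data: bytes) -> bool:
    """True if an Office file appears to carry VBA macros (static check only)."""
    if data.startswith(OLE_MAGIC):
        return VBA_DIR_NAME in data                 # heuristic: directory entry name
    if data.startswith(b"PK"):                      # OOXML documents are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return True                             # unparseable archive: fail closed
    return False


def macro_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments that should be quarantined."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_macros(payload):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample input: one message with a minimal OOXML-style attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "desk@example.test", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(macro_attachments(build_sample(True)), macro_attachments(build_sample(False)))
```

A macro hidden behind a `.docx` name is still flagged, because the check inspects the file contents rather than the extension.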

The Ransomware Debate: To Pay or Not to Pay?

The increasing frequency of ransomware attacks has led to a fierce debate in the cybersecurity industry—should victims just pay the ransom or should they refuse? After all, not paying the ransom means dealing with the combined costs of lost revenues, paying staff to do manual data entry (since it forces everyone to temporarily revert to paper records that need to be put in the EMR later), and the downtime caused by the process of doing a recovery-from-backup. 

On one side of the debate, you have government cybersecurity agencies and law enforcement entities. If you ask them, they will almost certainly tell you that no, you should never pay to unlock ransomware. And can you blame them? The groups who engage in these sorts of activities are sometimes funding global organized crime syndicates and/or terrorist organizations.  Endorsing payouts that might encourage criminal behavior is not something you are likely to see from agencies such as the FBI, DHS, NSA, et al.  Keep in mind that such agencies are viewing ransomware from a law enforcement standpoint.  However, it is not their data and/or livelihood being put at risk… it’s yours.

This argument also becomes pretty flimsy when you consider the fact that Joseph Bonavolonta, the Assistant Special Agent in Charge of Cyber and Counterintelligence at the FBI, has already been quoted as saying “Ransomware is that good. To be honest, we often advise people to just pay the ransom.” He was also quoted as conceding that, if you pay the ransom, “You do get your access back.”

Taking this side of things is made even more difficult by the fact that multiple law enforcement departments have been hit by ransomware attacks and paid the ransoms.  For example, the Swansea Police Department in MA or the Dickinson County Sheriff’s Office in TN.  I think many people find it difficult to take seriously the “no-pay” stance of law enforcement when it always seems to be a case of “Do as we say, not as we do.”

Proponents on the flipside of this debate are mostly private-sector cybersecurity experts and white hat hackers.  They tend to view things from more of a “cost/risk vs benefit” point of view.  Most of these experts would likely tell you that there is nothing wrong with paying a ransom, though it is best not to pay if possible. For example, if victims are willing and able to restore their systems without paying, then they should consider doing so and not give in to ransom demands. However, if the amount being demanded is worth recovering the particular data at risk and/or is less than the overall costs of doing a full recovery-from-backup (and the resulting lost time/revenue)… they argue that paying the ransom is the most reasonable way to go.

Whether or not you choose to pay out in order to resolve a ransomware attack is up to you. I do not think anyone can make that decision until they are in that situation. Hopefully, none of you will ever have to find out what that situation is like. For now, I would highly recommend you take the US-CERT precautions listed earlier in this article and make sure you and your staff are being extra vigilant in watching out for spear-phishing emails and social engineering attacks.

If the last few months are any indication… this is just the beginning of the ransomware surge.  And I fear things are going to get worse before they get better.  I predict that far more of these sorts of attacks are coming for those in the healthcare industry, and I fear they are coming soon. All any of us can do is suit up and get ready for the storm.

Also…. I am very sorry that, once again, I do not have any good news to report.