Ransomware is not a new cybersecurity threat; it has been around for over a decade. But the growing sophistication of this malicious scheme and increasing frequency of attacks have security professionals and law enforcement concerned. In 2015, the FBI issued a formal warning that ransomware attacks were on the rise. The agency made clear that this was not a threat limited to home computers – businesses, financial institutions, government, and other organizations have all been victimized. In early 2016, healthcare providers were added to the list. In the first 3 months of the year alone, ransomware incidents have been disclosed at 5 hospitals.
Ransomware is a type of malware that restricts access to a computer system’s data in some way – most often by encrypting the files on the system’s hard drive – and then demands a payment for the key to decrypt or unlock the files. More advanced versions of ransomware such as CryptoWall can encrypt not only files on the victim’s computer but also any external or shared drives connected to that computer. This makes health providers particularly vulnerable, since such a ransomware attack could shut down access to electronic health records and potentially interfere with patient treatment and care.
The more successful these cybercriminals are, the more likely additional ransomware attacks will follow. With the stakes so high, many healthcare organizations want to know what precautions they can take to combat this emerging threat. In an effort to help, HHS’ Office of Civil Rights (OCR) featured ransomware as the very first topic in a new Cyber-Awareness initiative launched in early February 2016.
OCR offered the following recommendations to HIPAA-covered entities and business associates to reduce the threat of ransomware:
- Backing up data onto segmented networks or external devices and making sure backups are current
- Ensuring software patches and anti-virus are current and updated
- Installing pop-up blockers and ad-blocking software
- Implementing browser filters and smart email practices
While we applaud OCR’s efforts to raise cybersecurity awareness and recognize that their monthly bulletin is not intended to be a full security advisory service, we thought it prudent to expand on the above recommendations and offer a few observations of our own.
First, consider that ransomware schemes, more than any other type of hacking attack, generally follow the laws of economics. Victims are inclined to pay the ransom if they calculate that the amount is less than the cost of restoring the system through some other means.
In February 2016, Hollywood Presbyterian Medical Center (HPMC) suffered a ransomware attack that disabled access to its network, email, and patient data. According to some reports, its radiation oncology department was also completely shut down. After 10 days of crippled operation, the hospital paid a ransom of 40 Bitcoins (the equivalent of approximately $17,000) to restore its systems to normal. In a public statement, HPMC’s CEO stated that “the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”
This suggests to us that ransomware attack scenarios should now be considered in every healthcare organization’s disaster recovery plan. For reference purposes, the Contingency Plan Standard under the HIPAA Security Rule’s Administrative Safeguards reads as follows:
- 164.308(a)(7): “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
Just as organizations develop contingency plans for natural disasters, we now recommend widening that scope to include ransomware attacks, since they can render critical data and systems unavailable. Under HIPAA, there are three required objectives for contingency planning: data backup, disaster recovery, and emergency mode operation. The need for offsite data backup is self-evident. Specific policies regarding the frequency of complete system backups and the length of time for retention of data are also important. Even with current backups, there can be a gap in time between the latest backup and the recognition of a ransomware compromise.
Similarly, incident response plans should be updated to include the possibility of a ransomware attack. A specific ransomware “playbook” is warranted given the unique attributes of such an attack. Creating this in advance minimizes the chances that employees will panic, making key missteps that could undermine future investigative efforts, have legal implications, or even slow the recovery process itself.
Remember, ransomware attacks are targeted at those who are considered most likely to pay. You may be a target but you don’t have to be a victim. For an attack to be successful, ransomware has to infiltrate your network. Typically, ransomware begins as a Trojan, finding its way into a system through a vulnerability in a network service or via a file downloaded by employees. Consistent and rigorous patching of operating systems and software applications will limit avenues of attack. Implementing an IT security program that includes regular vulnerability scanning and/or penetration testing will further lower risks across the board.
The hardest security challenge today is preventing your workforce from inadvertently enabling the attackers. This is now known as protecting the people perimeter. To do so, you must first protect employees from themselves. Although it sounds obvious, maintaining up-to-date anti-virus software is a must. Filter Internet traffic to exclude domains that are less than 3 days old or originate from countries that are known hacker havens. Next, embark on a program of thorough, comprehensive security awareness education. Through social engineering exercises such as mock phishing attacks, you can begin to train your employees to recognize email scams and bogus websites. The most effective programs combine training and testing with both positive and negative reinforcement.
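One way to implement the domain-age and country filtering rule described above, as an added example that is not the article's own code: the creation dates, country codes and proxy log lines are constructed stand-ins for what a WHOIS/RDAP lookup and a GeoIP database would return, and the country blocklist holds placeholder codes rather than any real country.

```python
"""Web-filter policy: block domains younger than 3 days or from blocked countries."""
from datetime import datetime, timedelta, timezone

# Policy knobs from the text: block domains registered less than 3 days ago.
MAX_DOMAIN_AGE = timedelta(days=3)
# Placeholder country codes standing in for the organisation's own blocklist.
BLOCKED_COUNTRIES = {"XX", "YY"}

# Constructed stand-in for WHOIS/GeoIP data: registrable domain -> (created, country).
DOMAIN_INFO = {
    "example.com": (datetime(2010, 1, 1, tzinfo=timezone.utc), "US"),
    "fresh-invoice.example": (datetime(2016, 2, 9, tzinfo=timezone.utc), "US"),
    "boundary.example": (datetime(2016, 2, 7, 9, tzinfo=timezone.utc), "US"),
    "oldhost.example": (datetime(2009, 5, 5, tzinfo=timezone.utc), "XX"),
}
# Constructed evaluation time used by the sample run below.
NOW = datetime(2016, 2, 10, 9, tzinfo=timezone.utc)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (assumes no multi-part TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decide(host: str, now: datetime, fail_closed: bool = True) -> str:
    """Return 'allow' or 'block:<reason>' for one requested hostname."""
    info = DOMAIN_INFO.get(registrable_domain(host))
    if info is None:
        # No registration data available: a conservative filter blocks,
        # a permissive one allows. Make this an explicit policy choice.
        return "block:unknown-domain" if fail_closed else "allow"
    created, country = info
    if country in BLOCKED_COUNTRIES:
        return "block:country"
    if now - created < MAX_DOMAIN_AGE:  # exactly 3 days old is allowed
        return "block:new-domain"
    return "allow"


def filter_log(lines, now):
    """Apply the policy to constructed proxy log lines of 'timestamp user host'."""
    return [(line.split()[2], decide(line.split()[2], now)) for line in lines]


SAMPLE_LOG = [  # constructed sample proxy log
    "2016-02-10T09:00:00Z alice www.example.com",
    "2016-02-10T09:01:00Z bob fresh-invoice.example",
    "2016-02-10T09:02:00Z carol cdn.oldhost.example",
    "2016-02-10T09:03:00Z dave totally-unknown.example",
]

if __name__ == "__main__":
    for host, verdict in filter_log(SAMPLE_LOG, NOW):
        print(f"{host:28} {verdict}")
```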
Taking proactive, aggressive steps to combat ransomware is now a necessity. Clearly, attackers have made healthcare organizations a target. Both preventative measures and robust contingency plans can keep ransomware attacks from becoming the “new normal” in healthcare.