Intelice Solutions: Blog
Ransomware Attacks in a Healthcare Setting
Ransomware is currently the top malware threat facing healthcare IT settings. When it comes to defending against it, prevention is the key.
In March 2017, a Wisconsin-based urology group discovered it was the victim of a ransomware attack. Fortunately, they were able to hire an international IT company that was able to remove the infection and restore the group’s computer systems. Unfortunately, it’s possible that before that, the records for over 17,000 patients were compromised.
Protected health information (PHI), including patients’ full names, account numbers, procedural codes, provider identification numbers, and in a few cases, even social security numbers, were potentially accessed by the attacker.
This was an expensive experience for the practice. In addition to hiring specialized IT help on an emergency basis to address the attack, they had to notify all of the affected patients. They also offered the patients 12 months of personal credit monitoring to help protect against identity theft and fraud.
Even so, the urology group was fortunate; they were able to restore their data, without paying a ransom fee. Often, that doesn’t happen.
Ransomware is a particularly painful form of malware. Once it infects a system, it encrypts all of the data it can find and demands a ransom for its recovery. In some cases, a technically skilled team can reverse the encryption. Often, however, reversing it is impossible without purchasing the key from the attacker, and the only option is to restore data from system backups.
Even when good backups exist, the victim incurs the expense of downtime while restoring them. Restoring the infected computers can take days or weeks and some data may be irretrievably lost.
Sources of Infection
Since it can invade a system through many vectors, and it often bypasses standard antivirus software, it’s challenging to defend against ransomware. Leading sources of infection include:
- Phishing emails: These emails appear legitimate but either contain malicious attachments or trick users into clicking a link that will infect their computer.
- Drive-by downloads: A user with an outdated or unpatched program visits a compromised website, which detects the weakness and downloads an exploit kit. Infected ads on legitimate sites can capitalize on weaknesses to download code too, without the user even clicking on them.
- Free software downloads: A user intentionally downloads a file, not realizing that it’s infected.
Both email and web attacks first download and install an exploit kit, which scans the target system for weaknesses. The kit then makes a callback to a remote resource and downloads a payload that can take advantage of an identified vulnerability. Once the payload is installed, it makes another call to the remote source – this time for the encryption key – and then the data on the victim’s computer is encrypted.
Once it’s done its dirty work, the ransomware displays a message informing the victim their data is being held hostage, along with instructions on how to purchase the decryption key. Payment is usually demanded in the digital currency Bitcoin, which is tough to trace.
Defending Against Ransomware
The best defense against ransomware is to avoid getting infected in the first place. Significant protective measures include:
- Keep systems patched and updated: Make sure all web browsers and the operating system on every computer are updated with all security patches. Remove outdated or unused plugins and add-ons.
- Use an ad blocker: Prevent potential infection from malicious ads by blocking all ads.
- Educate users: Teach users good security practices, such as avoiding unrecognized opening emails and only visiting work-related websites.
- Employ self-updating anti-virus software: Make sure your antivirus solution uses real-time protection and includes automatic updates. This won’t stop all malware, but it will help.
- Control account permissions: Limit user permissions so users can’t install unauthorized software, intentionally or unintentionally.
In addition to these basics, it’s also worthwhile to consider installing a traffic filtering solution to protect the entire network. Several cybersecurity and networking companies offer cloud-based, real-time traffic monitoring that can detect when a ransomware attack has been initiated and block it.
Of course, keeping solid, tested backups, along with procedures for their use is imperative, just in case. The backup repository should be disconnected when not in active use, as ransomware will reach out and encrypt it, too, if it’s accessible from a compromised machine.
If ransomware strikes, unplug and isolate the infected machine immediately. It takes some time for the encryption to complete and you may be able to interrupt the process. Ransomware can spread to connected devices, including backup drives and even medical devices connected to the same network.
Some variants of ransomware encryption can be reversed by an antivirus company, although many cannot. If you have backups available, use them. Otherwise, if you can’t reverse the encryption, you’ll have to choose between losing the data or complying with the ransom demand.
Ransomware has become favored business model of cyber criminals, so much so that it’s currently the biggest malware threat facing IT systems. In healthcare environments, especially, there’s a lot at stake. The combination of connected medical devices, mobile technology, widespread Wi-Fi use, and PHI means there are many points of potential vulnerability. This isn’t a problem that’s likely to go away anytime soon, so it’s up to IT professionals to understand how infection happens and implement measures to defend against it.