Fighting Back Against the Ransomware Threat in Health Care
Words like hacking and ransomware are probably too benign-sounding when what we’re really talking about is extortion, blackmail and grand larceny. But they’ve become big business and they’re getting bigger.
The bad news is you’re the target. The worse news is that the situation is getting worse.
Not only are these criminals often thousands of miles offshore and virtually untouchable by law enforcement, but they no longer even require sophisticated computer skills. Thanks to “ransomware-as-a-service (RaaS)” providers operating on the dark web, any mildly ambitious miscreant can become a threat. That’s right. For a mere $39, or perhaps a percentage of the profits, just about anyone can get into the crime business.
And not surprisingly, healthcare, with its troves of valuable patient data, is the No. 1 target. In fact, according to Chubb, personal health information is 10 times more valuable than data stolen from other industries on the black market. It’s no wonder that, according to Chubb, 38% of “cyber incidents” in the last 10 years have targeted healthcare, far more than any other sector.
It’s daunting, but you’re not helpless. There are steps you can—or must—take to protect yourself and your organization. The software company Digital Guardian recently asked 44 security professionals and business leaders how best to guard against ransomware attacks. The lengthy list of suggestions and admonitions they provided can be found here. Here are some of the more common and pointed suggestions:
- Repeatedly educate and train employees. Security awareness training should be given on a regular basis, says Lyle Liberman, of IT security firm Janus Associates. “Studies have shown that the effectiveness of training is long forgotten after 90 days, so it is important to keep reminding your team in short 15-minute sessions of the do’s and don’ts of good cyber hygiene.”
“Most ransomware is delivered by spear phishing,” says Steven Weisman, an expert in scams, identity theft and cybersecurity. “Have an ongoing education program for all employees about how to recognize and avoid spear phishing.”
- Diligently back up all data and know the related pitfalls. Backup files can also become completely encrypted [by ransomware] if you back up everything and replace the previous backup, says Aviv Raff, of Seculert, an attack detection and analytics platform. “With this in mind, you should do incremental backups (or keep previous versions), and keep the backup in locations with no immediate access (e.g., the cloud).”
“While most businesses think they’re backing up data, many may not be aware how ineffective their backup programs are,” says Adrienne Johnson, an IT veteran. “Since ransomware encrypts data on all attached and mapped drives, including mapped cloud storage and USB flash drives, these must be backed up as well.” Be wary of tape backups, she adds: “While the actual percentage is disputed, it is widely accepted that tape backups have a significant failure rate.”
Always verify the integrity of your backups, adds Greg Kelley, of Vestige, Ltd. “If you are just relying on your backup program to tell you it worked properly, you’re setting yourself up for a big disappointment. The only way to know that you have good backups is to restore some of the data.”
The best defense, says Weisman, “is to back up all of your data each day. In fact, my rule is to have three backup copies, using two different formats with one offsite.”
- Don’t rely on employee-generated passwords. “The most popular password in the world is 123456”, says Steve Manzuik, of Duo Labs. “Passwords are easily guessed and easily bypassed,” he adds. “Instead, use a password manager that automates the generation of complex passwords and stores them so memorization is no longer an issue.”
Require strong passwords for company databases, agrees Cosette Jarrett, of HighSpeedInternet.com. Keeping track of strong passwords is difficult, she adds, but worthwhile. And PC World offers a guide to help employees securely store them.
Pondurance co-founder Ron Pelletier suggests setting up multifactor authentication systems that require, for example, passwords, fingerprint scans and randomly generated tokens from an application like Google Authenticator.
- Restrict privileges. “Any given account should have the least amount of privilege required to perform appropriate tasks,” says Jeffery Lauria, of iCorps Technologies. “All users, including IT admin personnel, should log in using a non-privileged account, and escalate privilege as needed using a secondary account… The key to this concept is that malicious software most often runs using the privilege level of the currently logged in user. If that user is an admin, so is the malicious software.”
Ray Walsh, a journalist and blogger, agrees: Staff should be “given the least authority in company systems as is possible,” adding that it’s also advisable to ban staff from going on unnecessary web pages.
To pay or not to pay?
One other piece of advice from the experts: If you still get compromised, don’t pay unless you have absolutely no other choice.
Citing a report from Symantec, John Simek, of Sensei Enterprises, says that fewer than half of those who paid ransoms in 2017 actually got what they were paying for: a working decryption key. “And there’s no toll-free number for customer support,” he adds.
“Do not pay the ransom,” agrees Paul Kubler of Lifars. “The reason criminals keep utilizing this form of blackmailing attacks is that people keep paying.”