Preventing Ransomware Attacks: IT Education in the Healthcare Industry
By: Betty Frandsen, MHA, RN, NHA, CDONA, FACDONA, C-NE, IP-BCDirector of Education, Med-Net Compliance, LLC and Jeannine LeCompte, Compliance Research Specialist, Med-Net Compliance, LLC
Fully-updated software systems are, unfortunately, not enough to prevent a repeat of recent worldwide ransomware attacks-because the greatest vulnerability to such intrusions remains ignorance about how these viruses are spread. While much media attention is focused on the need to have fully updated software systems in order to “beat” attacks (because the recent “Wannacry” ransomware attack exploited a vulnerability in old versions of the Windows operating system-and had no effect upon Windows 10 systems which had been updated with the very latest patches), this is no guarantee that an IT system is safe from ransomware attacks.
Cyber criminals are constantly working on new ways to gain access to IT systems, and the sensitive nature of the healthcare industry’s records makes it particularly vulnerable to ransomware attacks. A “patched” system is only as secure as the people operating it-which means that it is just as important to ensure that all staff, both frontline and administrative, are urgently educated on how to spot and prevent attacks. Although last week’s attack brought the issue of ransomware firmly into focus, the threat has long been in existence. Before the latest attack, ransomware intrusions had already increased 16,000 percent worldwide over the last year, and had become a $1 billion industry. Furthermore, cyber criminals have quickly realized the vulnerability of the healthcare industry due to the confidential, and often times critical nature of patient records held online.
Not only are all data breaches reportable in terms of the Health Insurance Portability and Accountability Act (HIPAA), but the chaos which can ensue when IT systems in a healthcare setting go offline, places huge pressure on companies to seek the quickest solution-which is, in the criminal’s mind, at least, to pay-up. The number of attacks is astonishing. Last year SonicWall reported 638 million ransomware attacks-a staggering 16,689 percent increase over 2015. The FBI says that it does not matter if “earnings” from individual ransomware attacks still tend to be small, because the sheer number of attacks means that in 2016 cyber criminals took in at least $1 billion.
Ransomware’s methodology is simple-and this is where the critical need for education becomes paramount. The first step to gaining access to an IT network is to get an employee to open or click upon an executable file in an email, attachment, or on a website. The “WannaCry” ransomware, exploiting a vulnerability in old and unpatched Windows systems, was able to spread by itself after this initial infection. The fact that a patched system will not allow the virus to spread in this way is no guarantee that hackers won’t work out a new way to spread the virus-or perhaps even exploit some other, as of yet unknown, vulnerability. This is why the human element-or rather, the human error element-is so important. Emails have become the primary method of spreading ransomware. Millions of malicious “phishing” emails are sent every second, using a variety of lures to encourage victims to open a ransomware email. These include offers of financial bonuses, fake online receipts, job applications from prospective employees, travel itineraries, patient records, etc.
What then, in addition to updating software systems, are the measures which all institutions and companies should urgently introduce? First, it is important that data backups are done on a regular basis and that the backed-up drives are stored in a manner which ensures that they are offline-such as a removable or portable hard drive system. These backups should be of the complete system, not just the data, as this will allow a full restoration in a much quicker time than otherwise possible. Second, educate your staff. Teach them that it is never a good idea to allow macros to run in any document attachment received via email, even if the email appears to be from a known contact. Using an application such as Microsoft Office Viewer will allow a reader to see what documents look like without opening them in Word or Excel. Such viewer software does not support macros, so they cannot be accidentally enabled. In fact, it is a good idea to disable macros on all Microsoft Office environments so employees can’t unwittingly run a ransomware file. Third, as many viruses require administrator rights to infect an entire system, it is never a good idea for any account holder with administration rights to be logged into the system longer than necessary. Fourth, all staff need to be taught and constantly refreshed about how to detect potential phishing emails. This should include the creation of a reporting procedure for suspicious emails. Fifth, staff should be vigilant with company devices entrusted to their care, and be made aware of the HIPAA violation penalties which data losses can incur. This should include having strict rules set in place that limit all personal use of company computers.
The Department of Health and Human Services will soon have its own version of the DHS’s National Cybersecurity and Communications Integration Center (NCCIC), to be called the Health Cybersecurity and Communications Integration Center (HCCIC). It will have as its mission the education of all health organizations and consumers about the risks involved with using mobile applications and data. This center should be operational by next month, June 2017.
And if you think ransomware is a new threat to the healthcare industry, think again. Some recent prominent cases of healthcare institutions hit by ransomware attacks include:
April 2017: The Erie County Medical Center shut down its entire computer system after an attack, and the staff had to resort to manual, paper-based processes to complete patient-related activities. Due to an ongoing FBI investigation, ECMC officials refuse to confirm or deny that the incident was a ransomware attack, but local media quoted anonymous employees confirming that it was.
October 2016: Marin General Healthcare District and Prima Medical Group in Greenbrae, Calif., lost data relating to over 5,000 patients after a ransomware attack. A ransom was paid to the attackers.
August 2016: Keck Medicine in Los Angeles, part of University of Southern California, reported two servers were hit with ransomware in August, encrypting files and making them inaccessible to employees. The hospitals did not pay any ransom.
May 2016: Kansas Heart Hospital in Wichita was struck by a ransomware attack. The hospital paid the unspecified ransom, but hackers didn’t fully unlock the computer files, and demanded more money to do so.
For more information regarding this article, call 609-454-5020 or email info@mednetconcepts.com.
