Dealing with a Ransomware Attack

Jeannine LeCompte, Compliance Research Specialist

All healthcare facilities should have a pre-planned and practiced emergency routine to deal with a ransomware attack in case their preventative measures fail. This plan, which should be known to all administrative staff, must be able to be activated the moment that a breach is detected.

For example, an employee who, on switching on their workstation, notices that all the usual desktop icons are gone or that the system is otherwise unresponsive should be trained to alert a supervisor immediately rather than “try to restart” on their own. Most often, the first sign of ransomware appears in the startup programs, which affect the first things seen when a computer is switched on.
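Beyond the startup symptoms described above, a responder will want a quick way to confirm whether files on a suspect workstation actually show ransomware indicators before escalating. The following Python script is an added example written for this article, not code from the original page or from any product it names: it walks a directory tree and flags ransom-note-style filenames, unfamiliar appended extensions, and files whose content has the near-random byte distribution of ciphertext. The note-name fragments, the list of known extensions, the entropy threshold, and the sample tree it builds are all constructed assumptions for the demo.

```python
"""Triage a file tree for common ransomware indicators (added example).

Indicators checked:
  * ransom-note style filenames (constructed markers such as "recover", "decrypt")
  * an unfamiliar extension appended to files (e.g. ".locked")
  * file contents with high Shannon entropy, which is what encrypted data looks like
The marker list, extension list, threshold and sample tree are constructed for the demo.
"""
import math
import os
import tempfile
from collections import Counter

# Constructed note-name fragments; real strains use many different note names.
NOTE_MARKERS = ("decrypt", "restore", "recover", "ransom", "how_to")
# Constructed allow-list of extensions the facility expects to see.
KNOWN_EXTS = {".docx", ".pdf", ".txt", ".xlsx", ".jpg", ".png", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(root: str, sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Walk `root` and return a summary of ransomware indicators found."""
    notes, high_entropy = [], []
    ext_counts = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            # Ransom notes are small text/HTML files with a recognisable name.
            if any(m in lower for m in NOTE_MARKERS) and lower.endswith((".txt", ".html")):
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext and ext not in KNOWN_EXTS:
                ext_counts[ext] += 1
            # Only the first few KB are read; that is enough to judge entropy.
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                high_entropy.append(path)
    return {
        "ransom_notes": sorted(notes),
        "unknown_extensions": dict(ext_counts),
        "high_entropy_files": sorted(high_entropy),
        "suspect": bool(notes) or bool(high_entropy),
    }


def build_sample_tree() -> str:
    """Constructed tree: two plain files, two 'encrypted' files and one ransom note."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("patient scheduling notes, nothing unusual here\n" * 40)
    with open(os.path.join(root, "report.csv"), "w") as fh:
        fh.write("id,value\n" + "".join(f"{i},{i * 3}\n" for i in range(300)))
    # Random bytes stand in for encrypted content; the appended extension mimics
    # the renaming many strains perform.
    for name in ("budget.xlsx.locked", "scan.pdf.locked"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(8192))
    with open(os.path.join(root, "HOW_TO_RECOVER_FILES.txt"), "w") as fh:
        fh.write("constructed ransom note text\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a copy of the suspect share, not the live machine, and treat a positive result as a reason to start the isolation and notification steps rather than as a final verdict; compressed archives and already-encrypted files such as password-protected documents will also score high on entropy.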

The next step is to isolate the infection by immediately taking the affected device or devices offline. In a wired or Wi-Fi environment this means switching off the router or, in a larger office, whichever system distributes the internet/intranet connection. If this step is done in time, it may stop the ransomware from spreading.

Once an attack has been identified, a system must be in place for all employees to be notified immediately. A workplace email alert is obviously not going to work, so a telephone alert chain needs to be planned in advance, with a list of department heads who can be reached quickly and who can then contact everyone who reports to them.

If a system is compromised, it is very important to photograph the ransom note that may appear on the screen of affected workstations. This aids the investigation and provides evidence of the attack, which is necessary for filing any later insurance claim. In this regard, facilities should also read their current insurance policies carefully, as it is commonplace for insurers to exclude “business interruption” as a basis for a claim. In other words, make sure that IT disruption through malware is explicitly mentioned.

If infected, bring in an expert to identify the ransomware strain used in the attack. Many strains have been cracked, with decryption tools available online, and others are fakes that don’t actually encrypt data.

A website that is very handy in that process is “ID Ransomware”, which can be found at https://id-ransomware.malwarehunterteam.com/.

ID Ransomware can help identify the encryption software being used by reading uploaded photographs of the ransom note, copies of encrypted files, or even the email addresses or hyperlinks the ransomware provided for contacting the criminals.

If a system is completely encrypted and ID Ransomware offers no immediate solution, then there are two choices open to an affected facility: either restore from the offline daily segmented backups (such a policy should, of course, already be in place), or pay the ransom.

The recommended option is to start with a backup. This means wiping the facility’s system, as this is the only reliable way to remove ransomware. Once the system has been rebuilt, the backed-up data can be restored. Such a process can take days or weeks, and the facility should be prepared to deal with that disruption.
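Restoring from the offline backup only helps if the backup itself was not encrypted or altered before it was taken offline. The following Python script is an added example for this article, not code from the original page or from any backup product: it records a SHA-256 manifest when the backup set is written and, before a restore, rehashes every file and reports which ones are intact, modified or missing. The directory layout, file contents and the simulated tampering are constructed for the demo.

```python
"""Build and verify a SHA-256 manifest for an offline backup set (added example).

The manifest is written when the backup is taken and stored beside the offline
copy. Before restoring, every file is rehashed and compared with the manifest,
so a backup that was itself encrypted or silently altered is caught before it
is put back into production. All paths and file contents are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: str) -> dict:
    """Map each file under backup_root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, names in os.walk(backup_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, backup_root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(backup_root: str, manifest: dict) -> dict:
    """Compare the current backup contents against a previously saved manifest."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(backup_root)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Files present now but absent from the manifest (e.g. dropped ransom notes).
    result["unexpected"] = sorted(set(current) - set(manifest))
    result["safe_to_restore"] = not (result["modified"] or result["missing"])
    return result


def demo() -> tuple:
    """Constructed backup set: verify it clean, then after one file is 'encrypted'."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    os.makedirs(os.path.join(root, "records"))
    sample = {
        "records/patients.csv": b"id,name\n1,A\n2,B\n",
        "records/schedule.txt": b"mon,tue,wed\n",
    }
    for rel, content in sample.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)

    manifest = build_manifest(root)
    # Keep the manifest beside the offline copy, not inside the tree it describes.
    manifest_path = root + ".manifest.json"
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    with open(manifest_path) as fh:
        loaded = json.load(fh)

    clean = verify_backup(root, loaded)
    # Simulate the backup copy having been encrypted in place (random bytes).
    with open(os.path.join(root, "records", "patients.csv"), "wb") as fh:
        fh.write(os.urandom(64))
    tampered = verify_backup(root, loaded)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy safe to restore:", clean["safe_to_restore"])
    print("tampered copy safe to restore:", tampered["safe_to_restore"])
    print("modified files:", tampered["modified"])
```

The manifest should travel with the offline media (and ideally a signed copy kept elsewhere), since a manifest that sits only on the same online share as the backup can be rewritten along with the data it is meant to protect.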

The second option is to pay the ransom. There are a number of issues in this regard. Some IT experts argue strongly against paying ransoms because, they say with a certain degree of accuracy, this will only encourage the criminals to carry out further attacks.

In reality, however, many facilities have decided to pay the ransom, mostly in the hope of getting back online sooner, and also to prevent the hackers from releasing all the personal health information into the public domain. That, of course, could incur severe penalties from the state under the HIPAA regulations.

The well-known IT specialist publication ZDNet, in an article titled “Ransomware attacks: Why and when it makes sense to pay the ransom” (June 27, 2019), argued that “paying ransomware should be viewed as a viable option and evaluated like any other business decision.” Organizations should, ZDNet noted, “weigh everything from their ability to recover to consultant costs to recovery plans as well as cybersecurity insurance and whether it’ll cover ransom.”

Paying ransoms is also tricky because there is no guarantee that the hackers will supply the decryption keys necessary to unlock the system—another factor which has to be taken into account. Ultimately, there is no clear-cut answer—but whatever is decided, the facility will only have itself to blame if no offline backup system is in place. An offline backup system is a crucial line of defense in the war against cybercriminals.

If HIPAA has been violated as a result of a phishing or ransomware attack, the healthcare facility becomes liable for penalties and must follow the guidelines for reporting the data breach and notifying the individuals whose data has been improperly released.