Ransomware has grown into a new kind of threat to corporations, and it’s only getting stronger. In fact, Symantec Security Response reports that it saw a 300% increase in daily ransomware attacks in Q1 of 2016 alone, with the health sector hit particularly hard. In this guest post, Phil Richards, chief security officer at a software provider that helps organizations balance user requirements with the need to secure critical data, highlights the essential elements hospitals need in their remediation plan.
Ransomware takes a company’s files and systems hostage until financial demands are met. While these demands are often small for healthcare providers, cyber criminals are becoming greedier. Hollywood Presbyterian Medical Center announced it paid $17,000 to hackers in February after being hit by a ransomware attack. As the number of ransomware attacks grows, healthcare providers can no longer afford to pay these browbeaters. And once they know you’ll pay, they know you can pay again.
The healthcare industry has become a victim of ransomware because it has many smaller organizations, hospitals and clinics with smaller security infrastructure that’s easier to breach. What’s more, healthcare companies can’t function without daily access to their patient records and other sensitive data. This need for immediate access to files, combined with the network and infrastructure challenges any smaller organization faces, makes healthcare companies quite alluring to malicious hackers.
Ransomware attacks even happen to companies that have implemented all the protocols, firewalls and education recommended by the FBI, security organizations and others. Since healthcare companies have become a special target, it’s more important now than ever that they have a plan in place to recover their data in the event of an attack.
To avoid the inevitable panic that comes from discovering malware in your system, your healthcare company should compose a plan through collaboration between top executives, the IT and security team, the HR department and others, and rehearse this plan often.
Here are important elements healthcare companies can consider including in their plan to remediate the damage caused by ransomware.
Recovery when attacks strike
When there is a ransomware incident, there are a few incident response steps companies are advised to take:
- Isolate and power off infected systems. If you have sufficient network and system hardening in place, such as patched operating systems and firewalls, the ransomware can be more easily contained in one system, like only one wing of a castle being successfully infiltrated. Quarantining the malware-ridden wing (or system) ensures the rest of your environment isn’t affected.
- Secure backup data. If you have backups for your files, then you have options. You may be able to recover your locked information from your archives without cooperating with the cyber criminals at all. Determine how long the retrieval of your files will take and how recently a backup was performed, and then contemplate your next steps from there. For some companies, a full recovery can take multiple days, which may not be the optimal approach for a clinic or hospital that needs immediate access. Of course, this step is only beneficial if you regularly keep backup copies of your data.
- Contact law enforcement. The FBI doesn’t take ransomware lightly, and should be informed when such an event occurs.
- Collect and secure all evidence. This step will help in your case with law enforcement and possibly help inform the path to identifying and charging the hackers.
- Change accounts, passwords and network access. Think about a complete refresh of all the permissions on your sensitive data. Consider categorizing your data into different security levels and make sure only the employees who need particular information to perform their jobs have access to it; this strategy is called the principle of least privilege.
- Clean infected systems while off-line. Engage your security and IT team to give your systems a nice spring cleaning.
- Research recovery options that don’t require paying ransom. Ideally, this step should be done before a ransomware attack. Pinpointing free solutions before an attack helps your healthcare company come prepared with a better, less expensive option for recovering data.
Should we just pay?
While each situation is different, the resounding answer would be to do everything you can to not pay the ransom. However, because the nature of healthcare requires continual access to data, sometimes companies may need to contemplate the option of fulfilling the demands.
Keep in mind that paying the ransom doesn’t guarantee the encryption will be removed. Remember, ransomware exists because somebody, somewhere paid the ransom.
Unfortunately, ransomware attacks aren’t diminishing, and companies should be prepared. Even if all the safety precautions are implemented, you may still find yourself staring at a ransomware note down the line. With the above steps in mind, you can establish a concrete plan that will help you successfully retrieve your data.
Phil Richards is the chief security officer at LANDESK, a software provider that helps organizations balance rapidly evolving user requirements with the need to secure critical assets and data.