In the first quarter of 2016, the healthcare industry saw an alarming rise in ransomware infections. Numerous providers across the United States were forced to work offline while containing the malware. Ransomware encrypts files or locks systems, cutting off computer and network access until the victim pays the demanded ransom or restores the affected systems by other means. Some past victims have reported paying the ransom and still remaining locked out of their systems. Thankfully, the first incidents of 2016 appear to have reached more favorable resolutions.
Hollywood Presbyterian Medical Center was among the first victims of the year, facing system downtime for over a week in February before paying a 40-bitcoin ransom to obtain the decryption key. At the time, that translated to a payment of roughly $17,000. Two additional California facilities, Chino Valley Medical Center and Desert Valley Hospital, were infected less than a month later. Other well-known attacks include Kentucky provider Methodist Hospital's five-day internal state of emergency, which began on March 18, and the MedStar Health incident at the end of March. Methodist Hospital was eventually able to return to normal operations without paying the ransom by restoring its affected systems from backups. MedStar Health also reports that it regained the functionality of its 10 hospitals' information systems without paying the ransom, though it has closely guarded the details of the attack.
The trend of targeting healthcare providers calls for a closer look at how the community can strengthen its defenses and preparedness. Many of the steps an organization can take map naturally onto HIPAA, which gives a familiar foundation to those less versed in information security. Boehm & Associates also recognizes the important role that communication plays in protecting covered entities, business associates, and ultimately the individuals whose information we maintain.
First, security awareness training is invaluable for any organization. Ransomware typically gains its initial foothold through social engineering, most often a phishing email carrying a malicious attachment or link. Staff who can recognize suspicious emails, links, and file extensions (an "invoice" that is really a script or executable, for instance) can stop such attacks before they ever reach the network. Stringent acceptable use policies further reduce the chance of an individual being pressured or manipulated into deviating from secure procedures.
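As an added example (not part of the original post, and not a product of the firm the post describes), the following Python screens an inbound message for the attachment patterns staff are trained to spot: executable and macro-enabled extensions, double extensions such as invoice.pdf.js, a right-to-left override character in the file name, and a zip archive whose members are scripts. The extension sets are an assumed illustrative policy rather than a vendor blocklist, and the sample message is constructed inside the block so it runs offline.

```python
"""Screen an inbound e-mail for attachment types commonly used to deliver ransomware.

Added example, not from the original post. The extension sets are an assumed
illustrative policy, and the sample message built below is constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions Windows will execute when the attachment is opened.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "jar"}
# Office formats that can carry macros, a common carrier for malicious downloaders.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm"}
ARCHIVE_EXTS = {"zip"}


def split_extensions(filename):
    """Lower-cased extensions in order: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_filename(filename):
    """Findings for one file name; an empty list means nothing suspicious."""
    exts = split_extensions(filename)
    findings = []
    if "\u202e" in filename:
        # Right-to-left override makes 'report\u202efdp.exe' display as 'reportexe.pdf'.
        findings.append("right-to-left override character in name")
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({last})")
    if last in MACRO_EXTS:
        findings.append(f"macro-enabled document ({last})")
    if len(exts) >= 2 and last in EXECUTABLE_EXTS | MACRO_EXTS:
        # 'invoice.pdf.js': a document-looking name hiding a script.
        findings.append("double extension")
    return findings


def screen_message(raw_bytes):
    """Parse an RFC 5322 message; return {attachment_name: [findings]} for risky parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = classify_filename(name)
        exts = split_extensions(name)
        if exts and exts[-1] in ARCHIVE_EXTS:
            # Look inside archives: the lure is usually 'invoice.zip' wrapping a script.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        for f in classify_filename(member):
                            findings.append(f"archive member {member}: {f}")
            except zipfile.BadZipFile:
                findings.append("archive could not be parsed")
        if findings:
            report[name] = findings
    return report


def build_sample_message():
    """Constructed phishing lure: a zip whose only member is a JScript downloader stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016-03.pdf.js", "// placeholder text standing in for a downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "records@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in screen_message(build_sample_message()).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the constructed message, the harmless statement.pdf passes and invoice.zip is flagged twice (executable member, double extension). A mail gateway would quarantine on any finding; the same name checks are worth teaching to staff, since the attachment the gateway misses is the one a person has to catch.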
Dedication to security on the technical front also pays off when a social engineering attempt succeeds. Keeping internet browsers and plugins patched closes many of the vulnerabilities that drive-by download attacks exploit to install ransomware silently, without the user ever realizing the system has been compromised. HIPAA's Minimum Necessary standard also mirrors the information security principle of least privilege, and applying it can greatly limit how far an infection spreads: ransomware runs with the privileges of the account it infects, so an account restricted to the minimum necessary can only encrypt the files and network shares that account can write to, and it leaves the attacker fewer options on the host system itself. Finally, routine system backups are crucial to recovery and key to avoiding payment of the ransom, provided the backups are isolated from the infected systems (a backup share that stays mounted and writable is simply encrypted along with everything else) and restores are tested before they are needed.
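The least-privilege point above can be made concrete by computing what one compromised account could reach. The following Python is an added example (not from the original post): it models a small set of file shares with Windows-style ACLs, where rights flow through group membership and an explicit deny overrides an allow, and computes the "blast radius" of ransomware running as a given user under two configurations, a convenient "Everyone can write" layout and a minimum-necessary one. The shares, groups, file counts and account names are all constructed, and the rights model is a deliberate simplification for illustration, not an audit tool.

```python
"""Estimate one compromised account's ransomware blast radius from share ACLs.

Added example, not from the original post. Shares, groups, ACLs and file counts
are constructed; the rights model (rights flow through group membership, explicit
deny overrides allow) is a simplified version of Windows share semantics.
"""
from dataclasses import dataclass, field


@dataclass
class Share:
    name: str
    files: int                               # constructed count of files on the share
    acl: list = field(default_factory=list)  # (principal, "allow"|"deny", set of rights)
    backup_target: bool = False              # True for the share holding backup copies


# Constructed directory: users and the groups they belong to.
GROUPS = {
    "Domain Users": {"jdoe", "rlee"},
    "Billing": {"jdoe"},
    "Clinical": {"rlee"},
    "Backup Operators": {"backupsvc"},
}


def principals_for(user, groups):
    """A session acts as the user, every group containing it, and Everyone."""
    return {user, "Everyone"} | {g for g, members in groups.items() if user in members}


def effective_rights(user, groups, acl):
    """Rights the user ends up with on one share after applying allows and denies."""
    prins = principals_for(user, groups)
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in prins:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied  # an explicit deny always wins


def blast_radius(user, groups, shares):
    """Shares that ransomware running as `user` could encrypt, and the file total."""
    hit = {s.name: s.files
           for s in shares if "write" in effective_rights(user, groups, s.acl)}
    return hit, sum(hit.values())


def exposed_backups(user, groups, shares):
    """Backup shares the infected account could encrypt along with production data."""
    return [s.name for s in shares
            if s.backup_target and "write" in effective_rights(user, groups, s.acl)]


RW, RO = {"read", "write"}, {"read"}


def broad_shares():
    """'Everyone can write everywhere': convenient, and the worst case for ransomware."""
    return [
        Share("Billing", 4000, [("Everyone", "allow", RW)]),
        Share("Clinical", 12000, [("Everyone", "allow", RW)]),
        Share("Shared", 2500, [("Everyone", "allow", RW)]),
        Share("Backups", 30000, [("Everyone", "allow", RW)], backup_target=True),
    ]


def minimum_necessary_shares():
    """Each role writes only to its own area; backups accept writes only from the backup account."""
    return [
        Share("Billing", 4000, [("Billing", "allow", RW)]),
        Share("Clinical", 12000, [("Clinical", "allow", RW), ("Billing", "allow", RO)]),
        Share("Shared", 2500, [("Domain Users", "allow", RW)]),
        Share("Backups", 30000, [("Backup Operators", "allow", RW),
                                 ("Domain Users", "deny", {"write"})], backup_target=True),
    ]


if __name__ == "__main__":
    for label, shares in (("broad", broad_shares()),
                          ("minimum necessary", minimum_necessary_shares())):
        hit, total = blast_radius("jdoe", GROUPS, shares)
        print(f"{label}: jdoe infected -> {total} files on {sorted(hit)}; "
              f"backups exposed: {exposed_backups('jdoe', GROUPS, shares)}")
```

Under the broad configuration an infected billing workstation reaches every file, backups included; under the minimum-necessary one it reaches only the billing share and the general-purpose shared drive. Two things the second run still shows are worth noting: the shared drive that everyone can write to remains part of the blast radius, and an infection running as the backup service account would reach the backups themselves. Tighter ACLs reduce exposure, but a backup copy that no online account can write to (offline or otherwise immutable) is what actually keeps the recovery path safe.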
For those still skeptical about the changing security landscape, the McAfee Labs Threats Report for March 2016 provides statistics and analysis of ransomware and other cybercriminal activity. Boehm & Associates is committed to continually developing and improving its security practices to keep pace as technology evolves, and will keep a close eye on the legislative developments that are sure to follow.