4 Steps for Fighting Ransomware in Healthcare

How to deal with the most common cyber attacks to healthcare networks

Malware is bad news for any venture, but healthcare seems particularly vulnerable.

Due to air-tight HIPAA regulations, a data breach or data loss by a healthcare facility costs more than just the ransom or the price of restoration. The fines for HIPAA breaches, just on their own, have been rising in price every year.

Studies from Cybersecurity Ventures show that the damage caused by ransomware was estimated at $8 billion in 2018. So how does a healthcare group or facility fight this rising tide? How can a hospital protect its medical computers systems, patient data, and bottom line?

What is Ransomware?

When a virus infects a computer system and makes either the whole system or just a part of it inaccessible, that’s ransomware.

The malicious software does this by essentially encrypting a portion of the victim’s hard drive so that it becomes inaccessible to the original user. Ransomware, true to the name, usually includes a message that the malware will hold the computer or data hostage until they’ve been paid a certain sum of cash (or, more accurately, bitcoin).

A variation of the practice is sometimes called “leakware,” where instead of locking away your files and selling them back to you, the program steals sensitive information and demands money in exchange for not releasing the data out into the world.

1. Limit Exposure to Ransomware

Step 1 of fighting ransomware is to not get infected by it. Sounds easy, of course, but the internet is a minefield of malware that brooks not the slightest slip in security.

In that case, the real step 1 of limiting exposure is training healthcare employees on how to handle emails. It seems a silly thing, but a doctor, nurse, or receptionist clicking the wrong email could compromise not only their PC, but every EMR computer, medical tablet, mobile device, and internet-connected device in the entire building (or further).

The “State of the Phish,” an annual report published by Proofpoint Security, found that in 2017, over 75% percent of organizations had been targeted by email phishing attacks. Phishing is the act of sending a seemingly-legitimate email from a business partner, bank, or other organization, in an attempt to trick employees into giving up personal information of their own volition. It doesn’t require an ounce of malicious software, just a clever hacker and an untrained employee.

Clinicians must be warned about proper email etiquette. Never open an attachment, if you can help it. Consider sharing files and PDFs through the proper encrypted cloud service instead. If you must open an attachment, only do so from a trusted source, and make sure you have an anti-virus program scan any downloaded files before opening them.

Also, Hackers can break into email accounts, and even spoof email addresses to appear to be someone they aren’t. If an email with an attachment from a trusted source feels suspect, it may be wise to call or text the individual who sent it to confirm that they really did.

2. Regulate Access to Medical Computer Systems

Once employees are trained we move on to step 2: limiting access to medical computers, file systems, and EMR programs by untrained individuals. If a section of hospital staff hasn’t been trained on these procedures, and in fact shouldn’t be accessing the medical computers in the first place, a strong security policy on computer access could further prevent damage from ransomware. It also lowers any potential HIPAA violations the hospital would otherwise be courting.

Passwords alone are seldom enough — they’re often broken, given away, or written down somewhere. Instead, make sure that all medical cart computers, tablets, and medical PCs on the network are locked down with two-factor authentication. Consider all-in-one medical PCs that come with RFID, Smart Card, and barcode readers built right into them to maximize security while minimizing unnecessary and cluttery peripherals.

3. Prevent the Spread of Ransomware

The third step for hospital administrators and HIT to take is to create a system where the spread of malware is much more difficult. That way, if one computer is infected with ransomware, it can’t necessarily grab everything on the entire network.

Instead of a single network with a hard outer shell (ie, the firewall or other exterior security measures) and an entirely unprotected internal structure, a segmented network splits everything into many individual networks that have their own security measures.

Imagine the fire doors in a hospital, hotel, or large apartment building — in the event of a fire in the building, the fire doors seal automatically to contain the blaze to the smallest area it can. A segmented medical computer network performs the same function.

Most healthcare facilities (and other industries) put all of their connected gear on the same network — it’s much easier to manage for IT. However, do the computers in the billing department really need to be on the same network as the cart computers in the ICU or the medical tablets in the maternity ward?

Instead, considering separating all of the departments into their own separate networks to prevent any one room fire from burning down the whole building, so to speak. It’s a bit more work for IT, but it could pay huge dividends in the long run.

4. Restore Data After a Ransomware Attack

This is the step no one wants to think about, but the fact remains, sometimes the hackers get through. Sometimes ransomware can infect even the most secure network — all it takes is one clinician downloading something from the wrong site or opening the wrong email.

In the case of a successful attack, much of the damage caused by ransomware can be mitigated by a strong backup strategy. In the case of “leakware,” where sensitive information is stolen and threatened with public release, an encrypted cloud backup isn’t going to do much good. But in most ransomware cases, where the data is made inaccessible, a strong, redundant back-up policy may allow your HIT department a quick escape hatch.

Instead of trying to break the malware, figure out the encryption key, or paying the ransom, the IT department can simply nuke the affected medical computers right to the ground and then reimage them in minutes. Then, once the computer is verified clean and the operating system reinstalled, they can simply access the backup storage and return the computer to its old fighting weight.

Beating Ransomware Before the Fight Even Starts

To paraphrase an old saying, the best time to create a comprehensive ransomware strategy is yesterday. The second best time is right now.

Interested in increasing the security of your medical computer systems, and learning about medical computers and tablet that come with integrated security features like biometric scanners and RFID? Contact Cybernet today to learn more.