Ransomware - Social Engineering that Hurts

Ransomware is not new, but its ever-increasing use to extort healthcare organizations means a ransomware attack should be treated as a definite possibility and a risk that needs to be mitigated. Ransomware itself is malicious code; what makes it a social engineering problem is that it is most often delivered through phishing and other deception aimed at staff. It’s critical for healthcare organizations to prepare for such attacks. Preventing and quickly responding to them should be part of any healthcare organization’s risk management strategy.

The first place to start is with staff education. Phishing and spear phishing can and do lead to more than ransomware. They can lead to network compromise, a breach of patient data and an inability to deliver critical patient care. Staff need to know how to spot malicious links and email, including checking where a link actually goes before clicking it, and what is and isn’t safe to open. Training is one of the key steps in addressing ransomware.

As part of the training, healthcare organizations should run mock phishing exercises. A mock phishing exercise is a controlled form of social engineering: it measures how many staff click on a simulated malicious link without harming the organization. The exercise identifies staff who may need remedial training and makes the threat real for everyone. It should not be a one-time exercise. Ongoing training and periodic social engineering exercises keep the threat of phishing at the forefront of staff’s minds.
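The most common tell staff are taught to look for is a link whose visible text names one site while the underlying address goes somewhere else. The check below is an added example, not code from the original article: it parses an e-mail body, pairs each link’s visible text with its real destination, and flags mismatched domains, bare IP addresses and non-web schemes. The sample e-mail body and the hospital domain names in it are constructed for the example, and the domain comparison uses a simplified last-two-labels rule rather than the Public Suffix List.

```python
"""Flag e-mail links whose visible text points to one domain while the
underlying href leads somewhere else (a classic phishing tell)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body for this example (not from the original article).
SAMPLE_EMAIL_HTML = """
<p>Your payroll record needs review.</p>
<a href="https://login.example-hospital.org/reset">https://login.example-hospital.org/reset</a><br>
<a href="http://198.51.100.23/portal">https://portal.example-hospital.org/login</a><br>
<a href="https://example-hospital.org.evil.example/verify">example-hospital.org</a><br>
<a href="https://intranet.example-hospital.org/news">Read the staff newsletter</a>
"""

# Something that looks like a hostname (optionally preceded by a scheme) in link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(host):
    """Simplified eTLD+1 (last two labels). Assumption for the example; a
    production check would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the list of reasons a link looks deceptive; empty means no finding."""
    reasons = []
    parsed = urlparse(href.strip())
    href_host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if IPV4_RE.fullmatch(href_host):
        reasons.append("href points at a bare IP address")
    shown = DOMAIN_RE.search(text)
    if shown:
        shown_domain = registrable_host(shown.group(1))
        actual_domain = registrable_host(href_host)
        if shown_domain != actual_domain:
            reasons.append(
                f"visible text says {shown_domain} but href goes to {actual_domain or 'nowhere'}"
            )
    return reasons


def suspicious_links(html):
    """Return (href, text, reasons) for every link in the body that has findings."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the constructed body, the script flags the second and third links (an IP-address destination hiding behind a hospital URL, and a look-alike domain) and leaves the two legitimate links alone. Links whose visible text is plain words are not checked for a domain mismatch at all, which is why training still matters: hovering to read the real destination is the only general defense.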

It’s important to implement a solid backup plan. The plan should cover all critical applications and data, and backups should be taken at least daily. At least one copy of the backup media should be offline, meaning not reachable from the production network or the Internet, so that ransomware that has compromised the network cannot encrypt or delete the backups as well. Backup media should also be stored offsite and encrypted; media kept at a secure offsite location is less likely to be accessible to unauthorized individuals. Finally, backups should be tested by actually restoring from them on a schedule; a backup that has never been restored is an assumption, not a recovery capability.
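The plan above boils down to three checks that can be run against the backup inventory every morning: every critical asset has a copy taken within the last day, each copy still matches the hash recorded when it was written, and at least one intact copy sits on an offline or immutable tier. The script below is an added example, not code from the original article. The asset names, storage tier names, manifest records and backup contents are all constructed for the illustration; in practice the manifest would come from the backup software and the hashes would be recomputed by reading the copies from storage.

```python
"""Check a backup inventory against the plan: daily coverage for every
critical asset, integrity of each copy, and an offline copy for each asset."""
import hashlib
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)  # "backups should be taken at least daily"
OFFLINE_TIERS = {"offline_tape", "immutable_object_lock"}  # assumed tier names

# Constructed sample data for this example (not from the original article).
CRITICAL_ASSETS = {"ehr-db", "pacs-images", "ad-system-state"}
NOW = datetime(2024, 3, 10, 6, 0, tzinfo=timezone.utc)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What is actually sitting in backup storage right now.
BLOBS = {
    "ehr-db-20240309": b"EHR full dump 2024-03-09",
    "ehr-db-20240309-tape": b"EHR full dump 2024-03-09",
    "pacs-20240305": b"PACS archive 2024-03-05",
    "ad-20240309": b"AD system state 2024-03-09 (tampered)",  # differs from recorded hash
}

# What the backup software recorded when each copy was written.
MANIFEST = [
    {"asset": "ehr-db", "copy": "ehr-db-20240309", "taken": NOW - timedelta(hours=7),
     "tier": "online_nas", "sha256": sha256(BLOBS["ehr-db-20240309"])},
    {"asset": "ehr-db", "copy": "ehr-db-20240309-tape", "taken": NOW - timedelta(hours=7),
     "tier": "offline_tape", "sha256": sha256(BLOBS["ehr-db-20240309-tape"])},
    {"asset": "pacs-images", "copy": "pacs-20240305", "taken": NOW - timedelta(days=5),
     "tier": "offline_tape", "sha256": sha256(BLOBS["pacs-20240305"])},
    {"asset": "ad-system-state", "copy": "ad-20240309", "taken": NOW - timedelta(hours=9),
     "tier": "online_nas", "sha256": sha256(b"AD system state 2024-03-09")},
]


def verify_backups(manifest, blobs, critical, now, rpo=RPO):
    """Return (asset, problem) findings ordered by asset; an empty list means
    every critical asset has a fresh, intact, offline copy."""
    findings = []
    by_asset = {}
    for rec in manifest:
        by_asset.setdefault(rec["asset"], []).append(rec)

    for asset in sorted(critical):
        records = by_asset.get(asset, [])
        if not records:
            findings.append((asset, "no backup on record"))
            continue

        # Integrity: a copy whose hash no longer matches is treated as lost.
        intact = []
        for rec in records:
            data = blobs.get(rec["copy"])
            if data is None:
                findings.append((asset, f"copy {rec['copy']} missing from storage"))
            elif sha256(data) != rec["sha256"]:
                findings.append((asset, f"copy {rec['copy']} fails integrity check"))
            else:
                intact.append(rec)
        if not intact:
            findings.append((asset, "no intact copy at all"))
            continue

        # Freshness: the newest intact copy must be inside the recovery point objective.
        newest = max(rec["taken"] for rec in intact)
        if now - newest > rpo:
            findings.append((asset, f"newest intact copy is {(now - newest).days} days old"))

        # Isolation: at least one intact copy must be on a tier ransomware cannot reach.
        if not any(rec["tier"] in OFFLINE_TIERS for rec in intact):
            findings.append((asset, "no intact copy on an offline/immutable tier"))

    return findings


if __name__ == "__main__":
    for asset, problem in verify_backups(MANIFEST, BLOBS, CRITICAL_ASSETS, NOW):
        print(f"{asset}: {problem}")
```

On the constructed data the check reports the tampered directory-services copy and the five-day-old imaging archive, while the EHR database passes because it has a same-day copy on tape as well as online. A hash match proves the bytes are unchanged, not that they restore into a working system, so this kind of check complements scheduled restore tests rather than replacing them.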

All healthcare organizations need to develop and implement a formal security incident response plan. The time to plan is not when the ransomware attack occurs. A formal incident response team needs to be appointed and trained. A lot can go wrong during a ransomware attack if no plan is in place and the team has not been formally trained. The FBI has stated that healthcare organizations should not pay the ransom and should engage law enforcement when an attack occurs. That’s good advice, but healthcare organizations also need to decide in advance under what conditions paying the ransom would even be considered in order to protect patients and continue providing care. You can’t know where that point is if you don’t have a plan and haven’t tested it before an attack occurs.

Developing a sound disaster recovery and business continuity plan is another step healthcare organizations can take to reduce the impact of a ransomware attack. Ideally a healthcare organization will maintain what is called a hot site, an alternate location with systems and current data that operations can be switched over to if production systems are encrypted. That is not always feasible, especially for smaller healthcare organizations, because of the cost. Alternatively, a sound and tested plan can identify critical assets such as the EHR, what steps need to be taken to continue the business of healthcare while the data is inaccessible, and how to recover. Such plans include which vendors need to be contacted for replacement servers and other assets, and what steps will be taken to rebuild the network and hardware so that the malicious code is eradicated rather than restored along with the data.


In the end, it is key to make sure staff are trained, phishing tests are run and plans are in place to address malicious attacks before they happen. This is more than a regulatory requirement. It is sound business practice and is needed to provide patient care before, during and after an attack. Nor is it a one-time event. The risks change over time, so plans need to be periodically tested and updated. People remain the most significant risk, so ongoing training is required as well.