Modern health care organizations face many cyber threats. One of the most significant threats in 2016 is ransomware – a form of cyber attack that encrypts (or locks) data until the owner pays a ransom to the attackers. Once encrypted, that data – whether it is emails, accounting information, or patient treatment information – is unavailable to the organization, often severely disrupting operations.
According to an FBI notice released in April of this year, "[r]ansomware attacks are not only proliferating, they are becoming more sophisticated." The FBI further warned that "the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don't prepare for these attacks in advance." This proliferation is no surprise to security experts, who have seen how lucrative ransomware can be for criminals – one variation of ransomware alone reportedly netted attackers over $18 million between 2014 and 2015.
In its April notice, the FBI specifically referenced hospitals as one of the "entities impacted recently by ransomware." Indeed, in the past two years, ransomware attackers have increasingly targeted health care providers. Numerous health care organizations – including MedStar Health, Chino Valley Medical Center, Desert Valley Medical Center, Methodist Hospital in Kentucky, Hollywood Presbyterian Hospital, and Kansas Heart Hospital – have reported ransomware attacks. Some have admitted to paying a ransom to decrypt the affected data, although the FBI recommends against paying such demands. At least one hospital system reported that it paid the demanded ransom, only for the attackers to demand more money and refuse to decrypt any files – something the FBI reports has also happened in other industries.
The prevalence of these attacks in the health care sector shows that health care organizations of all sizes must be vigilant. But in the face of growing criminal activity, and with the FBI advising against paying ransom demands, what can your organization be expected to do?
Broadly, health care organizations should consider two categories of action, consistent with the FBI's recommendations: (1) take measures to reduce the risk of ransomware attacks, and (2) prepare your ransomware incident response in advance. There are numerous details to take into consideration, but the paragraphs below provide a non-exhaustive overview to help guide your efforts.
Health care organizations should take measures to prevent cyber attacks of all varieties, including ransomware. Key among these measures is training all employees and other individuals with access to your systems about the existence of malware and ransomware, how to recognize it, how to avoid it, and what to do in the case of a suspected infection. Information security policies and procedures should be put in place to ensure that your organization is protecting its systems and data from attack. These policies should be maintained by an information security team, and should include guidelines on preventative measures as well as policies governing business continuity, disaster recovery, backups, and incident response. In addition, your information security team should oversee basic technical measures, such as patching operating systems and updating antivirus software, to help prevent attacks. Organizations facing significant risks should also consider engaging a cybersecurity vendor to monitor their systems and detect attacks as soon as they begin.
Health care organizations should also plan in advance for the eventuality of a ransomware attack. Having a detailed ransomware response plan prior to any attack will dramatically increase the likelihood that your organization can navigate an attack efficiently and with a minimal amount of damage. From a technical perspective, ransomware attack preparations should include backing up all data on a regular basis, securing those backups, and segregating them from the rest of your systems so that attacks cannot spread to them. From a practical perspective, you should develop a written ransomware incident response plan and coordinate in advance with all key players, including legal counsel, cybersecurity vendors, public relations consultants, and senior management, so that the plan can be executed as soon as possible after the discovery of a ransomware attack.
The FBI and numerous security consultants anticipate that ransomware attacks, especially in the health care field, are only likely to increase in the near future. The only sensible response is to prepare in advance, because once a ransomware attack hits, it is too late.