What would you do if your practice suddenly lost the ability to access your electronic health record (EHR) and/or practice management system? What if you couldn’t regain control for two weeks and had to use downtime procedures in the interim? This is exactly what could happen if hackers attack your system using ransomware.
What is ransomware?
Ransomware is a type of malicious software that encrypts files and holds them hostage. Hackers often demand that users pay a ransom in the form of bitcoins—an online currency—to remove the encryption so the files can be used again.
Most recently, Hollywood Presbyterian Medical Center in Los Angeles, CA paid $17,000 in bitcoins to regain access to its data after hackers deployed ransomware to infect CT machines, systems essential for laboratory work, and emergency room systems. The hospital used downtime procedures for almost two weeks as a result of the incident.
Ransomware is a major and rapidly-growing threat in 2016, according to the McAfee Labs 2016 Threats Predictions Report. It’s responsible for 406,887 attempted infections, and it accounts for a total of approximately $325 million in damages, according to a November 2015 report by the Cyber Threat Alliance.
“All recent attacks demonstrate the real immaturity of security controls and limitations of safeguards in healthcare,” wrote Stephanie Crabb during a recent cybersecurity Twitter chat hosted by Kareo.
Ransomware is a problem in every healthcare setting, agrees John Rogers, CISSP, manager of professional services at Sage Data Security. This includes independent physician practices as well as those practices that are connected to hospital technology and infrastructure via network VPNs. Rogers says hackers don’t usually target a particular type of provider—they simply look for vulnerabilities to exploit opportunistically.
“Hackers are not interested in spending more effort than they have to,” he says. “So they’re going to look for the unlocked car door before they smash any windows. Unfortunately, there are a lot of unlocked doors out there.”
What makes practices vulnerable?
The most significant vulnerabilities are unpatched operating systems, unpatched third-party applications, misconfigured firewalls, and unpatched firewalls, says Rogers.
A firewall is a system that monitors and controls incoming and outgoing network traffic. It establishes a barrier between a trusted, secure internal network and another outside—and presumably unsecured—network, such as the Internet. A patch updates a firewall to address new security vulnerabilities.
Adobe Flash Player and Internet Explorer® were among the top targets in 2014, according to TrendMicro™. The company published a white paper titled Evolution of Exploit Kits: Exploring Past Trends and Current Improvements that describes infection techniques in greater detail.
Internet- or Bluetooth-enabled medical devices are also vulnerable. These include pacemakers, insulin pumps, and other medication dispersion systems. Ransomware often uses the open connection to infect the IoT device, according to a 2016 report published by the Institute for Critical Infrastructure Technology titled Combatting the Ransomware Blitzkrieg.
How does a ransomware attack occur?
There are many potential scenarios, Rogers explains. For example, hackers could first gain access to a system by exploiting a vulnerability in a firewall or Internet-facing system to deploy an exploit kit that may identify and disable security software. Next, they would simply download malware onto the system. In other scenarios, the hacker might exploit a vulnerability after someone unknowingly clicks on an infected link through a phishing scheme, visits an infected website, or even provides confidential information over the phone to someone posing as an IT professional.
Rogers says approximately 50 variants of ransomware exist today. “But those are main variants,” he adds. “There could be sub-variants of these released at any given time. That’s how this works. Once we understand a certain variant and how to look for it and how to detect it, they’re going to alter it in some way so it can escape detection. It’s always a game of cat and mouse, and unfortunately we’re the mouse.”
Older variants tend to infect one machine, issue one encryption key, and then try to encrypt files on that machine as well as files stored on shared-drives accessible from that one point of infection. Newer variants are capable of enumerating all host computers listed in the Active Directory database and then issuing a distinct encryption key for each.
“It’s a lot harder to unwind, and it can actually go after infrastructure and encrypt firmware, which takes computers down so they’re not operable,” says Rogers. “It’s more dramatic, and it can encrypt more types of files—including databases and backups—not just Microsoft Office files, PDFs, and images.”
What can physicians do to mitigate risk?
Rogers says it doesn’t take a lot of money to make a big difference in terms of security. “The simplest controls are the most effective,” he adds. Consider the following tips to protect your practice against ransomware:
- Perform a security risk assessment. This is required for Meaningful Use, and it can also help pinpoint specific cybersecurity vulnerabilities within your practice, says Rogers.
- Identify an airgap data backup strategy. This allows practices to essentially perform a data backup, then take the backup offline so it is undetectable by malicious software, Rogers explains.
- Purchase cybersecurity insurance. Ask whether the policy covers specific types of attack scenarios and what is included in that coverage. Some policies, for example, may cover a forensic investigation, losses incurred, costs associated with building a bitcoin infrastructure, or payroll during downtime.
- Create a policy and procedure for patch management. Create an inventory of all operating systems, software programs, and devices used in the practice. Establish a process to check for security updates on a daily or weekly basis.
- Raise awareness of phishing schemes. For example, reiterate the importance of hovering over any hyperlinks before actually clicking on them. Does the URL actually match the hyperlink’s text description? For suspicious phone calls, do employees know that they should first offer to call the individual back? Will the caller provide contact information? If a number is provided, Google it first to determine whether it matches the organization’s legitimate number. Employees should not provide any confidential information when they haven’t initiated the conversation.
- Educate employees. Be sure to address the following topics:
- Encrypting and securing wireless networks, mobile devices, emails, and servers
- Implementing physical security controls
- Installing and maintaining anti-virus software
- Using strong passwords that are updated regularly
For more information about how practices can ensure cybersecurity, view these top 10 tips published by HealthIT.gov.