There’s a new crime in town. Ransomware takes cybercrime to a multi-million dollar level. Early cybercrimes of the 1980s, like the “AIDS” Trojan (also known as “PC Cyborg”), triggered a payload claiming that the user’s license to use a certain piece of software had expired, encrypted file names on the hard drive, and required the user to pay $189 to “PC Cyborg Corporation” for the means to unlock the system. Today, ransomware attacks are exponentially more brutal and often lock up servers across the entire organization, with ransoms of several million dollars. Some companies, especially healthcare systems, pay the ransom because access to their electronic medical records is literally a matter of life and death.
Healthcare is a popular focus for ransomware attacks because, unlike credit cards or bank accounts, medical records cannot be easily closed and restarted elsewhere. Experts report that while a credit card nets $6 on the black market, a medical record can garner between $50 and $250. Some say healthcare organizations are less prepared than other industries for these technology attacks, with vulnerable systems and less than stringent protocols for guarding PHI.
“In today’s connected electronic environment, healthcare organizations are big targets for phishing attacks, ransomware attacks and unauthorized third-party network hacking,” says Rick Adams, Vice President of IT and HIPAA Privacy and Compliance Officer at Harmony Healthcare IT. “IT teams need to be prepared like never before. It’s not a matter of ‘if’ there will be an attack, but ‘when’ — and the entire organization needs to be trained to be on-guard and prepared.”
Phishing for Dollars
Ransomware is essentially a virus that is transmitted through email attachments. Often, an unsuspecting employee will click on an attachment and unknowingly launch a virus that can attach to the network and encrypt all of its files. A pop-up then typically appears on the screen informing the user that a ransom must be paid for the code needed to unlock the files. Essentially, one bad move by one employee can shut down an entire organization.
About one in every 965 emails is expected to be a “phishing” email, meaning one that is looking for someone to bite and open the virus-infected message. The average cost to recover from a phishing attack is upwards of $600,000, according to industry experts.
How to Protect Your Healthcare Organization from Ransomware Attacks
1. Prevention –
• Keep your organization’s anti-virus protection services up to date. That said, just like vaccines, anti-virus protection only protects your healthcare organization from currently known viruses and attacks.
• Utilize better email filtering programs to scan for problem emails before they reach users. We recommend not accepting email from domains that are under 72 hours old and stripping the attachment types most likely to carry infections: .exe, .scr, .zip and .pdf.
• Consider creating a geo-fencing strategy and not accepting emails or web links from countries where you are not doing business.
• Purchase any web domains that are similar to your organization’s name, since attackers sometimes create email or web links that look very similar to the real company domain to trick employees into opening them.
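The two filtering rules above (reject mail from domains registered less than 72 hours ago, strip the listed attachment types) can be expressed as a small inbound-mail policy. The following is an added example written for this article, not code from Harmony Healthcare IT or any filtering product; it uses only the Python standard library, and the domain-registration table is constructed sample data standing in for a real WHOIS/RDAP lookup.

```python
"""Inbound-mail policy check: added illustration, not the article's own code.

Implements two recommendations from the article:
  1. reject mail whose sender domain was registered < 72 hours ago;
  2. strip attachments of the listed risky types before delivery.
The domain-age table is constructed sample data (assumption); in production
it would come from a WHOIS/RDAP query or a domain-age reputation feed.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import Path

# Attachment types the article recommends stripping.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".pdf"}
MIN_DOMAIN_AGE = timedelta(hours=72)

# Constructed registration dates (assumption, not real domains).
DOMAIN_REGISTERED = {
    "partner-hospital.example": datetime(2015, 3, 1, tzinfo=timezone.utc),
    # look-alike domain registered the day before the sample message
    "partner-hospita1.example": datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc),
}
# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 5, 11, 12, 0, tzinfo=timezone.utc)


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From: address, handling 'Name <user@host>' forms."""
    _, addr = parseaddr(msg["From"] or "")
    return addr.rsplit("@", 1)[-1].lower()


def domain_too_new(domain: str, now: datetime) -> bool:
    """True when the domain is younger than the 72-hour threshold."""
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return False  # age unknown: leave the decision to other controls
    return now - registered < MIN_DOMAIN_AGE


def strip_risky_attachments(msg: EmailMessage) -> list[str]:
    """Remove risky attachments from a multipart/mixed message in place.

    Returns the filenames that were stripped. Only immediate sub-parts are
    inspected, which is where EmailMessage.add_attachment places them.
    """
    if not msg.is_multipart():
        return []
    stripped, kept = [], []
    for part in msg.get_payload():
        name = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and Path(name).suffix in RISKY_EXTENSIONS:
            stripped.append(name)
        else:
            kept.append(part)
    msg.set_payload(kept)
    return stripped


def apply_policy(msg: EmailMessage, now: datetime) -> tuple[str, list[str]]:
    """Return ('reject', [reason]) or ('deliver', [stripped filenames])."""
    domain = sender_domain(msg)
    if domain_too_new(domain, now):
        return "reject", [f"sender domain {domain} registered less than 72 hours ago"]
    return "deliver", strip_risky_attachments(msg)


def build_sample(from_addr: str) -> EmailMessage:
    """Constructed test message: a text body plus three attachments."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "billing@clinic.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    legit = build_sample("Billing <ap@partner-hospital.example>")
    print(apply_policy(legit, NOW))        # ('deliver', ['invoice.exe', 'report.pdf'])
    lookalike = build_sample("ap@partner-hospita1.example")
    print(apply_policy(lookalike, NOW))    # ('reject', [...])
```

Stripping rather than quarantining keeps the body of a legitimate message flowing while removing the parts that carry the payload; the unknown-domain case deliberately does not reject, so that mail from domains the age feed has never seen is handled by the other controls in the list rather than silently dropped.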
2. Create a Human Firewall – Provide ongoing training for employees about the dangers of phishing emails. Employees should understand that they should not open attachments or click on website links from unknown domains. Some organizations launch fake phishing campaigns to identify and retrain employees who click on potentially harmful email attachments and links. Read more information about free phishing training.
3. Backups – While the current files on your network are at risk, ransomware gurus have done their homework and sometimes set an attack to lie dormant for several days, so that when it launches it infects the network and the backups. Many healthcare organizations today have a multi-tiered approach to their backup strategy that includes keeping file history for 30-60 days and utilizing multiple backup methods and offline locations. Storage, backup and recovery strategy and execution are more mission critical today than ever before.
4. Limit File Sharing Access – Do not give every employee in the organization full access to the complete network. It makes sense to invest the time upfront to have a permission system in place that allows workflow productivity but limits exposure to enterprise-wide network risks. If an attack does happen, the ransomware can only attach itself to the parts of the network where the affected user has permissions.
5. Vet the Vendors – Outside contractors and business associates are predicted to be responsible for allowing up to 20 percent of all ransomware attacks. It is critical to ensure your vendors have a solid virus protection plan in place and follow HIPAA guidelines for compliance and security of PHI.
6. Stay up to Date on the Latest Emerging Attacks – Have a dedicated team within your organization that researches new products and services to better protect your data. Join InfraGard, the partnership between IT professionals and the FBI, and provide an easy way for employees to report suspected phishing emails. Participate in webinars and industry conferences for new information.
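The backup point above has a concrete consequence: a payload that lay dormant for several days means the most recent snapshots may already contain it, so the inventory must hold enough history, on enough independent methods, to reach back past the infection date. The following is an added example written for this article, not the article's or any vendor's code. It checks a backup inventory against the described strategy (30-60 days of history, more than one backup method, an offline copy) and picks a restore point that predates an assumed dormancy window. The inventory and dates are constructed sample data.

```python
"""Backup inventory check and restore-point selection: added illustration,
not the article's own code. The snapshot inventory below is constructed
sample data (assumption)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken: date
    method: str    # e.g. "file-sync", "disk-image"
    offline: bool  # copy held on an offline/air-gapped location


def check_policy(snapshots, today, min_history_days=30):
    """Return a list of policy findings; an empty list means the inventory
    meets the article's strategy: >= 30 days of history, more than one
    backup method, and at least one offline copy."""
    if not snapshots:
        return ["no backups present"]
    findings = []
    history = (today - min(s.taken for s in snapshots)).days
    if history < min_history_days:
        findings.append(f"only {history} days of history; policy requires {min_history_days}")
    if len({s.method for s in snapshots}) < 2:
        findings.append("single backup method; a second independent method is required")
    if not any(s.offline for s in snapshots):
        findings.append("no offline copy; online backups are reachable by ransomware")
    return findings


def choose_restore_point(snapshots, detected_on, dormancy_days):
    """Newest snapshot taken before the estimated infection date.

    The infection date is the detection date minus the dormancy period the
    article describes. Offline copies are preferred over online ones of any
    date, because an online copy that predates infection may still have been
    encrypted or deleted once the payload fired. Returns None if no snapshot
    predates the infection.
    """
    infected_on = detected_on - timedelta(days=dormancy_days)
    clean = [s for s in snapshots if s.taken < infected_on]
    if not clean:
        return None
    return max(clean, key=lambda s: (s.offline, s.taken))


# Constructed inventories (assumption). TODAY is also the detection date.
TODAY = date(2024, 6, 1)

# Good: daily online file-sync for two weeks plus weekly offline disk images.
GOOD_INVENTORY = [
    Snapshot(date(2024, 5, 18) + timedelta(days=i), "file-sync", offline=False)
    for i in range(15)
] + [
    Snapshot(d, "disk-image", offline=True)
    for d in (date(2024, 4, 28), date(2024, 5, 5), date(2024, 5, 12),
              date(2024, 5, 19), date(2024, 5, 26))
]

# Weak: the same daily online file-sync and nothing else.
WEAK_INVENTORY = [
    Snapshot(date(2024, 5, 19) + timedelta(days=i), "file-sync", offline=False)
    for i in range(14)
]

if __name__ == "__main__":
    print("good findings:", check_policy(GOOD_INVENTORY, TODAY))
    print("good restore :", choose_restore_point(GOOD_INVENTORY, TODAY, dormancy_days=5))
    print("weak findings:", check_policy(WEAK_INVENTORY, TODAY))
    print("weak restore :", choose_restore_point(WEAK_INVENTORY, TODAY, dormancy_days=20))
```

With a five-day dormancy the good inventory yields the 26 May offline image as the restore point; the weak inventory fails all three policy checks and, for a twenty-day dormancy, has no snapshot at all that predates the infection, which is exactly the situation the 30-60 day history is meant to prevent.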
The Future of Healthcare Cybercrimes
“Some organizations are already taking healthcare knowledge and thinking of ways to apply it in security. Tools developed to deal with human disease outbreaks might be applicable to containing computer viruses. One such protocol, developed by the World Health Organization in the aftermath of the Ebola crisis, encourages data sharing during pandemics to facilitate better response coordination. Systems for sharing data on healthcare industry computer virus outbreaks could provide similar benefits, but most companies have historically swept these incidents under the rug to avoid embarrassment.” – reports Will Greene, digital health entrepreneur and researcher in a recent online article in Techonomy.
Like many emerging technology issues, it makes sense to work together within your organization as well as with industry professionals and, in this case, law enforcement to steward your organization through new territory. IT security cannot be overlooked, and a health audit of your email and data systems can be a good start. Every employee must be informed and trained to understand how a single careless click could be a multi-million dollar mistake that temporarily wipes out the entire organization.
Rick Adams is Vice President of IT and HIPAA Privacy and Compliance Officer at Harmony Healthcare IT (HHIT), a leading data extraction, migration, archival, integration and analytics company headquartered in South Bend, Indiana.
HHIT, the makers of Health Data Archiver, has extracted demographic, financial, clinical and administrative data for hundreds of systems, billions of records and terabytes of data to provide its clients with trusted and seamless data solutions.
Adams has more than 20 years of experience in health information technology. As a partner at Harmony Healthcare IT, he has developed products and services that focus exclusively on the secure management of legacy data and the decommissioning of legacy systems both at the acute and ambulatory care level.