Healthcare organizations are no stranger to cyberattacks, as private health information has become a valuable commodity for hackers. But the threat of a ransomware infection can go beyond a conventional data breach and cause a hospital's operations, for example, to grind to a complete halt. The first article in this series described the threat of ransomware attacks and explained what it means for healthcare organizations. This article offers advice to those organizations on how to prevent and respond to ransomware infections.
The general guidance from the FBI in its trifold brochure on ransomware, from KnowBe4 in its Ransomware Hostage Rescue Manual and in the National Institute of Standards and Technology's Computer Security Incident Handling Guide is to place primary focus on preparation and prevention, and then on response.
Preparing for ransomware attacks
- Users: First and foremost, companies need to recognize that their first line of defense against a ransomware infection includes every one of their users -- employees, vendors, contractors and volunteers who use networked computers for email and internet browsing. Companies need to educate their users about ransomware, phishing attacks and subtle malware attacks. Otherwise, they can probably expect continuing issues with attacks or near-misses with ransomware and other viruses or worms attempting to infect their systems.
- Account privileges: Manage and limit the number and scope of privileged accounts in your enterprise's user base. This way, an attack would most likely land on a user with limited privileges and its impact would be minimized, as opposed to an attack on a system administrator or highly privileged computer user, which could lead to substantial damage and greater "depth" of the ransomware infection on your systems.
- Software: Take advantage of the various technical capabilities of your software and operating systems. These preparatory actions include:
  - Ensuring you are using a firewall -- block known malicious internet protocol addresses;
  - Implementing antispam and anti-phishing;
  - Ensuring all systems have up-to-date antivirus -- it is even better to add application whitelisting and heuristics here too;
  - Implementing highly disciplined and timely patching of operating systems and applications;
  - Disabling macro scripts in Microsoft Office files transmitted via email to best minimize the possibility of document macros downloading ransomware; and
  - Scanning incoming and outgoing email to detect threats and filter executable files to prevent them from reaching end users.
- Backups: A key defense against malware is having recent backups of all working files and data readily available. If you don't have these backup files segregated from your network but available when ransomware hits, you may wind up paying the ransom rather than rebuilding your systems without payment to the evildoer. Therefore, ensure all data you will need to run your hospital or enterprise is backed up and segregated from the network -- this includes USB and mobile storage.
  - Be certain your backups are not connected permanently to the computers and networks being backed up, or they will be subject to the ransomware's scans and attack paths.
  - Regularly test your backup recovery functions and test the data integrity of physical backups. This is just as important as having a viable backup to restore.
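The email-filtering and macro-disabling items in the software list above can be enforced at the mail gateway. The following is an added example, not code from the article or any vendor product: a Python attachment policy that blocks executable and macro-enabled files by both extension and content, because a payload renamed to `.pdf` still begins with the `MZ` executable header, and a `.docx` that carries a `vbaProject.bin` member still contains macros. The extension lists and the sample attachments are constructed assumptions for illustration.

```python
"""Attachment policy filter: blocks executables and macro-enabled Office files.

Constructed example, not code from the article. Decisions are made on both the
filename extension and the file content, because attackers rename payloads.
"""
import io
import zipfile
from dataclasses import dataclass

# Extensions that should never reach an end user's mailbox (assumption: a
# representative list, not an exhaustive one; tune it to your environment).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".msi", ".dll", ".jar", ".lnk",
}
# Macro-enabled Office formats: the article's concern about mailed macros.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Legacy binary Office formats can carry VBA too; treat them as suspect.
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def _has_vba_project(data: bytes) -> bool:
    """OOXML documents are ZIP archives; a vbaProject.bin member means macros."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def check_attachment(name: str, data: bytes) -> Verdict:
    """Decide whether one attachment may be delivered to an end user."""
    ext = _extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension {ext}")
    if ext in MACRO_EXTENSIONS:
        return Verdict(False, f"macro-enabled Office format {ext}")
    # Content checks: a Windows executable starts with 'MZ' whatever its name.
    if data[:2] == b"MZ":
        return Verdict(False, f"PE executable header despite extension {ext or '<none>'}")
    if _has_vba_project(data):
        return Verdict(False, "OOXML document contains vbaProject.bin (macros)")
    if ext in LEGACY_OFFICE_EXTENSIONS and data.startswith(OLE_HEADER):
        return Verdict(False, "legacy binary Office document; quarantine for macro inspection")
    return Verdict(True, "no executable or macro indicators")


def _build_docx_with_macros() -> bytes:
    """Constructed sample: a minimal OOXML container that carries a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments, as a mail gateway might hand them over.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to .pdf
    "report.docx": _build_docx_with_macros(),       # macros hidden in a .docx
    "update.scr": b"MZ" + b"\x00" * 30,             # screensaver executable
    "notes.txt": b"Patient census for Monday\n",    # harmless text
}


def filter_attachments(attachments: dict) -> dict:
    """Apply the policy to a whole message's attachments."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in filter_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:13} {'ALLOW' if verdict.allowed else 'BLOCK'}  {verdict.reason}")
```

Checking content as well as extension is the point: an extension-only filter passes the renamed executable and the macro-bearing `.docx`, which are exactly the attachments that start a ransomware infection.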
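The last two backup items above (segregated backups and regular integrity testing) are easier to act on with a hash manifest. This added example, not from the article, builds a SHA-256 manifest of a backup set and later verifies a copy against it, whether that copy is the offline media itself or a tree restored during a recovery drill. The directory layout, file names and the simulated tampering are constructed for the demonstration.

```python
"""Backup integrity manifest and restore verification.

Added example, not from the article. Builds a SHA-256 manifest of a backup
set and later verifies a copy (the original media or a restored tree) against
it, so silent corruption or encryption of backup files is caught before the
day you need them.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files never load whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the manifest with the offline media, not only on the network.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest; anything not 'ok' needs attention."""
    current = build_manifest(root)
    report = {"ok": [], "changed": [], "missing": [], "added": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def drill() -> dict:
    """Constructed restore drill: back up, tamper with the copy, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "patients.db").write_bytes(b"constructed db contents" * 100)
        (backup / "ehr" / "schedule.csv").write_text("room,time\nA1,0900\n")
        (backup / "readme.txt").write_text("nightly backup set\n")
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)

        # Simulate what a tampered or bit-rotted copy looks like: one file
        # overwritten with random bytes, one deleted, one unexpected newcomer.
        (backup / "ehr" / "patients.db").write_bytes(os.urandom(2300))
        (backup / "readme.txt").unlink()
        (backup / "new_unexpected.bin").write_bytes(b"constructed stray file")
        return verify_manifest(backup, load_manifest(manifest_path))


if __name__ == "__main__":
    for status, files in drill().items():
        print(f"{status:8} {files}")
```

Run the verification against every physical backup on a schedule and after every restore test; a non-empty `changed` or `missing` list means that backup cannot be trusted as the clean copy Step 5 depends on.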
How to respond to a ransomware infection
Step 1: Disconnect everything and implement the cyber emergency response plan
If your computer begins to display the symptoms of ransomware or malware compromise, unplug the computer from the network and turn off wireless functionality such as Wi-Fi, Bluetooth and near-field communication. However, do not turn off the machine or you will lose the ability to perform forensics on the machine later on.
Step 2: Determine the scope of the infection
Ascertain if the ransomware has infected any of the following:
- Mapped or shared drives;
- Mapped or shared folders in other computers;
- Network storage devices of any kind;
- External hard drives;
- USB storage devices including USB sticks, attached phones and cameras; and
- Cloud-based storage such as Dropbox and Google Drive.
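Working through the list above by hand is slow when dozens of shares are mapped, so it helps to have a triage scan that reports which locations hold files that look encrypted. The following is an added example, not from the article: it flags a document whose leading bytes no longer match its extension (encryption replaces the format's magic bytes) and a text-type file whose byte entropy approaches 8 bits per byte, which plain text never reaches. The magic-byte table, thresholds, and the two constructed shares are assumptions; in use, the labels would be your drive letters or UNC paths and the paths their mount points.

```python
"""Triage scan for Step 2: which mapped drives, shares or storage locations
hold files that look encrypted? Added example, not from the article.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Expected leading bytes for common document types (assumption: a small
# representative table; extend it for the formats your organization stores).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".hl7", ".sql"}
ENTROPY_LIMIT = 7.5    # bits per byte; plain text sits well below 6
MIN_SIZE = 512         # tiny files give unreliable entropy estimates
AFFECTED_RATIO = 0.2   # fraction of suspect files that marks a location as hit


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path) -> Optional[str]:
    """Return a reason string if the file looks encrypted, else None."""
    ext = path.suffix.lower()
    with path.open("rb") as f:
        head = f.read(4096)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return f"header mismatch for {ext}"
    if ext in TEXT_EXTENSIONS and len(head) >= MIN_SIZE:
        ent = shannon_entropy(head)
        if ent > ENTROPY_LIMIT:
            return f"text file with entropy {ent:.2f} bits/byte"
    return None


def scan_location(root: Path) -> dict:
    """Summarize one mount point: file count, suspect files, and a verdict."""
    files = [p for p in root.rglob("*") if p.is_file()]
    suspects = {}
    for p in files:
        reason = inspect_file(p)
        if reason:
            suspects[p.relative_to(root).as_posix()] = reason
    ratio = len(suspects) / len(files) if files else 0.0
    return {"files": len(files), "suspects": suspects,
            "likely_affected": bool(suspects) and ratio >= AFFECTED_RATIO}


def scan_locations(locations: dict) -> dict:
    """locations maps a label (drive letter, UNC path) to its mount point."""
    return {label: scan_location(path) for label, path in locations.items()}


def demo() -> dict:
    """Constructed shares: one healthy, one overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        finance = Path(tmp) / "finance"
        finance.mkdir()
        (finance / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 600)
        (finance / "policy.pdf").write_bytes(b"%PDF-1.4\n" + b"stream data " * 50)
        (finance / "vendors.csv").write_text("name,contact\n" * 80)

        radiology = Path(tmp) / "radiology"
        radiology.mkdir()
        for name in ("scan01.docx", "report.pdf", "worklist.csv"):
            (radiology / name).write_bytes(os.urandom(4096))  # simulated encryption
        (radiology / "README.txt").write_text("short note\n")  # too small to judge

        return scan_locations({"S: (finance share)": finance,
                               "R: (radiology share)": radiology})


if __name__ == "__main__":
    for label, result in demo().items():
        flag = "AFFECTED" if result["likely_affected"] else "clean"
        print(f"{label:22} {flag:8} {len(result['suspects'])}/{result['files']} suspect")
```

Treat the output as a prioritization aid, not proof: compressed media and archives are naturally high-entropy, which is why the entropy test is applied only to text-type files, and a single header mismatch can be an ordinary corrupt file. Locations marked affected are the ones to isolate first and examine on a machine that has already been disconnected as described in Step 1.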
Step 3: Determine ransomware strain
You can probably skip this step in some incident response scenarios but it may be helpful for the FBI or law enforcement response -- and even your antivirus or cybersecurity vendor -- to know what type of ransomware they are dealing with. One ready asset you can immediately examine is the Bleeping Computer website, where you can view examples of different ransom note screens and make a more educated guess as to the type of ransomware you have been infected with.
Step 4: Evaluate your responses
The FBI recommends contacting your nearest FBI field office immediately after detecting a ransomware attack. Telling the FBI is not conceding defeat but is instead a way of reaching out to get some experienced and expert advice on the ransomware attack.
Your other options may include:
- Restoring bare-metal systems from a recent, uncontaminated backup (preferred);
- Decrypting files using a third-party ransomware decryption tool (low probability);
- Doing nothing and losing your data -- and suffering the legal/business consequences; and
- Negotiating and paying the ransom.
It should be noted that the FBI does not support paying a ransom to the attacker.
Step 5: Restoration
In this step, your focus is on restoring your systems to normal. Ensure all traces of the ransomware infection are removed -- even from old backups and backups of backups.
Also, conduct an after-action review of the attack and responses and be sure to take positive action on lessons learned.
Maintaining compliance after a ransomware infection
The U.S. Department of Health and Human Services (HHS) has released a fact sheet on ransomware and HIPAA. This fact sheet is a fairly straightforward read; however, its recommendation is that "…an entity infected with ransomware contact its local FBI or United States Secret Service field office." Additionally, as far as HHS is concerned, if your hospital/medical organization has been hit with ransomware you should immediately presume a breach has occurred and you must comply with the applicable breach notification provisions in accordance with HIPAA breach notification requirements.