How Hospitals Can Avoid Being the Next Ransomware Victim

Foley Hoag LLP - Security, Privacy and the Law

Hospitals are increasingly targeted by hackers, particularly through “ransomware.” What follows is a primer on ransomware and how to avoid becoming a target of it.

What is ransomware? 

Ransomware is a type of malware that limits users’ access to their computer systems. It functions by locking a user’s system and/or encrypting its files.  Once ransomware gains access to a single workstation, it can “travel across [a] network and encrypt any files located on both mapped and unmapped network drives . . . lead[ing] to a catastrophic situation whereby one infected user can bring a department or an entire organization to a halt.”  The user (or organization) is then required to pay a ransom, often in Bitcoin, to restore access.

Why is ransomware relevant?

Ransomware attackers have been increasingly targeting the health care sector, which Bill Siwicki in Healthcare IT News rather bluntly terms a “sitting duck” for such attacks.  Hospitals are especially vulnerable to ransomware “because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can get delayed and halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.”  Health care providers recently targeted by ransomware attacks include MedStar Health in Washington DC and Maryland, Hollywood Presbyterian in Los Angeles, King’s Daughters’ Health in Indiana, and Ottawa Hospital in Ottawa, Canada.

How can health care providers avoid being hit by ransomware?

There are a variety of things that health care providers can do to avoid being hit by ransomware.  Here are five:

  1. Back up data: A recent article in Newsweek states that it is crucial “to have a backup system, whether in a cloud network or some reserve outside the IT network where hackers can’t get to it.”  Cybersecurity firm KnowBe4, Inc. recommends having an off-site or redundant backup, because backups that are easily accessible to a ransomware-infected computer might be encrypted along with the files that they are intended to backstop.  Hospitals should have the ability to perform backups in real time, and should both perform and test their backups
  2. Restrict Network Access: According to KnowBe4, the most important thing hospitals can do to protect themselves is to “restrict permissions to areas of the network.” KnowBe4 recommends breaking the network into smaller parts as opposed to having everyone in a large organization using a single server to access files.  That way, even if a server gets infected, it will not spread ransomware throughout the organization.  Similarly, the United States Computer Emergency Readiness Team (US-CERT) recommends applying the “least privilege principle” to systems and services and limiting users’ permissions to install and run unwanted software applications.
  3. Train employees: Cybersecurity experts stress the point that “[a]ll it takes is one uneducated system user” to give ransomware a way in. Bill Carey, a VP at GoodSync (a backup and synchronization software company), notes that ransomware is usually sent in the form of an innocuous file attached to a seemingly routine email.  He accentuates the importance of “periodic cyber safety trainings for   Going beyond basic security training, Carey encourages organizations to train employees never to use USB flash drives not obtained from a reliable source.  Another suggestion for organizations, including health care entities, is to conduct simulated phishing attacks to build employee awareness and care.
  4. Whitelist applications: CERT suggests using application whitelisting to block ransomware. A whitelisted computer “allows only specified programs to run, while blocking all others.”  Stu Sjouwerman, KnowBe4’s CEO, cautions that “enforcing whitelisting in an organization . . . is a political exercise and not just a technical one” since it involves strict organizational control over what programs employees use.  It is also a labor-intensive process, especially in large
  5. Use up-to-date antivirus software and operating systems: CERT recommends keeping antivirus software up to date and scanning all software downloaded from the internet before executing it. Just as important is to maintain up-to-date operating systems, since these have advanced identity and access management technology that decreases the risk of intruders getting in.  CERT stresses the importance of patching operating systems and, indeed, all software.  One particular concern for hospitals is that medical devices running old, unpatched operating systems can serve as “vectors” for delivery of ransomware and other malware onto larger hospital  Hospitals and medical device manufacturers should be aware of FDA’s January draft guidelines for postmarket medical device cybersecurity.

Additional Resources:

US Computer Emergency Readiness Team (US-CERT) Alert (TA16-091A): Ransomware and Recent Variants, Mar. 31, 2016.

Adam Alessandrini, Ransomware Hostage Rescue Manual, KnowBe4.

Bill Siwicki, Tips for Protecting Hospitals from Ransomware as Cyberattacks Surge, Healthcare IT News, Apr. 6, 2016.

Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired, Mar. 30, 2016.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising
