We read a frightening article over the weekend about a ransomware attack on a large Los Angeles hospital, in which the hospital eventually agreed to pay the attackers $17,000 to restore access to its electronic communication systems. Though the attack at no time disrupted medical care while it was in place, nor compromised confidential data, it did “lock out” users of the hospital's email servers and other forms of electronic communication. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Allen Stefanek, the president of Hollywood Presbyterian.
Another attack on a small hospital in Texas completely locked out medical staff from accessing patient medical records. In that case as well, the hospital paid the ransom.
Ransomware has become the go-to tool for would-be electronic criminals. Its aim is not to steal information, which has by and large become harder for thieves because of encryption, firewalls, and intrusion-prevention controls, but to hold an electronic system “hostage” by locking out its users until a relatively small ransom is paid. For health-care providers, ransomware is inconvenient at best and life-threatening at worst, and the thieves know that it is in a provider’s short-term interest to pay the smaller “ransom” rather than risk the safety of its patients and the malpractice claims that could follow a disruption of service. A provider that chooses to fight a ransomware attack instead faces an unknown quantity of money and time to fix the problem, as opposed to a known sum to restore access to its systems.
Health-care providers, and other organizations that deal with public safety or critical infrastructure, such as school districts and police forces, have been increasingly targeted by ransomware attacks. But health-care providers are being hit hardest. Katherine Keefe, the head of security-breach response services at Beazley, an insurance company, said that of the 1,200 breaches she and her team investigated in 2015, about half had occurred at health-care providers of one kind or another, and that those attacks had ramped up in frequency over the preceding eight months.
Of course the scariest part of the whole thing is that there is no guarantee the thieves will actually restore access to your data once they are paid, and a decryption key does nothing about whatever foothold they used to get in. So, as the old adage goes, “an ounce of prevention is worth a pound of cure.”
What can a health-care provider do to shore up its defenses against a ransomware attack before one occurs? This is a very broad subject, but the article we read summarized a few key measures that could make all the difference in a ransomware attack:
- Have robust data back-up protocols. If an organization is unwilling to pay the ransom, having back-ups of everything is the only surefire way to recover its data. Those back-ups must be kept offline or otherwise out of reach of the network the ransomware runs on, because a back-up sitting on a mapped drive will simply be encrypted along with everything else, and restores should be tested before they are needed.
- Authenticate all inbound email. Make sure you know who is sending you email. Controls such as SPF, DKIM and DMARC let your mail gateway verify that a message claiming to come from a domain was actually sent by it. Don’t open email from sources you do not trust, especially messages containing attachments or executable files.
- Install ad-blocking software if your employees are operating on a network with unrestricted access to the internet. Ransomware operators have become more sophisticated, placing “malvertisements” on websites where they know their potential victims congregate. If you want your employees to be able to operate on a network with unrestricted access to the internet, consider putting that traffic on a completely separate network from the one where important data is stored.
- Monitor file activity across all servers for patterns of malicious activity. An attack on one individual can quickly escalate into an attack on the entire organization, because ransomware spreads rapidly through shared folders and network drives. Early detection allows your organization to isolate the affected accounts and machines quickly and lessen the damage.
- Have an incident response plan in place, and rehearse it. You don’t want to be searching Google for a forensic data recovery specialist in the middle of the night.
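As an added example for the inbound-email bullet above (this is illustrative code, not anything from the article or from DDI), here is a small mail-gateway policy in Python that honours only the Authentication-Results header written by the hospital's own gateway, quarantines anything that does not pass DMARC, and blocks attachments with executable or macro-enabled extensions. The authserv-id `mx.example-hospital.org`, the blocked-extension list and both messages are constructed for this example; the second message carries a forged upstream Authentication-Results header, which is exactly the case the authserv-id check exists for.

```python
import email
import re
from email import policy

# The authserv-id our own gateway writes into Authentication-Results.
# Hypothetical name assumed for this example; anything else is ignored,
# since a sender can forge that header upstream of us.
OUR_AUTHSERV_ID = "mx.example-hospital.org"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

# Attachment types that should never arrive by e-mail (assumed policy).
BLOCKED_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd",
               "ps1", "jar", "docm", "xlsm", "pptm"}

# Constructed sample messages; neither is real mail.
GOOD_MSG = """\
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=example-hospital.org; dkim=pass header.d=example-hospital.org; dmarc=pass header.from=example-hospital.org
From: Billing <billing@example-hospital.org>
Subject: March statement
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Statement attached.
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# The first Authentication-Results line was added by the sender, not by us.
BAD_MSG = """\
Authentication-Results: mail.attacker.example; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.example-hospital.org; spf=fail smtp.mailfrom=hospita1-billing.example; dkim=none; dmarc=fail header.from=example-hospital.org
From: Billing <billing@example-hospital.org>
Subject: Overdue invoice - open immediately
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please review the attached invoice.
--b2
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b2--
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts, trusting only our own gateway's header."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(hdr).partition(";")
        if authserv_id.strip().lower() != OUR_AUTHSERV_ID:
            continue  # foreign or forged header: ignore it
        for method, verdict in AUTH_RE.findall(rest):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def attachment_risk(filename):
    """Return a reason string if the attachment name is a blocked type."""
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in BLOCKED_EXT:
        return f"blocked extension .{parts[-1]}"
    return None


def decide(raw_message):
    """Return ("deliver" or "quarantine", [reasons]) for one inbound message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    dmarc = auth_results(msg).get("dmarc", "missing")
    if dmarc != "pass":
        reasons.append(f"dmarc={dmarc} for {msg['From']}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        risk = attachment_risk(name)
        if risk:
            reasons.append(f"attachment {name}: {risk}")
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    for label, raw in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        print(label, decide(raw))
```

The second message is quarantined for two independent reasons: the only Authentication-Results header we trust says DMARC failed, and the attachment is a script hiding behind a double extension. A gateway that simply accepted the first Authentication-Results header it saw would have let the forged "dmarc=pass" through.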
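As an added example for the file-monitoring bullet above (illustrative code written for this page, not code from the article or from DDI), here is a small Python detector that reads file-server audit events and raises an alert on the two signs a ransomware run leaves behind: a burst of renames by one account that change file extensions, and a "how to decrypt" note dropped into a folder. The log format, the account names, the sample lines and the thresholds (10 extension changes within 60 seconds) are all assumptions made for this example and should be tuned to your own file servers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit-log format assumed for this example (one event per line):
#   <ISO-8601 timestamp> <account> <CREATE|WRITE|RENAME> <path>
# RENAME lines carry "<old path> -> <new path>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<op>CREATE|WRITE|RENAME) (?P<path>.+)$"
)

# Tuning knobs (assumed values): this many extension-changing renames by one
# account inside one window is treated as a burst.
BURST_COUNT = 10
BURST_WINDOW = timedelta(seconds=60)

# Ransom notes are typically text or HTML files named to get attention.
RANSOM_NOTE_RE = re.compile(r"(decrypt|ransom|recover).*\.(txt|html?)$", re.I)

# Constructed sample log: a nurse doing ordinary work, then account "jdoe"
# renaming a dozen radiology reports to *.locked within 12 seconds and
# dropping a note. None of this comes from a real system.
SAMPLE_LOG = [
    "2016-02-19T02:13:40 nurse1 WRITE /shared/nursing/schedule.xlsx",
    "2016-02-19T02:13:55 nurse1 RENAME /shared/nursing/draft.docx -> /shared/nursing/final.docx",
] + [
    f"2016-02-19T02:14:{i:02d} jdoe RENAME /shared/radiology/report_{i}.docx"
    f" -> /shared/radiology/report_{i}.docx.locked"
    for i in range(12)
] + [
    "2016-02-19T02:14:13 jdoe CREATE /shared/radiology/HOW_TO_DECRYPT_FILES.txt",
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line):
    """Return (timestamp, user, op, old_path, new_path), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    old = new = m.group("path")
    if m.group("op") == "RENAME" and " -> " in old:
        old, new = old.split(" -> ", 1)
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("op"), old, new


def detect(lines):
    """Return a list of (timestamp, user, reason) alerts, one per indicator."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of extension-changing renames
    already_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, op, old, new = rec
        if op == "CREATE" and RANSOM_NOTE_RE.search(basename(new)):
            alerts.append((ts, user, f"ransom note dropped: {new}"))
            continue
        # Encrypting a file in place and appending a new extension
        # (report.docx -> report.docx.locked) is the classic signature;
        # an ordinary rename that keeps the extension is ignored.
        if op == "RENAME" and extension(old) != extension(new):
            window = recent[user]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and user not in already_flagged:
                already_flagged.add(user)
                alerts.append((ts, user,
                               f"{len(window)} extension changes in "
                               f"{BURST_WINDOW.seconds}s, latest: {new}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT account={user}: {reason}")
```

On the sample log this fires twice: once on jdoe's tenth extension-changing rename at 02:14:09, a few seconds into the burst and long before the share is fully encrypted, and once on the ransom note. The nurse's rename of draft.docx to final.docx is not counted because the extension is unchanged. In a real deployment the alert would feed whatever isolates the account and disconnects the workstation; the note-name pattern will occasionally match an innocent file such as a "recovery procedures" document, so treat it as corroboration rather than a verdict on its own.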
Make sure you understand how a potential technology breach could affect you and your own personal liability. It is important to note that at DDI, while we provide separate limits for cyber-liability coverage in our medical malpractice insurance policies, this coverage does not cover ransomware attacks. Click here to contact us and learn what we can do for you and your organization to help avoid a ransomware attack.