Ransomware: How to Safeguard Your Practice Against Threats

Ransomware attacks have increased over 97% in the past two years

Most individuals have heard of malware through their personal devices pinging with potential threats when questionable websites are visited, but what is ransomware?

Ransomware¹ is malware. Hackers use encryption tools to lock up your data and hold your information hostage until you agree to pay a ransom. Ransoms are typically in the form of bitcoin. In a medical practice setting, this could affect one singular machine, or it could infect your server thus encrypting all of your files on all devices connected to that server. Hackers will establish a ransom that must be paid within a specific time frame. If the ransom is not acquired, your data will not be unlocked, and if you do pay the ransom, they ‘should’ send you a decrypt key.

With these attacks becoming more and more frequent, it is important to know what to be vigilant of, how to spot vulnerabilities within your practice, and how to safeguard against ransomware attacks.

Kristen Heffernan, General Manager of Henry Schein MicroMD, previously had a role focused on directing the strategic marketing initiatives for a cybersecurity company serving the Fortune 500. As your trusted advisers, we conducted a mini interview with Kristen to gain better insight into what ransomware is and the safeguards your practice can take to avoid becoming victims to this form of malware.

Interview with Kristen:

Why are medical offices becoming targets more and more frequently?

• Healthcare data is extremely lucrative. The data elements typically captured and stored by a medical office can fill in gaps of demographic and unique identifier data that allows malicious actors to not only pull off one time financial fraud, but to also up their game to full identity fraud. If someone only obtains a name and zip code paired with a credit card number and security code they can conduct financial transactions. If someone steals a name, social security number, age, DOB, and address, they could get a driver’s license in your name, get a job, open credit accounts, and file taxes. Healthcare data offers a more robust data set of identifiers hackers need to be able to sell the data for more money. Medical offices – especially smaller practices housing data on their own servers – are being increasingly targeted. This is because hackers know they are less likely to have cybersecurity precautions and data backups in place which make it more likely that the data can be accessed and encrypted and that the practice will pay the ransom.

How is ransomware typically spread?

• The easiest way is to email a link or attachment that an unsuspecting employee opens that installs and/or spreads the malware.

What should people be vigilant of?

• Avoid opening email attachments from or clicking links in the email from incorrect, unknown, or suspect senders. Do not download and run applications that are not legitimate. Sometimes it’s too late. Once you click on something, the ransomware auto-installs and the user may not even know until their anti-virus software catches it. Or worse, a ransom message pops up. Cyber criminals are becoming more sophisticated using phone calls and other social engineering methods to get individuals to play along; make the lies seem more real; engage victims to do something they shouldn’t for reasons they think are legitimate.

How do you detect a ransomware ploy?

• Users are often the first targets and the first line of defense. Ask your employees to forward suspicious emails to someone qualified to review and permanently delete them from their computers. Monitor and act on alerts from your antivirus software. Monitor your networks for known ransomware file names/extensions. Look for increases in file renames. Set up a sacrificial shared network on slow drives with lots of small random files. Ransomware usually starts with encrypting local files then moves on to shared network files. The slow drive and small files can confuse the cipher and slow the progress of encryption and spread, as well as allow for additional time to be alerted to things that can indicate a ransomware attack.

What do you do if you become a victim of ransomware? Do you pay the ransom? Do you not pay the ransom? How do you weigh these options? What should you consider?

• The first step is in identifying the threat as quickly as possible and stopping it before it can spread. When it comes to making the decision on paying the ransom, this depends on a number of considerations. Are you sure your data at rest was encrypted? How far reaching is the data encryption? Do you have a recent backup of your critical files? Does the encryption impact files on a single computer or an entire network of files? How quickly is access to the data needed? Does the data need to be kept secured and is there a threat of publishing or sharing the data? For example, if your sensitive data at rest on your network is always encrypted, you’ve backed up the data you need. You can restore it in a time frame that supports your practice operations, you could chose to not pay. If not, pay the ransom. If you don’t have an option to restore a backup or pay, you can choose to reset your network systems and start from scratch though that’s not realistic for a medical practice. Finally keep in mind that paying the ransom doesn’t guarantee the criminals will deliver a decryption key. There is typically “honor among thieves” with regards to ransomware as they wouldn’t have a business model anymore if they didn’t deliver what they promised, but they are called “thieves” for are reason.

What safeguards can practices put in place to prevent these types of attacks?

• If you’re not already hosting your data in a secure Cloud environment, consider it. If you’re planning on continuing to manage your own sensitive data on your own systems, start with implementing detection software and intrusion prevention software. Always stay current with system and antivirus updates, especially operating systems like Microsoft. Back up your data daily so if you do get infected, you at least have a copy of fairly recent data to back up to. Use antivirus software to scan attachments and applications before opening or installation. Review and update your employee access controls. If there is no legitimate business reason for a front desk team member to have administrative network access, they shouldn’t. Train your teams in avoiding ransomware especially suspicious things to look for in emails and phone calls. Segregate your practice networks that house sensitive data behind strong firewalls. Consider moving your sensitive network systems and software to a Cloud data center environment. Data centers have more sophisticated monitoring, detection, backup, and recovery tools in place than the average doctor’s office.

What should everyone know about ransomware attacks?

• If it hasn’t happened to you yet, it’s only a matter of time. Most often, malicious activity starts with hackers just determining vulnerabilities in staff and or networks. No system is impervious or guaranteed to be hack-free. However, the more safeguards you put in place and document, the more ammunition you’ll have to prevent an attack or recover from one.

https://www.trendmicro.com/vinfo/us/security/definition/ransomware ¹