
Blog Post

Hackers struck 45 UK medical facilities. Follow these best practices to avoid being next.

May 23, 2017

    The cyberattack that swept the internet earlier this month had a surreal quality, as though ripped from a spy thriller.

    Computers in 45 medical facilities across the United Kingdom were knocked offline by hackers who demanded a ransom to restore the systems' functionality.

    A National Health Service staffer told BBC, "Patients will almost certainly suffer and die because of this." Some hospitals couldn't even print nametags for newborns.

    In total, hackers struck at least 75,000 computer systems across 99 countries. To add an element of spy-versus-spy drama, the hackers apparently exploited a Windows flaw reportedly first discovered by the NSA, whose exploit tooling was leaked earlier this year.

    But while the details of the attacks are extraordinary, so-called "ransomware"—which encrypts a user's files and demands a payment for the decryption key—is becoming frighteningly familiar to hospitals around the world.


    In a single day last year, three U.S. hospitals were struck by ransomware. In a separate incident, a California hospital paid $17,000 to bring its critical systems back online. More than half of hospitals surveyed say they've faced attempted ransomware attacks.

    Hospitals are especially vulnerable because patient care depends on continuous access to clinical records, so every hour of downtime carries real risk and raises the pressure to pay. But the threat isn't limited to health care or even to the corporate world. In fact, individual users may be at even greater risk, since they don't have an IT department to help keep them safe.

    Faced with such a threat, what's a health care provider, company, or a normal internet user to do?

    First, the bad news: Once you've been struck by ransomware, it's probably too late. Researchers have published free decryption tools for some ransomware families whose authors made cryptographic mistakes, but in most cases there is no way to recover your files without the attacker's key.

    You could pay the ransom. But the FBI discourages it, in part because there's no guarantee you'll receive a decryption key in the end, and in part because every ransom paid makes the hackers' work more profitable. (If your organization does choose to pay, consider hiring a reputable information security firm to manage the transaction.)

    We've found, through our work with 4,500 hospitals and health systems, that the better plan is to prepare upfront—before ransomware strikes.

    The first best practice: Back up your files, and keep a copy somewhere the ransomware cannot reach. Modern ransomware encrypts mapped network drives and attached USB disks as well as the local machine, so a backup that stays connected or writable is not a safe copy. Rotate an offline copy (or use backup storage the infected machine cannot write to), and test a restore periodically. As long as you hold a copy where the ransomware can't spread, you can restore your files with relative ease.

    Second, keep your operating system and other software up to date. Yes, that requires obeying demands from Windows to restart your computer for updates. It's annoying—but bear in mind that this month's attacks exploited a Windows vulnerability in the SMBv1 file-sharing protocol that Microsoft patched in March (security bulletin MS17-010). If your software was up to date, you already were largely protected; disabling SMBv1 where it isn't needed closes the same door.

    Third, filter your email. Most ransomware reaches its victims through email attachments, so spam-blocking software—the kind built into most web-based email systems, such as Gmail—offers some protection. In particular, block script attachments (such as JavaScript .js and Visual Basic .vbs files) and macro-enabled Office documents, including when they arrive inside a ZIP archive, and consider disabling Windows Script Host and Office macros for users who don't need them. This month's attack was the exception that proves the rule: it spread directly between unpatched machines over the network, which is why patching matters even where email is well filtered.
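    As an added example (not code from the original post), here is the attachment policy the paragraph above describes, written as a mail-gateway check. It blocks script and macro-enabled attachments by their final extension, so double extensions such as "invoice.pdf.js" are caught, looks inside ZIP archives, and rejects archives it cannot inspect. The deny list and the sample ZIP are constructed assumptions; tune the list to your environment.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed deny list: Windows script hosts, executables, and macro-enabled Office
# formats. Legacy .doc/.xls can carry macros too; handle those with macro policy.
BLOCKED_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "bat", "cmd",
    "scr", "exe", "pif", "com", "cpl", "docm", "xlsm", "pptm",
}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_ARCHIVE_DEPTH = 2  # nested archives beyond this are rejected unseen


@dataclass
class Verdict:
    filename: str
    blocked: bool
    reason: str


def extensions_of(filename: str) -> list:
    """Trailing extensions, lowercased: 'invoice.pdf.js' -> ['pdf', 'js']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(filename: str, data: bytes, depth: int = 0) -> Verdict:
    """Decide whether one attachment may pass. Windows executes a file based on
    its final extension, so that is the one we judge."""
    exts = extensions_of(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        return Verdict(filename, True, f"blocked extension .{final}")
    if final in ARCHIVE_EXTENSIONS:
        if depth >= MAX_ARCHIVE_DEPTH:
            return Verdict(filename, True, "archive nested too deeply to inspect")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Encrypted entry: a favourite trick for smuggling
                        # droppers past scanners. Cannot inspect, so reject.
                        return Verdict(filename, True,
                                       f"password-protected entry {info.filename}")
                    inner = check_attachment(info.filename, zf.read(info), depth + 1)
                    if inner.blocked:
                        return Verdict(filename, True,
                                       f"archive contains {info.filename}: {inner.reason}")
        except zipfile.BadZipFile:
            return Verdict(filename, True, "unreadable archive")
    return Verdict(filename, False, "allowed")


def filter_message(attachments: list) -> list:
    """Run the policy over (filename, bytes) pairs from one message."""
    return [check_attachment(name, data) for name, data in attachments]


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP that hides a script behind a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", b"// constructed, harmless placeholder\n")
        zf.writestr("cover-letter.txt", b"constructed sample text\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = [
        ("report.pdf", b"%PDF-1.4 constructed"),
        ("invoice.pdf.js", b"// constructed"),
        ("Q2.DOCM", b"constructed"),
        ("invoice.zip", build_sample_zip()),
        ("notes.zip", b"not really a zip"),
    ]
    for v in filter_message(sample):
        print(f"{'BLOCK' if v.blocked else 'allow':5}  {v.filename:16} {v.reason}")
```

    The check is deliberately extension-based rather than content-based so it fails closed on anything it cannot read; pair it with a scanner that inspects actual file contents, since a script renamed to .txt is harmless in mail but a .docx with an embedded OLE object is not caught here.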

    Larger organizations with sensitive data, including hospitals, should consider further steps. One is to limit the paths into and across your network by, for instance, disconnecting systems from the internet or your internal network wherever possible, segmenting clinical systems from general office machines, and restricting file-sharing ports such as SMB to the hosts that need them. The fewer ways that ransomware can slip in or spread, the less vulnerable you'll be.

    A more technical and potentially impactful option is application "whitelisting" (allow-listing): configuring systems, with tools such as Windows AppLocker, to run only applications known to be trusted, and filtering web access to known-good destinations. This can frustrate users, but it greatly reduces their risk of executing malicious software, because a freshly dropped ransomware binary is simply not on the list.

    Organizations should also ensure leadership is fully aware of your plans for maintaining backups and restoring files should ransomware strike, and should rehearse a restore so the recovery time is measured rather than guessed. Your CEO doesn't want to learn mid-crisis that your backups are a month old and that you'll need a week to recover that data. Similarly, prepare staff on what to do if computer systems crash, including paper-based downtime procedures. We know of several cases in health care organizations where clinical staff weren't familiar with procedures and had difficulties delivering care as a result.
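    The backup advice earlier in the post and the "backups are a month old" scenario above both come down to a question you can answer mechanically before a crisis: is the offline copy intact, and how old is it? The following added example (not the post's code) writes a SHA-256 manifest when a backup is taken and verifies it before a restore, flagging files that have changed, disappeared, or appeared since. The manifest file name, the age threshold and the sample records are assumptions constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed name; lives alongside the backup set


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(backup_dir: Path):
    """Every regular file in the set except the manifest itself."""
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield str(p.relative_to(backup_dir)), p


def write_manifest(backup_dir: Path, taken_at: Optional[float] = None) -> Path:
    """Record when the backup was taken and the hash of every file in it."""
    manifest = {
        "taken_at": taken_at if taken_at is not None else time.time(),
        "files": {rel: sha256_file(p) for rel, p in backup_files(backup_dir)},
    }
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup(backup_dir: Path, max_age_days: float = 7,
                  now: Optional[float] = None) -> dict:
    """Compare the set against its manifest and report age and discrepancies."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    now = now if now is not None else time.time()
    age_days = (now - manifest["taken_at"]) / 86400
    problems = []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")      # e.g. renamed to .locked
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")     # e.g. encrypted in place
    present = {rel for rel, _ in backup_files(backup_dir)}
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")       # e.g. a ransom note
    stale = age_days > max_age_days
    return {"age_days": age_days, "stale": stale,
            "problems": problems, "ok": not problems and not stale}


def demo() -> dict:
    """Constructed scenario: a clean two-day-old backup, then the same share
    after ransomware reached it. Returns the verification results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "patient_a.txt").write_text("constructed record A\n")
        (root / "records" / "patient_b.txt").write_text("constructed record B\n")
        write_manifest(root, taken_at=time.time() - 2 * 86400)
        clean = verify_backup(root)
        # Simulate ransomware: one file encrypted in place, one renamed, a note dropped.
        (root / "records" / "patient_a.txt").write_bytes(os.urandom(32))
        (root / "records" / "patient_b.txt").rename(
            root / "records" / "patient_b.txt.locked")
        (root / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        tampered = verify_backup(root)
        stale = verify_backup(root, max_age_days=1)
    return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "ok" if result["ok"] else "NOT OK",
              f"age={result['age_days']:.1f}d", result["problems"])
```

    Store the manifest with the offline copy, but keep a second copy of its hash elsewhere: if the attacker can rewrite both the files and the manifest, the check proves nothing. The age threshold is the real policy decision; it should match how much data loss leadership has actually agreed to accept.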

    Does all of this preparation sound tedious? It is. But ask yourself: If you had to pay $300 or $500 or $10,000 to access the only copy of your most valuable professional and private files, would you pay up?

    Hackers are betting you'll say "yes." The best way to disappoint them is to ensure you never find yourself in that situation.
