Ransomware incident response: Managing in minutes
In a single day last year, three U.S. hospitals were struck by ransomware. In a separate incident, a California hospital paid $17,000 to bring its critical systems back online. More than half of hospitals surveyed say they've faced attempted ransomware attacks.
Hospitals are especially vulnerable because of their need to maintain access to patient data, but the threat isn't limited to health care or even to the corporate world. In fact, individual users may be at even greater risk, since they don't have an IT department to help keep them safe.
Faced with such a threat, what's a health care provider, a company, or an ordinary internet user to do?
First, the bad news: Once you've been struck by ransomware, it's probably too late. Although researchers have found ways to reverse some ransomware varieties, in most cases, there's no way to decrypt your own files.
You could pay the ransom. But the FBI discourages it, in part because there's no guarantee you'll receive a decryption key in the end, and in part because every ransom paid makes the hackers' work more profitable. (If your organization does choose to pay, consider hiring a reputable information security firm to manage the transaction.)
We've found, through our work with 4,500 hospitals and health systems, that the better plan is to prepare upfront—before ransomware strikes.
The first best practice: Back up your files, and save them somewhere that is not connected to your computer. As long as you maintain a copy where the ransomware can't spread, you can restore your files with relative ease.
Second, keep your operating system and other software up to date. Yes, that requires obeying demands from Windows to restart your computer for updates. It's annoying—but bear in mind that this month's attacks exploited a Windows vulnerability that Microsoft patched in March. If your software was up to date, you already were largely protected.
Third, filter your email. Most ransomware reaches its victims through email attachments, so spam-blocking software—the kind built into most web-based email systems, such as Gmail—offers some protection. In particular, block attachment types such as JavaScript and Visual Basic for Applications that malware often exploits, and consider disabling those file types.
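As an added illustration of the attachment blocking described above (not code from the original article), the following Python sketch checks each attachment of a message against a blocklist and also looks inside ZIP containers, since a script can be zipped and macro-enabled Office files are ZIP archives that carry a `vbaProject.bin` member. The blocklist contents, the function names, and the sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: script types plus macro-enabled Office formats.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".docm", ".xlsm", ".pptm"}

def ext(name):
    name = name.lower().rstrip(". ")  # Windows ignores trailing dots and spaces
    return name[name.rfind("."):] if "." in name else ""

def check_attachment(name, data):
    """Return reasons to block one attachment (empty list means allow)."""
    reasons = []
    if ext(name) in BLOCKED_EXT:
        reasons.append(f"{name}: blocked extension {ext(name)}")
    if zipfile.is_zipfile(io.BytesIO(data)):  # .zip, and Office files are zips too
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith("vbaproject.bin"):
                    reasons.append(f"{name}: contains VBA macros ({member})")
                elif ext(member) in BLOCKED_EXT:
                    reasons.append(f"{name}: archive member {member}")
    return reasons

def scan_message(raw):
    """Parse a raw RFC 5322 message and check every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [reason for part in msg.iter_attachments()
            for reason in check_attachment(part.get_filename() or "",
                                           part.get_payload(decode=True) or b"")]

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder")
    return buf.getvalue()

def build_sample():  # constructed test message; payloads are inert placeholders
    msg = EmailMessage()
    msg.set_content("See attached.")
    files = {"update.vbs": b"placeholder", "notes.txt": b"meeting notes",
             "scan.zip": make_zip(["invoice.pdf.js"]),
             "report.docx": make_zip(["[Content_Types].xml", "word/vbaProject.bin"])}
    for name, data in files.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns one finding each for the script, the zipped script, and the macro-carrying document, and none for the text file.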
Larger organizations with sensitive data, including hospitals, should consider further steps. One is to limit access points to your network by, for instance, disconnecting systems from the internet or your internal network wherever possible. The fewer ways that ransomware can slip in, the less vulnerable you'll be.
A more technical and potentially impactful option is to use "whitelisting" software that allows a system to use only applications and websites known to be secure. This can frustrate users, but it greatly reduces their risk of executing malicious software.
Organizations also should ensure leadership is fully aware of the plans for maintaining backups and restoring files should ransomware strike. Your CEO doesn't want to learn mid-crisis that your backups are a month old and that you'll need a week to recover that data. Similarly, prepare staff on what to do if computer systems crash. We know of several cases in health care organizations where clinical staff weren't familiar with procedures and had difficulties delivering care as a result.
Does all of this preparation sound tedious? It is. But ask yourself: If you had to pay $300 or $500 or $10,000 to access the only copy of your most valuable professional and private files, would you pay up?
Hackers are betting you'll say "yes." The best way to disappoint them is to ensure you never find yourself in that situation.