By Aly Seidel, Daily Briefing
Hackers are increasingly holding hospitals for ransom—and they show no signs of slowing down.
Several hospitals this year have fallen victim to "ransomware" attacks, in which hackers encrypt an organization's files and demand ransom for a decryption key.
In some instances, hospitals managed to recover their data without paying the ransom. In others, hospitals paid tens of thousands of dollars to return to business as usual.
The incidents that received press coverage may just be the tip of the iceberg. A recent HIMSS Analytics survey found that about 50 percent of hospitals have been targeted by ransomware in the past year—a finding that some experts say is alarming but not particularly surprising.
"Two years ago, it was already well-known that ransomware is basically the future of malware," says Phil Beyer, senior director of information security at The Advisory Board Company. "It was clear as day to any of us in the security profession."
According to Beyer, hospitals are "ripe for the picking" for two reasons.
First, hackers see hospitals—which are becoming increasingly reliant on computers for day-to-day operations—as more likely than many organizations to pay ransoms if necessary to maintain patient care.
Second, ransomware software is relatively easy for hackers to access. It can be purchased for just a few hundred dollars and is easy for most people to use. "It's available to more than just the most advanced bad guys," Beyer says.
Luckily, there are ways to defend your hospital's systems. Our experts explain—in order of importance—what hospitals and health systems should do to protect themselves from ransomware.
1. Back up your data
The best way to overcome a ransomware attack is to have offline backups of your servers and staff workstations.
"The bad guys are taking advantage of the fact that you want to get access to your data and don't have another way to do it except paying the ransom," Beyer says. "First and foremost, back up your data. It's really the only thing you can leverage in this situation."
While regular backups won't stop your systems from being hit with ransomware, they will allow you to make a quick recovery. Michael Gough, lead incident response engineer with the Advisory Board, recommends two types of backups: end-point backups—which store data from a specific workstation, such as the computers nurses use during rounds—and server backups, which store centrally accessed data.
2. Limit system access
Ransomware exploits the fact that your patient data can be accessed from many points in your network.
Any computer, tablet, phone, or workstation that is connected to your server is vulnerable to attack—and ransomware can slip through any one of these thousands of entry points. If just one computer is infected, whether via a malicious email attachment or a compromised website, the malware can quickly spread through the entire hospital.
One solution is to cut down on the number of access points. "The fewer exposure points, the better," Beyer says.
Take a nursing station. The station's computers have access to large amounts of patient data, and it would be devastating if this information were lost in an attack. To protect this mission-critical data, Gough recommends isolating one or more computers from the hospital's network. Nurses can then use the designated machines for any potentially dangerous activity, such as opening email attachments.
"If that computer is infected by ransomware, it wouldn't have the ability to access data on the wider hospital network," Gough says. And if you've been doing your end-point backups, you can restore that targeted computer.
3. Install email filters
The majority of ransomware arrives via email, so organizations should set up their email gateway to screen as many malicious messages as possible. Don't just rely on basic email filters: You can enable specific add-ons that can catch malicious attachments.
"All of an organization's mail comes through the gateway," Beyer explains. "You can think of it as a post office. It takes a look at everything and tries to determine if it's good or bad—and there are features you can enable to tell the post office workers, 'Don't send this through.'"
"There's no reason a .JS file should ever be passed on to a user," Gough says. "The bad guys are taking advantage of it."
And while email filters are "far from perfect," Beyer says they are tools that, used in conjunction with others, can help limit risk.
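The attachment rule Gough describes can be sketched as a gateway-side check. This is an added example, not code from the article or from any mail product; the blocked extensions other than `.js`, the function names, and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# ".js" comes from the article; the other script extensions are assumed
# additions for illustration.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() decodes RFC 2231 / RFC 2047 encoded names.
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and ignore trailing dots or spaces, so
        # "Scan.JS" and "scan.js." are treated the same way.
        cleaned = name.strip().rstrip(". ").lower()
        _, dot, ext = cleaned.rpartition(".")
        # Only the final extension counts: "invoice.pdf.js" is a script.
        if dot and "." + ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def gateway_verdict(raw_message: bytes) -> str:
    """Quarantine the whole message if any attachment is blocked."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed sample message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "nurse@hospital.example"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname in ("invoice.pdf", "invoice.pdf.js", "REPORT.JS"):
        print(fname, "->", gateway_verdict(build_sample(fname, b"placeholder")))
```

The check looks only at attachment filenames, so a script inside an archive passes it; that is one reason filters are used in conjunction with the other measures.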
4. Keep a whitelist of websites and applications
Dangerous websites and applications are constantly proliferating, and it's almost impossible to individually block every avenue for attack. So some organizations take the opposite approach: Rather than blacklisting dangerous activities, they whitelist certain websites and applications and limit workstations to accessing only items on that list.
The ability to whitelist is built into most operating systems, but Gough and Beyer warn that, while it's normally cost-free, it's labor-intensive.
"Whitelisting has gotten easier to use," Beyer says. "But the big caveat with this one is it's still difficult for the average person to use this kind of software. You need, at least, a moderately capable IT team to implement this kind of solution across an entire hospital or an entire system."
As long as hackers continue to target health care, hospitals and health systems need to be on the defensive.
"Bad guys are using advanced strategies to cripple traditionally laggard sectors, like health care," Beyer says. "The only way to combat this is to advance quicker."
To help you protect your data from hackers, download Health Care IT Advisor's executive research briefing, "Ransomware Incident Response: Managing in Minutes," which includes a six-step response plan to bolster your organization's cyber defenses.