Ransomware on the rise

Tuesday, October 10, 2017 – Ellen Gardner

Rogue criminals have figured out that the best way to extort money from your healthcare organization isn’t to steal your data but to lock it up for as long as it takes. It’s a pretty simple business model and can do a lot of damage if you’re unprepared.

Self-professed white hat hacker – “which means a good one” – Kevin Magee dispenses advice about protecting your organization from a ransomware attack in a friendly and approachable way. But don’t let his smile deceive you; in the new world of aggressive technology attacks, there is plenty to be afraid of.

“This is not just a random kid you’re up against,” he said. “This is an industry that has huge amounts of greed and will do anything to get money, even if it means people die in the process.” Magee, former board member of the Brant Community Healthcare System and a Global Security Strategist, delivered his powerful message at the OHA Financial Management Conference held in Toronto in September.

It’s precisely the nature of healthcare organizations that makes them the perfect target, says Magee. They typically invest less in protection than industries like banking and insurance do, and they have something of high value – large amounts of data and increasingly complex digital systems that perform critical functions in the organization. But most important, they have staff who care. “If you have patients, you are much more likely to panic than if you sell sheet metal,” he said.

That is precisely what ransomware criminals prey on. “They want to find the most susceptible person who they can trick into getting money,” he says.

A devious virus that encrypts your data

Contrary to what the name implies, ransomware isn’t your standard threatening note with letters clipped from the newspaper. A ransomware attack is a devious virus that encrypts your data so you can’t read it and keeps burrowing further into the system to the point where it can cripple your entire network. “How it typically happens,” says Magee, “is an employee gets duped into clicking on a link in an email or visits an infected website, but instead of trying to trick you into buying antivirus software, the bad guys lock up your data and demand ransom to get it back. It’s a remarkably simple model.”

For a hospital, there is nothing worse than having a criminal in charge of your network. After a ransomware attack in 2016, Hollywood Presbyterian Medical Center was completely shut down for two weeks: it lost access to email and medical records and could not share x-rays, CT scans and other medical tests. Hackers were demanding $3.6 million to restore access.

As leaders or frontline staff, Magee says we often put too much burden on and too much trust in our CIOs when they tell us they’ve installed the latest firewalls and “not to worry, it’s all good”. “Would you accept that same comment from your CFO about the financial state of your hospital? Probably not.”

A hospital is no longer just a building, it’s a gigantic system with a myriad of connected parts – and they’re all connected to the Internet. A ransomware attack can throw that entire system into chaos in a matter of hours, says Magee. The hackers’ efforts are geared to pushing you to the breaking point – and when that moment arrives help is available. Just not from where you’d expect.

“Unlike some telecom companies, these criminals understand the value of customer service,” says Magee. “They’ve created call centres and the customer support they provide is excellent!”

Contrary to your mental image of the glamourous criminal, the perpetrators of ransomware have quite a different profile. “They’re usually poorly paid kids living on the outskirts of Moscow, in their mid-20s, working their first jobs, coming to work from Monday to Friday like the rest of us,” says Magee. Their target is hospitals and it doesn’t matter if you’re the Mayo Clinic or a rural hospital in Manitoba, you’re still a mark. “You have to be vigilant in keeping these attacks at bay,” he says.

Effective vigilance, Magee says, begins with preparation before the attack. “Not being prepared will result not just in downtime during the attack but a loss of reputation and the time to restore systems after it’s over,” he says. “The recovery can take weeks.”

“Have the discussion now,” advises Magee, “because if a ransomware issue prevents you from providing basic care, the entire mission of your organization is compromised.”

By Ellen Gardner, Senior Specialist, Communications and Marketing, HIROC

How to protect your organization

With the heightened risk to healthcare organizations, delegates at the OHA conference paid careful attention to Magee’s parting advice on how to avoid attacks or protect yourself after an attack:

  1. Make sure your firewalls and antivirus software are up to date. Maintaining a strong firewall and keeping your security software current are critical.
  2. Back up, back up, back up! Employees should be taught to regularly – hourly or daily – back up their files to a reputable storage backup service at a location external to your organization.
  3. Exercise caution. Ultimately it comes down to staff in your organization knowing what to do when clicking through items in their inbox. Educate them not to click on links inside emails and avoid suspicious websites. Use social engineering to send ‘test’ emails so staff learn not to click on suspicious links.
  4. Do ‘walk through’ scenarios. Staff need to know what the risks are and how to respond to them. Doing mock scenarios will show you where the gaps are and will also empower people to ask questions. Staff need to feel it’s safe to share information without penalty.
  5. Have manual processes available. When the systems shut down at Hollywood Presbyterian Medical Center, staff had to fire up fax machines and log registrations and medical records on paper. Magee advises having access to manual processes and old-fashioned systems.
  6. Alert your IT department and the authorities immediately. Ransomware is a serious form of extortion. Law enforcement and cybersecurity experts typically advise against paying ransom in ransomware cases. If you are hacked, make sure you have alerted the proper people inside your organization and that they contact the police and the proper authorities.
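The backups in item 2 only help if the latest copy is recent and still intact once ransomware has struck. The following is an added example, not code from HIROC or from Magee’s talk: a small Python check that records SHA-256 hashes of a backup set when it is taken and later confirms that the set is inside the backup window and that no file has been altered or removed. The file names, the sample contents and the hourly window are assumptions for illustration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> dict:
    """Record a hash of every file in the backup set and when it was taken.
    In practice the manifest is kept off-site together with the backup."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in backup_dir.rglob("*") if p.is_file() and p.name != MANIFEST}
    manifest = {"taken_at": time.time(), "files": files}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest))
    return manifest

def verify_backup(backup_dir: Path, max_age_seconds: float) -> dict:
    """Is the latest backup inside the backup window, and is every file still
    exactly what was recorded? A changed hash means the copy cannot be trusted."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    age = time.time() - manifest["taken_at"]
    tampered, missing = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_file(p) != expected:
            tampered.append(rel)
    fresh = age <= max_age_seconds
    return {"fresh": fresh, "tampered": sorted(tampered), "missing": sorted(missing),
            "ok": fresh and not tampered and not missing}

def demo() -> dict:
    """Constructed sample: two small exports, one overwritten after the manifest
    was written, standing in for a backup copy that ransomware has reached."""
    backup = Path(tempfile.mkdtemp()) / "backup"
    backup.mkdir()
    (backup / "records.csv").write_text("mrn,admitted\n1001,2017-09-01\n")
    (backup / "imaging.txt").write_text("CT-2017-09-01\n")
    write_manifest(backup)
    (backup / "records.csv").write_bytes(b"\x8f\x12\xa4" * 8)  # no longer matches
    return verify_backup(backup, max_age_seconds=3600)  # hourly window, per item 2
```

Running `demo()` reports the backup as fresh but not OK, with `records.csv` listed as tampered; a manifest stored with the off-site copy lets staff see this before they rely on the backup during recovery.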