By Elizabeth Snell

July 18, 2017 - With each week seeming to bring in a report of a new ransomware attack, healthcare organizations cannot afford to assume that this type of cybersecurity issue will never affect them. Preparing for ransomware attacks in the healthcare industry needs to be a top priority for organizations of all sizes.

A comprehensive approach to data security needs to evolve with the cybersecurity threats plaguing the industry. It is not enough to just check off items on a list and say that an organization is compliant.

Failing to have current data backups, using unpatched or outdated software, and not properly or regularly training employees can all have catastrophic results for covered entities and their business associates.

Regularly back up data

Losing information that had been stored on a network, in an EHR (including patient medical records), or in a database is one of the potential outcomes from a healthcare organization falling victim to a ransomware attack.

However, if a hospital can restore its encrypted or deleted data because it has a secure backup, it can more quickly return to normal operations.

CERT Division Senior Research Scientist Alexander Volynkin explained in a blog post for the Software Engineering Institute (SEI) at Carnegie Mellon University that regular system backups and verification are the most effective approach to ransomware prevention.

“Conduct regular backups of your system and store the backups offline and preferably offsite so that they cannot be accessed through your network,” Volynkin wrote, along with co-authors Jose Morales and Angela Horneman. “For ransomware, offline is more important. For other events, offsite is more important.”

ICIT Co-founder and Senior Fellow James Scott explained in a previous interview with HealthITSecurity.com that failing to have data properly backed up is one of the first mistakes an organization can make.

“It’s not enough to just back up your data in real time,” Scott maintained. “You have to have an auto disconnect of that external server or hard drive because a worm will find its way in to that backup system.”

Scott added that individual files and the entire PC should be backed up. Entities should also have a system image, which is a snapshot of all the files and applications on a system at a particular time.

Even a large-scale ransomware attack is more recoverable when there is a backup in place.

Urology Austin reported in March 2017 that it had experienced a ransomware attack on January 22, 2017. The incident potentially exposed patient data that was stored on the compromised server. Nearly 280,000 individuals were affected by the attack.

However, Urology Austin said it became aware of the incident within minutes of the attack and shut down its computer network. An organization representative also told local news station KXAN that Urology Austin did not pay the requested ransom and was able to restore patient information from a backup.

Maintain updated software, perform system patches

Healthcare organizations must also ensure they regularly update their software and patch systems as needed. Failing to maintain software could allow hackers to gain access to a network.

For example, the May 2017 WannaCry ransomware attack targeted Windows-based operating systems (OS), largely spreading through email attachments and malicious links.

ECRI released guidance stressing the necessity of software updates and patches to work toward preventing such an incident from recurring.

“Common best practices should always be followed when dealing with software updates and suspicious e-mails containing links and attachments as the first line of defense against any ransomware or other malware,” ECRI stated. “Continuing education should also be provided frequently to all levels of staff to promote awareness of and compliance with these best practices.”

Medical device vulnerabilities could be particularly harmful to healthcare organizations, ECRI added. Windows-based medical device systems potentially remained susceptible to similar types of attacks. This was potentially because the devices operate on older Windows versions that cannot be upgraded or the devices have not been validated with the latest security patches.

In June 2017, concerns over Petya ransomware attacks caused the Department of Homeland Security (DHS) to issue its own warning on unpatched and unsupported software.

Petya would encrypt the master boot records of infected Windows computers, and exploit vulnerabilities in Server Message Block (SMB) to make devices unusable, DHS explained. However, Microsoft released a security update for its Microsoft Server Message Block 1.0 (SMBv1) server in March 2017.

“This security update resolves vulnerabilities in Microsoft Windows,” Microsoft said on its website. “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to [an SMBv1] server.”

The ransomware attack on MedStar Health also reportedly stemmed from a well-known security vulnerability in an application server.

MedStar was using JBoss, an application server with a recognized design flaw. Hackers then used virus-like software to scan the Internet for vulnerable JBoss servers. Numerous groups, including the US government, released warnings about the security issue in February 2007 and March 2010.

The warnings explicitly stated that the security problem could allow unauthorized users to access confidential information and potentially disrupt business operations.

Conduct regular employee training

Information security training for employees is another top area for healthcare organizations to build into their overall approach to cybersecurity.

Employees at all levels must be able to recognize potential phishing attempts, and know whom to notify and how to handle the situation. It takes just one individual clicking on a malicious link or attachment for an organization to become infected with ransomware.

The WannaCry incident is just one example of where better training could have aided entities, according to Foley & Lardner LLP Partner Mike Overly.

“If you layer on top of [implementing software patches], simply training personnel to be a bit more careful when they're clicking through attachments or links in emails, you would have addressed an even greater percentage of the WannaCry problem,” he told HealthITSecurity.com in a previous interview. “WannaCry could have been reduced to a relatively trivial problem if people had just addressed those two very fundamental information security approaches.”

Employee training and basic security patching don’t require the investment of large sums of money and are key fundamentals to building stronger information security, Overly maintained.

A recent HIMSS Analytics and Level 3 Communications, Inc. study also found that 80 percent of surveyed health IT executives and professionals find that employee security awareness is their greatest concern regarding healthcare data security.

Impact to clinical workflows, employee awareness and training, and in-house expertise were part of the top five security program barriers, the survey found.

Level 3 Global Security Services SVP Chris Richter said in a statement that the healthcare security threats are only going to continue to evolve.

“Aside from fostering and maintaining a culture of security, which includes regular employee security training, healthcare organizations should implement a security governance framework and appropriate technology controls,” Richter said. “These include threat intelligence, DDoS mitigation and next generation firewalling and sandboxing – all critical next steps for healthcare providers to secure their networks.”

Healthcare organizations cannot guarantee that a ransomware attack will never occur, but they can take critical steps toward lessening the likelihood of such an incident happening. Entities can also implement necessary technical aspects to help ensure a speedy recovery and prevent data from being permanently affected.