Ransomware Best Practices: Beating Cybercriminals at their Own Game
Author: Frank Siepmann, Senior Cybersecurity Advisor
An international study reports nearly 40 percent of businesses experienced a ransomware attack in the last year. A recent U.S. government interagency report indicates that, on average, nearly 4,000 daily ransomware attacks have occurred since early 2016, representing a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015.
In our digital healthcare world, this extortion threat to hospitals and health systems is escalating as wars between professional cybergangs intensify their efforts. These hackers are ever evolving creative encryption schemes to hold electronic protected health data (ePHI) hostage, until a ransom is paid. Proactive security measures have never been more critical.
Before your provider organization finds itself in a position of vulnerability at a hacker’s hand on your watch, implement these three phased steps to prepare for and manage ransomware (or any malware):
- Proactively implement ransomware attack best practices (see below).
- Activate your incident response plan to tackle the ransomware incident as it happens.
- Analyze shortcomings, post incident, spotted during the investigation to better understand and communicate the “lessons learned” and to enact new action steps in preparation of future attacks. For instance, your “security awareness” team can visually demonstrate to employees how the opening of phishing email scams automatically downloads ransomware onto the server.
These proven ransomware best practices can help thwart sophisticated cybercriminals’ threats:
- Backup and recovery data protection program. Clearly a HIPAA Security Rule, a provider organization’s optimal backup and recovery data protection program will involve testing regularly in a secure location. What’s more, importantly part of a disaster recovery or data protection continuity plan are two elements as explained in “Understanding RPO and RTO”: 1) Recovery Point Objective (RPO) is the variable amount of data that will be lost or will have to be re-entered during network downtime. 2) Recovery Time Objective (RTO) designates the amount of real time that can pass before the disruption seriously harms and unacceptably impedes the flow of normal business operations. The RTO/RPO must meet your business objectives deemed critical for a backup solution in case of a hardware, software or communications failure.
- A well-oiled instant response program. Some ransomware attacks comes with a deadline to respond within 12 or 24 hours, depending on the hacker’s level of aggressiveness. Rather than risk having your data deleted and losing it forever, it’s vital that instant response is timely and that critical decisions are made. You may even have to potentially pay—an FBI recommendation in fact; however, there is no true guarantee of safeguarding a true recovery in such cases. Tools for antivirus and malware detection including Kaspersky Lab, for example, also are available for eliminating old ransomware. Likewise, determining the type of ransomware that you are up against and whether the tools to eradicate it are readily available should be part of your instant response program.
- IT and data asset inventory. In order to effectively manage your organization’s assets, take stock of your owned number of personal computers, medical devices, mobile devices, the software and network programs running, and the archived ePHI and operations data—essentially all physical and virtual technology and information assets. Keeping account of this all-too-common process problem can be resolved through regular inventory maintenance checks.
- Set apart medical devices. SelectUSA reports more than 6,500 medical device companies in the U.S. Most are small- and medium-sized companies, with 80 percent hiring fewer than 50 employees. Many, notably start-up firms, have little or no sales revenue. Considered fragile in lacking outdated platforms and prohibited from implementing basic security measures, many medical devices are often excluded from a provider’s asset inventory. One solution is to isolate the devices to a dedicated network, mitigating risk to human life.
- Organizational behavior change toward security. We are all part of a shared environment. We’re all connected. But just one employee’s decision to bypass security protocol can have a consequential impact on the entire network. A number of reputable studies support broad consensus that human error is the No. 1 cause of data breaches. Education on security polices and procedures, awareness, disciplinary actions and attitude change are needed—not more technology. Employees lacking understanding of why security measures are in place can be highly creative, circumventing security controls and opening the door to innocent, costly breaches in data. Healthcare professionals in particular underestimate the importance of registering mobile, apps or other devices with their hospital’s security department, loading them onto their provider network with no thought of plans to maintain them. Sooner or later the devices are seized for malicious activity use.
Ransomware is not a new threat. It has been around for nearly three decades, dating back to the release of the 1989 AIDS Trojan. A mature security program is essentially your only weapon providing ultimate protection preparing for and minimizing this ever-changing, modern-day cybercrime.
Frank Siepmann provides strategic consulting support in the areas of planning, implementing and leading enterprise-wide cybersecurity programs for Pivot Point Consulting clients. He brings 20-plus years of progressive experience in the cybersecurity industry holding senior leadership positions at Fortune 100 companies.
To learn more about our Cybersecurity Advisory Services, contact us at info@pivotpointconsulting or 800.381.9681.