There is no doubt that ransomware is a growing threat to healthcare organizations. It was recently reported that each day, approximately 4,000 ransomware attacks occur, with the majority taking place within the healthcare industry. Healthcare organizations are targeted not only because of the valuable data they maintain, such as personal information including private medical history, social security numbers, and detailed payment and provider information, but also because many hospitals are more likely to pay a ransom rather than risk delays that could result in death and lawsuits.
As healthcare organizations continue to face these new threats, some are paying up while others have prevailed. In 2016, the FBI issued a request that organizations not pay ransomware demands. As the threats continue to mount, how can you keep your IT department from falling into the ransomware trap? In this blog post, we identify the top five ways to defend your organization with a health IT ransomware response plan. Here they are:
Detection
First and foremost, organizations must understand what ransomware is, how it can be identified, and how to report it. This can be done through an ongoing information security and training process, web filtering technology, and a robust patching program, among others. Once ransomware has been detected, it should then be escalated through the appropriate channels.
Analysis
Determine the scope of the ransomware and whether or not it can be removed. If it can’t, then the threat must be escalated to the appropriate team. Is the attack a low, moderate, or high threat? How many users have been affected? Understanding which category the attack falls into will help escalate the issue appropriately and help you better determine how the threat should be managed.
Containment
The first step in containing ransomware is to get the infected machines off the network. You must assume that the malware could make use of an Internet connection and that it’s sending information back to the criminals. Perform a forensic analysis to find the source and type of the ransomware infection. Once you are confident that the ransomware is contained and the chances of any further compromise have been eliminated, then you can begin to restore your files.
Encryption
If your data is encrypted by ransomware, backups allow you to restore your environment from a point in time before the attack and avoid paying the ransom. When a critical IT environment has been backed up, you can recover the information rather than face the potential disaster of spending hours, days or weeks rebuilding databases.
Testing
Test your plan, and test it again. While having an incident response plan in place is the best possible defense against ransomware, one that isn’t regularly tested may have undetected problems that could cause your strategy to go wrong during a high-pressure situation like a ransomware attack.
Lessons Learned
Your ransomware response plan should provide for a post-incident evaluation of the response, including recording lessons learned. As threats evolve, the plan should be periodically reviewed and revised. It may make sense to do so on the same schedule as data security breach plans.
NetApp and Varonis are partnering on a webinar, “The Ransomware Threat: How to Detect, Mitigate, and Remediate.” You can register for it here or tap into other resources on ransomware here.